Use a password manager. Please.

There are so many articles about passwords out there — so why another one? Well, to be honest, it’s because so many of you are still doing it wrong. Yup… there it is. It’s your fault. You’re doing it wrong, and I’m repeating what so many other people have said, ad nauseam. Can I do a better job? Un-fucking-likely, but that’s not going to stop me from trying.

My goal with these articles is to condense and highlight the important parts of the security world, so here it is:

Use a password manager. I recommend LastPass. Turn on all of the complexity options and set the length to at least 32 — you don’t have to type it in, so it doesn’t matter. One guy I work with uses 100-character passwords. He can log in just as quickly as I can, and my passwords are only 32 characters long. Pick a good master password to protect the manager account itself. ‘My 1 Pa$$word to my cloud password account is very long.’ — that’s a great password :)

You may have noticed I said a swear — that’s probably going to happen a lot. I’m not allowed to do that when I write about security for work, which is funny because few things in life merit swearing as much as security+people. Security is the right place for swearing. Lots of it. I also said I write short blurbs — well, I also make my own wine. I can drink and swear and write about security, so I’m going to do that. You don’t need to read it, the good part is right up there. If you want to keep reading, I promise to try and make it interesting. If not, you won’t hurt my feelings.

There have been so very many breaches in the news that it gets hard to keep track, but I want you to think wayyyy back to 2013. Adobe users and their passwords ended up on the Internet. Out of 150 million users, 2 million of them used “123456” as their password. A few security-savvy people (probably hackers) used the much safer “123456789”. Rounding out the top three was “password”.

Are you fucking kidding me!? 123456? Did you even lift your finger off of the keyboard? Sure — maybe your Adobe account wasn’t government Top Secret, but these trends are consistent with reports on passwords everywhere else.

So… are you lazy? Some sort of cybermasochist? (I’m not judging your life choices; they just limit how much impact I can have. Power to you.) If so — stop reading. Nothing I’m going to say will change that. Keep hoping that you’re a small enough target that nobody wants to steal from you. Or that you’re nice enough or unknown enough that nobody anywhere wants to screw with you. Or that you don’t just randomly show up on a list of potential targets from some random service breach. Good luck with that.

Or… are you uninformed? Well, you can keep reading. You I can help. I won’t talk about entropy. I won’t show you any math. I will share THE definitive comic about passwords. I also promise to get to the point — password managers.

“Password” is a bad password. “XK$<wX5s[xGWH]hV[pzP36t^G.\{6,nh” is a good password. Can you remember that? Can you come up with something crazy long, complex and unique for every single service you use online? No? Well, that’s what password managers are for.

When it comes to passwords, long is more important than complex, but long and complex is better than just long. A unique password for each service you use is critical; if one service gets hacked, you don’t want that combo of email+password to work on every other service you use. Do you want to get hacked? Because that’s how you get hacked.
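Added example (not from the original post): what a manager does when you turn on every complexity option and set the length to 32. It draws every character from the OS CSPRNG and only accepts a candidate that contains at least one character from each class, so nothing about the result is guessable. The four-class list is an assumption about which options a given manager exposes.

```python
import secrets
import string

# Assumed set of character classes a manager's "complexity options" switch on.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}
ALPHABET = "".join(CLASSES.values())


def has_all_classes(password: str) -> bool:
    """True if at least one character from every enabled class is present."""
    return all(any(c in chars for c in password) for chars in CLASSES.values())


def generate_password(length: int = 32) -> str:
    """Return a random password of `length` characters drawn from the OS CSPRNG.

    Each position is chosen uniformly from the whole alphabet; a candidate that
    happens to miss a class is discarded and redrawn, which keeps every
    position unbiased while still satisfying "all complexity options on".
    """
    if length < len(CLASSES):
        raise ValueError("length must be at least %d" % len(CLASSES))
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if has_all_classes(candidate):
            return candidate


if __name__ == "__main__":
    # Constructed demo: one manager-style 32-character password.
    print(generate_password(32))
```

The rejection loop almost never runs twice at length 32; it exists so short lengths still honour every class rather than silently dropping one.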

What operating systems do you use? What browsers do you use? Do you use cloud storage? Do questions like these register on your “pain in the ass” meter? Well then use LastPass.

Have lots of devices to keep in sync? Have a family and want to sync shared accounts? Upgrade to LastPass Premium. It’s $12 a year. I do not work for LastPass. I am not affiliated with them… but I hear good things.

Do you have employees? LastPass also has an enterprise plan.

Dislike their logo? I’ve heard good things about 1Password. They don’t support Linux, so I don’t really have an opinion. It’s a paid app that many of my coworkers use.

Still with me? The last solution I’ll talk about is the one I personally use. I really do think LastPass is decent, but it isn’t what I use. I use KeePass. I use Dropbox, SpiderOak, and Google Drive to sync it between all of my devices.

What makes this solution right for me? Well, for one, I don’t have to put my trust in someone else’s security. My solution is also redundant: the chance that all of my devices and all of those sync services would go down at the same time is very, very small. My solution isn’t user-friendly. That might not matter to you, but I’ve been using Linux for a while now… I may have cybermasochistic tendencies.

That’s it. There are lots of options, including many more than I’ve mentioned. Some free, some paid. Some easy and integrated, some less so. All of them — ALL OF THEM — let you do better than “fluffykitten123”. After a few days, you’ll get the hang of it, and you’ll start to notice that logging in is actually faster this way.

Put in a bit of initial effort. Get an app. Rotate all of your passwords as you put them into your manager. Stay safe.