your password sucks

A couple of months ago, the new White House Press Secretary tweeted out this seemingly random string of letters, widely assumed to be his password:

A day later, Secretary Spicer tweeted out a seemingly stronger mix of letters and numbers, also assumed to be his password:

You might think that Secretary Spicer was greatly improving his password strength by mixing numbers in with the letters, but you'd be wrong.

In fact, sprinkling numbers into a short password does little for its strength. What matters is how many possibilities an attacker has to try, and a handful of letter-for-number substitutions adds far fewer of those than a few extra characters (or, better, a few extra words) does.

Passwords are an annoyingly bad user experience and an almost unusable way to maintain your personal security, but unfortunately they're still one of the best tools we developers have for keeping your information secure.

And thanks to a myriad of historical reasons and bad practices, we as users have been pushed into bad, hard-to-remember passwords.

Think about the times you have run into a site with ridiculous requirements enforced or suggested: things like "you must not use special characters" or "your password is too long". It's no wonder we as users have ingrained such bad habits into our passwords.

The Solution: Passcodes, Password Managers, and 2-Factor Authentication

There is a better way to create a password. If you're using an up-to-date password manager (e.g. KeePass, LastPass), then you only need to remember one "Entropic Passcode" (we'll call them "passcodes" for short); you can make it as long as you want, and it will be extremely secure as a result.

The best way to come up with your passcode is the EFF dice method, which is basically: roll 5 dice, look up the resulting five-digit number in the EFF Long Wordlist, write down that word, repeat. The long list has 7776 words (6^5, one per possible dice result), so if you do this 6 times you'll have picked 1 of 7776^6 = 221073919720733357899776 possible passcodes, roughly 77.5 bits of entropy, which is well out of reach of brute-force guessing.
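The dice method above, worked in code. This is an added example and not the post's own code: it parses the EFF wordlist file format (one "dice-key<TAB>word" pair per line, keys running 11111 to 66666), rolls the dice with a CSPRNG, maps a dice key to its position in the list, and computes the passcode space the post quotes. The three-line wordlist in the block is constructed here for illustration; load the real EFF long list to generate a usable passcode.

```python
"""EFF dice-method passcode generation (added example, not from the post).

Assumptions: EFF long-list file format is 'key<TAB>word' per line; the
SAMPLE_WORDLIST_TEXT below is a constructed three-entry stand-in for the
real 7776-line list.
"""
import math
import secrets

DICE_PER_WORD = 5
SIDES = 6
WORDLIST_SIZE = SIDES ** DICE_PER_WORD  # 7776 entries in the EFF long list

# Constructed sample in the EFF file format (the real list has 7776 lines).
SAMPLE_WORDLIST_TEXT = "11111\tabacus\n11112\tabdomen\n66666\tzoom\n"


def parse_eff_wordlist(text):
    """Parse 'key<TAB>word' lines into a dict {dice_key: word}."""
    words = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        key, word = line.split("\t", 1)
        if len(key) != DICE_PER_WORD or any(c not in "123456" for c in key):
            raise ValueError(f"bad dice key: {key!r}")
        words[key] = word
    return words


def roll_dice_key(rng=secrets):
    """Roll five dice with a CSPRNG and return them as a key such as '31652'."""
    return "".join(str(rng.randbelow(SIDES) + 1) for _ in range(DICE_PER_WORD))


def dice_key_to_index(key):
    """Map a dice key to its 0-based list position: '11111' -> 0, '66666' -> 7775."""
    index = 0
    for ch in key:
        index = index * SIDES + (int(ch) - 1)
    return index


def index_to_dice_key(index):
    """Inverse of dice_key_to_index."""
    digits = []
    for _ in range(DICE_PER_WORD):
        index, d = divmod(index, SIDES)
        digits.append(str(d + 1))
    return "".join(reversed(digits))


def passcode_space(num_words, list_size=WORDLIST_SIZE):
    """Return (number of possible passcodes, equivalent bits of entropy)."""
    return list_size ** num_words, num_words * math.log2(list_size)


def generate_passcode(wordlist, num_words=6, rng=secrets):
    """Pick num_words words by dice roll from a complete, position-ordered list."""
    if len(wordlist) != WORDLIST_SIZE:
        raise ValueError("need the complete 7776-word list, in dice-key order")
    chosen = [wordlist[dice_key_to_index(roll_dice_key(rng))] for _ in range(num_words)]
    return "".join(w.capitalize() for w in chosen)


if __name__ == "__main__":
    sample = parse_eff_wordlist(SAMPLE_WORDLIST_TEXT)
    print("11112 ->", sample["11112"], "at index", dice_key_to_index("11112"))
    combos, bits = passcode_space(6)
    print(f"6 words: {combos} passcodes, {bits:.1f} bits")
```

With the real list loaded as `[words[index_to_dice_key(i)] for i in range(7776)]`, `generate_passcode` produces a six-word passcode; the CSPRNG stands in for physical dice, but the lookup and entropy arithmetic are exactly those of the manual method.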

For example, you could end up with:

CorrectHorseBatteryStaple ¹

The reason this is better than something like Tr0ub4dor&3 is primarily length: four words chosen at random from a large list give far more possibilities (xkcd puts it at roughly 44 bits of entropy versus about 28 for Tr0ub4dor&3), each extra word multiplies the guesses a computer has to make, and it's far easier to remember.

Source: https://www.xkcd.com/936/

When combined with a password manager, even if one site's password is compromised, your accounts on other sites stay safe, because every site gets its own password, randomly generated by your password manager and never reused.

2-Factor Authentication is another way to combat your password being stolen. If you have to enter a continuously changing code (typically a six-digit number that an authenticator app on your phone regenerates every 30 seconds from a secret shared with the site) in addition to your password, then even if your password is stolen, an attacker still needs access to your phone or other device in order to wreak havoc. Authy is my personal favourite, as it also securely backs up your 2-factor keys.

In Short

  1. Generate a long, secure passcode using the dice method.
  2. Use a password manager for your day-to-day logins, and protect it with that passcode.
  3. Use 2-Factor Authentication wherever it's available.

One last note

If you’ve been using the same password everywhere, you should definitely check out have i been pwned? (https://haveibeenpwned.com). There, you can plug in your email address and find out whether any of your accounts has turned up in a known data breach.

Yes, I have been pwnd.

If you have, then it’s definitely time to change that password everywhere it was used, and to stop reusing it.

Stay safe out there!

¹ Don’t use this particular passcode, it’s from an xkcd comic