On Twitter, _th1nk3r asked:
I answered yes, and Khaosus asked if there was an article about my recommendation. I don’t know that there is, so I offered to write one.
First, let’s talk about the problems we run into. People are generally not that good at coming up with passwords. I always tell people that they can make my job much harder by ensuring that no one uses any of three particular passwords. I wrote about that for the Rapid7 blog. Those three passwords that I always find are:
- Variations of “password”. Things like Password1, Password123, or P@$$w0rd
- Variations of the site’s or company’s name
- SeasonYear, because we make people change their password every three months.
Longer is better, but if people just use “Password1Password1”, we’ll probably guess that. The other thing that people will do if you just require a long password is a keyboard walk. What’s that? It’s when you just use consecutive characters on the keyboard like “Asdfjkl;qwertyuiop”. But let’s stick with the fact that a longer password is more secure for now, and we’ll talk about how to make it stronger in a moment.
People also love to refer back to the XKCD comic:
We’re getting closer. The comic says to choose four random words and stick them together. That does make a long password that will not be easily guessable. And is it memorable? Maybe, but maybe not. It will still be a potentially crackable password, if that’s something you care about, as those are just four words from the dictionary and password cracking machines can guess at those.
People should then just bang on the keyboard and generate some random string of characters and use that, right? Well, no. We don’t want people re-using passwords for everything either, as if the password gets leaked one place, it’s then like a skeleton key for everything.
So we want people to remember a long, complex string of characters that is unique for everything? That takes us back to where we started. A strong, complex, memorable password that isn’t re-used. How do we do that?
Here’s my solution. I’m not going to claim to be the first person to come up with this, as it’s very likely others did before me. If anyone sees links to someone else saying the same thing, I’m happy to add credit here.
First, get a password manager. Any of them, I don’t care which one: LastPass, 1Password, Dashlane, whatever. Let it create and remember the passwords for you. It will remember your passwords and even auto-fill them into the correct web sites. They also let you store other secrets, so if you want to store your mobile device passcode, you can store it there. Want to share the Netflix password with the family? There are family plans where you can choose which passwords to share with others in your family plan. All you need to do now is remember one strong, complex password to log in to the password manager, and it will create and manage all the others! Great!
Actually you need one other one, a second strong, complex and memorable password. A password manager doesn’t help you to log on to your workstation/laptop, so you’ll need one for that as well. Ok, so you need to remember two strong, complex and memorable passwords. How will you do that? Like this:
Have you ever had a memorable event in your life? Sure you have. Here are some examples:
- My son was born on February 11th, 1984. It was a Tuesday.
- I got married on December 1, 1978. The honeymoon was in Hawaii!
That’s the password?!? No. That’s way too much. Let’s make them shorter. Just take the first letter from each word, keep the numbers, keep the punctuation and see what we get:
The first one is a 19 character password that is long, complex and memorable. The second is 17 characters, which is also long and complex. If I’d shown you those passwords before explaining it, you’d probably think they are just randomly generated characters. But because they’re derived from something that is memorable to you, the password will be memorable as well.
On Twitter Ted Pavlic also suggested using song lyrics, which is a great idea.
“Bye bye Miss American Pie, drove my Chevy to the levy but the levy was dry…”
“All in all, you’re just another brick in the wall!”
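The first-letter rule above, plus a check for the three guessable patterns and the keyboard walk listed earlier, as an added Python example (my code, not the post’s). The tokenization is an assumption of mine: a word that starts with digits keeps its leading digit run, any other word keeps its first letter, and trailing punctuation is kept; the QWERTY rows, season list and leet-speak map are constructed.

```python
import re
from typing import Optional

# Constructed tables: US QWERTY rows for keyboard-walk detection, the seasons used in
# the SeasonYear pattern, and a small leet-speak map so "P@$$w0rd" still reads "password".
_ROWS = ["qwertyuiop", "asdfghjkl;", "zxcvbnm,./", "1234567890"]
_SEASON_YEAR = re.compile(r"(spring|summer|autumn|fall|winter)\d{2,4}")
_LEET = str.maketrans("@$50!1|3", "assoiiie")
# Assumed tokenization of the post's rule: a word that starts with digits keeps its
# leading digit run ("11th" -> "11"), any other word keeps its first letter, and the
# punctuation that trails a word is kept.
_TOKEN = re.compile(r"^[^A-Za-z0-9]*([0-9]+|[A-Za-z])[A-Za-z0-9']*([^A-Za-z0-9']*)$")

def derive_mnemonic(sentence: str) -> str:
    """Turn a memorable sentence into the post's first-letter password."""
    parts = []
    for token in sentence.split():
        m = _TOKEN.match(token)
        if m:  # tokens that are pure punctuation contribute nothing
            parts.append(m.group(1) + m.group(2))
    return "".join(parts)

def weak_pattern(password: str, site_names=()) -> Optional[str]:
    """Name the guessable pattern the post warns about, or None if none matches."""
    p = password.lower()
    leet = p.translate(_LEET)
    if "password" in leet:
        return "password variant"
    if any(name.lower() in p or name.lower() in leet for name in site_names):
        return "site or company name"
    if _SEASON_YEAR.search(p):
        return "season+year"
    for row in _ROWS:
        for i in range(len(row) - 3):
            walk = row[i:i + 4]
            if walk in p or walk[::-1] in p:
                return "keyboard walk"
    return None

if __name__ == "__main__":
    for sentence in ("My son was born on February 11th, 1984. It was a Tuesday.",
                     "All in all, you're just another brick in the wall!"):
        pw = derive_mnemonic(sentence)
        print(f"{pw!r} ({len(pw)} chars) -> {weak_pattern(pw) or 'no known pattern'}")
    for bad in ("P@$$w0rd", "Summer2023", "Asdfjkl;qwertyuiop"):
        print(f"{bad!r} -> {weak_pattern(bad)}")
```

Under these assumptions the first sentence from the post yields a 19 character string, matching the count given above; the author’s own derived strings are not shown on the page, so a different tokenization may give a slightly different result.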
There we have it. We came up with a solution to the problem. We are able to have a strong password for every site that we use (with the password manager) and we have a strong, complex, yet memorable password to log in to the password manager and a totally different one to log in to the workstation/laptop.
Would love to hear feedback on this approach.