Passwords are often the weak link in data security. You can build the most secure system in the world, but as soon as someone sets their password to 12345, you might as well leave the front door open.

Good passwords are essential to data security, and this article has everything you need to know about creating and keeping track of good passwords.


Why Are Passwords Important?

First, why are good passwords important? In 2013, Ars Technica gave three experts a leaked file of about 16,000 hashed passwords. The “winner” of the contest cracked 90% of them; even the “loser” cracked 62% in a few hours. When a breach at a major corporation happens, attackers walk away with hundreds of thousands (sometimes millions) of hashed passwords. A hash is not encryption: it is a one-way fingerprint of the password that cannot be reversed, but it can be guessed against, by hashing candidate passwords and comparing the results. If the site used a fast, unsalted hash such as MD5 (as in the Ars experiment), a single GPU can test billions of candidates per second, and the vast majority of real-world passwords fall in under a day. Each one then compromises that user’s account on the breached website and on any other website where the same password was used.

You want to have one of the passwords that doesn’t get cracked so you don’t wake up a few days later to an email receipt because Amazon just billed you for 1,000 tins of uranium ore and shipping to someone in North Korea. Or the entire Xbox game catalog and shipping to a teenager in Nebraska.

What Makes a Good Password

A good password is unique, not found in the dictionary, long, and contains letters, numbers, and symbols.

Unique means not using the same password for multiple sites. If you reuse the same password across multiple sites, someone who gets hold of your password for one of those sites can access your accounts on all the others. For example, if there is a security breach on the Target website, and you reused that password for your Gmail account, both have been compromised.

In practice, it is probably okay to share a password between sites that hold little personal information and could do you little harm if hacked. It won’t do anyone much good to have your NYTimes.com password, for example, even if you also use it on Pinterest. Two cautions, though: a breach at the low-value site still hands the attacker a password to try everywhere else, and once you use a password manager (below) there is no reason to reuse anything at all. Never reuse passwords for important things.

Not found in the dictionary means don’t use real words, or real names, for that matter. When cracking password hashes, one of the first things an attacker does is run through every word found in a dictionary, common names, previously leaked passwords, and combinations of all of those things. Changing some letters to look-alike symbols, like replacing L with 1 or A with @, is probably the easiest way to get numbers and symbols into your passwords, but be aware that crackers apply exactly these substitutions as “rules” to every word in their lists, so P@ssw0rd buys you very little over password. Nonsense strings that appear in no list are what survive.
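To make the dictionary-plus-rules attack described above concrete, here is a miniature cracker, added as an example for this article (it is not code from the article’s author or from any real cracking tool). It builds guesses from a tiny wordlist by applying case changes, the leet substitutions just mentioned, and common suffixes, hashes each guess with unsalted MD5, and checks it against a set of leaked hashes. The wordlist, the rule set, and the six “leaked” passwords (five weak ones and one 22-character random string) are constructed for the example; real attackers run hashcat or John the Ripper with wordlists of tens of millions of entries and far larger rule files, on GPUs, at billions of guesses per second.

```python
import hashlib
import itertools

# A tiny wordlist, constructed for this example; real attacks use lists with
# tens of millions of entries (every previously leaked password, for a start).
WORDLIST = ["password", "letmein", "dragon", "target", "qwerty", "summer", "monkey"]

# Leet substitutions that crackers apply as rules to every dictionary word.
LEET = {"a": "@4", "e": "3", "i": "1!", "o": "0", "s": "$5", "l": "1", "t": "7"}

# Suffixes people bolt on to satisfy "must contain a number or symbol" policies.
SUFFIXES = ([""] + [str(n) for n in range(100)]
            + [str(y) for y in range(1990, 2020)]
            + ["!", "!1", "123", "!123"])

# Passwords we pretend a breached site stored as unsalted MD5 (constructed).
# The last one is 22 random printable characters and should survive.
SAMPLE_PASSWORDS = ["password1", "P@ssw0rd", "Dragon99", "letmein!",
                    "Target2013", "k7#Qp2!vL9mZ$wR4xT8@bN"]


def leaked_hashes(passwords):
    """What the attacker actually obtains: a set of unsalted MD5 hex digests."""
    return {hashlib.md5(p.encode()).hexdigest() for p in passwords}


def leet_variants(word):
    """Yield every way of substituting zero or more letters of `word`."""
    pools = [[ch] + list(LEET.get(ch.lower(), "")) for ch in word]
    for combo in itertools.product(*pools):
        yield "".join(combo)


def candidates(wordlist):
    """Dictionary word x case rule x leet rule x suffix rule."""
    for word in wordlist:
        for cased in (word.lower(), word.capitalize(), word.upper()):
            for variant in leet_variants(cased):
                for suffix in SUFFIXES:
                    yield variant + suffix


def crack(hashes, wordlist):
    """Return {hash: plaintext} for every hash hit by some candidate."""
    remaining = set(hashes)
    found = {}
    for guess in candidates(wordlist):
        if not remaining:
            break
        digest = hashlib.md5(guess.encode()).hexdigest()
        if digest in remaining:
            found[digest] = guess
            remaining.discard(digest)
    return found


if __name__ == "__main__":
    hashes = leaked_hashes(SAMPLE_PASSWORDS)
    found = crack(hashes, WORDLIST)
    print(f"cracked {len(found)} of {len(hashes)}:")
    for digest, plain in found.items():
        print(f"  {digest}  {plain}")
```

Five of the six fall within roughly 60,000 guesses; the random one is untouched because it matches no word, rule, or suffix. Note what the breached site could have done differently: a salted, deliberately slow hash (bcrypt, scrypt, or Argon2) makes each guess cost milliseconds instead of microseconds, which is why leaked bcrypt hashes crack so much more slowly than the MD5 file in the Ars experiment.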

Long is sort of a moving target, but 12–14 characters is a sensible minimum, and more is better. A password of 22 characters chosen at random from the 94 printable ASCII characters has about 144 bits of entropy, far beyond what any brute-force search can exhaust, which is where the “22 characters” figure comes from. The catch is the word random: length only counts if the characters are unpredictable. A 22-character string made of two dictionary words and a year is attacked by dictionary, not by brute force, and falls quickly.

The password scheme popularized by Randall Munroe in his webcomic XKCD (four random common words strung together) may no longer be good advice, by the way, according to security expert Bruce Schneier. Crackers are on to it, he says in his own guide to good passwords.

As Trevor Gau points out in the comments, there is a spirited debate about this in the comments to Schneier’s post, and in another comment Joseph McDaniels elaborates further. Here’s my takeaway: you can’t go wrong with long and random.
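Here is the arithmetic behind “long and random,” as an added example that is not part of the original article. It computes the entropy, in bits, of a password whose symbols are chosen uniformly at random, converts that to the time an attacker would need to try every possibility, and compares several schemes side by side, including a single dictionary word under rule-based substitution, which is what the XKCD debate is really about. The guess rate of 10^11 per second, the 7776-word Diceware list, and the 170,000-word dictionary with 1,000 rule variants are assumed round numbers, not measurements. The generator uses Python’s secrets module, because the random module is not suitable for passwords.

```python
import math
import secrets
import string

PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
SECONDS_PER_YEAR = 365 * 24 * 3600


def entropy_bits(alphabet_size, length):
    """Entropy of `length` symbols each drawn uniformly at random from
    `alphabet_size` choices: log2 of the number of passwords to search."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits, guesses_per_second):
    """Time to try every possibility at the given guess rate."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR


def random_password(length=22, alphabet=PRINTABLE):
    """Generate a password with the `secrets` CSPRNG (never use `random`)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


# (alphabet size, number of symbols) per scheme. The dictionary size and rule
# count in the last entry are assumed round numbers for illustration.
SCHEMES = {
    "8 random printable characters": (94, 8),
    "12 random printable characters": (94, 12),
    "22 random printable characters": (94, 22),
    "4 random Diceware words (7776-word list)": (7776, 4),
    "6 random Diceware words (7776-word list)": (7776, 6),
    "1 dictionary word + leet/suffix rules (170k words x 1000 rules)": (170_000 * 1000, 1),
}


def compare(guesses_per_second=1e11):
    """Return [(scheme, bits, years_to_exhaust)] sorted weakest first."""
    rows = []
    for name, (alphabet, n) in SCHEMES.items():
        bits = entropy_bits(alphabet, n)
        rows.append((name, bits, years_to_exhaust(bits, guesses_per_second)))
    return sorted(rows, key=lambda row: row[1])


if __name__ == "__main__":
    # 1e11 guesses/s is an assumed rate, roughly one GPU rig against a fast,
    # unsalted hash such as MD5. A slow, salted hash such as bcrypt cuts the
    # rate by several orders of magnitude.
    for name, bits, years in compare():
        print(f"{bits:6.1f} bits  {years:12.3g} years  {name}")
    print("example 22-character password:", random_password())
```

Eight random characters last well under a day at that rate, four Diceware words about as long, twelve random characters on the order of a hundred thousand years, and 22 random characters effectively forever. The dictionary-word-plus-rules entry comes last at under 30 bits, which is why the substitutions in the previous section do so little: the attacker is not searching 94 symbols per position, only a list of words times a list of rules.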

Extra Security

Scramble Your Username

Consider scrambling your username, too. Or, if you must use an email address and you have a Gmail account,[1] you can add a tag to the address so that your plain email address won’t match the account. Gmail delivers anything sent to name+anything@gmail.com to name@gmail.com, so if your email address is name@gmail.com, you could register as name+1j4k5@gmail.com, making it harder for someone to figure out which email address goes with your account. You could even use something simple like the domain name of the website (e.g., name+nytimes@gmail.com), which is easier to remember, still better than your “naked” email address, and tells you which site leaked your address if the tagged version starts receiving spam. Treat this as obscurity rather than security: anyone who obtains the site’s user database sees the tagged address, and some sites reject a + in email addresses.

Multi-Factor Authentication

Multi-factor authentication (usually just two factors, in practice) bolsters security by pairing something you know, your password, with something you have, usually your phone. When you log in to your account, you must enter your password and a one-time code sent to your phone or generated by an app or key fob. Some services (Clio, for example) can also send the code to your email address. With two-factor authentication turned on, an attacker needs more than just your password to access your account. Codes generated on the device (an authenticator app or a hardware token) are the stronger option; codes sent by SMS or email can be intercepted by someone who takes over your phone number or your mailbox, though either is still far better than a password alone.

You should enable two-factor authentication for anything you care about, like your email account, password manager, and practice management software.
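The “code generated by an app” is, in nearly every authenticator app, TOTP (RFC 6238): the app and the server share a secret, and the six-digit code is a truncated HMAC-SHA1 of the current 30-second time step. The following is an added example, not code from the article or from any particular service; it implements both the phone side (generating codes) and the server side (verifying them with a tolerance for clock skew) using only the Python standard library. The setup key is the RFC test secret, used here as a constructed example; a real secret is random and specific to each account.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 4226/6238 test secret (ASCII "12345678901234567890"), base32-encoded the
# way authenticator apps receive it in a QR code or setup key. Constructed
# example only; a real secret is random and unique per account.
SETUP_KEY = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(setup_key):
    """Authenticator setup keys are base32; spaces and case are cosmetic."""
    key = setup_key.replace(" ", "").upper()
    key += "=" * (-len(key) % 8)  # restore any stripped padding
    return base64.b32decode(key)


def hotp(secret, counter, digits=6):
    """HOTP (RFC 4226): dynamically truncated HMAC-SHA1 of the 8-byte counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, timestamp=None, step=30, digits=6):
    """TOTP (RFC 6238): HOTP with counter = Unix time // step. Phone side."""
    if timestamp is None:
        timestamp = int(time.time())
    return hotp(secret, timestamp // step, digits)


def verify_totp(secret, code, timestamp=None, step=30, digits=6, window=1):
    """Server side: accept the current step and `window` steps either side to
    tolerate clock skew, comparing in constant time. Returns the matched
    counter (so the server can refuse to accept the same code twice) or None."""
    if timestamp is None:
        timestamp = int(time.time())
    counter = timestamp // step
    for drift in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + drift, digits), code):
            return counter + drift
    return None


if __name__ == "__main__":
    secret = decode_secret(SETUP_KEY)
    print("current code:", totp(secret))
    print("RFC 6238 vector at t=59:", totp(secret, 59, digits=8))
```

Because the code is derived from a secret stored on both ends, the server holds something sensitive too: a breach of its TOTP secrets lets the attacker generate valid codes for every user, which is one reason hardware tokens and the public-key schemes discussed under The Future of Authentication below keep nothing reusable on the server. Returning the matched counter lets a server remember the last code it accepted and reject a replay of the same code within the skew window.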

Biometrics


The current trend in authentication seems to be biometrics: fingerprints, retina scans, and so on. The iPhone 5S, for example, includes Touch ID, which lets you unlock your phone (and do a few other things) with your fingerprint. While Touch ID (currently the most advanced biometric system on consumer hardware) is definitely more secure than nothing, it is not particularly difficult to fool. You leave your fingerprints everywhere you go, and as the Chaos Computer Club demonstrated soon after the iPhone 5S was released, Touch ID can be fooled with a fingerprint photographed off a glass surface and basic household items: a digital camera, a laser printer, and white wood glue.

Biometrics may be the future of authentication, but there are many problems left to solve. A fingerprint is an identifier, not a secret: you leave copies of it everywhere, and you cannot get new fingerprints or retinas if your old ones are “cracked.” For now, biometrics are not a substitute for a good password, and they seem to be easier to defeat if someone is motivated. They work best as a convenience layer in front of a strong passcode, which is how Touch ID is actually used: the phone still demands the passcode after a restart.

Password Managers

KeePass has a vulnerability in its automatic update check: the version information is fetched over plain, unauthenticated HTTP, so someone on the network path can tamper with it, and a user could end up downloading a malicious piece of software instead of a legitimate KeePass update. Users can mitigate that risk by disabling the automatic check and downloading updates only from the official KeePass site, verifying the published hash or the signature on the installer.

The best passwords are hard to remember, and even harder to type on a smartphone. And the more you are asked for your password, the more likely you are to use a shorter password that is easy to remember. So banking apps, for example, which typically demand your password every time you want to check your balances, are — perversely — discouraging you from using good passwords. One solution is to use a password manager like LastPass, 1Password, Dashlane, or KeePass. Or you could actually just write them down on paper.

Password managers encourage good-but-hard-to-remember passwords because you don’t actually need to remember them. You just need to remember one password: the one you use for your password manager, which should be really good and long and hard to crack, plus two-factor authentication. Everything else can be 22+ totally-random characters.

LastPass, Dashlane, and 1Password[2] are cloud-based password managers that sync your passwords between your browser, phone, tablet, and the cloud. This makes them an extremely convenient way to get at all those good-but-hard-to-remember passwords when you need them.

KeePass is a free, open-source, and cross-platform password manager. Its database is a single encrypted file, and there are third-party KeePass apps that can sync that file through Dropbox to your phone or tablet. KeePass is a good option, but LastPass, Dashlane, and 1Password seem to be more secure and more convenient.

Finally, writing down your passwords may seem old-school, but it is actually quite safe: the threats to your passwords are online, and a piece of paper is not. Bruce Schneier recommends it, and Vox recently wrote about why it might actually be the best way to keep your passwords. Just keep the paper somewhere you control, like your wallet, and don’t lose it.

The Future of Authentication

The password is far from perfect, and many call it broken. That’s why there are several efforts underway to “kill” the password. Apple’s Touch ID is one, and The Verge recently reported on the FIDO Alliance, which includes companies like Google, Microsoft, Bank of America, and MasterCard. FIDO is pushing public-key authentication: your device holds a private key that never leaves it and signs a challenge from the website, and the website stores only the matching public key. A breach of the site’s database then yields nothing an attacker can replay and nothing to crack. If it works, you could use a single device you carry with you to authenticate yourself across the web.

If FIDO catches on in the next few years, it may render this entire article obsolete. For now, make sure you are using good passwords for everything that matters.

Originally published 2014-04-18. Last updated 2015-09-24.

Featured image: “Through the Keyhole” by Peter Taylor is licensed CC BY 2.0.


  1. This tip works fine with Google Apps for Business accounts, and it may also work with non-Gmail accounts. Try it and let us know. 

  2. While both were “affected” by Heartbleed, neither was compromised, because your vault is encrypted on your own device before it is uploaded, so SSL was only one of multiple layers of security. Here are the Heartbleed blog posts from LastPass and 1Password.