Trying to create strong and, more importantly, memorable passwords for all the different services that you use can be a real problem. Every site seems to require a different password length and combination of character types, which you often aren’t told about until after entering a non-compliant password. Combine this with being forced to change your password regularly and it is easy to see why people fall into bad password practices, such as changing a number at the end of the password at each forced change, reusing them between different sites and services, or using a easily remembered pattern. There are a few different ways to simplify things for yourself while still being secure and two of the easiest, in ascending order of complexity, are using passphrases rather than passwords, and using a dedicated password manager tool or service.
As the name suggests, a passphrase is essentially a longer version of a password that contains multiple words or a full sentence. As the comic strip below shows, a longer passphrase is inherently more secure than a shorter password even if the password includes numbers and other characters, and it is also much more likely to be memorable.
The passphrase could be several words picked at random, as in the comic strip, or it could be something more memorable and related to the purpose of the site or service. For example, a passphrase for Facebook might be ‘Used for updates from friends‘ , which according to a password strength checker would take 695 octillion years for a current PC to crack – that’s 695,000,000,000,000,000,000,000,000,000 years! Unfortunately, a large number of organisations still enforce password format rules (such as defined maximum lengths, requiring numbers and special characters (or not), and requiring regular changes), that even the originator of many of those rules now says were naive and encourage bad password practices. However, wherever you can use a passphrase, you should.
While the new password recommendations filter through to the websites that we use, an alternative way to get maintain good security practices, and your sanity, is to use a password manager. A password manager is a piece of software or an online service that securely stores your passwords, can generate new ones for you automatically, and can enter them into web forms for you. The big advantage of these tools is that you can use them across all your computers, smartphones and tablets with changes synchronised automatically and create secure passwords that meet the requirements of any organisation. When picking a password manager the main choice is whether you want an online service or software that runs only on your computers and devices – online is more convenient but it means trusting a company with your data (though it is encrypted so they can’t actually read it), while the local software method is potentially more secure but can make synchronisation between devices more complex. Popular online tools include LastPass and DashLane, both of which have a free basic service and a paid service with extra features, while KeePass is a free, comprehensive tool that is available for Windows, MacOS, Linux, iOS and Android – there is even a ‘portable‘ windows version that runs entirely from a USB stick so you can always have access to your passwords, while the mobile ones can often use a smartphone’s fingerprint scanner instead of a passphrase. Most password managers have browser plug-ins that make it really easy to create new passwords for websites and enter existing ones. You should always use a strong passphrase to secure your password manager, but this should be easier as it is the only password that you’ll need to remember..