Passwords. How do we remember them? Where do we store them? And do we really have to change them so often?
In this post, I share some wisdom on password security. I offer tips on how to keep track of your passwords and look them up when you forget. And, I suggest some alternative approaches to keeping your passwords safe if none of the others agree with you.
Last year, Lorrie Faith Cranor gave an excellent TED Talk on password security. A researcher at Carnegie Mellon University, Lorrie hired humans through Mechanical Turk to help her team choose various password characteristics and analyze their effectiveness.
Creating Secure Passwords
In her talk, Lorrie shares common passwords that are easy to guess, such as “password” and “12345678.” She offers insight on the password versus the pass phrase. Contrary to the famous xkcd cartoon, “Password Strength,” a person stringing three or four words together seemingly at random is not likely choosing words that would be hard for someone else to guess.
Finally, Lorrie’s research indicates the potential value of passwords that are both pronounceable and not actual words in any language. She suggests you take a series of letters, mash them together into a new word, give that word meaning for yourself, and you might have a password that will be tough to crack.
I recommend a combined approach that fulfills the requirements of most of the password-based login systems you find on the Internet:
- Start with an abbreviation that represents the site or service for which you are creating a password
- Follow with a short phrase (3–5 words) that is memorable to you and easy for you to type, but not commonplace enough for others who know you to guess. (Some systems do not permit spaces so only include them if you’re allowed.)
- Now, modify your phrase using leetspeak, a common language among hackers, or some other substitution code. This Leet Converter might be of use if you need some inspiration.
With this system, you will be able to create 15- to 30-character passwords that are consistent enough for you to remember while secure enough to prevent a hacker from guessing your login. Hopefully, the sites you use do not get hacked and passwords stolen.
Storing Passwords Securely
Now, where to keep your passwords from prying eyes? Well, where do you keep your keys in the real world? On a keychain perhaps?
Your Mac does just the same. When you permit your web browser to save a password you just used to log into a website, it gets stored on your “keychain,” a Mac convention for securely storing this kind of data. Naturally, your Mac has a utility called Keychain Access where you can get access to any of these passwords.
You can find Keychain Access in the Utilities folder in Applications or search for it using Spotlight (the magnifying glass on the menubar). Then, you can easily search for a password by website or network or server name. Double-click an entry to open it, check the “Show password” box, and enter your computer password to give permission. (So, you will also want to have a secure computer password since it alone secures all the other passwords you permit your web browser, email application, and Wi-Fi system to store.)
How often do you forget your wifi password? Now you know how easily you can find it to share with friends and family when they visit.
There are other utilities that may make it easier to create, store, and use secure passwords. One of the leaders is 1Password by AgileBits. Once you enter your chosen master password, 1Password can create strong, unique passwords and enables you to easily log into websites with one click.
It will also store all sorts of other private information like financial account numbers, identity info, and much more. My only gripe with 1Password is that it does not have a template for storing hardware serial numbers. 1Password uses common platforms like iCloud and Dropbox to sync your secure vaults among various devices like your Mac and iPhone.
Apple has added similar functionality for password generation and syncing to OS X and iOS. iCloud Keychain generates strong passwords in Safari and stores account names, passwords, and credit card numbers in iCloud. However, it lacks as many generation choices as 1Password.
Alternatives to Keep Passwords Safe
If storing your passwords on your computer or in the cloud (that is, on a distant server on the Internet) makes you uncomfortable, you will want to choose an alternative approach that is still difficult for a hacker or thief to decipher. Create a password-protected file on your computer. Print your account list and store it in a safe deposit box. Choose a folder hidden in an unusual place or category in your filing system.
There are many possibilities for keeping your passwords safe so you might not have to change them too often — except for the handful that require changing every few months. You could even choose not to remember your passwords at all. Instead, click “Forgot Password” or other password reset links and create a new one every time.