Written for the average online user, this guide focuses on how to better create and manage passwords.
Passwords in general aren’t a very good security function, but they aren't disappearing any time soon. However, following these suggestions will increase your security, an important component in improving your online privacy.
This guide is part of a series about improving online privacy:
- Intro: privacy is a universal right – an introduction to what privacy is and why it's important.
- Step one: change your online habits – begin with these simple changes.
- Step two: plugins that block and protect – continue by blocking trackers, and more.
- Step three: create better passwords – you are viewing this guide.
What makes for a good password
The following guidelines are based on scientifically researched recommendations from the National Institute for Standards and Technology (NIST).
Use a passphrase
That's right, stop making one-word, easily guessable passwords. Instead, string a bunch of words together to make a passphrase. Something like "dolphinsjumpintheocean" is much better than "dolphins".
Use at least 8 characters
Password length is important, and 8 characters should be considered the absolute minimum, with no upper limit. Using a passphrase easily gets you into double-digit territory.
Choose password memorable only to you
Create a password that is easy for you to remember and difficult for an adversary to guess.
The best way to do this is with a passphrase composed of a few words that have some related association to you but will seem random to others. Love your car? Choose a few words related to it, such as "whiteminivansixteencupholders".
This XKCD comic sums it up pretty well.
Source: xkcd.com, made availabe under Creative Commons Attribution-NonCommercial 2.5 License.
Use a unique password for each service
Using the same password for multiple accounts is dangerous because if one account is compromised, it's pretty easy for someone to test that password elsewhere. Oops!
Keep it simple
Avoid complex rules when composing your passwords – no more special characters or always capitalizing the third and fifth letters. Instead, focus on the length of your password (once again, passphrase).
Avoid your mother's maiden name
If, when signing up for a service, you are required to answer predefined questions for potential password recovery, think twice about giving actual, verifiable answers. While it's great that you remember your mother's maiden name and the first street you lived on, it's likely that an adversary can figure those out as well.
Use a password manager
Now that we've urged you to use long, unique, and memorable yet random passphrases for every single login, you're probably wondering how we expect you to remember them all. The answer is simple – with a password manager.
A password manager is an application offering secure and encrypted storage for all of your passwords in one convenient location. In general, you only need to remember one complex password (passphrase!) to unlock the password manager and access your information.
Multiple solutions are available, depending on your platform of choice and the type of manager you want. For further information, we recommend checking out the following password managers and learning about what they offer:
Use multi-factor authentication
Multi-factor authentication, also known as two-step verification, requires a user to prove his or her claimed identity through a combination of two or more methods, or factors.
In many cases, the website that you are logging in to will first ask for your password and then send a one-time code to a phone that you have previously confirmed is yours. You would then also enter the code on the website.
Using multi-factor authentication makes it much more difficult for someone to impersonate you because an adversary would need to not only know your password but also be in possession of your device.
To learn more, we refer you to these well known multi-factor authentication providers:
Last but not least, while you will naturally want a good passphrase for unlocking your computer, set it to automatically lock after a defined period of non-use, ideally just a few minutes. Otherwise, what's the point of a password at all if you leave your device open for anyone to access? This goes for your tablet or smartphone as well.