The New (And Relieving) Rules For Secure Internet Passwords
A recent Wall Street Journal article starts “The man who wrote the book on password management has a confession to make: He blew it.”
That article is behind a pay wall, so I’m going to summarize it for you.
The new rules say you don’t need to use special characters, mixed cases, numbers, and all that to create a secure password (unless of course the website forces you to, which is another unfortunate issue). That old advice just led to short passwords that were hard for humans to remember but easy for hackers to guess or discover through brute force. Pa$$w0rd1 anyone? Oops, it’s been 90 days, time to change it to Pa$$w0rd2. Again. You get the idea.
Instead, use a series of memorable but seemingly unconnected words in one long string, because more characters are better. Lots better. There is even an internet-famous comic about it: correcthorsebatterystaple
That’s the WSJ article in a nutshell.
Of course there is a but: avoiding password commonality is also very important. So don’t go around using “correcthorsebatterystaple” or “thisismypasswordsucka” or anything else that many other people are likely to be using too.
Make sure to string together four or five otherwise unconnected words that you can remember but aren’t likely to be commonly used in passwords.
Unfortunately, chances are good you’re going to be pretty bad at that.
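As an added illustration (mine, not from the WSJ article or the original post), here is a small Python sketch of the two rules above: pick words uniformly at random from a large list, then check the result against a list of commonly used passwords. The word list and the "common passwords" set below are constructed stand-ins; a real tool would draw from a list of thousands of words and a breach-derived list of common passwords.

```python
import math
import secrets

# Constructed toy word list. A real generator draws from thousands of words;
# the 7776-word figure used in compare() is an assumption modelled on
# Diceware-style lists, not a value from the post.
WORDLIST = ["correct", "horse", "battery", "staple", "lantern", "velvet",
            "orbit", "pickle", "granite", "whisper", "tundra", "saddle",
            "comet", "mosaic"]

# Constructed stand-in for a list of passwords seen many times in breaches.
COMMON = {"password", "pa$$w0rd1", "pa$$w0rd2",
          "correcthorsebatterystaple", "thisismypasswordsucka"}


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy in `length` symbols chosen uniformly from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def passphrase(words, count=4, pick=secrets.choice) -> str:
    """Join `count` words drawn uniformly at random (secrets, not random)."""
    return "".join(pick(words) for _ in range(count))


def is_common(candidate: str, common=COMMON) -> bool:
    """True if the candidate is on the common-password list (case-insensitive)."""
    return candidate.lower() in common


def compare(wordlist_size=7776, word_count=5, char_count=8, charset=95):
    """Entropy of a k-word passphrase vs an n-character 'complex' password.

    95 is the number of printable ASCII characters; the comparison assumes
    both are chosen uniformly at random, which human-made passwords are not.
    """
    return {
        "passphrase_bits": entropy_bits(wordlist_size, word_count),
        "complex_bits": entropy_bits(charset, char_count),
    }


if __name__ == "__main__":
    print(compare())
    print("toy list, 4 words:", entropy_bits(len(WORDLIST), 4), "bits")
    print(passphrase(WORDLIST), is_common("Pa$$w0rd1"))
```

Note that four words from the 14-word toy list give only about 15 bits, which is why the size of the word list matters as much as the number of words.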
The Best Thing You Can Do
For the love of all that is good — and as referenced in the password commonality article — stop making up your own passwords. Instead, use a password manager such as 1Password (I use it), LastPass, or similar. You make one super-good password that you can remember and let the manager come up with ridiculously long and complex randomized passwords for you.
Fifty random characters including mixed cases and as many numbers and specials as I want? And I don’t have to remember it? Yum!
You get fast at entering your one long but memorable password when necessary, and the manager remembers and fills in your ridiculously long random password for each site. You can also store credit cards and other personal info in there for easily filling out forms, or just use it as a vault for social security numbers and the like.
And now you can turn off and purge your browser auto-fill. I’m pretty sure you don't want someone who just took your laptop to auto-waltz into your bank website or whatever. Let the password manager auto-fill those login credentials after you've entered your master password for an extra level of security.
Theoretically someone could hack your password manager. I don’t know, I trust a company whose sole reason for being is security more than I trust my ability to repetitively create and store secure passwords. I trust it more than sticky notes or that sheet of paper in the desk drawer. If I can’t access a website when I’m on another computer or device (which is rare) I can use the “forgot password” feature that every site has. It feels like an obvious choice to me now, even if at first it was a little scary to make the leap. And, yes, it costs money.
So, there you go. Go forth and be ever more secure on the big, bad internet.