Password tips

Passwords are important. Basically your entire online life, and a lot of your offline life, is protected in some way by passwords. In many cases, other peoples' lives are protected by your passwords; this applies, for example, if you have access to personal information on others through your professional position.

Yet passwords often get the short end of the stick. Lots of people use simple passwords; it is common for people to use a single password or a small number of different passwords; and most passwords that people use aren't very imaginative, let alone random. Lists like "the top 1000 passwords on the Internet" show up every once in a while, and invariably, a large fraction of accounts can be broken into using those relatively few passwords. There are relatively easy ways to not be one of the easy targets.

Terminology: entropy

An important word to know with regards to passwords is entropy. Without going into mathematics, "entropy" in the context of passwords is simply a measure of how difficult a given password would be to guess.

The entropy of a password can barely be defined, but the entropy of a method of generating passwords can be defined. The entropy is an expression of how many different passwords can be generated by the method of generating passwords, often expressed in terms of bits. Adding one bit doubles the number of possible passwords.

Many attacks on passwords can broadly be broken into two categories. There are social attacks, which rely on tricking you into divulging your password, where the password itself does not help much; and technological attacks, where the strength of the password can matter a great deal. Adding a few extra characters to your password, chosen at random, greatly increases the entropy of your password and thus its resistance to attacks.

How not to do it

The first myth to be done away with is that passwords should be possible to remember. For the very most part, memorable passwords tend to have low enough entropy that a computer these days can find them easily. We need something better.

The second myth that needs to be displaced is that attackers use the same web form to log in as you do. That just is not the case in many attacks. Rather, attackers often get their hands on account databases; huge lists of usernames, email addresses, password hints, (hopefully) well-protected versions of the passwords, and/or other paraphernalia. They then use huge numbers of computers to attack these directly. In this case, depending on the exact methods used by whoever had their password database leaked, a single computer can potentially easily check millions of candidate passwords per second (some multiple of 220/sec). A network of systems can quite quickly bring this number into the billions of passwords per second (some multiple of 230/sec). The NSA is claimed to have been, in 2013, able to try on the order of a trillion passwords per second (240/sec); realistically, they are unlikely to do worse today. Properly protected passwords can bring these rates down to dozens per second per computer or even less; 25/sec instead of 220/sec or so.

The third myth that has become obsolete is that you should never write passwords down. Actually, that is still about half true: what you shouldn't do is write passwords down in a way such that an attacker can get at them. For passwords that can reasonably be believed to be secure against modern attackers, writing them down is almost a requirement, but you have to pay attention to the manner in which you write them down.

How to do it

So how should we be selecting and handling passwords these days? In short, I recommend that you:

I go into more detail about each of these points below.

Do not share your passwords with anyone

It's really about as simple as that. There is virtually never any reason whatsoever to share your password with someone else, or divulge it anywhere but during the login process to the account it is protecting.

Social engineering attacks are called such because they focus not on the technological systems, but on the individual humans involved. And they are surprisingly effective; very often, they are far more effective than attacking the technology. Attackers using this technique can be very confidence-inspiring and sound very legitimate, so just because what they say sounds legitimate does not mean that they have your best interests at heart.

If you find yourself in the situation of thinking about sharing your password with someone, even someone you trust, consider if there is no other way to accomplish the same goal. Virtually always, there is.

A security-oriented professional should never, ever ask you for your password or other sensitive information. If they do, ask yourself why they need to know this information, why they need to get it from you, and if there is some other way to accomplish that same end.

For example: Why would your bank e-mail you and ask you to confirm your contact information in order to keep your account active? Why would they call you and ask you what your card number with them is? How could Microsoft afford the manpower to call their literally millions and millions of customers and help them, individually, to remove a virus from their (your) computer? And so on.

If a notice, particularly one that arrives as an e-mail, looks legitimate, then locate an older invoice, account statement or similar from the party involved and contact them using the contact information you already have for them. If it is legitimate, they will very likely be happy to help you out, but now you have contacted them on a point of contact that you already trust; if it's not, then you just potentially saved your account with them from being hijacked, and possibly even saved yourself from an attempt at real-world identity theft or monetary theft.

The simple rule is to never, ever divulge your password to anyone else. If you want someone to help you do something to your account, log in yourself while they look away and then let them sit down at the computer while you stand beside them looking on.

Use a password manager

A password manager is a special-purpose database program that is specifically designed to simply and securely store and retrieve passwords and other relevant details for user accounts. They often include password generators, and can include other convenience features such as auto-type, web browser integration, search, and subcategories to help organize your password collection. There are password managers offered as cloud services, as well as software running locally on a computer under your control.

Find one that you like and start using it. I personally do not trust storing passwords with an external entity (such as a cloud service provider) but even that, with a good master password, is probably safer against most realistic attackers for the vast majority of people than you trying to make up and remember potentially hundreds of different passwords, or reusing passwords. Just have an idea what you will do if you receive a notice that the database has been breached, and if you do receive such a notice, implement it immediately. This most likely involves changing every single password that you have stored in that database, because the confidentiality of those passwords can no longer be guaranteed.

If you have reason to believe that you might be of special interest to a determined adversary, then you should probably pay even closer attention to the above, as well as adjust it according to your personal threat model.

Whether you use an online or local solution, make sure you back up the password database regularly.

Use unique passwords everywhere

Never use the same password for more than one account. I don't care how clever you think your password scheme is or how much you love that password you came up with; just don't. If the confidentiality of one of the passwords is somehow breached, then any other accounts where you have used the same password are suddenly at much higher risk of compromise.

Similarly, never use an obvious pattern for passwords to different services, unless those passwords have sufficient underlying cryptographic strength to withstand a reasonable attacker's efforts anyway. (For example, it's not a problem to use similar-length passwords generated from a similar character set everywhere if and only if a password of that length generated from that character set would be secure anyway. If you use the password helloworld1 for some service, it is probably not a good idea to use the password helloworld2 somewhere else, but if you use aif2eeth1oh for one service then using yek1xiekool for another is probably fine.)

The easiest approach is to simply use a truly unique password for each and every account or other place that requires a password. That way, should that password somehow be compromised, you only need to change that single password and deal with that single account compromise.

Use random passwords everywhere

Don't try to come up with a password yourself. Use a properly generated, random password of sufficient strength for the thing, account or asset that you are trying to protect.

Passwords that you don't have to remember

Frankly, this is the vast majority of passwords. Password managers can generate and keep track of virtually any number of passwords, and they can use character sets that are difficult to type (because most places where you need a password allow copying and pasting passwords during entry).

For these accounts, simply use your password manager's feature to generate a long, random password with a large character set and use that. If you are unsure of which characters to use, you can start with the 32/Z85 character set:

0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ.-:+=^!/*?&<>()[]{}@%$#

This character set should be safe in most situations you are likely to encounter, and consists of digits, letters (lower- and uppercase), and special characters, but no whitespace, for a total of 85 different characters. A random password of appropriate length generated out of this set should be sufficient to satisfy any reasonable password requirements while providing reasonable cryptographic strength (log2(85) or about 6.4 bits per character). For example, a 14-character password using the 32/Z85 set where characters are selected in a truly random fashion will provide about 90 bits of security, which should be sufficient to protect against all but the most determined of adversaries. To match the theoretical strength of 128-bit AES, you need a 20-character password selected out of an 85-character set.

Passwords that you have to remember

Unfortunately, there are a few passwords that we simply, realistically, have to be able to memorize. System login passwords and password manager master passwords are the main candidates that lend themselves poorly to being stored in a password manager.

For these, I recommend the Diceware method of generating passwords. (Diceware-style passwords are also known as XKCD-style passwords after the Password Strength comic, XKCD #936, posted by Randall Munroe in 2011; you may see references to both, but they are essentially the same thing.) A Diceware password is made up of words, selected out of a dictionary of 7,776 different words, selected by throwing physical dice. The number 7,776 represents the possible outcomes of throwing a single six-sided dice five times (65 = 7,776), and each word is indexed in the word list by five digits from 1 through 6 (corresponding to the outcome of the dice throws). Each word added to the password contributes approximately 12.9 bits of cryptographic strength to the password. Because this method uses direct, physical randomness, we can directly estimate the cryptographic strength of a Diceware password; for example, a five-word password generated from this 7,776-entry dictionary provides about 64 bits of security, or a nine-word password provides about 116 bits.

With the standard Diceware dictionary, a separator is required, which works well if the system requires special characters in the password (just pick one that it likes as the word separator). Alternatively, the Electronic Frontier Foundation (EFF) has published a total of three alternative word lists, one "long" and two "short" lists, which are designed such that a separator is not required, although one can obviously still be used if desired. The "short" lists have fewer but shorter words, providing log2(64) = 10.3 bits per word instead of 12.9 bits per word. Hence, for approximately 64 bits of security with the short list, six words are needed giving about 62 bits of security, instead of five words from the long list for 64 bits of security.

The fact that Diceware passwords are made up of words is largely immaterial to their security. You could use the output of the dice directly, and the search space would be the same, but turning the numbers into words make the resulting passwords far easier to remember.

The most important part of generating Diceware-style passwords is that you must trust the randomness of the dice, and not try to improve on it or select words that are somehow more memorable to you. If you are unhappy with how it turned out, throw away the result and start all over. Anything less reduces the effective security of these passwords in a potentially unpredictable manner. This applies also to any generated password which makes sense in a linguistic sense; while this is unlikely, if the password reads as something you could say, then start all over.

Whichever word list you choose to use, properly generated Diceware passwords have a very strong advantage over actual phrases because it is actually possible to estimate their cryptographic strength while also being reasonably easy to memorize. Memorizing a six- or seven-word Diceware passphrase is perfectly reasonable; for most people, memorizing a 14-character 32/Z85 password is not.

If you can, something like a Yubikey configured to emit a static password can be used to greatly reduce the risk of someone shoulder-surfing your password. This static password can be used either as a prefix or a suffix to the password that you type. Yubikeys are not appropriate in all situations, and there are ways in which Yubikey static passwords can fail to significantly enhance the overall security, but if a Yubikey can work in your situation, strongly consider purchasing one and using it to enhance the security of the overall system. Do write down the password it emits and store the note in a secure location in case something happens to the Yubikey. Some cloud service providers allow you to use a Yubikey in one-time password mode to improve the security of the login process; do not confuse static password mode with one-time password mode.

Back up your password database, religiously

If you follow the advice elsewhere on this page, your passwords will be extremely difficult to crack. The vast majority of them will also, for all intents and purposes, be impossible to remember. If the password manager database becomes lost, corrupted, unavailable or otherwise can't be read by normal means, you will be in major trouble.

To protect against losing access to all of your accounts, you have to make regular backups of the file(s) that contain your password database. If the password manager is doing its job properly, the files on disk will be strongly encrypted with a key ultimately protected by your master password, and thus be relatively safe to simply back up as-is without any additional protection. Copy them to some other media regularly (the exact interval depends on how often you make changes to your password database and how important you feel those changes are), and keep a few old revisions in case one of them becomes corrupted for some reason. Make sure you don't forget the corresponding master password.

Do make sure to regularly test the copies. Nobody makes backups because it's such fun to make backups; people make backups in order to be able to restore a working copy of the file in question. Determine how to test the restorability of these copies, and test restoring them every once in a while. Never fully trust a backup that you haven't restored yourself.

If you are using local software on your own computer to store and manage the passwords, make sure to keep a copy of the installation file or archive for the version you are using, including any license keys or similar, together with the backed up password database. That way, should the need arise, you have everything on hand that is needed to get back to where you were on a completely new computer with an otherwise blank operating system installation.

Using a cloud service does not absolve you of the responsibility of making backups. In fact, unless you are specifically paying the provider to make backups and have successfully restored older versions of your data, assume that anything you store online is not being backed up at all and act accordingly. Locate some way to export or download the full list of accounts in a format that you can later import back into the solution, try it out, and download a copy of your database whenever you have made sufficient changes that recovering them manually would be difficult. Consider whether you can import the data into some other password manager, for example in case your preferred provider shuts down service for any reason. (This is less of a concern, but not completely eliminated, if you run a local software solution on your own computer.) Consider whether such an export needs any additional protection; if in doubt, contact your service provider. Again, keep a few old revisions in case one copy somehow becomes corrupt.

Decide on and stick to a reasonable minimum password entropy

I recommend not going below about 50 bits of security for most account passwords. This corresponds to maybe a few weeks of computing for a cybercrime-group level of attacker, which should be plenty enough to entice them to move on to easier targets, and provides a non-negligible hurdle for higher-funded attackers as well.

With Diceware-style passwords, this corresponds to a total of 20 dice throws, in turn corresponding to four words out of the ordinary-size dictionaries. With the 32/Z85 character set (or any other 85-character set) and random selection, this corresponds to 8 characters. With only lowercase letters and digits (a-z, 0-9), selected at random, it corresponds to 10 characters.

Keep in mind that this is what I suggest as a minimum and that, within reason, more is almost always better if you can wing it.

For high-value secrets, such as your password database, you should use a significantly stronger password. I suggest aiming for no less than 80-100 bits of security there, depending on your level of paranoia. Remember, if your password manager master password is broken, every password within it is compromised, so choose and treat the master password accordingly. 80-100 bits of entropy means 31-39 dice throws or 7-8 words for a Diceware-style password, or 13-16 characters selected at random out of a set of 85, or 16-19 characters selected at random out of a-z, 0-9.

Keep in mind that some ordinary passwords may also be protecting high-value assets. For example, if someone is able to gain access to your e-mail account, they can often issue password reset requests on various services and gain access to your other accounts that way. Take this into consideration when you decide whether a minimum-security password is sufficient for a particular account, or if a longer password is called for.

Going beyond 256 bits of password entropy is almost never worth it, even with a safety fudging factor. Hence, 20 Diceware words, 40 characters out of a set of 85, or 50 characters out of a-z 0-9, is the most you should realistically ever need.

Do not change your passwords needlessly

Some systems require you to change your passwords regularly, and if there is a forced policy in place that requires that you change your password, this obviously does not apply because it cannot apply.

However, most systems don't require regular password changes. For those, unless you have reason to believe that your password may have been compromised or otherwise might have become known to a third party, don't change your password.

If you follow the advice elsewhere on this page, your passwords will be plenty strong enough to resist almost any attacker for a very long period of time unless your own system is compromised.

If you follow the advice I give here, then

  • changing your password regularly does not make it significantly more difficult for an attacker to figure it out, and
  • if your own system is compromised, changing your password does not improve the security of your account unless you deal with the system compromise first

You should by all means change your password if you have any reason to believe that it has been compromised in any way. In fact, in such a situation, I would be the first to argue that you must change your password as quickly as possible, along with any answers to secret questions. (In such a situation, it might very well be better to immediately change to some simple password at the first indication of a breach, then change it again to a stronger one, just to lock an unauthorized person out of your account while you generate a new, strong password.) However, changing them every X weeks or months is pretty much completely pointless in most situations, particularly if you follow otherwise good password hygiene.

Make your passwords strong to begin with, and keep them to yourself. Then, unless the password is actually compromised, there should be very little reason to change them.

Do not use "secret questions" for password recovery

Many sites offer "secret questions" for password recovery. In effect, these form a secondary password which can be used to gain access to your account in case you forget your actual password.

Worse still, these are often limited to a small set of possible questions, with one answer given for each, and the stock questions tend to be about information that can be quite easy to get. Even if a potential attacker doesn't immediately have access to the information, any reasonable search space is usually far smaller than that of a proper length, random password.

Instead of filling these in truthfully, I recommend that you disable this altogether if that is possible. If you can't do that (if the system forces you to pick such "security questions" and provide answers), then at least provide reasonably long, but bogus, answers. Treat them as the passwords they are, and give garbage "answers" that have absolutely no bearing on the question and are no easier to guess than your actual password.

For example, if you absolutely have to provide an answer to a "secret question", and one option for the question is "in what town did you grow up?", don't answer it with anything remotely resembling the name of a real town, let alone the one where you actually grew up. Instead, here is a better answer that you could provide:

SsK}:aEjfkQ=koj-2t}$2$wxa:>#rTxg

If you are required to provide answers which look like words, turn to Diceware. For example, you could use (providing about 64 bits of security against someone who knows that you have a Diceware answer):

wow-witty-rap-bunny-pay

Of course, now that I have suggested these particular ones, don't use those, but rather something similar. At the risk of repeating myself, treat the answer(s) to these security questions as the passwords they are.

Write down the question(s) and answer(s) in the notes field in your password database, or as separate entries in the unlikely case that your password manager provides no separate notes field. That way, if they ever turn out to actually be needed, you will have them on hand, but they will be no easier to get to than your actual account password.

Consider using password-quality usernames

Not all services require your username to be public or memorable. Some even make a point of that your username is not publicly available information. If the one you are registering with falls into such a category, such as an online store or financial institution where you log in with something other than an e-mail address and which you can choose yourself, consider creating a password-quality username to use along with your high-quality password.

This is not for everyone, and it is not for every place where a password is needed. But where it applies, having a username that is not related to you in any way beyond being used for your account can make breaking into the account far more difficult because now an attacker has to guess both your username and its corresponding password.

By using a username made up of (for example) 3-4 Diceware words, the length of the username remains reasonable yet the username is far harder for anyone to guess. Since you are using a password manager anyway, there is little to keep you from using different usernames for different services.

A password-quality username is not at all a replacement for a high-quality password, particularly because usernames are rarely protected even remotely as well as passwords. However, in situations where it applies, a password-quality username can be a great complement to slow an attacker down.

Turn on any available last lines of defense

Use two-factor authentication, if available

Two-factor authentication relies on something more than just a password to provide additional security. This can be an access code delivered over SMS, or generated by a physical token in your possession, or some other method. This makes it much harder for someone to log in to your account should they be able to guess your password, significantly improving the security.

Two-factor authentication doesn't solve everything, and different methods have different security properties, but most turn what would have been an undetected attack against a static string (your password) into a significantly more overt attack against something that is far more likely to be detected. Using two-factor authentication will not stop a truly determined attacker, but it will make their job far more difficult.

Turn on login notifications, if available

If the service offers some form of notifications on login, turn those on. Make sure those notifications are delivered to some place other than the service or system that they are about. That way, should someone be able to guess your password, at least you will notice the login that you didn't do and can hopefully take corrective action before the damage is too severe.

Keep in mind that particularly login notifications really form a last line of defense, kind of like a home security alarm system, in that they do not prevent the breach, but rather only notifies you of the breach after the fact. If this goes off, then everything else has already failed to protect you and your assets and the attacker has gained access to your account; proceed accordingly.