Question from John: Rick, I’ve seen multiple articles regarding the dangers of using password managers or storing passwords in browsers.
Ok, I get it, but the flip side is also very daunting.
For me, I have over a dozen Internet accounts, and keeping track of all those passwords without some kind of automated manager is almost impossible.
Believe it or not, each and every password is extremely complex and UNIQUE.
Here’s an example of one password: A422A#5zkhN32B
This does not bode well for memorization.
I refuse to use any password manager that stores this information anywhere other than my local computer. Roboform used to, but now stores in the cloud.
I would be very interested in your recommendations for this situation. Thanks.
Rick’s answer: John, I wish there was an easy answer to the password storage dilemma, but there just isn’t.
Any solution that requires a connection to the Internet has the potential of being hacked, and any local password storage device is also vulnerable in multiple ways.
The only truly secure method of password storage is to store them in your brain. I understand the difficulty that can pose for people with numerous accounts, but it’s just a reality.
Now, about the security of passwords themselves…
It’s long been thought (and several recent studies have confirmed) that the length of a password is more important than the randomness of the characters when it comes to determining the “strength” of a password.
While you wouldn’t want to use a short password consisting of just one or two short dictionary words that are related to one another, a longer phrase consisting of several unrelated words is much stronger than a password like the one you mentioned above (A422A#5zkhN32B).
That password is truly “random”, but the problem is it’s only 14 characters in length.
14 characters is enough to make a password fairly secure (for now), but longer passwords are vastly more secure. What’s more, if they are properly crafted they are much easier to remember as well.
Note: If you’re interested you might want to read this excellent whitepaper on password strength from the security experts at INFOSEC Institute.
Here’s an example of an easy-to-remember, yet extremely secure password:
sundowngoatCruisingFelinemississippi
This password is a whopping 36 characters in length, and it contains these four completely unrelated, yet very easy to remember words:
sundown goat Cruising Feline mississippi
You could make it even slightly more secure by replacing all the letter o’s with 0’s (zeros) but with 36 characters that wouldn’t really be necessary.
The beauty of using a long passphrase like this is you can easily use the same password for multiple accounts by adding another (very short) series of letters somewhere in the sequence to identify the individual accounts.
For example, you could add an “i” between the words Cruising and Feline to denote a password for your Instagram account. The result would look like this:
sundowngoatCruisingiFelinemississippi
For Facebook you could use an “f”:
sundowngoatCruisingfFelinemississippi
Alternatively, you could assign each account a number. For example, Instagram could be account number 13:
sundowngoatCruising13Felinemississippi
…while Facebook is number 26:
sundowngoatCruising26Felinemississippi
Again, it’s the length of the password that’s most important because there are so many possible combinations in a password of this length.
Any bot trying to guess the password would either time out and fail or simply give up and move on to someone else’s account hoping that password will be easier to break.
I hope this helps, John. Good luck!
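Worked example (added here; this is not part of Rick's answer or John's question): a small Python script that puts numbers on the length-versus-randomness point. It estimates the brute-force search space, in bits, of the two passwords quoted above; the search space if an attacker instead guesses the passphrase word by word against a dictionary (an assumed 100,000-word list, with one extra bit per word for the capitalised-or-not choice); and the edit distance between the base passphrase and the per-account variants shown in the answer. The guessing rate of 10^12 guesses per second and the dictionary size are illustrative assumptions, not figures from the page.

```python
import math

# Constructed inputs: the two passwords and the account variants quoted in the answer.
RANDOM_PASSWORD = "A422A#5zkhN32B"
PASSPHRASE = "sundowngoatCruisingFelinemississippi"
PASSPHRASE_WORDS = ["sundown", "goat", "Cruising", "Feline", "mississippi"]
ACCOUNT_VARIANTS = {
    "Instagram (letter)": "sundowngoatCruisingiFelinemississippi",
    "Facebook (letter)": "sundowngoatCruisingfFelinemississippi",
    "Instagram (number)": "sundowngoatCruising13Felinemississippi",
    "Facebook (number)": "sundowngoatCruising26Felinemississippi",
}

# Assumptions for the illustration (not from the page).
ASSUMED_DICTIONARY_SIZE = 100_000       # words an attacker's wordlist might hold
ASSUMED_GUESSES_PER_SECOND = 1e12       # offline guessing rate against a fast hash


def alphabet_size_for(password: str) -> int:
    """Size of the alphabet an attacker must cover, inferred from the
    character classes actually present (lower, upper, digit, symbol)."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # printable ASCII punctuation/symbols
    return size


def brute_force_bits(password: str) -> float:
    """Bits of search space if the attacker treats every position as an
    independent random symbol: log2(alphabet_size ** length)."""
    return len(password) * math.log2(alphabet_size_for(password))


def wordlist_bits(words, dictionary_size: int = ASSUMED_DICTIONARY_SIZE) -> float:
    """Bits of search space if the attacker guesses the passphrase as a
    sequence of dictionary words, each optionally capitalised (+1 bit/word)."""
    return len(words) * (math.log2(dictionary_size) + 1)


def years_to_exhaust(bits: float, rate: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Years needed to try every candidate at the assumed guessing rate."""
    return (2 ** bits) / rate / (365.25 * 86400)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: how many single-character inserts, deletes or
    substitutions separate two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def report() -> dict:
    """Collect the figures; returned as a dict so they can be inspected or tested."""
    figures = {
        "random_bits": brute_force_bits(RANDOM_PASSWORD),
        "passphrase_char_bits": brute_force_bits(PASSPHRASE),
        "passphrase_word_bits": wordlist_bits(PASSPHRASE_WORDS),
        "variant_distances": {name: edit_distance(PASSPHRASE, v)
                              for name, v in ACCOUNT_VARIANTS.items()},
    }
    return figures


if __name__ == "__main__":
    f = report()
    print(f"{RANDOM_PASSWORD!r}: {f['random_bits']:.1f} bits as random chars, "
          f"~{years_to_exhaust(f['random_bits']):.2e} years to exhaust")
    print(f"{PASSPHRASE!r}: {f['passphrase_char_bits']:.1f} bits as random chars, "
          f"{f['passphrase_word_bits']:.1f} bits as dictionary words, "
          f"~{years_to_exhaust(f['passphrase_word_bits']):.2e} years to exhaust")
    for name, d in f["variant_distances"].items():
        print(f"{name}: {d} edit(s) away from the base passphrase")
```

The word-by-word estimate is the caveat a practitioner would attach to the length argument: the 205-bit figure only holds against an attacker who treats the passphrase as 36 random letters, whereas a dictionary-driven guess brings it down to roughly 88 bits, which still beats the 14-character random password under these assumptions. The edit distances (1 or 2) make a second point visible: each per-account variant differs from the base passphrase by only one or two characters, so the variants share almost all of their secrecy with one another.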