Dear Lifehacker, I always get stuck when a website asks me to register and choose a password. Almost all websites require this and it is sometimes hard to pick something I’ll remember and not have to write down. Any ideas? Thanks, Pass Tense
Dear PT,
We have two simple suggestions, both of which we’ve covered before:
- The best approach is to use a password manager, which generates a unique, hard-to-crack password for every site you use and stores them all for you, so the only password you still have to remember is the manager’s master password. Check out our detailed guide on how to choose the right password manager.
- If a password manager isn’t an option (which can happen on locked-down work machines), then check out our overview of how to choose and remember secure passwords. Make sure you don’t make any of the obvious password mistakes.
Password management is a nuisance, but it doesn’t have to be a chore.
Cheers
Lifehacker
Comments
7 responses to “Ask LH: How Can I Choose A Good Password?”
Remember1992,WhenYouWere4
Password Manager all the way…
There’s almost no excuse these days. Your phone can hold passwords for you if your work computer is so locked down you can’t even run a Portable app Password Manager.
I suggest reading up on Arstechnica for their series on security/hacking around passwords.
They go in-depth on how hacking works these days (table of emails and hashed passwords gets stolen, hackers attempt to guess yours, which can take minutes, days, weeks or years, then go by the ‘people are lazy’ rule and assume you use that email/password combo on more than one site).
Two main things change that minutes-years length when cracking passwords:
-Strength of the hashing algorithm — you have no control on this
-Strength of the password — you have control on this
Do not – do *not* use dictionary words, at all. Ever. Or replace letters in words with numbers/misspell them. When password guessing on custom rigs can happen at thousands/millions/more hashes a second, them trying a few variations on a word costs them less than a fraction of a second.
Same for mashing the keyboard to generate ‘random’ strings — ever notice that a keyboard mash gets you a similar set of keypresses every time? Good crackers know that, and can predict it.
Use a password manager (I have lastpass, but there’s more than one way to go), generate a unique password for each site, as complex as the site lets you have, and change every 1-3 months, as well as changing the password to your account on whatever password manager you use.
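To put a number on the “costs them less than a fraction of a second” claim above, here is an added example (written for this page, not the commenter’s code or anything from the Ars Technica series): a toy offline cracker that takes a short dictionary, applies the usual letter-for-symbol swaps, capitalisation and suffix rules, and hashes each candidate until it matches a leaked unsalted SHA-1. The word list, rule set and the “leaked” hash are all constructed for the demo; a real attacker would use a list of millions of previously leaked passwords and a GPU rig rather than Python, which only makes the point stronger.

```python
import hashlib
import itertools
import time

# Constructed stand-in for a dictionary wordlist. Real cracking runs use lists with
# millions of entries (previously leaked passwords, dictionaries in several languages).
WORDLIST = ["welcome", "dragon", "monkey", "password", "letmein", "sunshine"]

# The letter-for-symbol swaps ("leet" rules) that crackers apply to every word.
LEET = {"a": "@4", "e": "3", "i": "1!", "o": "0", "s": "$5", "t": "7"}

# Common suffixes people bolt on to satisfy "must contain a digit/symbol" rules.
SUFFIXES = ("", "1", "123", "!", "1!")


def leet_variants(word):
    """Yield every combination of leet substitutions for the letters of `word`."""
    choices = [c + LEET.get(c, "") for c in word.lower()]  # e.g. "a" -> "a@4"
    for combo in itertools.product(*choices):
        yield "".join(combo)


def candidates(word):
    """Leet variants x three capitalisations x common suffixes, without repeats."""
    seen = set()
    for base in leet_variants(word):
        for cased in (base, base.capitalize(), base.upper()):
            for suffix in SUFFIXES:
                cand = cased + suffix
                if cand not in seen:
                    seen.add(cand)
                    yield cand


def crack(target_hex, wordlist):
    """Hash every candidate until one matches `target_hex` (unsalted SHA-1 here).

    Returns (plaintext_or_None, guesses_tried, seconds_elapsed).
    """
    start = time.perf_counter()
    guesses = 0
    for word in wordlist:
        for cand in candidates(word):
            guesses += 1
            if hashlib.sha1(cand.encode()).hexdigest() == target_hex:
                return cand, guesses, time.perf_counter() - start
    return None, guesses, time.perf_counter() - start


# Constructed "leaked" row: in a real breach only the hash would be visible. It is
# derived here from a leet-style password so the example runs offline.
LEAKED_HASH = hashlib.sha1(b"P@ssw0rd!").hexdigest()


def demo():
    """Crack the constructed hash with the rule set above."""
    return crack(LEAKED_HASH, WORDLIST)


if __name__ == "__main__":
    found, guesses, secs = demo()
    print(f"recovered {found!r} after {guesses} guesses in {secs * 1000:.1f} ms")
```

The hit comes after a few hundred guesses, in milliseconds, because “P@ssw0rd!” is still the dictionary word “password” once the rules are undone. Swapping SHA-1 for a slow, salted hash such as bcrypt (the “strength of the hashing algorithm” the commenter mentions) multiplies the cost of every guess, but that is the site’s decision, not yours; the only lever you hold is to pick something that is not in any word list plus rules.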
Serious question. Why change them every 1-3 months? What makes the ‘new’ password any more secure than the one I’ve already got?
It’s not about increasing password security, it’s about limiting damage. By changing your password every month, anybody who potentially gets the password – however they do it – has a month to take advantage of it before they’re once again locked out.
If you already practice good password security (two factor when possible, original passwords for each service, etc) it won’t add much. If your computer is already compromised, it won’t help much.
It’s mostly used by companies because we know that some users will always have bad security practices. We can’t stop them using the same password on every terrible website or giving it away in exchange for a piece of gum, but we can reduce the length of time that specific password can be used to access company data.
After you change your password a few times you’re less likely to re-use one of your usual passwords that you use on every other website. This is something that a very large number of people are guilty of (myself included).
When just *one* site that you’ve used it on has a breach, and if they use a weak hashing algorithm, your email/password combo can be used on any other site where that pair is in use.
“Passphrase” works for me: http://preshing.com/20110811/xkcd-password-generator
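An added example of the passphrase approach (written for this page; it is not the linked generator’s code) showing the two things that make such a phrase strong: the words are drawn with the operating system’s CSPRNG rather than chosen by hand, and the entropy is simply the number of words times log2 of the list size, which you can then set against the guess rates discussed in the comments above. The 64-word list is constructed so the example runs offline; real generators use a few thousand words, so the 2048-word and 7776-word (Diceware) figures in the output are the ones to read.

```python
import math
import secrets

# Constructed 64-word list so the example runs offline. Real generators use lists of
# a few thousand words (the linked xkcd-style generator, or a Diceware list of 7776).
WORDS = """apple bridge candle desert engine forest garden harbor island jacket
kettle ladder magnet needle orange pepper quartz ribbon saddle tunnel
velvet walnut yellow zipper anchor basket cactus dolphin eagle falcon
giraffe helmet iguana jungle koala lantern meadow nectar ocean parrot
quiver rocket silver tomato umbrella violin window xenon yogurt zebra
acorn beacon cobalt dragon ember fossil glacier hammock ivory jasmine
kayak lemon marble nutmeg""".split()


def entropy_bits(n_words, list_size):
    """Guessing entropy of n_words drawn uniformly (with replacement) from list_size words."""
    return n_words * math.log2(list_size)


def generate(n_words=4, words=WORDS, sep=" "):
    """Pick n_words with the OS CSPRNG (never random.choice, never 'words I thought of')."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def hours_to_exhaust(bits, guesses_per_second):
    """Worst-case time for an attacker to try the whole keyspace at the given rate."""
    return 2 ** bits / guesses_per_second / 3600


if __name__ == "__main__":
    phrase = generate(4)
    print(phrase, f"({entropy_bits(4, len(WORDS)):.0f} bits from this tiny list)")
    # Compare realistic list sizes against an 8-character random mixed-case
    # alphanumeric password (8 * log2(62) ~ 47.6 bits) at a fast offline rate.
    rate = 1e9  # guesses/s against an unsalted fast hash on a GPU rig (assumed figure)
    for label, bits in (("4 words / 2048-word list", entropy_bits(4, 2048)),
                        ("8 random alnum chars", 8 * math.log2(62)),
                        ("6 words / 7776-word Diceware list", entropy_bits(6, 7776))):
        print(f"{label}: {bits:.1f} bits, ~{hours_to_exhaust(bits, rate):.3g} hours at {rate:.0e}/s")
```

Two caveats fall out of the numbers. A four-word phrase from a 2048-word list (44 bits) is more than enough against a login page that throttles attempts, but against an offline dump hashed with a fast algorithm at a billion guesses a second it lasts a few hours, which is the hashing-algorithm dependence the earlier comment flagged; six Diceware words (about 77 bits) push that into millions of years. And the entropy figure only holds if the words really are chosen at random, so use `secrets`, not a phrase you find memorable.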