All About Strong Passwords
Good morning, everyone! This is Pavluu. Today, I want to talk to you about the importance of strong passwords. Passwords are what hackers are always after. Sure, if someone installs a stealer on your device and extracts all your browser logs, they can get your passwords regardless of how complex they are. But what if someone is actively trying to hack you—brute-forcing your email or wallet? In that case, you have options to protect yourself.
Why Unique and Strong Passwords Matter
If you spend a lot of time online, you’ve probably registered accounts on many different websites. If you use the same password (or nearly the same, with minor variations) for all of them, your accounts are vulnerable to cyberattacks. If even one of these sites gets hacked, attackers can access the passwords of all its users and potentially break into your accounts on other sites. These breaches happen more often than you think, and site administrators often don’t even realize it’s happened. That’s why it’s crucial to use strong, unique passwords for each of your accounts.
Of course, such passwords are hard to remember, but you can use one of the following methods:
- Write passwords down on paper — It’s practical to write your passwords and keep them in a safe place (like a safe or your wallet). At the very least, you’ll notice if these notes are lost or stolen and can quickly change your passwords.
- Use a password manager — This is a program for your smartphone, tablet, or computer that lets you create, securely store, and even automatically fill in unique passwords when logging into websites and online apps (see the “Password Managers” section below). Password managers also sync your password database across your devices. Note that password managers require a master password, which you’ll need to enter to access all your other passwords. This master password should be especially strong but easy for you to remember, as it’s the only password you can’t store in the manager and will need every time you use the program.
Choosing Strong Passwords
There are a few passwords you’ll have to remember, and they need to be truly strong. These include, at a minimum, passwords for your devices, disk encryption (including full disk encryption), and your password manager’s master password.
Modern computers can easily crack a 10-character password. So, short passwords—even if they’re made up of random characters like a$ct7W.p9! , UTAc'dp-rE , or xc,u&HqlY{ —aren’t secure enough for encrypted systems.
There are many ways to create strong, memorable passwords. The simplest and most reliable is the Diceware method, developed by Arnold Reinhold. In this method, you physically roll dice to randomly select several words from a list. These words form a passphrase. For disk encryption (and for your password manager), it’s recommended to use at least six words.
Several password selection programs and online generators are based on Reinhold’s method—for example, here: tinyurl.com/hdub86x.
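To show how Diceware works in practice, here is an added example written for this post (it is not Reinhold’s own tool or any password manager’s code). The real Diceware list has 7776 words (6^5), one per five-dice roll; because that list cannot be embedded here, the example uses a constructed 36-word list (6^2), so each word takes two dice. The code generalizes to any list whose size is a power of six, draws dice from the operating system’s secure random source, and also computes the entropy figures behind the advice above: six words from the full list versus a random 10-character password.

```python
import math
import secrets

# Constructed demo list of 36 words (6**2): two dice per word. Arnold Reinhold's
# real Diceware list has 7776 words (6**5), so each word there takes five dice.
DEMO_WORDS = [
    "apple", "bread", "cloud", "dance", "eagle", "flame",
    "grape", "house", "island", "jelly", "kite", "lemon",
    "mango", "night", "ocean", "piano", "queen", "river",
    "stone", "tiger", "umbrella", "violin", "water", "xenon",
    "yacht", "zebra", "amber", "brick", "candle", "desert",
    "ember", "forest", "garden", "harbor", "ivory", "jungle",
]


def dice_per_word(list_size):
    """Number of dice needed to index a list of 6**k words; reject other sizes."""
    k = round(math.log(list_size, 6))
    if 6 ** k != list_size:
        raise ValueError("a Diceware list must have exactly 6**k entries")
    return k


def roll_to_index(rolls):
    """Turn die faces such as (1, 1, 1, 1, 1) into a 0-based list index (base-6 digits)."""
    index = 0
    for face in rolls:
        if not 1 <= face <= 6:
            raise ValueError("die face must be between 1 and 6")
        index = index * 6 + (face - 1)
    return index


def diceware(words, n_words, randbelow=secrets.randbelow):
    """Pick n_words from `words` by simulated dice rolls and join them with spaces.

    `randbelow` is the source of randomness; the default is the OS CSPRNG via
    the `secrets` module. It is a parameter only so tests can inject fixed rolls.
    """
    k = dice_per_word(len(words))
    chosen = []
    for _ in range(n_words):
        rolls = tuple(randbelow(6) + 1 for _ in range(k))
        chosen.append(words[roll_to_index(rolls)])
    return " ".join(chosen)


def entropy_bits(choices, count):
    """Entropy in bits of `count` independent, uniform picks from `choices` options."""
    return count * math.log2(choices)


if __name__ == "__main__":
    print("demo passphrase:", diceware(DEMO_WORDS, 4))
    # Six words from the full 7776-word list versus ten random printable-ASCII chars.
    print("6 Diceware words:   %.1f bits" % entropy_bits(7776, 6))
    print("10 random chars:    %.1f bits" % entropy_bits(94, 10))
```

The entropy function makes the comparison explicit: six words drawn uniformly from the 7776-word list give about 77.5 bits, while a 10-character password built from the 94 printable ASCII characters gives about 65.5 bits, and that assumes the characters were chosen at random rather than by a person. The phrase is also far easier to memorize than the string of symbols.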
When using a password manager, the security of all your passwords (including your master password) directly depends on the security of your computer. If your device is infected with malware, it can intercept your master password as you type or copy the contents of your password database. That’s why it’s essential to protect your computer and other devices from malicious software.
About “Secret Questions”
It’s also important to know about “secret questions” like “What is your mother’s maiden name?” or “What was your first pet’s name?” Websites use these for password recovery. The existing password, a new one, or a link to generate a new password (depending on the site) will be sent to your registered email address.
However, attackers can often find the correct answers to many secret questions in public sources (like your social media accounts) and use them to reset your password and access your account. That’s why it’s recommended to use made-up answers for secret questions (which, like your passwords, only you know). Store your made-up answers in your password manager as well, and consider changing your secret questions and answers periodically.
Password Managers
Remembering many different passwords for various sites and programs is hard. That’s why people often use just a few—or even a single—password for many accounts, sites, and services. As a result, the same password is used everywhere. If any of your passwords fall into the wrong hands, the attacker will likely try it on your other accounts. To stay secure, never reuse passwords.
But then, how do you remember so many different passwords? That’s where password managers come in. They let you securely store an unlimited number of passwords and protect all your passwords for different accounts with a single master password (ideally, a passphrase). You only need to remember this one phrase (password), and the program will handle the rest.
Password managers help you choose strong passwords, which is extremely important. Inexperienced users often use short, simple passwords that are easy for attackers to guess: password1 , qwerty , 12345 , birth dates, a friend’s (or spouse’s) name, pet names, and so on. A password manager, on the other hand, lets you create and use random passwords with no predictable style or structure. For example: mdD50*df]Q32/dfR4$vH0(s! —impossible to guess.
Despite all their advantages, password managers have one significant drawback: all your passwords are stored in one file or group of files, located in one place on your computer’s drive. This is an obvious target for attackers. It’s also recommended to create backup copies of your password file(s). If this file is lost due to a device failure or theft, recovering your passwords could be very difficult or even impossible. Most password managers offer backup features, but you can also use your own backup methods.
When choosing a password manager, keep in mind that many popular programs have vulnerabilities. So, before deciding if a tool is right for you, it’s a good idea to check online reviews and expert recommendations. As an example, I can mention the free password manager KeePassX.
Using a Master Password
The master password acts as the code that opens your password “safe” (the password database)—without it, you can’t access your passwords.
- Your master password protects all your passwords, so it must be strong!
- The strength of your master password comes from its length and complexity. When creating a master password, you don’t need to worry about including special characters, uppercase letters, or numbers—a passphrase of six random words (all lowercase, separated by spaces) can be more resistant to hacking than a 12-character password with a mix of uppercase, lowercase, numbers, and symbols.
- You must remember your master password! It gives you access to all your other passwords, so you need to memorize it and not write it down. This is another argument in favor of the Reinhold method, which uses a series of simple, easy-to-remember words instead of unnatural combinations of characters, numbers, and uppercase letters.
Using a Key File
As an alternative to a master password (passphrase), you can use a key file to encrypt your password database. In this case, every time you want to open your password database, you’ll need to tell your password manager where the key file is. You can keep this file on a flash drive or another portable device, connecting it to your computer only when you need access. If an attacker gains access to your computer’s hard drive and the password database, they still can’t decrypt it without the key file stored on your external device. In many cases, it’s much harder for a hacker to find a key file than to guess a regular password.
The downside is that you’ll need to connect the external device every time you want to access your passwords. If you lose or damage this device, you’ll lose access to your passwords. So, if you decide to use a key file instead of a master password, make sure your flash drive is physically reliable (it’s a good idea to have a backup stored separately) and keep it in a safe place—if an attacker finds it, they can access your password database.
Combining a Master Password and Key File
The most secure way to encrypt your password database is to use both a master password and a key file at the same time. Then, to break into your database, an attacker would need both your master password and the key file. Choose this option based on your risk level. For most regular users who just want to store their passwords securely, a strong master password is enough. But if a potential attacker has massive computing power, it’s best to choose the most secure solution.
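To make concrete why an attacker needs both secrets, here is an added example that sketches how a password manager can turn a master password and a key file into one database key. This is not KeePassX’s code; it is a simplified scheme written for this post, modeled on the common idea of hashing each secret and then hashing them together into a composite key, which is then stretched with PBKDF2. The salt, iteration count, and sample inputs are constructed for the illustration.

```python
import hashlib
import hmac
import os


def new_key_file():
    """Generate 32 random bytes to save as a key file on the portable device."""
    return os.urandom(32)


def composite_key(passphrase=None, key_file_bytes=None):
    """Hash whichever secrets are present into one 32-byte composite key.

    Either secret alone is allowed; supplying both means the result depends on
    both, so neither one by itself can reproduce it.
    """
    if passphrase is None and key_file_bytes is None:
        raise ValueError("at least one of passphrase or key file is required")
    parts = b""
    if passphrase is not None:
        parts += hashlib.sha256(passphrase.encode("utf-8")).digest()
    if key_file_bytes is not None:
        parts += hashlib.sha256(key_file_bytes).digest()
    return hashlib.sha256(parts).digest()


def derive_database_key(composite, salt, iterations=600_000):
    """Stretch the composite key with PBKDF2-HMAC-SHA256 to slow down guessing."""
    return hashlib.pbkdf2_hmac("sha256", composite, salt, iterations, dklen=32)


def unlock(stored_key, salt, passphrase=None, key_file_bytes=None, iterations=600_000):
    """Return True only if the supplied secrets reproduce the stored database key."""
    candidate = derive_database_key(composite_key(passphrase, key_file_bytes), salt, iterations)
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(candidate, stored_key)


if __name__ == "__main__":
    # Constructed sample inputs; a real manager would read the key file from the flash drive.
    salt = os.urandom(16)
    key_file = new_key_file()
    passphrase = "correct horse battery staple"
    stored = derive_database_key(composite_key(passphrase, key_file), salt)
    print("both secrets:     ", unlock(stored, salt, passphrase, key_file))
    print("passphrase only:  ", unlock(stored, salt, passphrase, None))
    print("key file only:    ", unlock(stored, salt, None, key_file))
```

Run as written, only the first check succeeds: with the database key derived from both secrets, a copy of the encrypted database plus the master password is not enough, and neither is the key file alone. The iteration count is what makes each guess expensive; a manager that stores the database in the cloud relies on that stretching if the file is ever copied off the server.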
Password Sync Across Multiple Devices
Chances are, you use more than one device—like a computer, smartphone, and tablet—to log into websites and services. Many password managers have a built-in feature to sync your password storage file across your devices. After syncing, you can use your passwords on all your devices. For example, if you add a new account to your password manager on your computer, you’ll be able to log in from your smartphone or tablet as well.
Some password managers let you store your password database “in the cloud”—encrypted on a remote server. Managers that use their own servers for password storage and syncing are convenient but more vulnerable to attacks, since a hacker could target their server. If you store passwords only on your own computer, an attacker would first need access to your device before getting to your passwords.