At a minimum, we recommend:
- Using a different password for every account or login, so that if one account is compromised, only one account is compromised.
- Strong, randomly generated passwords or passphrases that are sufficiently long to resist password attacks, such as
- Complement your passwords (where possible) with 2-factor authentication (a.k.a. 2-step verification).
For more details on how to do this in practice, keep reading.
Password managers (in general)
To accomplish this, use a password manager to generate and store all of your passwords that you don’t need to manually type in. If you are already using a password manager, great! But still consider the following selection criteria for password managers:
- Is your password manager trustworthy? Do you trust the developers of the software? Do you need to fully trust the developers (is it open source)?
- Does your password manager store your passwords “in the cloud”, and if so, is it protected with strong encryption and an equally strong password?
If you aren’t backing up your whole computer (even though you should be), you should at least be backing up the file containing all your passwords, particularly if it isn’t stored in the cloud. How to access this file will depend on the password manager.
The password manager should be able to generate strong random passwords for you such as bdY,Fsc_7\}*Q]cFP. This is great for a password that you never have to type in, that is, a password that the password manager will input for you or that you can copy-paste from the password manager.
Passwords that you need to type in
For passwords that you will necessarily need to type in (for example: a password you enter on your phone, the password you protect your password manager with, the password you use to encrypt your computer) use a diceware password a.k.a. passphrase a.k.a. a random sequence of words such as remake.catfight.dwelled.lantern.unmasking.postnasal. You can generate this password manually using dice and a word list. We have a guide available here. Many password managers will also generate such passwords, although you probably won’t need many of these.
We always recommend, where possible, software that will work on all computers and that is open-source. To that end, we recommend KeePassXC. The Tools tab gives access to a password generator, where you can generate long random passwords and passphrases as described above. The Database (file of passwords) tab gives you the option to create a new file to store your passwords. Remember to use a strong passphrase (which you can generate via the Tools tab) to protect this file. We recommend that you write this passphrase down and store it somewhere safe (away from whoever your adversary is). You choose the location to save the file, so you know where it is for backing it up.
KeePassXC does provide integration with Firefox and other browsers (so that you don’t have to copy and paste passwords every time you log in); however, for simplicity, we recommend the built-in password manager that comes with Firefox (our recommended browser) for managing any password that you type into a webpage, which is most passwords. To set a strong password to protect the file that Firefox uses to store your passwords, navigate to the menu, preferences, security and select “use a master password”. Use KeePassXC to generate a memorable passphrase; you will need to type in this passphrase whenever you restart Firefox. Unfortunately the Firefox password manager does not include a password generator. If you don’t want to use KeePassXC, you could use a Firefox add-on for this. We recommend “Secure Password Generator” (to install, navigate to the menu, add-ons, search for “Secure Password Generator”, select install), which adds a lock icon to your toolbar and allows you to specify the often ridiculous requirements that websites have for passwords (no special characters, at least 3 numbers, etc.).
One final note. We always get asked “What length of password should I use?” and it is a difficult question to answer. For passwords that are stored in your password manager, you may as well use as long a password as is allowed. 30 characters is likely a good number to try first (and this gives you an extremely strong password). For passphrases that you need to type in, you need to balance security with convenience. The more words, the more security, but the longer it takes to type in. So consider how often you need to type in this passphrase. For the passphrase that encrypts your computer or external hard drives, which you are likely not typing in very often (perhaps once a week), try starting with 7 words. For the passphrase to encrypt your password manager, which you might type in more frequently, you may not be willing to use 7 words. For the passphrase you use to turn off your screensaver, you may only be willing to type in 3 or 4 words. Start with the most secure practices you are willing to try and see how it goes, and only adjust as you need to so that you aren’t frustrating yourself. Note that “password strength” meters may erroneously judge a passphrase of many plain English words to be weak, because these meters are looking for passwords of the form Tr0ub4dor&3 instead of correct horse battery staple; see above.
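The following is an added example, not code from the original guide, showing the two kinds of password recommended above being generated with Python's `secrets` module (the operating system's cryptographic random source) and the entropy arithmetic behind the length advice. The ten-word list is a constructed stand-in for a real 7776-word diceware list (a real list has one word per five-dice roll); the parameter names `min_digits` and `allow_special` are my own and model the website rules the text mentions ("no special characters, at least 3 numbers"). It goes one step beyond the text with `words_needed`, which shows that 7 words from a 7776-word list is the smallest passphrase reaching 80 bits of entropy.

```python
import math
import secrets
import string

# Constructed stand-in for a diceware word list. A real list has 6**5 = 7776
# words, one per five-dice roll; these ten are just the words from the guide's
# examples so that the block runs offline.
SAMPLE_WORDS = [
    "remake", "catfight", "dwelled", "lantern", "unmasking", "postnasal",
    "correct", "horse", "battery", "staple",
]
DICEWARE_LIST_SIZE = 6 ** 5  # 7776 words in a standard diceware list
PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def entropy_bits(pool_size, length):
    """Entropy of `length` independent uniform picks from a pool of `pool_size`."""
    return length * math.log2(pool_size)


def words_needed(target_bits, list_size=DICEWARE_LIST_SIZE):
    """Smallest passphrase length (in words) that reaches `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(list_size))


def random_password(length=30, min_digits=0, allow_special=True):
    """Random character password drawn from the OS CSPRNG (`secrets`).

    `min_digits` and `allow_special` (names assumed for this example) model the
    site rules the guide mentions. Rejection sampling keeps the result uniform
    over compliant passwords instead of forcing digits into fixed positions.
    """
    alphabet = PRINTABLE if allow_special else string.ascii_letters + string.digits
    if min_digits > length:
        raise ValueError("cannot require more digits than characters")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if sum(c.isdigit() for c in candidate) >= min_digits:
            return candidate


def diceware_passphrase(n_words, word_list=SAMPLE_WORDS, separator="."):
    """Passphrase of `n_words` words chosen uniformly, as rolling dice against
    the list would do; each word is an independent pick, so repeats are allowed."""
    return separator.join(secrets.choice(word_list) for _ in range(n_words))


def strength_table():
    """Entropy (bits) for the lengths the guide discusses, assuming uniform random
    choice from 94 printable ASCII characters or a 7776-word diceware list."""
    return {
        "30-char random password": entropy_bits(len(PRINTABLE), 30),
        "7-word passphrase": entropy_bits(DICEWARE_LIST_SIZE, 7),
        "4-word passphrase": entropy_bits(DICEWARE_LIST_SIZE, 4),
        "3-word passphrase": entropy_bits(DICEWARE_LIST_SIZE, 3),
    }


if __name__ == "__main__":
    print("vault password :", random_password(30))
    print("site password  :", random_password(16, min_digits=3, allow_special=False))
    print("passphrase     :", diceware_passphrase(7))
    for label, bits in strength_table().items():
        print(f"{label:24s} {bits:6.1f} bits")
    print("words for 80 bits:", words_needed(80))
```

The table makes the trade-off in the text concrete: a 30-character random password is far beyond anything that needs typing, a 7-word passphrase lands around 90 bits, and a 3- or 4-word screensaver passphrase sits near 39 to 52 bits, which is why the guide reserves short passphrases for low-value, frequently typed uses.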
Two-factor authentication is where, in addition to entering a password to access an account, you must also enter an authentication code that is delivered to you via text, an app on a smartphone, or an app for a USB key. To compromise your account, an adversary would need your password as well as the device that receives the authentication code. Beware though, that SMS text messages offer somewhat limited protection. Black Lives Matter activist DeRay Mckesson and the Federal Trade Commission’s top technologist Lorrie Cranor have seen unauthorized access to their accounts by way of adversaries gaining control of their mobile accounts, thus defeating their 2-factor authentication setups.
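As an added example (not code from the original guide), here is the algorithm that smartphone authenticator apps use to produce the codes described above, RFC 6238 TOTP built on RFC 4226 HOTP, together with the server-side check. Unlike an SMS code, a TOTP code is derived from a secret that never leaves the phone and the current time, which is why taking over the mobile account does not yield it. The secret below is the published RFC test value, not a real one; `TotpVerifier` is my own minimal verifier that tolerates one step of clock drift and refuses to accept the same time step twice.

```python
import hashlib
import hmac
import struct

# Published test secret from RFC 4226 / RFC 6238 (ASCII "12345678901234567890").
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) with HMAC-SHA1."""
    msg = struct.pack(">Q", counter)                       # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the current 30 s time step.
    This is what the app on the phone computes and displays."""
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Server side of the exchange. Accepts the code for the current step and
    `window` steps either side (clock drift), compares in constant time, and
    records the highest consumed step so a captured code cannot be replayed."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret, self.step, self.digits, self.window = secret, step, digits, window
        self.last_counter = -1  # highest time step already used successfully

    def verify(self, submitted: str, unix_time: int) -> bool:
        counter = unix_time // self.step
        for offset in range(-self.window, self.window + 1):
            c = counter + offset
            if c <= self.last_counter:
                continue  # that step (or an older one) was already consumed
            if hmac.compare_digest(hotp(self.secret, c, self.digits), submitted):
                self.last_counter = c
                return True
        return False


if __name__ == "__main__":
    # Reproduce an RFC 6238 Appendix B vector: T = 59 s, SHA1, 8 digits -> 94287082
    print("phone shows   :", totp(RFC_TEST_SECRET, 59, digits=8))
    server = TotpVerifier(RFC_TEST_SECRET)
    code = totp(RFC_TEST_SECRET, 59)
    print("first use     :", server.verify(code, 59))    # True
    print("replayed      :", server.verify(code, 59))    # False
```

The two sides only ever share the secret once, at enrollment; afterwards each computes the same code independently, so nothing worth intercepting is sent to the phone.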