A: Don’t follow standard password advice. It is out-of-date. Instead, use three unrelated words as the heart of each password.
According to a recent blog post by Bruce Schneier (Passwords Are Terrible (Surprising No One), Schneier on Security, Feb. 1, 2023), a $16,000 computer can easily crack “strong” passwords like:
Each of these passwords follows the old standard rules:
- Eight or more characters
- Upper- and lowercase letters
- A number
- A special character
So why do these passwords fail? They are memorable. That’s good. But they are predictably the result of following the old rules. Not good.
Password crackers are onto our tricks for creating compliant, memorable passwords.
They know all our “tricky” number-for-letter substitutions. They have enormous lists of frequently-used word combinations (“polar bear”) and phrases (“change it now”). They know we tend to comply with complexity rules by sticking numbers and punctuation at the beginning or end of our passwords.
Yet, you can create passwords that are fairly easy to remember but impractical for password crackers to crack.
You need an element of randomness to create a truly strong password. Relatedness is the basic flaw in thinking up our own multiple-word passwords. Our minds are just too predictable.
New Password Rules
To create safe, long, memorable passwords, follow these new password rules:
- Three or more words from large word lists
- Randomly selected
- Separated by punctuation
- With a number and one or more capitalized letters
For my passwords, I found a large word list online. I created a spreadsheet with a random selection of words scrambled in each of several columns. I separated the words with one special character and added a number in a memorable location.
You don’t have to go to all that trouble.
The website CorrectHorseBatteryStaple.net does the work for you. It is based on a method popularized by, of all people, the cartoonist Randall Munroe.
To memorize your password, imagine a mental picture with each word as an object or an action linked together. That is a long-established, effective memorization technique popularized by ancient Roman orators.
Encryption purists complain that passwords made up of words are not truly random. That is correct. But long passwords with random elements do not need to be made of completely random characters. Computers require literally years or centuries to break multiple-random-word passwords.
Sure, computers get faster every year. We need to pay attention. If there is a quantum leap in computing power, everyone will need to use even stronger passwords or password-less methods for security. For now, computers can become millions of times faster and still not break CorrectHorseBattery2Staple passwords. (Notice the “2” inserted for strength.)
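As an added illustration (this is not code from the column or from CorrectHorseBatteryStaple.net), the small Python program below applies the four new rules with a cryptographic random source and reports how many bits of entropy the word choice alone contributes. The 12-word list is constructed for illustration; a real list should have thousands of entries, and the guess rate passed to the timing helper is whatever figure you want to test against, not one the column states.

```python
import math
import secrets

# Constructed sample list. A real list should be far larger, since the
# strength comes from log2(list size) bits per randomly chosen word.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "orbit", "velvet",
                "lantern", "pepper", "gravel", "meadow", "copper", "signal"]


def passphrase_entropy_bits(list_size: int, word_count: int) -> float:
    """Entropy of word_count words drawn uniformly from list_size words.
    Separator, digit and capital placement are ignored on purpose: crackers
    model those habits, so only the random word choice is counted."""
    return word_count * math.log2(list_size)


def search_time_seconds(bits: float, guesses_per_second: float) -> float:
    """Seconds to exhaust the whole space at the given offline guess rate."""
    return 2 ** bits / guesses_per_second


def make_passphrase(words, count=3, separator="-", rng=secrets):
    """Rules: >= 3 words, randomly selected, punctuation-separated,
    one word capitalized and one digit appended to a random word.
    `rng` must offer choice() and randbelow(); secrets is a CSPRNG."""
    if count < 3:
        raise ValueError("use at least three words")
    chosen = [rng.choice(words) for _ in range(count)]   # with replacement
    cap = rng.randbelow(count)
    chosen[cap] = chosen[cap].capitalize()
    slot = rng.randbelow(count)
    chosen[slot] += str(rng.randbelow(10))               # e.g. Battery2
    return separator.join(chosen)


if __name__ == "__main__":
    print(make_passphrase(SAMPLE_WORDS, count=4))
    for k in (3, 4, 5):
        bits = passphrase_entropy_bits(7776, k)
        print(f"{k} words from a 7776-word list: {bits:.1f} bits")
```

Run the entropy figures for your own list size before settling on a word count; the digit and capital add little because their placement is predictable.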
Standard Security Advice That Still Applies
Not all the standard security advice has become obsolete. Standard recommendations that are still good include:
- Use a password manager such as Dashlane, Bitwarden, or 1Password, and you only need to memorize one password.
- Do not reuse any passwords for multiple logins.
- Use multi-factor authentication (MFA or 2FA), such as a free authenticator app on your phone or a physical YubiKey.
- Don’t write down your passwords near your computer or in any other easily discoverable place.