Stop me if you’ve heard this before: you should use a different password for every account you have, and each of those passwords should be an exceptionally long and complex string of characters that’s easy for you to remember but hard for anyone else to guess.
Unfortunately, that’s solid advice, and, equally unfortunately, it’s hacking season. Even worse, hacking season never ends.
However, there are two pretty lazy but safe ways to make sure you’re using sufficiently strong passwords. Here they are:
The easiest way: use a password manager
With a password manager, you really only have to remember one password. This password unlocks your password manager—the vault of your passwords, so to speak—and your password manager does all the heavy lifting for you.
Every time you create a new account online, you can ask your password manager to create a complex password for you. It generates a long random string that is complete gibberish, so there is nothing for you to remember, and stores it in the vault.
The next time you log into your account, the password manager will automatically fill in your username and password for you, so you don’t have to remember them.
There are many password managers out there. Some are free, but most are not, and the big difference between the free and paid tiers is usually the number of devices you can use the password manager on.
This matters. If you’re using a free password manager that only works on one device, say your desktop computer, and you want to log into an account on your phone, you have to be in front of your desktop to open your vault and then type the password into your phone by hand.
That defeats the purpose from a simplicity point of view. So be ready to shell out a few bucks a month for a premium password manager, or check out the excellent open source Bitwarden password manager, whose free personal plan works on any number of devices.
The other great thing about password managers is that they’re really good at fending off phishing and similar scams that try to trick you into typing your username and password into a fake website. The manager only offers to autofill on a site whose address matches the one it saved the credentials for. So when a scam email sends you to a look-alike called Fast-Company.com instead of the real FastCompany.com, the manager doesn’t offer your real credentials. The one thing you have to do is notice that silence, rather than shrugging and typing the password in by hand anyway.
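To make that autofill rule concrete, here is an added Python example (mine, not from the article and not any real password manager’s code) of the origin check a manager applies before offering a credential. The vault entry, URLs and placeholder password are constructed for the example; real managers such as Bitwarden use the public-suffix list and richer matching rules than this simplified host check.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed vault: one saved login for the real site. A real manager stores
# the password encrypted; the placeholder below is just for illustration.
VAULT = {
    "https://fastcompany.com": {"username": "doug", "password": "fake-random-gibberish"},
}


def https_host(url: str) -> Optional[str]:
    """Hostname of an https URL, or None for plain http / malformed URLs."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return None
    # .hostname already strips any user:pass@ prefix and the port.
    return parts.hostname.lower().rstrip(".")


def same_site(saved_host: str, current_host: str) -> bool:
    """True for the saved host itself or one of its subdomains.

    Simplified on purpose: a production manager consults the public-suffix
    list so that, say, a saved 'example.co.uk' cannot match all of 'co.uk'.
    """
    return current_host == saved_host or current_host.endswith("." + saved_host)


def credentials_for(current_url: str, vault=VAULT) -> Optional[dict]:
    """The credential a manager would offer on current_url, or None to stay silent."""
    current_host = https_host(current_url)
    if current_host is None:
        return None
    for saved_url, credential in vault.items():
        saved_host = https_host(saved_url)
        if saved_host and same_site(saved_host, current_host):
            return credential
    return None


if __name__ == "__main__":
    for url in [
        "https://fastcompany.com/login",
        "https://login.fastcompany.com/",
        "https://fast-company.com/login",              # look-alike from the article
        "https://fastcompany.com.evil.example/login",  # real name used as a subdomain
        "https://fastcompany.com@fast-company.com/",   # real name hidden in the userinfo
        "http://fastcompany.com/login",                # downgraded to plain http
    ]:
        print(f"{url:48} -> {'fill' if credentials_for(url) else 'stay silent'}")
```

The last three URLs are the ones a human eye tends to get wrong: the real name appears on the screen, but it is not the host the browser is actually talking to, so the manager stays silent.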
The still somewhat easy, manual way
OK, maybe you don’t trust password managers or you don’t want to mess around with syncing your credentials across devices. And let’s assume that, despite all the wise advice, you have little interest in using a separate password for each account.
This is something of a compromise, but it will do in a pinch. The basic idea: the longer and more complex a password is, the more guesses it takes to crack.
Of course, for us humans, remembering long and complex things is not really our forte. But what if you just had to remember one extremely long and convoluted thing, and then add context to that thing for each account?
You can use a site like PasswordMonster.com to see how long it would take to crack one of your passwords by brute force. You’ll find that the more you type, the longer it takes. Two caveats: estimates like that assume the attacker is guessing blindly rather than working from a leaked copy or a known pattern, and you should only feed such sites passwords you don’t actually use.
So pick something super long that only you will remember, ideally containing a mix of letters, numbers, symbols, uppercase, lowercase, and punctuation.
In my case, I would choose a basic password like this:
[email protected]$5.15per hour
It’s long, it’s complex, it mixes gibberish with words, and I’ll always remember it because my first job was at Best Buy and I was making $5.15 an hour. According to PasswordMonster, that alone would take a million trillion years to crack. Ideally, I’ll be dead by then.
Then for my Fast Company account I would add something like [email protected]@ny and then a hyphen at the beginning of my super password:
This little extra extends the crack time to 862 trillion trillion years.
There are two catches here. First, you have to type a long string into your password field by hand every time you log in.
Second, if you use such a password on a poorly run website that stores passwords in plaintext or with weak hashing, and that site gets breached, an attacker who sees your password will very likely conclude that you use the same super password everywhere with only the site name and a hyphen stuck on the front. From there, guessing your password for every other site is a matter of trying a few spellings of each site’s name.
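Here is an added Python example (mine, not the article’s) that puts numbers on both sides of that second catch: a meter-style brute-force estimate for a constructed base passphrase, and what happens once an attacker has seen one “SiteName-base” password in a breach and only has to guess how you spelled the next site’s name. The guess rate, the passphrase and the substitution table are assumptions chosen for the example.

```python
import math
import string
from itertools import product

# Assumed attacker speed: an offline attack on a leaked fast hash, 1e11 guesses/s.
GUESSES_PER_SECOND = 1e11
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Constructed base passphrase in the spirit of the article's (not the author's own).
BASE = "MyFirstJobPaid$5.15perHour!"


def charset_size(password: str) -> int:
    """Meter-style estimate: the smallest standard alphabet covering every character used."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation or c == " " for c in password):
        size += len(string.punctuation) + 1  # symbols plus the space
    return size


def brute_force_bits(password: str) -> float:
    """Search-space size, in bits, for an attacker guessing blindly."""
    return len(password) * math.log2(charset_size(password))


def years_to_crack(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Expected years to hit the password, assuming half the space is searched."""
    return (2 ** bits / 2) / rate / SECONDS_PER_YEAR


# Symbol swaps an attacker tries when mangling a site name (assumed table).
LEET = {"a": "@4", "s": "$5", "e": "3", "i": "1", "o": "0"}


def name_variants(site_name: str) -> set:
    """Every spelling of site_name obtainable by swapping letters for symbols in LEET."""
    choices = [c + LEET.get(c.lower(), "") for c in site_name]
    return {"".join(t) for t in product(*choices)}


def guesses_from_leak(leaked_password: str, target_site: str) -> list:
    """Once one 'SiteName-base' password leaks, the attacker keeps the base and
    only has to guess how the victim spelled the next site's name."""
    base = leaked_password.split("-", 1)[1]
    return sorted(f"{variant}-{base}" for variant in name_variants(target_site))


def seconds_to_crack(n_guesses: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to exhaust a candidate list at the assumed rate."""
    return n_guesses / rate


if __name__ == "__main__":
    bits = brute_force_bits(BASE)
    print(f"blind brute force: {bits:.0f} bits, about {years_to_crack(bits):.1e} years")
    leaked = "F@stComp@ny-" + BASE  # recovered from a poorly run site's breach
    guesses = guesses_from_leak(leaked, "Amazon")
    print(f"after the leak: {len(guesses)} candidates for Amazon, "
          f"{seconds_to_crack(len(guesses)):.1e} seconds")
```

The blind estimate is the kind of astronomical figure the strength meters show. The second figure is the one that matters after a breach: a few dozen candidates, which is why the article recommends the manager-generated, unrelated passwords over this scheme for anything that matters.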
Why not both?
So, the absolute best course of action? Use a password manager, and make the master password that protects your vault something extremely long and complex. That master password is what the vault’s encryption key is derived from, so if a copy of your vault is ever stolen, its length is what keeps the contents unreadable while you change the master password and rotate anything important.
Any password manager worth using stores your vault only in encrypted form and never keeps the master password itself, so an attacker holding a stolen vault is back to guessing, and you’ve got at least a million trillion years or so to put things right.
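Here is an added Python example (mine, not any password manager’s code) of the part that matters in that last sentence: the vault file holds a random salt and a verifier, never the master password, and the encryption key is derived from the master password with a deliberately slow function. PBKDF2-HMAC-SHA256 from the standard library is used here; the iteration count and the sample master password are assumptions for the example, and real managers may use Argon2 or different parameters.

```python
import hashlib
import hmac
import os
import time

# Assumed KDF parameters for the example; real managers pick their own.
ITERATIONS = 600_000
SALT_BYTES = 16


def derive(master_password: str, salt: bytes, iterations: int) -> bytes:
    """64 bytes: the first 32 encrypt the vault, the last 32 act as a login verifier."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=64)


def create_vault(master_password: str) -> dict:
    """What gets written to disk: salt, parameters and verifier. No password, no key."""
    salt = os.urandom(SALT_BYTES)
    key = derive(master_password, salt, ITERATIONS)
    return {"salt": salt, "iterations": ITERATIONS, "verifier": key[32:]}


def unlock(vault: dict, master_password: str):
    """Return the 32-byte vault encryption key, or None if the password is wrong."""
    key = derive(master_password, vault["salt"], vault["iterations"])
    if not hmac.compare_digest(key[32:], vault["verifier"]):
        return None
    return key[:32]


def guesses_per_second(vault: dict, samples: int = 3) -> float:
    """Rough single-core rate at which someone holding the file can test passwords."""
    start = time.perf_counter()
    for i in range(samples):
        derive(f"guess{i}", vault["salt"], vault["iterations"])
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    master = "Paid$5.15perHourAtMyFirstJob"  # constructed sample master password
    vault = create_vault(master)
    print("stored fields:", sorted(vault))
    print("right password unlocks:", unlock(vault, master) is not None)
    print("wrong password unlocks:", unlock(vault, master + "x") is not None)
    print(f"attacker rate on one core: about {guesses_per_second(vault):.1f} guesses/s")
```

Compare the last line with the hundred billion guesses per second a fast unsalted hash allows: the slow derivation is what turns a stolen vault file into a guessing problem measured in years rather than seconds, provided the master password is long enough that there are many guesses to make.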