Humans are terrible at being unpredictable, including when making passwords. Password managers let you generate and use hundreds of highly secure passwords, but there are still a few passwords that you must memorize and produce regularly:
- Login passwords
- Master passwords for password managers
- Disk encryption passwords
- Things you choose to remember, like your primary email or bank
Picking a good password depends on the attacks it will face and its value, but simply being able to remember it is a major issue with computer-generated passwords.
These passwords have similar strengths:
Mnemonics are a typical way to memorize long, otherwise unmemorable strings. Digits are commonly memorized using the major system. Phrases can be turned into passwords using the first letter of each word. Abbrase uses 3-letter prefixes of a more memorable phrase.
||“run bills pending admirers ascribed box”|
||“Won’t you join us in trying to find out who did it?” Thornton Waldo Burgess, Old Mother West Wind|
||“The Scourge flogged him heartily.” William Makepeace Thackeray, The Newcomes|
||“He stopped suddenly: “No money to any one?” " Wilkie Collins, Basil|
Roughly ordered by how likely you are to be subject to them, attacks on passwords include:
You used the same login at another site, and someone discovered your password on that. This lets hackers pivot low-value credentials like a niche forum to marketable high-value credentials like a Netflix account.
Strong defense: don’t reuse passwords, ever. Use some form of password manager.
Average defense: don’t reuse passwords to high-value accounts– especially anything that could cost you money or reputation! Emails, bank accounts, and large social media passwords should all be unique.
Ridiculous defense: have a very complex password that even state-level attacker won’t be able to crack in your lifetime. This probably requires at least a password with at least 80 bits of entropy.
Average defense: have a password that’s complex enough to withstand broad
An attacker attempts to guess your password to log in as you.
Strong defense: use hardware 2FA. This might not prevent discovering your password, since many sites check 2FA after a correct password, but it limits the damage.
Average defense: don’t use a common password (in the top million or so). Expect that sites will have reasonably rate limits on how quickly an attacker can test logins.
Strong defense: use hardware 2-factor authentication keys like YubiKey that can’t be spoofed or cloned.
Average defense: check login URLs carefully, especially when you’re following a link from an email. Using SMS 2FA helps, but can be easily subverted by motivated attacks, as seen by the myriad stories of stolen bitcoins following unauthorized phone number transfers.
Dropbox has a password strength estimator that recognizes patterns and estimates how long a password would take to be compromised by different attackers.
I think of passwords in terms of bits, or the number of essentially equivalent passwords that it could be instead. If my phone has a random 6-digit PIN like
875641, there are a million potential passwords, meaning I have about 20 bits of security, since 10 bits is 2^10 = 1024 possibilities. An attacker would on average have to guess 500,000 PINs to find the correct one.
Hopefully, your password is stored by a site that will slow down online attacks with throttling and offline attacks with a slow hash function. This directly impacts the security margin: a fast hash might be attacked offline with a billion attempts per second, while a throttled online attack might only proceed at .1 attempts per second– 10 billion times slower, adding 33 bits of strength!