Creating unique passwords
Human cognition plays an important part in what we can ask of people with their passwords. The number of distinct strong passwords that a person can remember is far less than the number of distinct passwords that they need.
Password reuse is a big security problem. In 2013, a number of Dropbox accounts were compromised because people used the same password there that they used for sites which suffered breaches. The same thing happened with Best Buy. There was not an actual breach of Best Buy, but customers’ passwords had been discovered through breaches of other sites. As we always like to remind people, “Friends don’t let friends reuse passwords”.
A good password management system solves this problem. As password researcher Troy Hunt says, “The only secure password is one that you can’t remember”.
Remembering important passwords
But this still leaves us with a small number of passwords that we do need to remember. And because so much depends on these, we need them to be very strong. What people don’t often recognize is that we not only need these few strong passwords to be memorable by normal humans, but we need them to be created using randomness – such as a Diceware phrase consisting of randomly-chosen words. However, if humans are bad at remembering random things, they are far, far worse at generating randomness.
In Toward Better Master Passwords, we see that if we pick words truly at random (by rolling dice for example) we can get a string of words that we can remember and type, but which still remain enormously difficult to guess. Symbols may also be used to add additional complexity, but it is important to stick to using standard characters for compatibility.
The original credit for this should go to Arnold Reinhold. And after “Toward Better Master Passwords” revived it, it was made famous by Randall Munroe, who summed up the mathematical part of the argument in a single comic: Password Strength.
See Toward Better Master Passwords for why it is crucial that you use some random process that is not in your head for creating these. We’ve seen people try to make up examples of these kinds of passwords, and it is usually easy to tell whether a random process was used or not. (For example, people trying to come up with a random sequence of words will almost always pick concrete nouns.)
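To make the Diceware argument concrete, here is an added example (written for this page, not code from AgileBits or from 1Password’s own generator) of how a word list is indexed with dice rolls drawn from the operating system’s cryptographic random source, and how the strength of the result follows only from the number of words and the size of the list, never from how obscure the words look. The word list, the separator character and the function names are assumptions for this example; a real Diceware list has 7776 (6^5) words and is looked up with five dice.

```python
import math
import secrets

# Constructed demonstration word list: 36 words, so two six-sided dice
# (6 * 6 = 36 outcomes) select exactly one word. It is made up for this
# example; a published Diceware list has 7776 = 6**5 words.
SAMPLE_WORDS = [
    "adjust", "cliche", "dicey", "anchor", "basket", "canyon",
    "dragon", "ember", "fabric", "garden", "harbor", "island",
    "jacket", "kettle", "lantern", "marble", "nectar", "orbit",
    "pepper", "quartz", "ribbon", "saddle", "tunnel", "umpire",
    "velvet", "walnut", "yonder", "zipper", "amber", "bishop",
    "cactus", "donkey", "falcon", "goblet", "helmet", "iguana",
]


def dice_per_word(list_size: int) -> int:
    """Number of six-sided dice needed to index a list of exactly 6**k words."""
    k = round(math.log(list_size, 6))
    if 6 ** k != list_size:
        raise ValueError("word list size must be a power of 6 for dice indexing")
    return k


def roll_die() -> int:
    """One fair roll from the OS CSPRNG via `secrets`; random.random() is
    a non-cryptographic generator and must not be used for passwords."""
    return secrets.randbelow(6) + 1


def rolls_to_index(rolls) -> int:
    """Map die faces (1..6, most significant first) to an index 0..6**k-1,
    exactly as a Diceware lookup table does."""
    index = 0
    for face in rolls:
        if not 1 <= face <= 6:
            raise ValueError("die face must be between 1 and 6")
        index = index * 6 + (face - 1)
    return index


def pick_word(words=SAMPLE_WORDS) -> str:
    """Roll the right number of dice for this list and return the chosen word."""
    k = dice_per_word(len(words))
    return words[rolls_to_index(roll_die() for _ in range(k))]


def generate_passphrase(n_words: int, words=SAMPLE_WORDS, separator: str = "%") -> str:
    """Join n_words uniformly chosen words with a plain ASCII separator, so the
    result stays memorable, typeable and compatible with most password fields."""
    return separator.join(pick_word(words) for _ in range(n_words))


def entropy_bits(n_words: int, list_size: int) -> float:
    """Guessing entropy when every word is an independent uniform draw.
    Only n_words and list_size matter; the words themselves do not."""
    return n_words * math.log2(list_size)


if __name__ == "__main__":
    print(generate_passphrase(4))
    # Example numbers: 5 words from a 7776-word list ~= 64.6 bits,
    # 4 words from this 36-word toy list only ~= 20.7 bits.
    print(round(entropy_bits(5, 7776), 1), round(entropy_bits(4, 36), 1))
```

The entropy figures are the whole point: four words from a 36-word toy list give about 20.7 bits and would not be acceptable as a Master Password, while five words from a full 7776-word list give about 64.6 bits. The words a person would “make up” in their head are not a uniform draw at all, so no figure like this can be assigned to them.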
Avoid helping the hackers!
When 1Password asks you to enter a password hint, there is no requirement for it to actually have anything to do with your Master Password. In fact, it is more secure if it doesn’t!
As the daughter of our Chief Defender Against the Dark Arts says, “Polly likes crackers; crackers like hints”. Indeed, many on the team here at AgileBits use password hints like “Nice try” and “Don’t even think about it”.
If you are worried that you may forget your Master Password, it is best to record it on a piece of paper and keep it in a safe deposit box or other secure location.
By keeping a paper copy of your Master Password in a safe place you’ll be able to refer to that paper if you ever need to, but if someone else gets ahold of your 1Password data, they won’t be able to use the password hint to help them crack it. Just treat your Master Passwords at least as securely as you treat your credit cards and other important personal records.
If, despite this, you still want to use a more traditional password hint, consider the following suggestions.
- Don’t pick something that others know about you. For example, if your password is “Molly”, your cat’s name, don’t use the hint “Cat”. (By the way, “Molly” isn’t a strong Master Password.)
- Don’t use “My password is Molly” if your password is “Molly”.
- Consider something that indirectly reminds you of the password but that nobody else would be able to figure out. For example, if your strong Master Password is adjust%cliche%0bama%dicey, your hint might be “Mittens” to remind you of the US presidential election of 2012, so you may remember what your password looks like because it contains “0bama”.
With a strong, memorable Master Password and a hint that wouldn’t help a cracker, you’re on your way to a much better password hygiene. Now be sure to use the password generator to have unique passwords for all your Logins.