Note: I originally published this on Medium on Nov 5, 2015.
We’ve all been there: You visit a new website and inevitably you’re asked to create an account. If you’re lucky, the site lets you piggyback off of an existing site’s credentials, such as Google or Facebook. But if not, you need to come up with yet another password; Remember that you never want to reuse a password because if a site’s security is compromised (which happens all too frequently), hackers will try your username and password on all major websites — online banks and email accounts — things that can really screw up your life.
So you come up with a password, and with any luck the site runs it through a strong one-way encryption algorithm and saves it in their database. “One-way” here means there’s no known mathematical way to reverse the process to get back the original value. Whenever you login and re-enter your password, it goes through the same algorithm and the two encrypted values are compared, and only if they match are you signed in.
The beautify of this approach is that no one knows your password — not even the employees who take care of the database. Unfortunately, there’s no guarantee that any given website follows this best practice; they may use weak encryption, or two-way encryption, or no encryption at all.
But even if a website uses strong encryption, if hackers get their hands on the database they can still try to crack your password by using sheer brute force. Imagine you had a padlock with three digits and you didn’t know the combination but had plenty of time on your hands — you could literally go through all 1,000 combinations, one by one. Hackers use the same concept, but before resorting to trying every letter and number combination imaginable, they start with a list of the most common passwords, followed by every word in the dictionary (including all the uppercase and lowercase permutations, and the common tweaks such as substituting zeros for o’s, and adding a number to the end), followed by names of celebrities, TV shows, movies, books, character names, band, song, and album titles — basically anything you’d find in the Wikipedia.
In “Your Password is Too Damn Short”, Jeff Atwood (one of the founders of StackOverflow) explains why your passwords need to be a minimum of 12 characters long — and if you’re paranoid about the ever increasing sophistication of hacking techniques coupled with the relentless improvement in computing hardware power (which you should be), you’d do well to go beyond that minimum. Extending my combination lock metaphor from earlier, this would be like enhancing the combination lock to have, say 9 digits; Someone might have the patience to try 1,000 combinations, but probably not the will (or time) to try a billion permutations. He states that a 13 character password would take a hacker 64 years to crack using today’s tech, versus 2.2 seconds (!!!) for an 8 character password.
Coming up with a password, that’s fairly long, that’s essentially gibberish and that you can memorize is a tall order; but coming up with a unique one for each website that requires a password is, well, damn near impossible.
After reading Jeff Atwood’s post above I decided to use a password manager. Here’s how it works: You sign up and install a browser extension. As you go about visiting your various sites, the password manager offers to save the site’s name, URL, username and password. So this learning process is fairly painless. And whenever you need to log into the site again, LastPass automatically fills in the username and password. Personally I use LastPass, though there are others and from what I’ve seen they all work well. I have LastPass installed on my work and home computers, and on my phone, so if I make a change on one device, I’m covered everywhere else.
For big name sites such as Facebook, LastPass has the ability to change your password automatically with the click of a button. I love this feature. Back when I first set everything up, I would click this button and just sit back and watch as it signed in to my account, brought up the change password screen, entered the old password and a new strong password such as “R#87Xsr8ZWD43g”, and then updated the record in LastPass. And this is my favorite part of all this: I only have to remember my LastPass password, but that’s it — I no longer give a damn what any of my other passwords are. And since they’re all unique and strong, I don’t have to lose sleep worrying my password getting cracked.
LastPass has a tool to generate strong passwords for whenever you change a password manually. It also has a security audit feature that will show you all the weak or duplicate passwords you’re using. Basically, it’s got your back, and if you follow its advice you’ll be in really good shape. Honestly, it’s worked so well for me that I wish I’d started using a password manager years ago. If password management is a nightmare for you, I urge you to consider signing up.