by Elliot Christenson on November 29, 2016 - 6:35pm

I suck at passwords. I'm extra-super-bad at coming up with new, unique passwords. Maybe you're awesome at it! While that is great, it's probably not good enough. My "password sucking" forced me to long ago look for solutions!

Don't get me wrong, I think we've all learned to adapt to the explosion of password needs that we encounter on a daily basis. We do the best we can. There are simply a lot of sites, a lot of rules, and - because of our connected lives - an even greater risk of getting it wrong!

If you're reading this, you likely know better. Of course, plenty of people are still going to pick simple passwords:

  • football
  • baseball
  • sunshine
  • rainbow
  • qwertyui

You may not believe it, but statistically, you know someone who is using one of those passwords right now! So even if you're a password researcher, maybe share some of the thoughts below with others.

More advanced users even attempt to outsmart the hackers with "clever" simple passwords:

Statistically, you probably know someone with one of those passwords as well!

With the aforementioned explosion, maybe you picked a "personal password system" like those mentioned in articles like this:

http://www.makeuseof.com/tag/7-ways-to-make-up-passwords-that-are-both-secure-memorable/

To varying degrees, these techniques have all worked in the past. But they require being "good" at passwords!

What if I told you there was a way you could make much more secure passwords (even than those techniques) while still sucking at passwords? Read more to find out how!

The Problems

The "Alphabet" Problem

Just about everyone uses the same "Latin alphabet" characters. Most websites that request passwords "require" letters and numbers in some combination. Many even limit the character set and/or the length of the password!

If the attacker knows the specific formula a website uses (e.g. 6 lowercase letters and 1 number), that drastically cuts down the "alphabet" (the collection of characters) and the number of combinations that need to be tried. Computers are really fast at things like that. In what's called a brute force attack (trying each possible combination in succession), a computer can crack a simple password in a few days at worst. If it's a targeted attack using many computers, or if the encrypted password database for a service was downloaded so that guesses can be checked offline at full speed, it can take fractions of a second.

The Personal Password System Problem

Computers are fast, right? We all know that. So, you're smart, and you came up with a complex password to use. It's 10 characters, and it uses your own personal system. So, you think you're clever using "[email protected]" - "password" spelled backwards with some characters replaced and numbers added to the end. Sure, that's better than just using "password". No doubt.

That's better, right?

The bad guys - to varying degrees - have put more thought into this than you or I have. They know we might try to spell things backwards. They know we might replace characters in a predictable fashion ('@' for 'a', '!' for '1', '$' for 's', etc.), and they know that, most frequently, numbers come at the end.

That drastically cuts down on the number of passwords to try in such a brute force attack. The hacker can try all the easiest ones first, leaving the very complex ones for last (or not at all - how many passwords do they need, after all!).
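The two problems above both come down to the size of the search space an attacker has to cover. The following is an added example (not code from the original post) that puts rough numbers on them: a site-mandated formula, a fully random password, and a "personal system" of word + reversal + substitutions + trailing digits. The guess rate and dictionary size are constructed illustration values, not measurements.

```python
import math

# Constructed figure for an offline attack on a leaked database (assumption, not measured).
GUESSES_PER_SECOND = 1e10

LOWER, DIGITS, PRINTABLE = 26, 10, 95  # alphabet sizes


def keyspace_formula(lower_letters: int, digits: int) -> int:
    """Search space when the attacker knows the site formula, e.g. 6 lowercase + 1 digit.
    The digit positions are counted too, since the attacker may not know where they sit."""
    positions = lower_letters + digits
    return math.comb(positions, digits) * LOWER ** lower_letters * DIGITS ** digits


def keyspace_random(length: int, alphabet: int = PRINTABLE) -> int:
    """Search space of a truly random password drawn from `alphabet` characters."""
    return alphabet ** length


def keyspace_personal_system(dictionary_words: int, substitutable: int, trailing_digits: int) -> int:
    """Rough model of a 'clever' scheme the attacker has anticipated: a dictionary word,
    optionally reversed, each of `substitutable` letters swapped for its symbol or not,
    plus `trailing_digits` digits appended. Substitutions are treated as independent bits."""
    return dictionary_words * 2 * (2 ** substitutable) * DIGITS ** trailing_digits


def bits(keyspace: int) -> float:
    """Entropy-equivalent size of a search space, in bits."""
    return math.log2(keyspace)


def seconds_to_exhaust(keyspace: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at the assumed guess rate."""
    return keyspace / rate


def compare() -> dict:
    """Side-by-side view of the three cases discussed in the post."""
    cases = {
        "site formula: 6 lowercase + 1 digit": keyspace_formula(6, 1),
        "personal system: 100k words, 3 substitutions, 2 digits": keyspace_personal_system(100_000, 3, 2),
        "random: 8 printable characters": keyspace_random(8),
        "random: 12 printable characters": keyspace_random(12),
    }
    for name, space in cases.items():
        print(f"{name:55s} {bits(space):6.1f} bits  {seconds_to_exhaust(space):12.3e} s")
    return cases
```

At the assumed rate, the 6+1 formula and the "clever" scheme fall in seconds, while a 12-character random password is far out of reach.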

The Per Site Password Problem

OK, so you have a totally random password. Maybe you got one from here:

https://www.grc.com/passwords.htm

All random! Long! Great!

So, you got your one password. You committed it to memory or put it in a "secure" place (we could have a whole discussion on what that means too!). What do you do for the second website you need a password for? The hundredth?

Do you use the same password everywhere? If you've used some of these services, your "perfect" password may already be in the hands of hackers!

https://en.wikipedia.org/wiki/List_of_data_breaches

You shouldn't use the same password on different sites, but depending on the random password, maybe you CAN'T anyway. Some sites have an upper limit on length, some require a number, and still others have other arbitrary rules. They are usually trying to force some randomness into their clients' passwords.

So, what do you do? You need:

  • random passwords
  • unique per site passwords
  • yet, still follow the "per site" rules
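This is exactly the job a password manager's generator does. As an added example (not code from the post or from any password manager), here is a small generator that draws from the OS CSPRNG and resamples until a site's rules hold; `SitePolicy` and its fields are a constructed model of the arbitrary per-site rules described above, not any real site's policy.

```python
import secrets
import string
from dataclasses import dataclass


@dataclass
class SitePolicy:
    """Constructed model of one site's rules (hypothetical, not a real site's policy)."""
    min_length: int = 12
    max_length: int = 64
    require_digit: bool = False
    require_upper: bool = False
    require_symbol: bool = False
    allowed_symbols: str = "!@#$%^&*-_"


def allowed_alphabet(policy: SitePolicy) -> str:
    return string.ascii_letters + string.digits + policy.allowed_symbols


def satisfies(password: str, policy: SitePolicy) -> bool:
    """Check every rule the site imposes; used both to validate and to drive generation."""
    if not policy.min_length <= len(password) <= policy.max_length:
        return False
    if any(c not in allowed_alphabet(policy) for c in password):
        return False
    if policy.require_digit and not any(c.isdigit() for c in password):
        return False
    if policy.require_upper and not any(c.isupper() for c in password):
        return False
    if policy.require_symbol and not any(c in policy.allowed_symbols for c in password):
        return False
    return True


def generate(policy: SitePolicy, length: int = 0) -> str:
    """Generate a random, rule-compliant password for one site.

    Rejection sampling keeps the result uniform over all compliant strings; forcing a
    digit into a fixed position (as people do by hand) would shrink the search space.
    `length` of 0 means 'as long as the site allows'."""
    if policy.min_length > policy.max_length:
        raise ValueError("policy can never be satisfied")
    length = policy.max_length if length == 0 else max(policy.min_length, min(length, policy.max_length))
    alphabet = allowed_alphabet(policy)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if satisfies(candidate, policy):
            return candidate
```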

The Solution: The Password Manager

Excel

One solution is to keep all your passwords - randomly generated, hopefully - in an Excel spreadsheet or a text file on your computer. That's a step up. It keeps everything in one spot, and it lets you have unique passwords for each service!

What do you do if someone accesses your computer? What about when you need to use that same password from your smartphone? It's not very convenient.

LastPass/1Password

This is where the many password managers come in! I'm a big believer in password managers like LastPass and 1Password. Both are great products. LastPass was even thoroughly vetted by security expert Steve Gibson here: https://twit.tv/shows/security-now/episodes/256

These work by putting all of your passwords together - like the Excel spreadsheet idea above - but then securing the whole thing with a single password. That's where their names come from. LastPass wants that single password to be your "last password" to remember (which means it can be long and secure). Similarly, 1Password wants you to be left with only "one password" to remember.

LastPass

I do personally use LastPass, and we use LastPass Enterprise at myDropWizard. For sharing passwords with employees in a secure fashion, Enterprise is great. If you're interested more in the security of LastPass, listen to Gibson's commentary above. It's very thorough.

1Password

If you have a Mac/iOS-centered workflow, 1Password might work well for you as well. It has tighter integration with macOS and iOS.

Multiple Devices Is Now Free

The free version of LastPass now allows you to use the (free) iOS and Android apps to access your passwords! That used to be something reserved for paying customers.

https://www.engadget.com/2016/11/02/lastpass-is-now-free-across-all-your-devices/

I'm sure 1Password and the competition will step up their free or low-cost options as well.

No Excuses for Bad Passwords Anymore

The thing is, for free - or even for the very modest cost for LastPass Premium - there really is no excuse for using bad passwords any longer. myDropWizard co-founder David Snopek always says "LastPass is both more secure and more convenient." And I always throw down the explanation (even before the recently announced free version of LastPass) that "There are two Internet services that I would easily pay double for. One is Netflix." I usually receive an agreeable nod with that statement. "The other is LastPass," I conclude.

At myDropWizard, we do our best to keep ourselves and our clients secure, so I'm always on the lookout for the newest, best ideas! Do you use these services? Do you use something else? Do you have an altogether different solution? Let me know! I'd love to have a follow-up to the state of passwords in a future post.


Comments

Great article. Thank you for recommending the service! This is just what I was looking for.

P.S.: Recently I found this password manager - https://lesspass.com. Have you seen it? What do you think of its idea to generate passwords using a formula instead of just storing passwords?