Apply Joe’s Password Strategy

In my earlier book on passwords, I distinguished between “identity” and “security” passwords and outlined elaborate techniques to determine how strong a given password needed to be and create different kinds of passwords depending on context. I now advocate a single approach that’s simpler and safer, and that covers the vast majority of cases.

My strategy—and yes, this is what I do myself—has three main points:

You’ll also have to deal with irritating security questions from time to time, as well as other odd exceptions and surprises. I cover all that in this chapter as well.

Figure Out Which Passwords You Must Memorize

First, the bad news: you must memorize at least a few passwords, and those few have to be both long and strong.

But the good news is that for most people, with careful planning, the number of passwords that must be stored in the brain is very small. For me, the number is three. Depending on your situation, you might have only one or two, or you might have nine or ten—but if your number gets much beyond a dozen, you’re doing it wrong. Whatever the number is, I’ll refer to this short list as your Very Important Passwords, or VIPs.

Which passwords belong on the must-memorize VIP list? Only those passwords that you need often and can’t easily enter using a password manager app (which I discuss two steps ahead). For example, here are my three:

  • The master password for my password manager: A password manager lets you use a single master password to unlock all your other stored passwords. I use that key constantly and I can’t very well keep it in my password manager, so I have it memorized.

  • My computer’s login password: Everything on my computer is encrypted, so I can’t turn it on or even wake it up from sleep (much less run an app such as a password manager) without entering the login password for my main user account.

  • My Apple ID password: My Apple ID can get me into all sorts of services—iCloud on my Mac, PC, iOS devices, and Apple TV; my iTunes Store and Mac App Store accounts; Game Center; Apple developer accounts; and so on. I enter it so often that it was well worth memorizing. (I have more than one Apple ID, but I use one much more than the others.) See Devices Without Full Keyboards, later in this chapter, for additional advice on passwords—such as an Apple ID password—that must be entered frequently on a tiny virtual keyboard.

Those three passwords are the only ones I feel I have to keep in my head. My other 900+ passwords (really!) are either web logins that my password manager can enter for me or passwords I use so seldom that I don’t mind looking them up and then copying and pasting (or retyping, as the case may be) when the occasion arises.

Your VIP list might be different from mine—and it might be longer or shorter. But the one item that’s non-negotiable is the master password for your password manager, because a large portion of this strategy depends on it.

The best way to figure out which passwords should make your VIP list is to keep a tally of the passwords you enter manually on any given day outside a web browser. Anything that shows up on that list more than a few times is a good candidate. But don’t include passwords you enter on webpages, because a password manager can handle those for you. Your list might include a school or corporate login password, a Wi-Fi network password, passwords used in individual iOS apps, or the password for any account you have to access on a device where you can’t install your own password manager.

Once you have your list of VIPs, you’re ready to…

Create Strong but Memorable Passwords

Maybe one or more of the passwords on your VIP list already has extremely high entropy (refer back to All About Entropy). If so, you need only commit it to memory—more on that in a moment. For each of the rest, your task now is to create a new password that’s adequately strong, memorize it, and change your existing password to the new one. As you do, be sure to write these passwords down (yes, on paper). These are the ones you can’t afford to lose or forget, and as I explain in Keep Your Passwords Secure, having a carefully hidden paper copy of your passwords might actually increase your security.

How long must this password be, and how can you remember it?

Those questions are two sides of the same coin. As I explained earlier, the important thing is to make the password strong enough—to give it enough entropy—to resist a brute-force attack. You can derive that strength from randomness, length, character-set size, or a combination of these.

If you want the fewest possible characters, the characters must be random and varied; if you want a password that’s a breeze to type because it’s all lowercase words, it must be much longer to have equivalent strength. You’re the one who has to type these passwords all the time, and you know how your memory works better than I do. So I’ll leave that decision to you.

Here’s how a few of your options compare:

  • Random: Mathematically speaking, random passwords using all available character types pack the most entropy into the fewest number of characters. So, if you have a good memory and want to save yourself a considerable amount of typing, use the password generator in your favorite password manager (see the next topic, Use a Password Manager for Everything Else) to create a random password that includes upper- and lowercase letters, digits, and punctuation—and is at least 12 characters long.

  • Sentence/pronounceable: Passwords created using the first letter of each word from a sentence or a password generator’s “pronounceable” option may appear random, but they have lower entropy because they do contain recognizable patterns. You can use such a password if you prefer, but make it longer—16 characters or more (assuming they include either digits or punctuation).

  • Lowercase words: If you go for the simplest possible password to type and remember—a series of ordinary English words, all in lowercase—then you need many more characters to reach a comparable level of entropy. If you choose something in the correct horse battery staple vein, make sure it consists of at least five words—all of which are randomly chosen—and has at least 32 characters. (A four-word, 28-character phrase like correct horse battery staple arguably has insufficient entropy to resist modern cracking methods.)

    One good but time-consuming way to create a sufficiently complex passphrase of this type is to use a simple technique called Diceware, which requires actual dice, a downloadable word list, paper, and a few minutes per password. As I mentioned earlier, there’s also an online password generator based on the XKCD method, and 1Password’s Words option, which is like Diceware but more secure because it’s based on a much longer word list—and far quicker to use. You can also try a new method by John Clements called Molis Hai, which creates long, high-entropy passwords that are easier to remember because of their resemblance to English words.
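To put numbers on the options compared above, here is an added Python example (not from the book) that computes the entropy of each kind of password and turns it into a rough brute-force time. It assumes the 94-character set (upper, lower, digits, punctuation) for the random option, the 7776-word standard Diceware list size for the lowercase-words option, and a constructed eight-word sample list so that the generator runs offline; the guess rate used in the demonstration is a constructed figure, not a measurement.

```python
import math
import secrets
import string

# "Random" option: upper, lower, digits and punctuation (94 characters).
FULL_CHARSET = string.ascii_letters + string.digits + string.punctuation

# Size of the standard Diceware word list (6^5: five dice rolls per word).
DICEWARE_LIST_SIZE = 6 ** 5  # 7776

# Constructed stand-in for a word list so the generator runs offline; a real
# passphrase must draw from the full list, or the entropy figure does not apply.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple",
                "anvil", "cloud", "trumpet", "velvet"]

SECONDS_PER_YEAR = 365 * 24 * 3600


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` independent, uniformly random picks from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Years needed to try every password of the given entropy at a fixed guess rate."""
    return (2.0 ** bits) / guesses_per_second / SECONDS_PER_YEAR


def random_password(length: int = 12, charset: str = FULL_CHARSET) -> str:
    """The 'random' option. `secrets` is the CSPRNG to use here, never `random`."""
    return "".join(secrets.choice(charset) for _ in range(length))


def word_passphrase(words: int = 5, wordlist=SAMPLE_WORDS) -> str:
    """The 'lowercase words' option, Diceware-style: every word is an independent pick."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


def compare_strategies() -> dict:
    """Entropy, in bits, of the options the text compares.

    A sentence-initial or "pronounceable" password is deliberately absent: its
    characters are not uniform picks, so length alone does not give its
    entropy, which is why the text asks for 16 or more characters in that case.
    """
    return {
        "random_12_full_charset": entropy_bits(len(FULL_CHARSET), 12),
        "random_16_lowercase_only": entropy_bits(26, 16),
        "diceware_4_words": entropy_bits(DICEWARE_LIST_SIZE, 4),
        "diceware_5_words": entropy_bits(DICEWARE_LIST_SIZE, 5),
    }


if __name__ == "__main__":
    # Constructed guess rate for illustration only; a real offline cracking
    # rate depends entirely on how the site hashes its passwords.
    rate = 1e10
    for name, bits in compare_strategies().items():
        print(f"{name:26s} {bits:6.1f} bits  ~{years_to_exhaust(bits, rate):.3g} years")
    print("sample random password:", random_password())
    print("sample passphrase:     ", word_passphrase())
```

The comparison makes the text's thresholds concrete: four Diceware words give about 52 bits, five words about 65 bits, and 12 random characters from the full set about 79 bits. Note that the "years to exhaust" figure is an upper bound on the attacker's work; a guessing attack that gets lucky early, or a site that stores passwords with a fast hash, shortens it considerably.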

Now that you have your short list of Very Important Passwords, it’s time to memorize them. This will require actual effort, even if you’re using a sentence or plain English words (was that correct battery horse?—no, wait, correct staple battery…). Sorry about that. But you’ve successfully memorized plenty of other things—your phone number, your address, your Social Security number—and I have the utmost confidence that you can add a few more items to that list.

For some people, rote repetition is the way to go. With concentration, it shouldn’t take more than 15 minutes to memorize a password. Or, try writing or typing the password a hundred times in a row. (“I will not chew gum in school. I will not chew gum in school…”) Or, break it down into chunks of three or four characters and memorize those one at a time. Or, turn it into a game to see how many sentences or stories you can come up with to represent your password. Think of it as a small investment of time for long-term savings.

Once you think you have a password down, put it out of your mind, distract yourself with something else, and then try to remember it an hour later. Try again before bedtime and when you wake up in the morning. You should have your entire VIP list down in a day.

Use a Password Manager for Everything Else

With your VIP list down cold, it’s time to turn your attention to your other passwords. Virtually every other password in your life (I’ll mention a few exceptions ahead) can be handled the same way: you’ll use a piece of software to create it, store it, and then enter it for you whenever you need it.

I refer to this type of software as a password manager, but you may hear other names, such as password vault and keychain. Password managers wrap up all your individual usernames and passwords—and sometimes other important data too—in a securely encrypted file that you can unlock with a single master password.

Since you have only one password to remember, the others can be long and complex. You won’t need to see them. You won’t even know what they are. They’ll be created for you randomly by a feature called a password generator. Then they’ll be stored automatically, and—at least in the better password managers—entered into web forms for you with the flick of a finger.

You’ll install a version of this software on your Mac or PC as well as on your smartphone or tablet so you can keep your passwords in sync among devices. You may even choose a manager that lets you access your passwords securely from any web browser, or keep a copy of the app and its encrypted data on a flash drive in your pocket. That way, as long as you are in the vicinity of a computing device of some kind, you’ll have a way to get to all your passwords.

It doesn’t matter to me which password manager you choose. There are tons of them out there; I mention more than a dozen popular examples in the next chapter, Pick a Password Manager. The important thing is that the app meets your personal needs and works with all the devices and operating systems you care about.

Once you’ve chosen a password manager, install it on all your devices, set it up with a strong master password, and if it includes an automatic sync feature, turn that on. Then follow these steps:

  1. When a site or service asks you to create a new password, use your password manager’s password generator. It’ll likely have lots of options, but my recommendation is to let it create the longest and most complex random password that the site will accept. Maybe one site restricts you to 10 characters and another doesn’t accept punctuation, while a third lets you create a 64-character password containing any imaginable symbol.

    Whatever the case, let the site’s maximum be your guide—it’s no more difficult or time-consuming for a password manager to hand you a 64-character password than one with 10 characters, so there’s nothing to be gained by making some passwords shorter or simpler, even if you feel they’re of trivial importance.

    As you encounter sites and services for which you previously created passwords, enter or paste them in manually, but then immediately capture your credentials with your password manager so they’ll be ready for you the next time you need them.

  2. When you visit a site for which you’ve previously stored credentials, your password manager should be able to fill them in for you. Depending on which app you use and on which platform, this might happen automatically; it might require a click, a tap, or a keystroke; or you might have to copy and paste. But in any case, you should rarely if ever have to retype a password.

  3. When time permits, follow the steps in Audit Your Passwords to replace any old, weak passwords with new, strong passwords.

Along with these steps, I strongly recommend that you follow a few other key practices:

  • Always use long, unique, randomly generated passwords, even if the password merely serves to identify you and doesn’t protect any valuable data or resources. Read the sidebar Why Use Secure Passwords for Throwaway Accounts? for a longer explanation of why I recommend this.

  • Do not enter a password hint when a system gives you that opportunity. No matter how innocent or obscure you may think your hint is, it can help an attacker who’s trying to guess your password. Password managers eliminate the need for hints! (Some password managers prompt you to enter a hint for your master password, however. Personally, I’d feel better writing down that master password in a safe place and leaving the hint blank or filling in “No.”)

  • If there’s any possibility of someone else using your computer without your permission, avoid selecting those “remember me” or “keep me signed in” checkboxes on webpages. Such pages use cookies stored on your computer to identify you, eliminating the need to log in manually the next time you visit the site. Since your password manager can autofill your credentials, there’s no point in leaving any such security holes that someone else could exploit. For even greater security, delete the cookies already in your browser.

  • Related to the last point, most browsers have their own mechanisms for storing and autofilling passwords. When you see a “save this password” dialog box after logging in to a website, you’re being prompted to store the password in your browser or in a system-wide keychain. Again, I suggest that you stop agreeing to these prompts, turn off the feature in your browser, and delete any passwords it has already stored. Otherwise, the security you’re gaining by using a password manager may be nullified by having a less-secure way to access the same information—and one that likely can’t sync across all your browsers, devices, and operating systems.

    A rather terrifying example of how problematic browsers’ built-in password managers can be appeared in the news in December 2017. (See No boundaries for user identities: Web trackers exploit browser login managers.) It appears that scripts found on numerous websites were taking advantage of a flaw in the design of built-in password managers to extract email addresses (presumably for the purposes of user tracking and profiling) without the users’ knowledge. Basically, these scripts create invisible login forms, let the browsers’ password managers fill them in automatically, and capture the information they contain without you, the user, ever seeing anything! Issues like this put the lie to claims that browsers’ built-in password managers are inherently safer than third-party password manager apps that use browser extensions. (Password managers that use browser extensions are also superior in the sense that they let you use the same set of passwords across multiple browsers.)

    In any case, 1Password’s current design makes it immune to this type of problem, though it could potentially occur with apps such as LastPass or Dashlane if they’re configured to autofill and autosubmit credentials as soon as a page loads—something I recommend against (see the sidebar Four Autofill/Autosubmit Models).

Handle Security Questions

Earlier, in Understanding Security Questions and Reset Procedures, I talked about the security questions you may be prompted to fill in, and the various ways those are used. For all practical purposes, you should treat these as alternative passwords for each account—which means taking the same care in generating them and storing them.

When asked to supply the answer to a security question, there’s one rule: Lie. Never, ever type in your mother’s real maiden name, your third-favorite dessert in kindergarten, or your best friend’s pet’s name. The facts related to typical security questions are too easy for someone else to discover, and they weaken rather than strengthen your security.

Give answers that are not merely untrue but irrelevant. For example:

  • Smash a couple of unrelated words together. My favorite sports team? brandishedcontumely

  • Use your favorite password generator to create something random. My favorite teacher? MEk8^RL3{Xvu

  • Vent. The phone number I remember most from my childhood? I-refuse-to-engage-in-this-nonsense

A qualification I want to mention is that in some cases, you may have to answer security questions over the phone. If you do, you’ll find the answer easier to say (and easier for the person on the other end to understand) if it’s made of English words.

Store the question(s) and corresponding answer(s) in your password manager, preferably in the same record that holds the username and password for the service in question. This is essential because you’ll need to regurgitate them later, and you’ll no sooner remember these answers than you will the rest of your random passwords.

Unfortunately, your password manager may be unable to fill in the answers to your security questions, since a site may randomly choose any of several questions—and may do so only on occasion. I say more about this in Sites That Thwart Password Managers.

Manage Email Options

Another point I raised in Understanding Security Questions and Reset Procedures is that many sites send email to whichever address you’ve given them if you ever forget or need to reset your password—so that email account and its password should be given special protection. In many cases, you can’t distinguish between the email address the site uses for day-to-day communication with you and the address used for password resets, but sometimes you’re asked explicitly for a secondary email address to be used for security purposes.

The safest way to handle email addresses used mainly or solely for password resets is to set up a new email account—perhaps using Gmail or another free service. I don’t mean an alias pointing to your existing inbox, but a separate account with its own password and an address that you never share publicly. When a website or service asks for an address to use to verify your account or reset your password, use that new address. Keep its credentials handy so you can log in and check messages when needed, but don’t add it to your regular email client, where someone might gain access without needing a strong password.

If you choose instead to use your regular email account, take extra precautions with it:

  • Make sure your email password is strong, and that you use SSL to access the account securely on all your devices. If your email provider doesn’t offer SSL and you can’t switch to a better provider, at least make sure to use an encrypted authentication method—such as Kerberos version 5 (GSSAPI), NTLM, CRAM-MD5, or Apple Token—so your password can’t be sniffed while in transit.

  • If feasible, set all your devices to lock when not in use and require a strong password to unlock them.

  • If your account supports it—I’m thinking mainly of Gmail and iCloud here—use two-factor authentication or two-step verification. See Appendix A: Use Two-Factor Authentication for details.

Deal with Exceptions and Surprises

So far, the strategy I’ve outlined works well for most websites that use straightforward username-and-password authentication. But some sites, services, and resources that require passwords have unusual attributes that throw a wrench in the works. Let’s look at how to handle some of these.

Places Your Password Manager Can’t Reach

Most password managers can fill in forms on webpages, but you may have to enter passwords in other spots on a computer or mobile device that are inaccessible to your automated tools, such as:

  • System-wide preferences or settings

  • Individual apps that connect directly to online services

  • Websites that use basic access authentication (see Basic access authentication at Wikipedia) or digest access authentication (see Digest access authentication) instead of, or in addition to, form-based password entry

  • Local network file servers, which you connect to outside a web browser

  • Mobile apps that lack hooks into third-party password managers such as 1Password

  • Devices on which you can’t or don’t want to install a password manager

In most of these cases, the best (albeit clunky) solution is to copy the password from the password manager and paste it into the desired location—or, if that’s impossible, view it in the password manager and then type it manually. It’s not fun, but in my experience these situations occur seldom enough that copy-and-paste is not a hardship.

Limits on Password Length or Character Set

Suppose you’ve set up your password manager so that, by default, it generates 32-character random passwords containing all kinds of characters. Then you go to a website, click the button to create and fill in a new password, and get an error message, such as “maximum password length: 8 characters” or “invalid character.” In these cases, you’ll have to adjust your password manager’s settings and try again, and the end result may be a password that’s weaker than you prefer.

I’m sorry to say that these sorts of restrictions are all too common. There’s no excuse for imposing such limitations—the amount of effort and processing power needed to handle longer passwords and larger character sets is almost trivial. All the same, there’s nothing you can do except adhere to the requirements and write a polite note to the system administrator complaining about this insecure practice. (In your note, be sure to point out that you aren’t a mind reader and can’t know what the site’s password rules are unless they’re spelled out on the page.)

The reverse of this problem is also common. If you want to use a simple-but-strongish password like correct horse battery staple, you’ll have no luck with sites such as Apple’s, which mandates that all passwords include a number, an uppercase letter, and a lowercase letter—and no spaces.

A much worse problem, which I’ve seen more than a few times, is when a site accepts a password when you first sign up, but then rejects the same password later when you try to log in! The most common reason for this is that the code used to process passwords on logins chokes on special characters (such as quotation marks) that aren’t checked for when you select a password initially. Once again, there’s nothing for it but to change your password and then complain—whatever restrictions a site has, they should at least be internally consistent.
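To show what a site's restrictions cost in practice, here is an added Python example (not the book's or any password manager's code) that models a site's password rules as a policy, generates the strongest password the policy allows, checks a password against the policy the same way a consistent login form should, and reports how many bits of entropy the restriction throws away relative to a 32-character full-character-set default. The three policies and the character-class names are constructed for the example; the third mirrors the rule the text describes for Apple IDs (a digit, an uppercase letter, a lowercase letter, no spaces).

```python
import math
import secrets
import string
from dataclasses import dataclass
from typing import Optional

# Character classes a site may require (assumed names for this example).
CLASSES = {
    "upper": frozenset(string.ascii_uppercase),
    "lower": frozenset(string.ascii_lowercase),
    "digit": frozenset(string.digits),
    "punct": frozenset(string.punctuation),
}


@dataclass(frozen=True)
class PasswordPolicy:
    """A site's password rules: maximum length, accepted characters, required classes."""
    max_length: int
    allowed: str            # every character the site accepts
    required: tuple = ()    # names from CLASSES that must each appear at least once

    def __post_init__(self):
        # Reject policies that can never be satisfied; otherwise generate() would loop forever.
        unknown = set(self.required) - CLASSES.keys()
        if unknown:
            raise ValueError(f"unknown character class(es): {sorted(unknown)}")
        for cls in self.required:
            if not CLASSES[cls] & set(self.allowed):
                raise ValueError(f"policy requires {cls!r} but allows none of those characters")
        if len(self.required) > self.max_length:
            raise ValueError("more required classes than characters")


# Constructed policies: the default you would prefer, a legacy 8-character
# alphanumeric limit, and a mixed-case-plus-digit rule with no spaces.
PREFERRED = PasswordPolicy(32, string.ascii_letters + string.digits + string.punctuation)
LEGACY_8_ALNUM = PasswordPolicy(8, string.ascii_letters + string.digits)
MIXED_CASE_DIGIT = PasswordPolicy(32, string.ascii_letters + string.digits + string.punctuation,
                                  ("upper", "lower", "digit"))


def satisfies(policy: PasswordPolicy, password: str) -> bool:
    """True if the password would be accepted under the policy (use the same check at signup and login)."""
    if not 0 < len(password) <= policy.max_length:
        return False
    if any(ch not in policy.allowed for ch in password):
        return False
    return all(any(ch in CLASSES[cls] for ch in password) for cls in policy.required)


def generate(policy: PasswordPolicy, length: Optional[int] = None) -> str:
    """Longest password the site accepts, drawn uniformly from its allowed set.

    Rejection sampling enforces the required classes without fixing any
    character to a known position, which would leak structure to an attacker.
    """
    length = policy.max_length if length is None else min(length, policy.max_length)
    if length < len(policy.required):
        raise ValueError("length too short for the required classes")
    while True:
        candidate = "".join(secrets.choice(policy.allowed) for _ in range(length))
        if satisfies(policy, candidate):
            return candidate


def max_entropy_bits(policy: PasswordPolicy) -> float:
    """Upper bound on the entropy the policy permits (required classes shave a little off)."""
    return policy.max_length * math.log2(len(set(policy.allowed)))


def entropy_lost(policy: PasswordPolicy, baseline: PasswordPolicy = PREFERRED) -> float:
    """Bits a restrictive policy costs relative to the password you would otherwise have used."""
    return max_entropy_bits(baseline) - max_entropy_bits(policy)


if __name__ == "__main__":
    for name, policy in [("preferred", PREFERRED), ("legacy 8 alnum", LEGACY_8_ALNUM),
                         ("mixed case + digit", MIXED_CASE_DIGIT)]:
        pw = generate(policy)
        print(f"{name:20s} {pw!r:36s} max {max_entropy_bits(policy):6.1f} bits, "
              f"lost {entropy_lost(policy):6.1f}")
```

An 8-character alphanumeric limit caps the password at about 48 bits, well over 160 bits short of the 32-character default; this is the arithmetic behind the complaint that such limits have no excuse. Using a single `satisfies` function for both account creation and login is also the fix for the "accepted at signup, rejected at login" problem described above: a site that validates with two different routines will eventually disagree with itself.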

Devices Without Full Keyboards

It’s not particularly hard to enter the password MEk8^RL3{Xvu on a Mac or PC. But typing that on an iPhone keyboard? Ick. It takes no fewer than six keyboard changes, not counting the characters themselves (or the Shift key for the uppercase letters). And how about entering that password on an older Apple TV or other set-top box with nothing more than a D-pad remote control? I hope you weren’t in a hurry to watch a show, because it’ll take a while. And you’d better enter that password carefully—if you make a mistake you’ll have to start over from scratch!

Of course, you’ll have a password manager app on your iPhone or other mobile device, but every once in a while you may have to enter a password in an environment in which not only autofill but even copy-and-paste is disallowed. Unfortunately, you may not be able to predict which passwords will require that treatment. But if you know you’ll be entering a password on a device without a full keyboard, you’ll have a vastly easier time doing so if you limit the number of times you must switch the virtual keyboard layout. (This is another argument for correct horse battery staple-type passwords, which require no keyboard switches, although unfortunately in many cases, including Apple ID passwords, you’re obligated to include at least one uppercase character and one digit.)
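Here is an added Python example (not from the book) that counts the keyboard-layout switches a password needs on a phone, so you can compare candidates before committing one to memory. The layouts are an assumption: a three-layout model (letters, numbers with common punctuation, and the remaining symbols) approximating the English iPhone keyboard, whose exact arrangement varies by iOS version and locale. Shift presses for uppercase letters are not counted, matching the tally in the text.

```python
import string

# Approximate iPhone layouts (assumption for this example; real layouts differ
# by iOS version and locale, but the three-layout structure is what matters).
ABC_LAYOUT = frozenset(string.ascii_letters)
NUM_LAYOUT = frozenset(string.digits + "-/:;()$&@\".,?!'")
SYM_LAYOUT = frozenset("[]{}#%^*+=_\\|~<>")
ON_EVERY_LAYOUT = frozenset(" ")  # the space bar is present on all three


def layout_of(ch: str):
    """Name of the layout that shows `ch`, or None if every layout has it."""
    if ch in ON_EVERY_LAYOUT:
        return None
    if ch in ABC_LAYOUT:
        return "ABC"
    if ch in NUM_LAYOUT:
        return "123"
    if ch in SYM_LAYOUT:
        return "#+="
    raise ValueError(f"no layout known for {ch!r}")


def count_layout_switches(password: str) -> int:
    """Layout changes needed to type `password`, starting on the letter layout.

    Shift presses for uppercase letters are not counted.
    """
    switches = 0
    current = "ABC"
    for ch in password:
        layout = layout_of(ch)
        if layout is not None and layout != current:
            switches += 1
            current = layout
    return switches


def rank_by_typing_cost(candidates):
    """Order candidate passwords from fewest to most layout switches, then by length."""
    return sorted(candidates, key=lambda pw: (count_layout_switches(pw), len(pw)))


if __name__ == "__main__":
    # Constructed candidates, including the one discussed in the text.
    for pw in rank_by_typing_cost(["MEk8^RL3{Xvu", "Correct1horse",
                                   "correct horse battery staple"]):
        print(f"{count_layout_switches(pw):2d} switches  {pw}")
```

For `MEk8^RL3{Xvu` the count comes out at six, as the text says, while a passphrase of lowercase words needs none. When a site forces a digit and an uppercase letter into a passphrase, the count shows why putting them in a single run (rather than scattering them) keeps the typing cost low.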

Sites That Thwart Password Managers

The last category of exceptions and surprises I want to mention is websites that—thanks to measures intended to prevent automated attacks or improve security for the unenlightened masses without good password strategies—make life more difficult for us evolved beings who have excellent passwords stored in equally excellent password managers. The most common offenders are financial institutions.

Here are some of the problems I’ve encountered:

  • Multi-step logins: Password managers are designed for the standard situation in which a single login page displays both username and password fields. But some sites, including Apple’s icloud.com, separate these into two pages (or even more, adding an email address or other item to be entered), each of which must be submitted separately. Although password managers can usually handle these correctly, in rare cases, this arrangement may require you to create multiple entries in your password manager and manually choose the correct one for each portion of the login process.

  • Rotating security questions: A special instance of multi-step logins, some sites ask you a security question every time you log in—but a different question each time. Filling these in automatically is almost out of the question, generally forcing you to look up the question of the day, copy the answer, and paste it in.

  • Paste prohibitions: To make things even more frustrating, some sites prevent you from pasting anything into the password field. This may interfere with your password manager’s autofill feature. In a few obnoxious cases, even choosing Edit > Paste (or right-clicking/Control-clicking and choosing Paste from the contextual menu) won’t work, forcing you to manually type your password.

  • Grids: Some banks, such as the one I used while living in France, have ordinary fill-in fields for your account number or username, but then display a grid (Figure 1) on which you must laboriously tap a numeric password. Because the positions of the numbers are different each time the page is loaded, there’s no way for an automated cracking system—or your password manager—to know how to click the right sequence; you must always do it manually.

    Figure 1: To log in to your account at a certain French bank (and many U.S. banks), you must click an ever-changing sequence of squares on a grid to enter your numeric password.

    An especially pernicious variant is used by Free Mobile, the mobile carrier I had in France. Their website has a conventional password field but forces customers to use one of these randomly ordered grids (Figure 2) to enter their phone number—a string that is often public (and that most people will freely tell you if you ask them). I have no idea how that keeps accounts more secure, but it sure makes logging in more irritating.

    Figure 2: This is truly irritating: on the Free Mobile site, your password manager can fill in your password, but you must laboriously click or tap your phone number.

Other than creating multiple password entries for a single site (which helps with some of these problems), I have no solutions. (Remember how I said I can probably help you solve 98% of your password problems? This is part of the other 2%.) We can only hope that the good people who develop password managers will talk to the equally good people who protect your money and find clever ways to address these problems in the future.
