Understand Password Security

To use 1Password effectively, you should know a few basics about what makes passwords more or less secure. This information will help you choose a good master password (which protects all your other passwords) and make smart decisions about using 1Password’s password generator.

If you’ve already read my book Take Control of Your Passwords, which discusses password security in detail, you can skip this chapter. If not, read on for a brief overview of the major points you need to know when choosing passwords.

Learn Password Security Basics

The whole idea of a password is that it’s private—something known only to you and to the entity with which you have an account (a bank, website, cloud service, etc.). If someone else learns your password, that person can access your data, which could mean stealing your money, impersonating you online, taking over your computer, and worse. So, your main goal when picking a password should be to select one that won’t be guessed.

Most people think of “guessing” as a strictly human activity. For example, a friend or colleague might guess that your password is the name of your dog, your anniversary, or your favorite ice cream flavor, and that’s why you should never use words, names, or numbers someone might associate with you as passwords.

However, most of the time it’s not people doing the guessing directly, but rather computers. A friend might never guess poiuytrewq as a password, but it would be among the first guesses by a program designed to crack passwords, because that string follows a pattern (in this case, a keyboard pattern). Cracking software is great at identifying the patterns people commonly use to help them remember passwords, including patterns based on words, names, numbers, and shapes, not to mention substituting numbers for similar-looking letters (3 for E, 4 for A, and so on).

Now, suppose one of your passwords is guessed, leaked, stolen, or hacked. That’s bad news, but it becomes much worse if you used the same password in lots of different places. For example, hackers probably don’t care about your Facebook password as such, but they’d still love to know what it is, on the theory that you use the same one for your email account, bank accounts, PayPal, and other services that they could then access instantly. And that’s exactly what hackers do—they immediately try stolen passwords on lots of different sites. The moral of the story is that you should never reuse passwords in more than one place. Make every one unique!

Even if you choose a unique, random password—a meaningless string of letters, numbers, and symbols—you’re not necessarily safe. I know of cracking systems based on ordinary, off-the-shelf computer hardware that can try every single possible password of up to 8 characters in just a few hours. This is called a brute-force attack, and it’s guaranteed to succeed eventually. The only way to defeat a brute-force attack is to make every password so complex that “eventually” is longer than the attacker can afford to spend trying.

Fortunately, that’s easier than it sounds. Cryptographers use the term entropy to mean a mathematical approximation of how strong a password is—that is, how well it can resist guessing. It turns out that you can increase a password’s entropy, thereby increasing the average time it would take for a brute-force search to crack it, in any of three ways:

  • Make it longer. Every character you add to a password exponentially increases the number of possible passwords that must be checked. For example, if each character in a password can be one of 52 possible choices (upper- and lowercase letters), then an 8-character password has about 53 trillion (52^8) possible combinations. Add just one character, and the number of combinations jumps to almost 2.8 quadrillion (52^9).

  • Use a broader range of characters. The example above used only alphabetic characters—26 lowercase and 26 uppercase. If you add 10 digits and the 33 punctuation characters on a standard U.S. keyboard, you get a total of 95 characters in each slot. That means the number of possibilities for an 8-character password jumps to more than 6 quadrillion (95^8), and for a 9-character password, it’s over 630 quadrillion (95^9). So, simply by including upper- and lowercase letters, digits, and symbols in your password, you can massively increase its entropy without making it longer.

  • Make it random. Even in a brute-force search, patterns are checked first. So ABCdef123!@# still isn’t a great password. Even though it’s 12 characters long and contains all the different character sets I mentioned, its entropy is still fairly low because it follows an obvious pattern. Random combinations will be checked later, which increases their entropy. I should add that “random-looking” isn’t the same as random. Humans are terrible at picking truly random passwords, so that’s a task better left to computer programs (such as 1Password).

You can use these methods individually or in combination. For example, if your password contains only English words in lowercase alphabetic characters but is adequately long, it can have just as much entropy as a shorter, random password. (That’s basically the point of the wonderful and now famous Password Strength comic from XKCD—although given the ways password cracking has improved in recent years, I recommend a longer password than correct horse battery staple. To learn about 1Password’s method for creating passwords of this type, see Memorable Password.) But the highest-entropy passwords use a combination of all three factors.

A number of people have asked me why it’s important to have high-entropy passwords that can resist billions of guesses per second when most websites, apps, and local computer accounts take more than a second to process a single login—and many lock you out after only a few incorrect attempts.

The answer is that most successful password cracking attempts don’t go through the “front door,” as it were. Instead, an attacker gains access to a file containing encrypted passwords (for example, by stealing a company laptop or by hacking into a network), and then uses cracking software to decrypt those passwords directly—bypassing the security features that would normally slow them down. This is known as an offline attack. And it’s exactly that sort of attack that could be used to guess your 1Password master password if anyone were to obtain that file. That’s why your master password should be especially strong!

Understand Optimal Password Length

How long should your passwords be? There’s no simple answer. I can say unequivocally that all your passwords should have more than nine characters (assuming that longer passwords are permitted). Beyond that, I could throw out some arbitrary number, such as 16 random characters, but even that might be far too short if it’s used on a system with a weak encryption algorithm, yet it would be too long for a site that restricts passwords to a maximum of 10 characters. Aiming for a certain level of entropy (which is measured in bits) is slightly better—75 bits might be a good target—but even then, it depends on the context.
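To make the arithmetic in this chapter concrete, here is an added Python example (not code from the book or from 1Password) that reproduces the keyspace figures given above, converts them to bits of entropy, estimates the average time for an offline brute-force search at an assumed guess rate, and works out how long a password must be to reach the 75-bit target. The 2,048-word list size used for the passphrase case and the rate of 1 billion guesses per second are assumptions for illustration only.

```python
import math

# Character-set sizes from the chapter: letters only, letters plus digits,
# and the 95 printable characters on a standard U.S. keyboard.
LETTERS = 26 + 26
LETTERS_DIGITS = LETTERS + 10
PRINTABLE = LETTERS_DIGITS + 33

# Assumed word-list size for a "correct horse battery staple" style
# passphrase (2**11 words, so 11 bits per word). Not from the book.
ASSUMED_WORDLIST = 2048

# Assumed offline guess rate (1 billion per second), for illustration only.
ASSUMED_GUESSES_PER_SECOND = 1_000_000_000


def keyspace(symbols: int, length: int) -> int:
    """Number of distinct passwords when each of `length` positions is
    drawn uniformly from `symbols` choices (e.g. 52**8 for 8 letters)."""
    return symbols ** length


def entropy_bits(symbols: int, length: int) -> float:
    """Entropy of a uniformly random password: length * log2(symbols).
    A word drawn from a list counts as one symbol, so the same formula
    covers passphrases. A patterned string such as ABCdef123!@# gets no
    credit here: the formula only applies when every position is random."""
    return length * math.log2(symbols)


def average_crack_seconds(symbols: int, length: int,
                          guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Mean time for an offline brute-force search, which on average
    must try half the keyspace before hitting the right password."""
    return keyspace(symbols, length) / 2 / guesses_per_second


def length_for_bits(symbols: int, target_bits: float) -> int:
    """Smallest length whose entropy meets `target_bits`
    (e.g. the chapter's suggested 75-bit target)."""
    return math.ceil(target_bits / math.log2(symbols))


if __name__ == "__main__":
    for symbols, length in [(LETTERS, 8), (LETTERS, 9), (PRINTABLE, 8), (PRINTABLE, 9)]:
        print(f"{symbols:>4} symbols x {length} chars: {keyspace(symbols, length):,} "
              f"= {entropy_bits(symbols, length):.1f} bits, "
              f"~{average_crack_seconds(symbols, length) / 86400:.1f} days at assumed rate")
    print("4 random words from an assumed 2048-word list:",
          entropy_bits(ASSUMED_WORDLIST, 4), "bits")
    for symbols in (PRINTABLE, LETTERS, ASSUMED_WORDLIST):
        print(f"75 bits needs {length_for_bits(symbols, 75)} symbols drawn from {symbols}")
```

Running it shows why the chapter's 12–14 random printable characters (about 79–92 bits) clears the 75-bit target, while the same target needs 14 letters-only characters or 7 random words.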

Instead, let me make a few broad recommendations:

  • For passwords that 1Password will always enter for you—especially web logins—you have nothing to lose and everything to gain by using the built-in password generator to make them as long, complex, and random as the site permits.

    However, every website has its own set of rules for passwords. There are varying length restrictions. One website may forbid punctuation while another requires it; one may limit special characters to @, #, and $ while another accepts only _, +, or *. Some sites require upper- and lowercase letters and digits, making a long phrase (such as correct horse battery staple) a nonstarter, even if it has high entropy. Therefore, although you may choose highly secure default settings, you’ll have to vary them as needed.

  • For some passwords, you may encounter situations where neither autofill nor copy-and-paste is possible. I’m thinking, for example, of entering a Netflix or Amazon password on your TV using a remote control, or a Wi-Fi password on your printer. An additional disadvantage in these cases may be not having a full keyboard.

    When choosing such passwords, the “as long, complex, and random as possible” rule works against you. Stick with something of a more modest length, such as 12–14 characters. And even if you start with a random password, you may want to rearrange the characters slightly to limit the number of times you have to switch onscreen keyboards (for example, a device might put all the lowercase letters on one screen, the uppercase letters on a second, and digits plus punctuation on a third).

  • Your 1Password master password must be strong because it protects all your other passwords. And yet, you’ll have to type it frequently—and sometimes on the tiny virtual keyboard of a mobile device. So a 50-character random password would probably drive you to distraction. If you choose a random password with all the major character types, 12–14 characters is a reasonable compromise. After all, the longer a random password is, the harder it is to memorize, and you do not want to forget this password!

    If you want a password that’s more memorable and easier to type, compensate for the lower entropy by making it considerably longer, such as using a complete (and preferably nonsensical) sentence, as I suggested in Choose a Master Password.

Password Dos and Don’ts

No matter how great your password is, it’s not secure at all if it’s posted in public view. That’s obvious, I hope, but I’ve seen lots of unsafe password practices. Here are my personal dos and don’ts for better password security.

Do:
  • Choose a particularly strong password for your email accounts. Email passwords are crucial because if you click a “lost password” link, a hint or reset instructions will typically be sent to your email address. So, someone who guessed your email account’s password could use it to learn or change many of your other passwords, too.

  • Use two-factor authentication where possible. Two-factor authentication, or a related technique known as two-step verification, requires not just a password (one factor) when you log in but another factor too—often a code that’s sent to your mobile phone as a text message, generated by a mobile app (which can often be 1Password—see One-Time Passwords), or displayed on a device called a secure token. That way, someone who knows your password but can’t access the second factor would be unable to log in to your account. It’s a small inconvenience in exchange for significantly improved security.

  • Write down your 1Password master password. Wait, what? Seriously? Yes, seriously. I suggest you write down your master password—and keep it in a safe, private place—for two reasons. First, it protects you in case you forget your password. The likelihood of forgetting will decrease over time, but during the first few days it’s a significant concern. Second, it could enable a spouse, employer, or other trusted person to access your passwords in an emergency. (So, don’t forget to tell that person where your password is and what to do with it if the need should arise!)

Don’t:
  • Reuse passwords. As I mentioned earlier, making each password unique limits the potential damage if one of your passwords should be guessed or stolen.

  • Post passwords in plain view. Get rid of your sticky notes and cheat sheets—you don’t need them anymore! In fact, the only passwords you should have to write down at all are your master password and any others that must be entered without the help of 1Password (such as your computer’s login password).

  • Keep using old, weak passwords. Once you have 1Password up and running, change any passwords you previously created that are too short or simple to resist cracking. I explain how to do this in Update Old Passwords.

  • Worry about relying on 1Password. It can be scary at first to let 1Password create and store long, complex, random passwords for you without tracking them separately, especially if you were in the habit of writing them all down or storing them in a text file or spreadsheet. But I assure you that your passwords are far safer in 1Password. Over the years, I’ve used 1Password to create hundreds of random passwords that I never even glanced at, and I’ve never lost one.

Passkeys, WebAuthn, and the Passwordless Future

You may have heard about a new technology called passkeys that promises to replace passwords, using a different method to authenticate you that’s both more convenient and more secure. And you may be wondering whether passkeys are about to make 1Password obsolete. Let me fill you in briefly on the details, as things stand in mid-2023.

Over the years, numerous apps and technologies have promised to “kill the password,” but we all still have just as many passwords as we did before—and we add new ones all the time. Even though 1Password and other password managers can dramatically reduce the pain of password management, what everyone wants is a magical future in which we never have to mess with passwords at all, yet are still secure.

We may finally be on the cusp of that seemingly impossible future, but with a number of qualifications.

A technology called WebAuthn, in the works since 2016 and published as a standard in 2019, provides a framework that websites, apps, and browsers can use to authenticate users without passwords ever being created, stored, or entered. WebAuthn also promises greater security, including resistance to hacking and theft—and it achieves this security without the use of an additional authentication factor (such as a one-time password). So, not only passwords but also those annoying extra steps (and their associated time cost) should disappear.

In fact, WebAuthn has already been in use on a number of sites for years, but until recently it required the use of a hardware key (such as a YubiKey device). What has changed recently is that Apple, Google, Microsoft, and other companies have begun integrating WebAuthn support into their products in such a way that you can use it without any extra devices—you can use biometrics or enter your device password/passcode to prove you are who you claim to be and log yourself in to the sites in question.

This new implementation of WebAuthn is called passkeys (see Why Passkeys Will Be Simpler and More Secure Than Passwords at TidBITS). It’s already built into a number of operating systems (including iOS 16/iPadOS 16 and later, macOS 13 Ventura and later, Windows 10 and 11, ChromeOS, and Android 9 or later), plus recent versions of Google Chrome and other Chromium-based browsers.

I go into considerable detail about how passkeys work—as well as their quirks and limitations—in my book Take Control of Your Passwords. But, for our current purposes, the important thing to know is that, as of mid-2023, passkeys saved within Apple’s ecosystem sync only to other Apple devices (and are unavailable to third-party browsers on those devices); passkeys saved in Chrome, Chromium-based browsers, ChromeOS, or Android sync via Google Password Manager but only within Google’s ecosystem; and passkeys saved in Windows sync only to other Windows devices.

It’s awkward in some cases, and impossible in others, to cross those boundaries. If you’ve saved a passkey using Safari on your iPhone, and you try to log in to a site using Chrome on your Mac, you can click a link that displays a QR code on your Mac’s screen, and then scan that code with your iPhone to log in. Better than nothing, but not exactly smooth. But if you want to export passkeys from one ecosystem and import them into another (much less keep them in sync across ecosystems), you can’t yet, because the infrastructure to do so isn’t available.

But help is on the way, courtesy of 1Password. As of publication time (late June 2023), beta versions of 1Password support passkeys! Because your 1Password data can sync across all your devices, operating systems, and browsers, as long as you use 1Password to save your passkeys, you can avoid all the hassles and drama of using the solutions offered by the various operating systems and browsers.

If you’d like to try this out now, you’ll need the beta version of any relevant browser extensions (and, ideally, the beta version of the 1Password app too—see Advanced Settings for how to set the release channel to beta); you must also turn on “Offer to save and sign in with passkeys” (see Configure Browser Extension Settings). For complete instructions, see the AgileBits article Save and sign in with passkeys in your browser (beta). I don’t provide more details in this version of the book because the feature is still in beta; support for passkeys on public websites is still quite limited, as I explain ahead; and in any case, the process is nearly identical to what I described earlier (Learn How Logins Work)—it’s just that instead of storing and filling a password, 1Password stores your passkey and uses it to authenticate you. But if you see a prompt to save a passkey in 1Password, by all means do so! You’ll be glad you did.

And it gets even better. In the future, you’ll be able to use a passkey, rather than a password, to unlock 1Password itself—turning it, effectively, into NoPassword! AgileBits previews this upcoming feature in their blog post Goodbye, passwords.

You have every reason to be optimistic about this more secure, more convenient future. But before you make plans to bid a final farewell to all your passwords (and perhaps even 1Password itself), consider this:

  • Site support will take time. Every single website that currently uses passwords will require nontrivial programming work, and in some cases significant design changes, to support WebAuthn. This won’t happen overnight or even in a year or two. I can confidently predict that a decade from now, millions of websites will still depend on passwords.

  • Passwords will still have a purpose. Even if a site adds support for WebAuthn, it must still also support passwords if it wants to be accessible to people using older devices and operating systems that can’t use WebAuthn. Passwords can also be useful as a secondary means of access—for example, by a person whose devices are all lost, stolen, or damaged.

  • 1Password does other things, too. Even if you could replace 100% of your passwords with passkeys and the capability to sync across platforms and browsers wasn’t useful to you, you might still want to use 1Password to store other secrets, such as credit card numbers, software license keys, and secure notes.
