Making strong passwords is important and will remain so for at least the next several years. Currently, biometric identification and some other forms of authentication are usually either major sacrifices to privacy and/or security and therefore quite flawed. Police in the U.S. can (under recent court rulings) legally force someone to unlock a device locked with their fingerprint, but they cannot force someone to reveal their password, for example.
There are several ways to create stronger passwords, and before describing them it’s useful to understand what actually makes a password strong.
Passwords are strong primarily according to how random they are, which is measured in bits of entropy. Stronger passwords therefore have more bits of entropy, but the problem for humans is that they aren’t good at producing genuine randomness on their own.
The Diceware Method
What’s referred to as the Diceware method is a viable way to make strong passwords though. The process is simple: Use a competent pre-selected word list designed to maximize randomness — such as the one from the Diceware site or the one that the EFF maintains — and roll some physical dice. The numbers rolled on the dice should correspond to the numbers on the word lists in order to decide which of them to use.
Rolling 36362 corresponds to the word levy on the Diceware site’s word list and it corresponds to the word lustily on the longer EFF word list, for example. For a strong password, this process should be repeated at minimum six or seven times so that six or seven words are gathered.
So one example could be lustily able jot playmaker those control astute from the EFF word list. This is a strong password and it could even be made somewhat stronger by placing a space between each of the words, but it’s strong enough if they’re bunched together too. It’s an example of one that should be arrived at by rolling physical dice, and the reason for using those is that the act of rolling the dice actually generates entropy, more entropy than what a human would have in merely selecting the words off the list.
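To make the dice-to-word procedure above concrete, here is an added example (not code from the Diceware or EFF projects) that parses a word list in the tab-separated “five-digit key, word” layout those lists use, looks up rolls, and computes the entropy a passphrase of n words carries. Only the 36362 → lustily entry is from the page; the other keys in the sample list are placeholders, and the word list is a constructed seven-line excerpt rather than a full 7776-entry list.

```python
import math
import secrets

# Constructed sample in the tab-separated layout of the EFF/Diceware lists.
# Only 36362 -> lustily matches the page; the remaining keys are placeholders.
SAMPLE_LIST = """\
36362\tlustily
11111\table
22222\tjot
33333\tplaymaker
44444\tthose
55555\tcontrol
66666\tastute
"""

DICE_PER_WORD = 5
LIST_SIZE = 6 ** DICE_PER_WORD  # a full list has 7776 entries


def parse_wordlist(text):
    """Map each five-digit dice key (digits 1-6 only) to its word."""
    table = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, word = line.split()
        if len(key) != DICE_PER_WORD or any(c not in "123456" for c in key):
            raise ValueError(f"bad dice key: {key!r}")
        table[key] = word
    return table


def roll_key():
    """Roll five dice with the OS CSPRNG, the software stand-in for physical dice."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(DICE_PER_WORD))


def words_from_rolls(rolls, table):
    """Look up each roll; a KeyError means the roll or the list is wrong."""
    return [table[r] for r in rolls]


def entropy_bits(num_words, list_size=LIST_SIZE):
    """Each word drawn uniformly from the list contributes log2(list_size) bits."""
    return num_words * math.log2(list_size)


if __name__ == "__main__":
    table = parse_wordlist(SAMPLE_LIST)
    rolls = ["36362", "11111", "22222", "33333", "44444", "55555", "66666"]
    print(" ".join(words_from_rolls(rolls, table)))
    print(f"{entropy_bits(len(rolls)):.1f} bits")  # ~90.5 bits for seven words
```

With a full list, seven words give about 90 bits and six give about 78, which is where the article’s “six or seven words at minimum” guidance comes from.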
The password generated above is also a unique password, and the unique element complements the strength element of the Diceware method. When there’s a data breach, the passwords of user accounts are often stolen, and when they’re stolen the passwords are often stored or sold by malicious adversaries. Storing those passwords like that allows for the possibility of targeting users who make the mistake of reusing passwords between sites, which of course creates vulnerabilities that users must be cautious about.
There’s also now a website that generates Diceware-type passwords, and it looks legitimate, but I still recommend people roll physical dice when possible instead. Additionally, software such as the generators built into password managers can also produce strong passwords, and although those may be fine too, I still recommend physically rolling real dice.
Password Best Practices
There’s a variety of incorrect password advice floating around, such as the myth that passwords need to be changed every 90 days or so for better security. In reality, there’s no need to change passwords every 90 days or even every year as long as they’re strong and the user has no reason to believe they’ve been compromised. The data actually shows that forcing people to change passwords every 90 days leads to worse password outcomes than simply leaving the passwords the same.
It’s also fine to keep passwords written down somewhere as long as they’re in a secure location. Relying on memory alone for keeping passwords can cause serious problems if the password memory is lost and an important account or file is no longer able to be opened. With the state of computer security today, it may actually be superior to have passwords written down instead of stored on computer systems. Someone should also always be especially careful about typing sensitive passwords on computers that aren’t theirs — an unsafe computer could easily contain a keylogger that leads to their compromise.
And beyond the recommended advice of avoiding the use of the same passwords between sites, it should also be noted that saving passwords in a web browser is a potentially unwise gamble. Browsers often contain sandboxing security features these days and are therefore better than they used to be, but since they have their own share of vulnerabilities, I would at least recommend against saving the most important passwords in browsers. A stolen computer with an unlocked web browser containing valuable passwords is an easy compromise. It should be obvious that the added convenience sometimes isn’t worth the added risk.
Summary and Notes
Use of the Diceware method is thus a viable way to create strong passwords in a world of regular data breaches and often inadequate computer security systems. It can take mere seconds for an attacker to brute-force a typical password, and recent research shows that even basic password guidance can have significant benefits in light of this, which makes teaching others to create stronger passwords all the more important.
Users who do not face high threat models (sophisticated adversaries such as elite government agencies and large corporations) should also consider using password managers. Password managers are software that store other passwords behind one strong master password, and while I am personally ambivalent about them, I recognize that they can be helpful for many users. The saying about having all of one’s eggs in one basket, along with individual concerns, should be considered, however.
Also, really strong security practices often require more than passwords. Use of good two-factor authentication can significantly amplify security.
In the interest of avoiding much technical jargon and potentially complicated mathematics, this article was simplified to enhance the clarity of the basic ideas. For the skeptical users questioning the authenticity of this article’s claims, I have provided extensive hyperlinks here that reveal the sources and data used. Digital security is important and can be tricky, and so good users should proceed with caution.