Only you can decide if you have a problem with passwords. But, questionnaires are fun, so here you go:
How many of the following statements are true for you?
- One or more of the passwords that I use has both a year and an exclamation point in it.
- My passwords are stored in multiple places.
- I have had to contact customer support about a forgotten password in the last year.
- I use the same password on more than ten accounts.
- One or more of my accounts has been hacked in the last seven years.
- One or more passwords I use has the name of the service I’m logging into in the password itself.
- My email (which can reset the login for my bank account) has what I know is not a great password.
- I don’t know what a great password is.
- I do know what a great password is, but my understanding is based on something I heard somewhere seven or more years ago.
- I’ve had to contact acquaintances and ask them not to wire emergency funds.
- Some of my passwords haven’t been changed in years. I know because the year I set my password is in the password.
- I know what makes a great password, I know there are systems available to store and sync them, but I have answered yes to any of the previous questions.
If you agreed with…
- none of the statements above, you might not have a problem with passwords.
- one to twelve of the statements above, you have a problem with passwords.
It might not be hurting yet, but like any unmanageable problem, once it does, it really does. Consequences could include ad-riddled websites, drained bank accounts, creepy social media activity, and identity fraud. It’s not just that malicious teenage hackers are trying to target you in particular; it’s also that there are legions of merciless bots trolling the internet for unsuspecting targets for malware and ransomware.
Yikes! Are you awakened, but daunted? Could you just change one bad password? Maybe start with something important: think of the email address you use to log into all your overseas bank accounts—the email address that, if I broke into it, would give me access to basically any service I could think of. If you do anything after reading this, change that password today. Gosh, stop reading this and just go do it!
Wait! Don’t go quite yet. Can we talk about what you’re going to change it to? Are you going to just change the last five characters of the password (which are currently 2015!) to 2022!? And then are you going to save that password in an unencrypted Google Doc? Are you going to scribble it on the legal pad in the kitchen drawer?
Before you do those things, I want you to know how to approach making a good password, and how to store passwords well. Both of these things might take experimentation on your end. But let’s start with crafting a good password first.
1. This post is intended for entertainment purposes only. I’m a designer, not a medical doctor!
2. The tips in this post are already obsolete. See Question 9 above.
3. Sharing your answers to the above questionnaire might not be the safest way to publicly engage with this content.
Making Good Passwords
You’ve probably heard these rules before:
- don’t reuse passwords or parts of passwords
- don’t use your dog’s name in a password
- don’t use the name of the service in the password
- don’t use anything meaningful to you in any way in a password
- don’t send passwords to people unencrypted
Your best bet is often to just surrender to whatever your password management system suggests. Sometimes, and especially for passwords you’re expected to remember, a passphrase is the way to go. Our client Nina Lanza, PI of the ChemCam instrument on the Mars Curiosity rover, introduced me to four-word passwords. They’re the best thing ever. (Read this cartoon from xkcd.) Here’s why they’re great:
- they’re easy to memorize
- they’re as secure as j$-28f~`LM(c sorts of passwords
- they’re easy to communicate
- they’re delightful
A word of warning—the four words have to be truly random (not thought up by us) in order to work. Fortunately, there are a bunch of randomized passphrase generators out there.
I like to cycle through useapassphrase.com until I find one that feels like I could make up a story about it. (And yes, I know that hurts the randomness factor, but we’re all about harm reduction versus perfection here.) For example, “folic compacter mauve grafting” doesn’t speak to me—but “crisply fantastic banister wreckage” most certainly does. I immediately see an image. I don’t know what it means, but I see it.
Four-word passwords won’t always work.
Let’s say your four, truly random words are:
ornery cactus unwitting opal
Some platforms require special characters, or don’t allow spaces. Some will reject four words as too many, and you’ll have to use three. Or in some ridiculous cases, the upper limit only allows for two words, in which case you’re better off using your browser’s standard password generator.
You could type your new password in with the spaces—or, you could remove them:
What if the website demands a number and a capital letter and a symbol? Because the four words are relatively secure and have likely never been uttered together in human history, you could have a few reusable character strings in your repertoire that satisfy most websites’ requirements.
For example, let’s say you were born in New York, and your area code is 212. You could inject NY212! at the end of every four-word password where the special characters were required.
You could have several passwords like this:
ornery cactus unwitting opal NY212!
blizzard handsaw reheat gown NY212!
compacted rice twiddle said NY212!
And so on. Someone could guess NY212! on its own, but they’d have no way of deducing it had anything to do with succulents or gemstones. (Unless, of course, you use one of the passwords published in this blog post. Please don’t do that.)
Please don’t use NY212! or something like it on anything less secure than a four-word password.
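As an added illustration (not code from the original post), here is a small Python generator that does what the passphrase and NY212! sections above describe: it picks the words with the operating system's cryptographic random source rather than by hand, drops the spaces for sites that reject them, appends a reusable suffix where a number, capital and symbol are demanded, and reports the entropy of the result so you can compare a four-word passphrase against a random-character password. The word list and the policy checker are constructed assumptions; a real generator would load a list of several thousand words.

```python
import math
import secrets

# Constructed sample list for illustration only. A real generator would load a
# few thousand words (the EFF large list has 7776); the entropy figures below
# assume every word in the list is equally likely to be chosen.
WORDS = ["ornery", "cactus", "unwitting", "opal", "blizzard", "handsaw",
         "reheat", "gown", "compacted", "rice", "twiddle", "said", "crisply",
         "fantastic", "banister", "wreckage", "folic", "mauve", "grafting"]


def passphrase(words=WORDS, count=4, separator=" ", suffix=""):
    """Pick `count` words with the OS CSPRNG (secrets, never random.choice,
    and never a human) and join them. separator="" suits sites that reject
    spaces; a suffix such as "NY212!" supplies the digit/capital/symbol that
    lowercase words cannot."""
    picked = [secrets.choice(words) for _ in range(count)]
    return separator.join(picked) + suffix


def entropy_bits(choices, count):
    """Entropy of `count` independent uniform picks from `choices` options:
    log2(choices ** count). A suffix reused across passwords adds nothing."""
    return count * math.log2(choices)


def meets_policy(pw, min_len=12, allow_spaces=True):
    """Assumed complexity policy: length, a digit, a capital, a symbol, and
    optionally no spaces. Real sites vary; this mirrors the post's examples."""
    rules = [
        len(pw) >= min_len,
        any(c.isdigit() for c in pw),
        any(c.isupper() for c in pw),
        any(not c.isalnum() and not c.isspace() for c in pw),
    ]
    if not allow_spaces:
        rules.append(" " not in pw)
    return all(rules)


if __name__ == "__main__":
    plain = passphrase()
    strict = passphrase(separator="", suffix="NY212!")
    print(plain, meets_policy(plain))          # words alone usually fail
    print(strict, meets_policy(strict, allow_spaces=False))
    # Four words from a 7776-word list vs twelve random printable characters.
    print(f"{entropy_bits(7776, 4):.1f} bits vs {entropy_bits(94, 12):.1f} bits")
```

Run it to see both entropy figures side by side; adding a fifth word or using a longer list raises the passphrase's bits without much cost to memorability.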
Another word of warning: there are brilliant minds and machines out there that can break into an account with one of these passwords. But if you scored anything but perfectly on the questionnaire, a randomized passphrase will most likely be immeasurably better than what you’ve got going on now.
You’ve probably heard that it’s not a great idea to store your passwords in an unencrypted Google Doc or on a notepad in your kitchen drawer. You’ve heard correctly! The best way (as of this writing) to store passwords is in a strong password management system, preferably one with two-factor authentication.
I always recommend using the simplest tool available, which is often already installed on your devices. I use my browser’s built-in password management system, and I use the same browser on my phone and tablet. Look up your preferred browser’s recommendations online. (For example, you could search for ‘managing passwords in Chrome’ or something similar.)
If you want something more powerful, search for ‘best password managers’ and see what sounds reasonable and trustworthy. 1Password, LastPass and Dashlane are all systems clients have used with varying levels of success.
Passwords aren’t for sharing, but sometimes they are. For example, if you have to share your domain registrar password with your web developer, you could email it, but you’re assuming both your email account and theirs are secure. It’s better to call, or use a service like onetimesecret.com to transmit it. Some of the password management systems have built-in password sharing functionality.
While I’d love it if you reformed everything over a weekend in the near future, it’ll be more sustainable if you focus on one or two passwords today. The passwords that matter the most are the ones where real damage can be done—bank accounts, email, and public-facing accounts like websites and social media. Now step boldly into your secure future, emboldened to eschew vagueness and embrace clarity!
Share your progress in the comments by letting us know what four-word passwords you chose!
A fourth disclaimer:
4. Please do not share your password progress in the comments. That was a joke.