Good password habits, part 2
Continuing on from last month’s column, APC’s editor shares his other key bit of password advice.
In last month’s editorial, I harped on about good password practices. This issue, I’d like to share another bit of password know-how — something we touched on in last issue’s security cover story, but didn’t really dive into very deeply.
I personally still advocate that everyone should use a password manager (like KeePass, LastPass or 1Password) to ensure their accounts are kept as secure as is reasonably possible. That’s not practical in all situations, however, so what should you do when you have a password you need to remember and manually type out, but can’t use your password manager? The obvious example is the password that unlocks the password manager itself. The whole idea of using one is that it generates super-secure random strings of characters for your passwords and saves them, so you never have to remember those strings. Generating such a password with your password manager for your password manager, though, would be a recipe for digitally ‘locking your keys in the car’.
In such cases where you can’t use your password manager, I favour the ‘long memorable phrase’ approach. This is where you pick a phrase that you can easily remember, then add a number and a couple of capital letters to it. For example, you could go with something like “APC is my favourite tech magazine”, and add a couple of the traditional ‘good password practice’ elements in there, like using ‘4487’ in the middle, and capitalising a couple of letters — so that you end up with something like “APC is my favouritE 4487 tech magaZine”.
There are a few reasons this is a better practice than the standard ‘secure’ password approach most of us know, of combining a word and a number (i.e. “password1234”). Firstly, the longer your password, the harder it is to crack mathematically — every extra character you add exponentially increases the difficulty. Second, spaces count as special characters (in the same class as symbols like # or $), making them especially tough for ‘dictionary attack’ style password-crackers to handle — they’re another nice way to increase the complexity of your password without making it harder to remember.
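To put numbers on those two points, here is an added example (mine, not from the column) that estimates the brute-force search space of a password from its length and the character classes it uses, treating the space as a symbol as described above. It assumes the attacker must cover a whole class once any character from it appears, and it measures exhaustive search only, not a dictionary or phrase-list attack.

```python
import math

# Sizes of the character classes an exhaustive attacker has to include once a
# password uses one of them. Space is counted with the symbols (33 = the 32
# printable ASCII punctuation characters plus the space).
LOWER, UPPER, DIGIT, SYMBOL = 26, 26, 10, 33


def charset_size(password: str) -> int:
    """Size of the smallest class-based alphabet that covers every character used."""
    size = 0
    if any(c.islower() for c in password):
        size += LOWER
    if any(c.isupper() for c in password):
        size += UPPER
    if any(c.isdigit() for c in password):
        size += DIGIT
    if any(not c.isalnum() for c in password):  # spaces, punctuation, symbols
        size += SYMBOL
    return size


def brute_force_bits(password: str) -> float:
    """log2 of the exhaustive search space: every position can be any alphabet character."""
    return len(password) * math.log2(charset_size(password))


def bits_per_extra_char(password: str) -> float:
    """How many bits each additional character (from the same classes) adds."""
    return math.log2(charset_size(password))


def compare(weak: str, strong: str) -> float:
    """Bits of extra brute-force work the stronger password demands over the weaker one."""
    return brute_force_bits(strong) - brute_force_bits(weak)


if __name__ == "__main__":
    # Constructed sample passwords: the column's two examples.
    for pw in ("password1234", "APC is my favouritE 4487 tech magaZine"):
        print(f"{pw!r}: length {len(pw)}, alphabet {charset_size(pw)}, "
              f"~{brute_force_bits(pw):.1f} bits, +{bits_per_extra_char(pw):.2f} bits per extra char")
```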
Obviously, you don’t want to use this method for all your passwords (unless you like typing them in), but in conjunction with a password manager, this is an easy way to bulk-up your digital security.