Happy World Password Day!

I wrote a few versions of this article, but none of them really felt "right". There are lots of articles released for World Password Day. Some of them try to explain why we have it; many of them try to give advice on what makes a strong password. Tons of these articles end up giving advice that's incomplete, or just flat out wrong.

Rather than trying to bore everyone to death with the same old content, I am just going to release a short list of recommendations for good password hygiene. Let's face it: there's almost never a "one-size-fits-all" answer to anything. If you think you have a firm handle on your personal threat models and the advice here doesn't fit your needs, good for you. Do what you think works best and I won't be offended. But for the ~99% of everyone else... this one's for you.

How to keep good password hygiene in 2021

  • Use a password manager.
  • Don't trust password meters (they are usually wrong).
  • Let your password manager generate your passwords, don't make them yourself.
  • Generate long passwords (at least 16 characters when possible).
  • Use unique passwords for every service/platform you use.
  • Don't arbitrarily rotate passwords. Change them when they are at risk of compromise.
  • Avoid diceware. It's not that diceware can't work, there are just a lot of caveats, and we're going to keep it simple here. (Read this if you don't believe me.)
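To make the "let the manager generate it" and "at least 16 characters" points concrete, here is an added example (mine, not code from the original post or from any particular password manager) showing what a manager does under the hood: it draws every character uniformly from a character set using the operating system's CSPRNG, never a user's memory or the non-cryptographic `random` module. The entropy function shows why length matters more than clever substitutions, and the diceware comparison expresses the same entropy budget in 7,776-word-list passphrase words. The character set and the 7,776-word list size are assumptions for the example.

```python
import math
import secrets
import string

# Assumed character set for generated passwords: letters, digits and a few
# common symbols (76 characters). Real managers let you choose this per site.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+"

# Assumed size of a standard diceware word list (five dice, 6**5 words).
DICEWARE_WORDS = 7776


def generate_password(length: int = 16, alphabet: str = ALPHABET) -> str:
    """Return `length` characters drawn uniformly at random from `alphabet`.

    `secrets.choice` uses the OS CSPRNG; `random.choice` is predictable and
    must never be used for secrets.
    """
    if length < 1:
        raise ValueError("length must be positive")
    if len(set(alphabet)) < 2:
        raise ValueError("alphabet must contain at least two distinct characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet_size).

    This only holds for *generated* passwords; a human-chosen string that
    happens to be 16 characters long is not uniformly random and this
    number would badly overstate its strength (which is also why naive
    password meters are usually wrong).
    """
    return length * math.log2(alphabet_size)


def diceware_words_for(bits: float, words: int = DICEWARE_WORDS) -> int:
    """Number of diceware words needed to reach at least `bits` of entropy."""
    return math.ceil(bits / math.log2(words))


def meets_length_policy(password: str, min_length: int = 16) -> bool:
    """The one check worth enforcing on generated passwords: length."""
    return len(password) >= min_length


if __name__ == "__main__":
    pw = generate_password(16)
    bits = entropy_bits(len(pw), len(ALPHABET))
    print(f"generated: {pw}")
    print(f"entropy:   {bits:.1f} bits")
    print(f"equivalent diceware words: {diceware_words_for(bits)}")
```

Run it a few times: every output is different, each is 16 characters, and each carries roughly 100 bits of entropy, which is about what an 8-word diceware passphrase gives you. That is the trade-off the list above is making: a manager-generated 16-character string is shorter to store and type than the passphrase with the same strength, and the manager remembers it for you.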

All that said, there are two passwords you will need to make for yourself.

  • One to unlock your computer.
  • Another to unlock your password manager.

For these, I would recommend using a sentence that is easy for you to remember, but doesn't include personal information about you. Maybe something like "They dance with purple ponies today."

Every other password you use should be randomly generated by your password manager. Don't try to remember them.

Passwords are hard

The real answer would be to get rid of passwords altogether, but there aren't many practical solutions for that yet. U2F tokens (like a YubiKey) are pretty nice if you can handle them, but not everything will accept them yet. In the meantime, we have to acknowledge that good password hygiene is hard. For the average person, most of it is going to come down to using a password manager. If you can add MFA to your account, please do so. It helps.