Home => The BEST password advice
Created: August 16, 2019 Recent updates: Feb 21, 2021 | Jan 19, 2021 |Nov 29, 21, 2020 | Oct 25, 24, 19 | Sept 18 | July 30, 25 |April | March | Feb 2020
|Table of Contents|
|Introducing a Formula|
|Examples of Simple Formulas|
|More Secure Examples|
|Two Types of Formulas|
|Arguing Against Password Manager Software|
|Arguing For Password Manager Software|
|Beware of Browser Extensions|
|What I Do|
|Formula vs. SQRL|
|Me vs. The New York Times|
|Still More Problems With Password Managers|
Seeing as how it is 2019, you might think that everything there is to say about passwords has already been said. But, no.
I would argue that most password advice, to date, has been flawed. Some advice is intended to help people pick a single "good" password when we all need hundreds of passwords. Other advice comes from techies thinking in the box and is only appropriate for other techies. Still other advice comes from people devoted to the one true solution who ignore any other solution.
The problem is not just that we need hundreds of passwords, it is also that they have to be reasonably long and reasonably unique.
Long passwords (12 characters is probably a minimum length, the exact number is debatable) defeat brute force guessing attacks. Wi-Fi passwords are one case where bad guys can make billions of guesses a second for as long as they care to. The password "TipTop99" has upper and lower case letters and a number but will not stand up to a brute force attack for very long.
Unique passwords defeat two other types of attacks. In one, bad guys try to guess your password using lists of popular passwords and/or lists of previously stolen passwords. Even if a password is not globally unique, it is far better for it be so rarely used that it never appears on any list of the most popular passwords. In the other attack, bad guys use a password of yours, stolen from one website, at many other websites, hoping that you re-used it. The common terms for this are "password stuffing" or "credential stuffing". It requires a victim to have used the same email address, as their userid, at multiple websites, which many people do.
We need many passwords for things that we don't care about at all, so it is tempting to re-use a single password for these accounts. I disagree with ever re-using a password, but I understand the motivation. A formula, as explained below, is a much better solution while also being easy to use.
This brings up another problem with some password advice: it is solely focused on retrieving passwords, not helping at all to make the passwords longer or reasonably unique.
There are multiple solutions for dealing with hundreds of passwords. Perhaps the most popular approaches are:
Three of these solutions simply help retrieving passwords, they do nothing about making them long or unique.
We all have different needs and abilities so there is no one best solution. I wrote this blog to make the case for using a formula. But, its never simple. Often the right solution is to use more than one approach.
Gabriel Fair is a case in point. He has 5 different types of passwords and deals with each type differently. He may have over-analyzed, but using one system for all your passwords is likely to be just as extreme and sub-optimal. (added Feb. 2021)
PAPER HAS ITS PLACE
The main purpose of this blog is introduce Formulas as a better alternative to password managers. There is a section below with my arguments against password managers. Interestingly, many techies who recommend password managers, point out that paper is a safer alternative for our most important passwords. I will join that crowd and say that even if you use a password generating formula, paper still has its place. For what?
If your life savings are in one financial institution, that password clearly deserves special treatment. The password for your main email account is probably more important than your realize. If you do use a password manager, its main password, the one used to access all the other passwords, is special. It is reasonable, if not preferable, to keep your most important passwords away from any type of computing device.
I am not the only techie who thinks there is a place for paper:
"If you use a third party password manager, you might not realize that modern browsers have password management built in with a beautiful UX [User eXperience]. Frankly, it’s harder to not use it. Even if you can’t use a password manager, it is totally acceptable to record your passwords in a paper notebook, spreadsheet, rolodex, or any other method you have available to record data. These are cheap, universally available and accessible."
If you do use paper, please keep two copies in two different, safe, locations.
The lesson from these stories, is that anyone who suggests that one approach is always the best is a fool.
In August 2019, the New York Times published an article "Why You Need a Password Manager. Yes, You" which is an example of this tunnel vision. The author, Andrew Cunningham, is a true believer in the only solution. More about this article is below in the Me vs. The New York Times section. Different approaches are a better fit for different people with different needs. And even for a single person, different approaches may make sense for different passwords. The real lesson to be learned is not to get computer advice from the New York Times.
In October 2020, on Episode 1,737 of the Tech Guy podcast, a caller asked show host Leo Laporte, for a good way to remember passwords for a senior citizen. Laporte went through four different approaches for managing passwords, but in the end was forced to admit that none was a great fit for a senior citizen. He never considered a password formula. If you watch the video, the topic comes up 13 minutes 25 seconds into the show.
FYI: Let's debate password managers at the Forums of askwoody.com.
INTRODUCING A FORMULA
In my opinion, a password formula is a great solution. It solves three problems: it makes retrieving passwords easy and it helps create reasonably long and reasonably unique passwords. A tri-fecta. It is the Rodney Dangerfield of password solutions - it gets no respect.
What everyone has gotten wrong, is thinking of a password as a single thing. My idea/suggestion is to consider a password as a two part thing.
One part never changes, its something meaningful to you that you will never forget (trust me on this). The other part does change but can be very simple and also meaningful to you. That's it. A constant and a variable. This should help you create dozens of unique, yet easily remembered, passwords.
EXAMPLES OF SIMPLE FORMULAS
Say, for example, that you are a fan of the New York Yankees and your favorite player is Babe Ruth. Fine. Start every password with "BabeRuth". That's your constant. You should write it down in case amnesia sets in, but I doubt you will have any problem remembering that all your passwords start with the name of your favorite baseball player. It should not take too long for this to get burned into your brain.
Or, perhaps you use the name of your pet dog as a password. Then instead of it being the entire password, use it as the constant part of every password. Now, all your passwords start with "Fido" or "Rover" or "Daisey".
The variable part of your passwords does not need be any more difficult. You can pick what, on its own, is a miserable password. For amazon.com, you could, for example, use "jungle". For Barnes and Noble, you could use "book". For Gmail you could use "geemail".
Putting it all together, our fictional Yankee fan, would have passwords of "BabeRuthjungle", "BabeRuthbook" and "BabeRuthgeemail".
Not the most secure passwords in the world, but probably better than most. And, speaking as computer nerd, I can not stress enough how important it is to not re-use passwords.
Speaking of which ... a formula means never having to re-use a password, even for accounts that you don't care about. Your password for websiteX could be "BabeRuthwebsiteX". This is barely harder than re-using a password, yet its more secure. It's not very secure, just more so.
MORE SECURE EXAMPLES
These passwords can (and really should) be made much more secure fairly easily.
Just replace the "BabeRuth" constant prefix with "Babe-Ruth" or "BabeRuth--" or "babeRUTH". Many passwords that consist of a single capital letter have it as the first character, so, don't use "Baberuth-".
Likewise, "Fido" and "Rover" can be made more secure by adding a special character or two ("Fido=" or "Rover//"). Heck even just repeating the pet name twice ("RoverRoverjungle"), is a huge improvement.
If you are really ambitious, break up the name into a prefix and a suffix such as "Babe-jungle-Ruth" or "babeBOOKruth". For pet lovers, consider "Fido-geemail-Fido".
And, Joe DiMaggio is better than Babe Ruth - not because he hit more home runs, but because his name is longer (11 letters vs. 8). And Mickey Mantle beats them both; his name is 12 letters long. Lou Gehrig? Barely better than Ruth.
Baseball players come and go, but team loyalties do not. So, Missouri residents can create great Amazon.com/jungle passwords such as "STLcardinalsjungle" or "St.Lcardsjungle" or "StLouisjungleCardinals" or "st.louis.junglecardinals" or "STLjungleCardinals".
Finally, let me note that while you might use an extremely simple word ("book" and "jungle" in our examples) as the variable half for some accounts, your most important accounts deserve something better. If you depend on Gmail, for example, then "geemail" is a bit too simplistic, even as only half the password.
These formula-generated passwords are virtual unicorns: easy to remember, long and, almost definitely, unique.
It's the best password advice in the world.
TWO TYPES OF FORMULAS (Added August 31, 2019)
To sum up the above, I suggest a formula with a fixed and a variable component. To begin with, the fixed component can be at the beginning followed by the variable part. If you are more ambitious, then create a fixed beginning and a fixed ending, with the variable part in between them. For the lack of a better term, I will refer to this as a soft formula, in that you can always change the variable portion.
Some criticism of formulas assumes another type, which I will call a hard formula. This type, like a mathematical formula, creates one and only one output, for any given input.
For example, assume a hard formula based on a website name. Perhaps the first two letters of the site name and the suffix. So, Amazon.com would generate a password of "am.com" and yale.edu would be "ya.edu". This would then be appended to a fixed constant, yielding something like "BabeRutham.com".
I know of two problems with hard formulas:
I mentioned Gabriel Fair and his five different password solutions for five different classes of password earlier. One solution is a formula, but he uses a hard formula.
Hard formulas are what scares people away from formulas. Specifically, the worry that if a few passwords leak, through the inevitable data breaches, a bad guy might figure out the formula. With soft formulas, even if the formula leaks, you are still safe. But, if you are still concerned about the formula leaking, consider using two formulas to increase your odds. Specifically, use one formula for important websites/systems and a different formula for places that you don't care much about.
If a fan of the St. Louise Cardinals baseball team used "StLouis<variable>Cardinals" for their important passwords, they might use the simpler "stlouis<variable>" or "STLC<variable>" for their unimportant passwords. (added Feb 21, 2021)
ARGUING AGAINST PASSWORD MANAGER SOFTWARE
The knee-jerk reaction of techies, is typically to use a password manager. I think a formula is better. Here is why:
In response to one of my tweets about this blog, ZDNet reporter Catalin Cimpanu tweeted: "I've always used password formulas. Password managers are on my threat model as a reporter. Can't use them. Unless it's some account on a no-name site that I don't care about, I have a formula-based password for it." Computer security is Companu's beat. He has been covering it for years. He is as well informed on security as anyone.
Even someone who uses and recommends password managers, Daniel Aleksandersen, notes that password managers are a single point of failure and are difficult to back up. See How to back up your password manager. (Feb 17, 2020)
In their Creating Strong Passwords article (Oct. 2018), the EFF said "Wondering whether a password manager is the right tool for you? If a powerful adversary like a government is targeting you, it might not be. Remember: Using a password manager creates a single point of failure. Password managers are an obvious target for adversaries. Research suggests that many password managers have vulnerabilities."
On April 2, 2020, computer expert Robert Graham blogged about an issue with Zoom possibly stealing passwords. This led him to discuss good password practices, in general. He said: "By far the most important thing you should do to protect yourself from Internet threats is to use a different password for all your important accounts, like your home computer, your email, Amazon.com, and your bank. Write these down on paper ... Don't print them, don't store them in a file on your computer ... Store copies of that paper in a safe place. I put them in a copy of the book Catcher in the Rye on my bookshelf ... Writing it on a Post-It note taped under your keyboard is adequate security if you trust everyone in your household." In the article he does recommend Password Managers but, he knows all too well the things that go wrong with software and that some things are too important to trust to a computer.
ARGUING FOR PASSWORD MANAGER SOFTWARE (section added Oct 10, 2019, last updated Jan 19, 2021)
A password manager that automatically enters passwords for websites, can protect against scam websites. Many people do not know the rules for domain names and thus can be tricked into thinking a scam website is legitimate. I explain the rules for domain names on my Defensive Computing Checklist web site.
For example, a saved password for citibank.com will not be automatically entered at citibank.badguy.com or secure-citibank.io. The protection is not foolproof however, a victim may think there is a problem with the password manager and manually enter their password.
- - - - - -
A undated (probably from 2019) white paper Modern password security for users by two Google employees (Ian Maddox and Kyle Moschetto) argues in favor of password manager software. This is a classic example of advice from techies for techies that is not appropriate for many people. Their advice on evaluating the software and how to use it, is making my case for me.
For example, they say: "A common criticism of password managers is that all of your secrets are in one high-value target. Losing control of that vault means losing control of all the accounts that it contains. This is why it is important to choose a password manager that has a high level of trustworthiness, transparency, and multiple layers of security controls." If you can evaluate software by these criteria, fine. If not, then password management software is not for you.
In addition, they advise keeping an offline copy of the recovery codes that you can use if the master password for the password manager is lost. And, to make sure the devices that have access to your password manager are secure and kept up to date with the latest patches. After all, they say, your overall security is only as strong as the weakest link. Agreed. Consider this advice table stakes for playing in the password manager game.
They suggest that the features below are the minimum requirements for a good password manager:
Going beyond the bare minimum, they suggest looking for a password manager with these extra features:
Not sure what self-hosting refers to. Ditto for behavior-based security.
I do not disagree with the advice from Maddox and Moschetto. If you want to manage your own encryption keys, fine. My point, again, is that there are very few people able to understand and implement these suggestions. And, anyone not able to grasp or carry out their advice is asking for trouble by using password management software.
They did give some examples of formulas. Starting with the simple password "mango2", they suggest:
Being techies, they say nothing about using a paper and pencil for saving passwords. And, being Google employees, they fail to point out the danger in web browser extensions, the next topic. Could it be because Google is so heavily invested in the Chrome browser?
- - - - - -
This article, Can Your Password Manager Be Hacked? (by Roger Grimes Jan 18, 2021) is yet another example of someone who has drunk the Kool-Aid. While Grimes admits to some danger with password management software, it is the only password solution on his radar screen. This is the very definition of thinking inside the box. He admits that a password manager is a single point of failure, but he blows it off rather than suggesting ways to protect yourself. And, like other people that argue in favor of password managers, he ignores the dangers of a browser plug-in. Back in 2018 Grimes, offered yet another poor argument (Using a password manager: 7 pros and cons). On the pro side, he cited both better security and ease of use. This is never possible, whenever you increase one, the other decreases. He is selling snake oil. Finally, his worst case scenario is forgetting the master password. Apparently he has never experienced a software bug or a memory error or a broken keyboard. And here too, nothing about planning for the worst. All told, two lame articles that boil down to: it's better than re-using passwords. For some people, yes. But not for all and certainly not for many.
BEWARE OF BROWSER EXTENSIONS
Many password managers install a browser extension to handle passwords in web pages. These extensions have carte blanche. They see everything on every web page. And, they can change it. They are the Queens of the chessboard. This, to me, is an accident waiting to happen.
The permissions of browser extensions are usually hidden. Normally, you see them only when the extension is first installed. With the Chrome browser, the Queen-level permission is "Read and change all your data on the websites you visit". Let that sink in. I checked four Chrome password manager extensions (Avira, Lastpass, Bitwarden and Dashlane) and each required this permission. What if the vendor of the password manager gets hacked? Or, their supply chain gets hacked? Or, they make an honest mistake? With such a powerful extension installed, you are living on the edge of a cliff.
Plus, there are some Chrome browser permissions whose meaning is not at all obvious. Dashlane, for example, not only wants to read and change everything on every page, it also wants to:
Unless you fully understand what these permissions mean (I do not) you can not make an informed decision as to whether this lowering of normal browser security is worth the convenience offered by the Dashlane password manager. You will never see anyone make this argument. I very much doubt that anyone who recommends password manager software has thought things through to this level.
FYI. Mozilla explains the assorted permissions for extensions in Firefox here Permission request messages for Firefox extensions.
Update September 16, 2019: LastPass bug leaks credentials from previous site by Catalin Cimpanu. A bug in their browser extension exposed credentials entered on a previously visited site.
Update January 20, 2020: Avast Online Security and Avast Secure Browser are spying on you by Wladimir Palant (October 2019).
Update January 23, 2020: From Ars Technica More than 200 browser extensions ejected from Firefox and Chrome stores. Firefox ousts almost 200 add-ons while Google detects a significant increase in abuse.
Update March 3, 2020: From Brian krebs The Case for Limiting Your Browser Extensions.
Update October 25, 2020: Adblockers installed 300,000 times are malicious and should be removed now from Ars Technica. A popular browser extension was sold and the new owner made it malicious. There is no way for people using any given browser extension to know if this happens. Quoting the article: "It’s hard to provide actionable advice for preventing this kind of abuse." Me: avoid browser extensions that have full access to every web page. Many/most do. But not all.
From a different perspective, consider why browser extensions exist for password managers. Convenience. I have been a computer nerd for more years than you would believe, and trust me, that convenience is the enemy of security. Nothing is both secure and convenient.
WHAT I DO (section updated Nov 30, 2020)
As I noted in the introduction, the right solution for anyone may be more than one approach. Personally, I find that my passwords fall into three categories. There are a small number that I use often enough to memorize. The vast amount of my many many passwords are rarely used and I need to look them up when needed (not saying how). Then there are perhaps a dozen that I use often enough to want quick access to, but not often enough that I can memorize them. These dozen passwords are kept in a password manager.
I also use a simple formula with an online service where I have 4 accounts. This is not a service where I need a high level of security, but since no one should ever ever re-use a password, I made a simple formula that I use exclusively with this service. I use a fixed prefix with the rest based on the userid. For example, my account in the name of "michael" has a password of "abc123michael" and my account in the name of "william" has a password of "abc123william" (my passwords don't really start with "abc123", this is just an example). Again, this formula is used with just the one on-line service. (Added November 21, 2020)
I also use a formula for the many laptop computers I use. Here again, I have picked a fixed password prefix used only with these laptops and I use the laptop model number as the suffix. So, an HP x360 laptop has a login password of "laptopx360". A ThinkPad T420 has a login password of "laptopt420". Needless to say the common prefix is not "laptop". The laptops never leave my home. If they did, I would probably (hopefully) add a fixed suffix too. (Added November 29, 2020)
On Windows, the password manager I use for the dozen or so passwords I often need but can not remember is KeePass. It is free and open source. I use the portable version, so Windows does not know the software is there. Portable Windows also lets me copy the folder where it lives from one PC to another and make backups that contain both the software and the passwords. KeePass does have a cloud option, but it is off by default and I do not use it. There is no web browser extension. There are no KeePass accounts. The software does not store anything in the registry. I do not use the password generator feature or any of the available plug-ins. KeePass can check for updates automatically, but I disabled that feature. If I like the software the way it is, I can keep using it forever. If the people creating/maintaining the software stop doing so, the software will still work.
On Android, I use the KEY Password manager from F-Secure. I use the free version, not the Premium version. It is a stand-alone app, not part of a software suite. I trust F-Secure and like the fact that it is not one of the most popular password managers. Here too, there is no cloud or on-line component and no web browser extension. You do not need to create an account with F-Secure.
That said, I am not you. What is right for me is not necessarily going to be right for you.
FORMULA vs. SQRL (section added September 27, 2019)
As I write this in September 2019, Steve Gibson has just started promoting a new identity system called SQRL (pronounced Squirrel). Basically, it competes with passwords. Maybe it will take over the world, maybe it will be ignored. No one knows at this stage. It requires software to be installed both on a web server and the end user computing device, which certainly will be a hurdle to its adoption. Time will tell.
Frankly, I don't fully understand SQRL. It uses the now classic concept of a public key and a private key, two numbers with a relationship between them that seems magical to non-math people. SQRL creates a public and private key pair for each website where the SQRL user has an account. The website only knows the SQRL public key. Thus, if a website using SQRL gets hacked and leaks your public key, no big deal. The public key is not the whole SQRL proof of identity, its only half of it. This is analogous to writing down your password when using a formula. You only need to write down the variable component which is half the actual password. If someone sees the variable half of the password, they can't use it without the fixed component.
Also, in the SQRL system, each person gets a single userid that is used for every website where they have a SQRL based account. In Gibson's lingo, the SQRL userid is a 256-bit master key. Sounds a lot like the fixed component of a password formula which is also used at every website.
Formulas have two advantages over SQRL: they are not limited to websites and they do not require software to be installed.
- - - - - - - - - - - - - - - - -
ME vs. THE NEW YORK TIMES (section added August 29, 2019. Updated Aug 30, 2019)
Now I know how Al Pacino felt in the last Godfather movie. Just when I thought I was done, they drag me back in.They, in this case, is the New York Times. On August 27, 2019 they published: Why You Need a Password Manager. Yes, You by Andrew Cunningham. The story was originally published three weeks earlier at the Wirecutter which the Times owns.
The article in the Times does not allow comments. The Wirecutter does allow comments, and I made one pointing to this very blog. It was quickly removed, which, in a nutshell, tells you everything you need to know about the Wirecutter.
A tweet of mine about this, generated a response from Andrew Cunningham the author of the article: "I’m not going to go point-by-point here but I don’t think this is workable advice for the vast majority of computer users". By not debating, he helps makes my point for me. I don't pretend to know what is best for the vast majority of computer users. Fortunately for them, Cunningham does know.
Perhaps the most offensive thing about this article is the total belief in the one true solution. It does not consider, or even mention, using a formula to generate passwords. I have listed 14 problems above with password management software, yet the article mentions none of them.
STILL MORE PROBLEMS WITH PASSWORD MANAGERS
Three arguments against password manager software, that I had not considered, were raised by people commenting on the Wirecutter article.
Someone calling themselves Joe said: "So what happens if I set up a password manager and then find myself needing to log into a site/account from a machine that is not mine? Perhaps a family member's whom I'm visiting? Since the password manager has created all the passwords for me, how can I hope to know what the password is when I'm not using the manager?" Good point.
Someone calling themselves Rick said: "What happens when you decide you no longer wish to use 1Password, Lastpass, Dashlane etc. as your password manager? Can you transfer your password vault to another provider? Can you transfer them back to the sticky note filing system you used to have?" This generated a link to a possibly helpful article, but still, it would be a hassle that does not exist when using a formula.
Someone calling themselves Michael Rooney cited a glaring exception to the article: " ... who owns the various password managers and how is the user protected from them being purchased by someone else?" The only way to insulate yourself from a change in ownership is with software that only runs locally, has no on-line component and never gets updated. If, if, if. This is not a theoretical issue.
LastPass was purchased by LogMeIn Inc. in 2015. What was a small start-up is now part of a large conglomerate. This is a cause for concern. Being part of a large company there is no way to judge the quality of the software. When a product is developed by a small group, or a single person, you can form an opinion of how good and trustworthy they are. This is not possible when the software is in the hands of faceless programmers who, likely, rotate into and out of it. Current Lastpass users are trusting both LogMeIn and, perhaps, their corporate partners too. As a company, LogMeIn has been moving away from consumer oriented products towards Enterprise markets. For example, they purchased GoToMyPC.
Update Dec 19, 2019: Yet again, LastPass was sold. By mid 2020 the software will be owned by "... affiliates of Francisco Partners, a leading technology-focused global private equity firm, and including Evergreen Coast Capital Corporation, the private equity affiliate of Elliott Management Corporation...". Do you trust these nameless faceless owners with ALL of your passwords?
Update: January 20, 2020. It seems that LastPass is not trustworthy. They suffered an outage and did not come clean about the problem.
Reader Richard Belew was hesitant to use password manager software and wrote: "... please create a list of other plausible mechanisms, and publish again".
And these are the comments the Wirecutter let stand. Since they deleted my comment, chances are they deleted others too.
Another article arguing for password managers, generated another reader comment against them. Quoting: "I'm a huge believer in using a Password Manager. I've been a LastPass user for many years. I'm now searching for a different one due to the fact that their 'new interface' is abominable compared to the old one. Where it took one click before, it now takes three. Does that sound petty? Maybe. But hubs is technologically challenged and no longer wants anything to do with LastPass. I have to admit, I can't stand the new interface and don't really want anything to do with it anymore either ... I'm all for change when it's for the better but in this case, LastPass is a major fail...and I'm searching for a suitable replacement."
BLACK SHEEP (section added October 27, 2019)
My suggesting a password formula makes me a black sheep amongst techies. Pretty much every computer nerd recommends password managers. It's like a cult, one always thinking inside the box. One exception is the watchyourhack.com website, created by six techies. Quoting from the website:
"Pen and paper can also be used as a password manager. Make sure to use unique passwords and store them with care. And create a copy that you store in a physical vault, should you need a backup. When you’re expecting company - like friends, family, a mechanic or plumber - take extra care not to leave your list of passwords out in the open. A useful tip is to have all of your passwords start with the same word, which you don't write down in your password book. Simply remember it. If someone gets a hold of your password booklet, they still won't be able to use any of the passwords you’ve written down, because they’re missing one essential component that’s safely stored in your brain."
A breath of fresh air :-)
- - - - - - -
For more Defensive Computing advice, see my DefensiveComputingChecklist.com website.
|@defensivecomput||TOP||Home => The BEST password advice|
|michael--at--michaelhorowitz.com||Last Updated: February 22, 2021 2AM UTC|