From the personal web site of Michael Horowitz

The world's BEST password advice

Created: August 16, 2019   Last revised: August 31, 2019

Seeing as how it is 2019, you might think that everything there is to say about passwords has already been said. But, no.

I would argue that password advice, to date, has been flawed. Some advice is intended to help people pick a single "good" password - but, we all need dozens of passwords. Other advice comes from techies and is only appropriate for other techies.

Passwords need to be both reasonably long and reasonably unique.

Long passwords (12 characters is probably a minimum length, the exact number is debatable) defeat brute force guessing attacks.

Unique passwords defeat two other types of attacks. In one, bad guys guess your password using lists of popular passwords. In the other attack, bad guys use a leaked or stolen password of yours at other websites, hoping that you re-used it. The official term for this is "password stuffing" or "credential stuffing".

It is generally agreed that people cannot, on their own, create dozens of passwords that are reasonably long, reasonably unique and still memorable. Hence the recommendations to get help from either a computer or pencil and paper.

What everyone has gotten wrong, up till now, is thinking of a password as a single thing. My idea/suggestion is to consider a password as a two part thing.

One part never changes; it's something meaningful to you that you will never forget (trust me on this). The other part does change, but can be very simple and also meaningful to you. That's it. A constant and a variable. This should help you create dozens of unique, yet easily remembered, passwords.

SIMPLE EXAMPLES

Say, for example, that you are a fan of the New York Yankees and your favorite player is Babe Ruth. Fine. Start every password with "BabeRuth". That's your constant. You should write it down in case amnesia sets in, but I doubt you will have any problem remembering that all your passwords start with the name of your favorite baseball player. It should not take too long for this to get burned into your brain.

Or, perhaps you use the name of your pet dog as a password. Then instead of it being the entire password, use it as the constant part of every password. Now, all your passwords start with "Fido" or "Rover" or "Daisey".

The variable part of your passwords does not need to be any more difficult. You can pick what has, up till now, been considered a miserable password. For amazon.com, you could, for example, use "jungle". For Barnes and Noble, you could use "book". For Gmail you could use "geemail".

Putting it all together, our fictional Yankee fan would have passwords of "BabeRuthjungle", "BabeRuthbook" and "BabeRuthgeemail".

Not the most secure passwords in the world, but probably better than 98 or 99% of those currently in use. And, speaking as a computer nerd, I cannot stress enough how important it is to not re-use passwords.

MORE SECURE EXAMPLES

These passwords could be made more secure fairly easily.

Just replace the "BabeRuth" constant prefix with "Babe-Ruth" or "BabeRuth--" or "babeRUTH". Many passwords that contain a single capital letter have it as the first character. So, don't do that.

Likewise, "Fido" and "Rover" can be made more secure by adding a special character or two ("Fido=" or "Rover//"). Heck, even just repeating the pet name twice ("RoverRoverjungle") is a huge improvement.

If you are really ambitious, break up the name into a prefix and a suffix such as "Babe-jungle-Ruth" or "babeBOOKruth". For pet lovers, consider "Fido-geemail-Fido".

And, Joe DiMaggio is better than Babe Ruth - not because he hit more home runs, but because his name is longer (11 letters vs. 8). And Mickey Mantle beats them both; his name is 12 letters long. Lou Gehrig? Barely better than Ruth.

Baseball players come and go, but team loyalties do not. So, Missouri residents can create great Amazon.com/jungle passwords such as "STLcardinalsjungle" or "St.Lcardsjungle" or "StLouisjungleCardinals" or "st.louis.junglecardinals" or "STLjungleCardinals".

Finally, let me note that while you might use an extremely simple word ("book" and "jungle" in our examples) as the variable half for some accounts, your most important accounts deserve something better. If you depend on Gmail, for example, then "geemail" is a bit too simplistic, even as only half the password.

These formula-generated passwords are virtual unicorns: easy to remember, long and, almost definitely, unique.

Want still more security? Just pick a variable component that is a bit more complicated than the simple examples (jungle, book, geemail) I used above.

It's the best password advice in the world.

TWO TYPES OF FORMULAS   (Added August 31, 2019)

To sum up the above, I suggest a formula with a fixed prefix, hopefully a fixed suffix too, and a variable middle of your choosing. For lack of a better term, I will refer to this as a soft formula, in that you can always change the variable portion.

Some criticism of formulas assumes another type, which I will call a hard formula. This type, like a mathematical formula, creates one and only one output, for any given input.

For example, assume a hard formula based on a website name. Perhaps the first two letters of the site name and the suffix. So, Amazon.com would generate a password of "am.com" and yale.edu would be "ya.edu". This would then be appended to a fixed constant, yielding something like "BabeRutham.com". Better yet, it would be combined with both a constant prefix and suffix, resulting in something like "Babe-am.com-Ruth".

I know of two problems with hard formulas:

  1. If the formula is for a website that gets hacked and the website forces users to change their passwords, the formula cannot be used to create a second password.
  2. If anyone sees two or three of the generated passwords, they may figure out the formula.

So, to be clear, hard formulas bad, soft formulas good.
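The hard formula just described, beside a soft one, together with a self-audit for the two requirements stated at the top (reasonably long, reasonably unique) and for problem #2 (the fixed part an onlooker could infer from several passwords). This is an added example, not the post's own code; the "Babe"/"Ruth" constant, the site names, the variables and the 12-character minimum are the post's, and the site->password maps in `demo()` are constructed here.

```python
"""Self-audit of formula-built passwords (added example, not the post's code)."""
from os.path import commonprefix

PREFIX, SUFFIX = "Babe", "Ruth"   # the constant part, from the post's example
MIN_LENGTH = 12                    # the post's suggested minimum length


def hard_formula(site: str) -> str:
    """Hard formula from the post: first two letters of the site name plus its
    suffix, wrapped in the constant. One input always gives one output, which
    is problem #1: after a forced reset it cannot produce a second password."""
    name, _, tld = site.lower().partition(".")
    return f"{PREFIX}-{name[:2]}.{tld}-{SUFFIX}"


def soft_formula(variable: str) -> str:
    """Soft formula: the user picks the middle, so it can be changed at will."""
    return f"{PREFIX}-{variable}-{SUFFIX}"


def audit(passwords: dict) -> dict:
    """Check a site->password map for: too short, re-used, and the shared
    prefix/suffix that someone seeing several passwords could infer (#2)."""
    pws = list(passwords.values())
    too_short = [site for site, pw in passwords.items() if len(pw) < MIN_LENGTH]
    reused = sorted({pw for pw in pws if pws.count(pw) > 1})
    if len(pws) < 2:                 # nothing to compare against
        prefix, suffix = "", ""
    else:
        prefix = commonprefix(pws)
        suffix = commonprefix([pw[::-1] for pw in pws])[::-1]
    return {"too_short": too_short, "reused": reused,
            "inferred_prefix": prefix, "inferred_suffix": suffix}


def demo() -> dict:
    """Constructed inputs: the post's simple examples and a hard-formula pair."""
    simple = {"amazon.com": "BabeRuthjungle", "bn.com": "BabeRuthbook",
              "gmail.com": "BabeRuthgeemail"}
    hard = {site: hard_formula(site) for site in ("amazon.com", "yale.edu")}
    return {"simple": audit(simple), "hard": audit(hard)}


if __name__ == "__main__":
    for label, report in demo().items():
        print(label, report)
```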

ARGUING AGAINST PASSWORD MANAGER SOFTWARE

The knee-jerk reaction of techies is typically to use a password manager. I think a formula is better. Here is why:

  1. There is a learning curve with all software. Techies underestimate how much of a pain this can be for non-techies.
  2. No software runs on every Operating System or supports every web browser, so you are limited where you can use any one particular password manager.
  3. The most secure Operating System most people have access to is a Chromebook running in Guest Mode. A formula works there, a password manager does not.
  4. All software has bugs, password managers included. Not only might you be vulnerable to a bug, but you certainly are on the hook for keeping the password manager software up to date. A formula will never have a bug and never require an update.
    Update Aug 19, 2019: I was not aware of this password manager bug when I wrote this.
    Update Aug 30, 2019: LastPass has had 5 security issues according to Wikipedia.
  5. With a password manager you have to trust that it works correctly. The software is a black box to most people. With a formula, you do not need to trust anyone or anything.
  6. A formula lets you write down the variable part of the password - safely. That is, if you write down that your Amazon password is "jungle" and someone sees this, it's only half the actual password. No one is hacking a password written down on paper. You can put all your passwords in a book, and if the book is stolen, you are still protected, as long as the fixed part of each password was not written down in the book.
  7. When a password manager generates passwords for you, it may create a password that is too long for the target system, or, that contains characters the target system does not allow. It is much easier to deal with this sort of thing when using a formula.
  8. Some websites do not allow passwords to be pasted into the logon form. That's a problem for password manager software, not for a formula.
  9. A formula is free, some password managers are also free, but some are not.
  10. The security of web browser extensions. More on this below. (added Aug 28, 2019)
  11. When using someone else's computer, the password manager software is not available (more below, added Aug 29, 2019)
  12. What if you want to switch away from a password manager you are currently using? (more below, added Aug 29, 2019)
  13. All your eggs in one basket? Really? There is a reason this phrase is popular. (added Aug 29, 2019)
  14. The people maintaining the password manager software may change (more below, added Aug 30, 2019)

In response to one of my tweets about this blog, ZDNet reporter Catalin Cimpanu tweeted: "I've always used password formulas. Password managers are on my threat model as a reporter. Can't use them. Unless it's some account on a no-name site that I don't care about, I have a formula-based password for it." Computer security is Cimpanu's beat. He has been covering it for years. He is as well informed on security as anyone.

BEWARE OF BROWSER EXTENSIONS

Many password managers install a browser extension to handle passwords in web pages. These extensions have carte blanche. They see everything on every web page. And, they can change it. They are the Queens of the chessboard. This, to me, is an accident waiting to happen.

The permissions of browser extensions are usually hidden. Normally, you see them only when the extension is first installed. With the Chrome browser, the Queen-level permission is "Read and change all your data on the websites you visit". Let that sink in. I checked four Chrome password manager extensions (Avira, Lastpass, Bitwarden and Dashlane) and each required this permission. What if the vendor of the password manager gets hacked? Or, their supply chain gets hacked? Or, they make an honest mistake? With such a powerful extension installed, you are living on the edge of a cliff.

[Image: Dashlane Chrome browser extension permissions]

Plus, there are some Chrome browser permissions whose meaning is not at all obvious. Dashlane, for example, not only wants to read and change everything on every page, it also wants to:

Unless you fully understand what these permissions mean (I do not), you cannot make an informed decision as to whether this lowering of normal browser security is worth the convenience offered by the Dashlane password manager. You will never see anyone make this argument. I very much doubt that anyone who recommends password manager software has thought things through to this level.

Update Sept. 16, 2019: LastPass bug leaks credentials from previous site by Catalin Cimpanu September 16, 2019. A bug in their browser extension exposed credentials entered on a previously visited site.

From a different perspective, consider why browser extensions exist for password managers. Convenience. I have been a computer nerd for more years than you would believe, and trust me, that convenience is the enemy of security. Nothing is both secure and convenient.

FLEXIBILITY

Finally, it is stating the obvious to point out that accounts and passwords vary in importance.

If, for example, your life savings are in one financial institution, that password clearly deserves special treatment. It would not be unreasonable to never save that password on any type of computing device. And if you do use a formula, that password should be an exception.

On the flip side we all have passwords for things we don't care about at all, and many people re-use a single password for these accounts. But with a formula, creating a unique password, for even these trivial things, should not take much effort.

Writing down passwords on paper is another solution that can help people not re-use passwords. Two techies, who tried to get people onto password manager software, finally realized that paper and pencil is where some people belong. See What I Learned Trying To Secure Congressional Campaigns by Maciej Cegłowski (May 2019) and SECURE PASSWORD MANAGEMENT PART 4 - WHY PASSWORD MANAGERS ARE NOT THE BEST SOLUTION FOR EVERYONE by John Opdenakker (June 2019). That said, they did not consider a formula either.

We all have different needs and abilities. But whatever you do to manage your many passwords, consider a formula. For many people it should be a great approach.

For some other opinions, see Let's debate password managers at the Forums of AskWoody.com. A couple of people there suggested a 4th approach: keeping passwords in a file, but encrypting that one file. One person said they use both a formula and a password manager, as different passwords have different requirements.

In summary, the main approaches for dealing with passwords are:

  1. Write them down on paper
  2. Password manager software
  3. A formula to generate easy-to-remember passwords
  4. Store them in a file and encrypt just that one file. Perhaps Word. Perhaps Excel.
  5. For websites, store passwords in your web browser

Anyone who suggests that one approach is the best is a fool. Different approaches are a better fit for different people with different needs. And even for a single person, different approaches may make sense for different passwords. My main point here is that people should consider a formula. It is the Rodney Dangerfield of solutions - it gets no respect.

- - - - - - - - - - - - - - - - -

ME vs. THE NEW YORK TIMES   (section added August 29, 2019. Updated Aug 30, 2019)

Now I know how Al Pacino felt in the last Godfather movie. Just when I thought I was done, they drag me back in.

They, in this case, are the New York Times. On August 27, 2019 they published: Why You Need a Password Manager. Yes, You by Andrew Cunningham. The story was originally published three weeks earlier at the Wirecutter, which the Times owns.

The article in the Times does not allow comments. The Wirecutter does allow comments, and I made one pointing to this very blog. It was quickly removed, which, in a nutshell, tells you everything you need to know about the Wirecutter.

A tweet of mine about this generated a response from Andrew Cunningham, the author of the article: "I’m not going to go point-by-point here but I don’t think this is workable advice for the vast majority of computer users". By not debating, he helps make my point for me. I don't pretend to know what is best for the vast majority of computer users. Fortunately for them, Cunningham does know.

Perhaps the most offensive thing about this article is the total belief in the one true solution. It does not consider, or even mention, using a formula to generate passwords. I have listed 14 problems above with password management software, yet the article mentions none of them.

STILL MORE PROBLEMS WITH PASSWORD MANAGERS

Three arguments against password manager software that I had not considered were raised by people commenting on the Wirecutter article.

Someone calling themselves Joe said: "So what happens if I set up a password manager and then find myself needing to log into a site/account from a machine that is not mine? Perhaps a family member's whom I'm visiting? Since the password manager has created all the passwords for me, how can I hope to know what the password is when I'm not using the manager?" Good point.

Someone calling themselves Rick said: "What happens when you decide you no longer wish to use 1Password, Lastpass, Dashlane etc. as your password manager? Can you transfer your password vault to another provider? Can you transfer them back to the sticky note filing system you used to have?" This generated a link to a possibly helpful article, but still, it would be a hassle that does not exist when using a formula.

Someone calling themselves Michael Rooney cited a glaring exception to the article: " ... who owns the various password managers and how is the user protected from them being purchased by someone else?" This is not a theoretical issue. LastPass was purchased by LogMeIn Inc. in 2015. What was a small start-up is now part of a large conglomerate. This is a cause for concern. Once it is part of a large company, there is no way to judge the quality of the software. When a product is developed by a small group, or a single person, you can form an opinion of how good and trustworthy they are. This is not possible when the software is in the hands of faceless programmers who, likely, rotate into and out of it. Current LastPass users are trusting both LogMeIn and, perhaps, their corporate partners too. Maybe you can insulate yourself from a change in ownership, if the software only runs locally, has no on-line component and never gets updated. If, if, if.

Reader Richard Belew was hesitant to use password manager software and wrote: "... please create a list of other plausible mechanisms, and publish again".

And these are the comments the Wirecutter let stand. Since they deleted my comment, chances are they deleted others too.

- - - - - - -

For more Defensive Computing advice, see my DefensiveComputingChecklist.com website.

michael--at--michaelhorowitz.com   Last Updated: September 16, 2019 3PM UTC
Copyright 2001-2019