How to Choose a Password
Why strong passwords are important
When choosing a password, it’s important to make sure that no one can guess it — that’s the whole point, right?
If we want to make sure no one can guess our passwords, we need to think about what adversaries might be trying to guess them and how they might do it. This is part of a process called threat modeling. Some adversaries we can think about are:
- People who know us. Our friends know a lot about us, like our birthday, our pets’ names, our favorite songs, and other personal information. Even if we’re not worried about friends guessing our passwords, an adversary might easily find these details on the Internet, so we shouldn’t use any of these things in our passwords.
- People who know a password we’ve used in the past. Unfortunately, it’s not unusual for passwords to be discovered by adversaries. This might happen if a website or app we use is compromised, or if a computer we type our password on has been infected with malware. This means it’s a bad idea to create a new password by making a variation of another one.
- People who know a lot of common passwords. Some adversaries have compiled “password dictionaries” containing thousands of commonly used passwords. Even if an adversary is not specifically trying to find our password, they might use lists like this to discover our password if it is one of the common ones.
The way to make sure that no one can guess our passwords is to make them completely random. When our passwords are randomly generated, they don’t have any information related to us that friends might be able to guess. If an adversary learns one of our passwords, they will be no closer to guessing any of our other passwords. And of course, randomly generated passwords are very unlikely to be listed in password dictionaries.
How to generate a random password
Being truly random is something that people are very bad at. Even when we think we are being random, there are often patterns associated with the “random” things we come up with.
When we want to create good, random passwords, one thing we can use is software (such as our password manager, more on this below) to help us.
Another method is to use a word list and dice to create a random passphrase. The Electronic Frontier Foundation, a digital privacy advocacy group, has created a wordlist you can download for this purpose. To use this method, you’ll need five dice (or you can roll a single die five times). Here’s how:
- Roll five dice (or one die five times) and read the number from each so that you have five digits, for example: 1, 6, 3, 5, 2.
to find the word next to the number you rolled.
In this case, we find the line
16352 comfort, so our word word is comfort.
- Repeat the first two steps until you have at least six words. You will end up with a random phrase like comfort tableful booth tulip dandelion stable which is your new random passphrase.
- Make up a little story to help remember the passphrase. For example: “The diner had a comfortable tableful in the booth with tulips and dandelions in a stable vase.”
If an adversary wanted to guess our passphrase, even if they had our wordlist and knew exactly how we created it, they would need to correctly guess 30 random die rolls in the right order. The probability of this is 1 in 221,073,919,720,733,357,899,776. It is extremely unlikely they would be successful, as it would take three billion years of making a million guesses every second before they would be likely to succeed.
How to remember your passwords
It’s also important not to use the same password twice. Imagine if we generate a completely random password and use it for our email account, and we also use it for a social media site. If an adversary learns our email address and password for the social media site, they could easily try that same password on our email account, and since we used the same random password, they would succeed easily. This is why you should only use each password for a single site.
When there are a lot of different things we need passwords for, it quickly becomes hard to remember all of them. Luckily, we can use a password manager to help us out. Password managers are software programs that help us securely store our passwords.
Imagine writing down all of our passwords on a sheet of paper, and then scrambling them all up according to a secret pattern. Even though someone might look at the paper, they won’t be able to figure out any of our passwords without knowing the secret pattern we used to scramble them. Password managers use a similar idea; they use a master passphrase to encrypt the list of all of our passwords. The master passphrase is like the scrambling pattern: an adversary can access the list of all our passwords if and only if they discover the master passphrase.
It’s very important to use a long, randomly generated master passphrase because all of our passwords are only as good as our master passphrase. When we use a password manager, we only need to remember our passphrase to unlock our list of passwords. The password manager stores all of our other passwords for us.
Another benefit to using a password manager is that they help us generate new passwords when we need them. Rather than rolling dice every time we sign up for a new account, we can let your password manager come up with completely random password for us. Since our password manager also stores the new password for us, we never even need to know what it is! We can just copy and paste it when we need to log in.
There are several password managers available. You should do some research to find one that will work for you. Here are a few suggestions to start with: