How to Manage Passwords

tl;dr: Use a password manager, and use passwords or passphrases that are random and at least 12 characters or 6 words long.

At this point you probably have passwords that at the very least mix characters and case and are not part of your name, username, etc., if for no other reason than that most places requiring a password enforce some basic policy on composition and complexity.

What you should be doing is using a password management application. Password managers generate and remember a unique password for each and every account, application, website, etc. you use, and only require you to remember one. Most of the businesses I consult for have ‘password lists’ but don’t yet use a password manager. Password lists have several security problems, the most obvious of which is that writing down your passwords is bad practice. Using a password manager gives you uniqueness and complexity and eliminates the need to write anything down.

Most businesses also don’t have passwords that are actually strong. Even though they use upper and lower case letters, numbers and symbols, they are not random. A password like “JoesSeafood9909!” has upper and lower case letters, numbers and a symbol, but it is essentially as easy to crack as ‘qwertyuiop12345’ because it is not random: cracking tools try names, dictionary words, years and a trailing symbol long before they try random strings.

Here is a good article on password cracking, with a chart showing the time to brute-force a random password of a given length and character set. The upshot is that to be reasonably secure against cracking, your passwords must exceed a minimum length and they must be random. Human brains are pattern oriented, and anything we make up is not as resistant to cracking as we’d like to think it is.

It is also possible to use random words instead of letters, numbers and symbols to create a passphrase rather than a password. There are differing opinions on the security this provides, as this article from Ars Technica illustrates. Generally the method is considered acceptable provided the words are actually selected at random. The benefit is that a string of six or seven random words may be easier to remember than a long string of random letters, numbers and symbols.
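To put numbers on the three cases discussed above (random characters, random words, and a human-made pattern like “JoesSeafood9909!”), here is an added worked example that is not part of the original article. It computes entropy in bits and the average brute-force time at an assumed attacker rate. The 94-character set, the 7776-word list size (the size of the common Diceware/EFF list), the 1e10 guesses per second rate, and the component pool sizes used to model the patterned password are all assumptions made for illustration, not figures from the article or its linked chart.

```python
import math

# Constructed assumptions for this example (not figures from the article):
# - 94 printable ASCII characters when drawing from upper, lower, digits and symbols
# - a 7776-word list (the size of the common Diceware/EFF long word list)
# - an attacker rate of 1e10 guesses/second (offline attack against a fast hash)
PRINTABLE_ASCII = 94
DICEWARE_WORDS = 7776
GUESSES_PER_SECOND = 1e10


def random_password_bits(charset_size: int, length: int) -> float:
    """Entropy in bits of a password whose every character is chosen uniformly at random."""
    return length * math.log2(charset_size)


def passphrase_bits(wordlist_size: int, words: int) -> float:
    """Entropy in bits of a passphrase whose words are chosen uniformly from a word list."""
    return words * math.log2(wordlist_size)


def patterned_password_bits(component_sizes) -> float:
    """Entropy of a human-made password modelled as a fixed sequence of components,
    each drawn from a small pool (a first name, a dictionary word, a year, one symbol).
    The component model is an assumption made for illustration; a cracking tool that
    knows the pattern only has to search the product of the pools."""
    return sum(math.log2(size) for size in component_sizes)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Average time to find the secret by brute force: half the keyspace at the given rate."""
    return (2 ** bits) / 2 / guesses_per_second


def describe(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


if __name__ == "__main__":
    cases = {
        "12 random chars, 94-symbol set": random_password_bits(PRINTABLE_ASCII, 12),
        "16 random chars, 94-symbol set": random_password_bits(PRINTABLE_ASCII, 16),
        "6 random Diceware words": passphrase_bits(DICEWARE_WORDS, 6),
        # 'JoesSeafood9909!' modelled as: first name (~10,000 choices) + word (~50,000)
        # + 4 digits (10,000) + one symbol (32). These pool sizes are assumptions.
        "name+word+4 digits+symbol (16 chars)":
            patterned_password_bits([10_000, 50_000, 10_000, 32]),
    }
    for label, bits in cases.items():
        secs = expected_crack_seconds(bits, GUESSES_PER_SECOND)
        print(f"{label:40s} {bits:6.1f} bits  ~{describe(secs)} "
              f"at {GUESSES_PER_SECOND:.0e} guesses/s")
```

Running it shows the point of the section: twelve random characters and six random words land within a couple of bits of each other (roughly 78 bits, i.e. hundreds of thousands of years at the assumed rate), while the 16-character patterned password, despite satisfying every composition rule, is worth only about 47 bits under this model and falls in hours. The absolute times depend entirely on the assumed guess rate and on how the site hashes passwords; the ratio between the cases is what matters.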

Businesses generally have requirements beyond simply generating random passwords and remembering them. Most password managers have ‘Enterprise’ tiers to address those needs, with features like credential sharing/pooling, single sign-on (SSO), automatic provisioning and integration with directory services that business users need and expect.

My Password Recommendations:

  • Start using a password manager if you are not already.
  • Let the password manager generate passwords for you so they are truly random.
  • Generate and use passwords that are 12 or more characters and draw from upper case, lower case, numbers and special symbols.
  • When creating your password vault password (the one you must memorize), use a random password or passphrase that is at least 12 characters or 6 words in length.
  • Create a written password policy for your business based on the above.
  • Use the enterprise version of password managers if you need advanced features and control over passwords.
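The recommendations above can be written down as a small policy and checked mechanically; as an added example that is not part of the article, the following Python generates passwords and passphrases with the operating system's CSPRNG (the `secrets` module) and checks candidates against the stated thresholds of 12+ characters from all four classes, or 6+ words. The sixteen-word sample list is a constructed stand-in and far too small for real use; a real passphrase needs a list of thousands of words such as the Diceware/EFF lists.

```python
import secrets
import string

# Thresholds are the article's recommendations; the word list is a constructed
# placeholder (16 words gives only 4 bits per word, so a real list must be much larger).
MIN_PASSWORD_LENGTH = 12
MIN_PASSPHRASE_WORDS = 6
CHARACTER_CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}
ALPHABET = "".join(sorted(set().union(*CHARACTER_CLASSES.values())))  # 94 characters
SAMPLE_WORDLIST = ["anchor", "basil", "comet", "dune", "ember", "fjord", "glade", "harbor",
                   "ivory", "juniper", "kelp", "lumen", "marble", "nectar", "orbit", "pebble"]


def check_password(password: str) -> bool:
    """Composition rule from the recommendations: 12+ characters drawing from all four classes.
    Note what this cannot do: it cannot tell a random string from a memorable pattern."""
    classes_present = all(any(ch in cls for ch in password)
                          for cls in CHARACTER_CLASSES.values())
    return len(password) >= MIN_PASSWORD_LENGTH and classes_present


def check_passphrase(passphrase: str, sep: str = "-") -> bool:
    """Passphrase rule from the recommendations: at least six words."""
    words = [w for w in passphrase.split(sep) if w]
    return len(words) >= MIN_PASSPHRASE_WORDS


def generate_password(length: int = 16) -> str:
    """Draw each character uniformly from the full alphabet using the OS CSPRNG and
    redraw until every class is present. Redrawing (rather than forcing one character
    per class into fixed positions) keeps the result uniform over accepted passwords."""
    if length < MIN_PASSWORD_LENGTH:
        raise ValueError(f"length must be at least {MIN_PASSWORD_LENGTH}")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if check_password(candidate):
            return candidate


def generate_passphrase(wordlist, words: int = MIN_PASSPHRASE_WORDS, sep: str = "-") -> str:
    """Pick words uniformly and independently (repeats allowed) from the word list."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


if __name__ == "__main__":
    print("generated password:  ", generate_password())
    print("generated passphrase:", generate_passphrase(SAMPLE_WORDLIST))
    # The article's example passes the composition check even though it is built from a
    # name, a word, a year and a symbol; that is why the policy says to let the manager
    # generate the password rather than relying on composition rules alone.
    print("JoesSeafood9909! passes composition check:", check_password("JoesSeafood9909!"))
```

The last line of output is the caveat to keep in mind when writing the policy: “JoesSeafood9909!” satisfies every composition rule, so a checker like this can only enforce the floor; the randomness requirement is met by having the password manager do the generating.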