Like a good set of keys, one's passwords should be strong and kept secret. This article describes some techniques for doing so.
The paragraphs below contain links to outside websites and sources of data; the reader should verify those links independently.
One's passwords should be different for every account, long (at least 20 characters) and free of dictionary words; in short, each password should be a random string of letters, numbers and symbols. What makes a password strong is the amount of randomness (entropy) that went into choosing it: every additional random character multiplies the number of possibilities an attacker must try, so, for the general case, a longer random password is stronger than a shorter one. A password that is long but assembled from words, names or dates does not get this benefit, because dictionary and rule-based attacks try exactly those combinations first. The following may reinforce the point: when a leaked database of password hashes is attacked offline, a single modern consumer graphics card can test billions of guesses per second against fast, unsalted formats such as MD5 or NTLM, and purpose-built cracking rigs go faster still. An eight-character random password falls to such hardware in days; a twenty-character one is out of reach. Rate limiting on a live login page slows online guessing, but one should not count on it, since the same password usually also sits in a database somewhere.
Generating Good Passwords
This section covers the generation of good passwords; refer to the next section for methods of storing them. The first and simplest means of generating passwords is to do so by hand. We do not recommend this, because people are poor sources of randomness, but it can be done well enough if the following measures are followed.
- Have a length of at least 20 characters (more is better)
- Use no real words, names, dates or keyboard patterns
- Use letters (uppercase and lowercase), numbers and symbols
- Randomize the password by typing a burst of keys, clicking a different place in the text, typing again, and repeating several times. Note that keyboard mashing is far from uniformly random (people favour the home row and alternate hands), so treat the result as weaker than its length suggests and make it longer to compensate
- Do not introduce any definable "scheme" into this process, so that one of your passwords cannot be derived from another
The second means of generating passwords is to use a password generator; applications exist for this purpose. We absolutely do not recommend using any web page to generate passwords: one cannot verify whether the page logs what it hands out, nor whether its generator is actually random, and a value that has left one's machine is no longer a secret. Use a plain local application, such as KeePassXC, and make sure that whatever one uses draws from the operating system's cryptographic random number generator rather than a general-purpose one. KeePassXC is also a password storage mechanism, which leads into the next section, below.
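As an added example (our own code, not from this article or from KeePassXC), the following Python script shows what a sound generator does: it draws each character from the operating system's cryptographic random number generator via the `secrets` module, enforces the rules given above for hand-made passwords (length, every character class present, no words), and puts numbers on the brute-force claim made earlier by computing the entropy of a password and the time an exhaustive search would take. The rate of ten billion guesses per second and the short word list are assumptions for illustration; a real passphrase would use a published diceware list.

```python
import math
import secrets
import string

# The 94 printable ASCII characters other than space: the alphabet a generator
# that mixes letters (both cases), digits and symbols draws from.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)
ALPHABET = "".join(CLASSES)

# Constructed stand-in for a real diceware list (the EFF long list has 7776 words);
# only the list's length matters for the entropy arithmetic below.
WORDS = ("acorn", "basil", "cobalt", "delta", "ember", "fjord", "glide", "heron",
         "ivory", "jetty", "kayak", "lunar", "maple", "nylon", "oriel", "plume")


def has_every_class(password: str) -> bool:
    """True when the password contains at least one character from each class."""
    return all(any(c in cls for c in password) for cls in CLASSES)


def generate_password(length: int = 20) -> str:
    """Random password over ALPHABET using the OS CSPRNG (secrets, never random).
    Rejection sampling until every class appears keeps the result uniform over
    the set of acceptable passwords; at length 20 a retry is rarely needed."""
    if length < len(CLASSES):
        raise ValueError("too short to contain every character class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if has_every_class(candidate):
            return candidate


def generate_passphrase(words: int = 6, wordlist=WORDS) -> str:
    """Passphrase of words chosen uniformly at random; its strength comes from
    the random choice, not from the words being unusual."""
    return "-".join(secrets.choice(wordlist) for _ in range(words))


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` symbols each drawn uniformly from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try every possibility at the given (assumed) guessing rate."""
    return 2.0 ** bits / guesses_per_second


if __name__ == "__main__":
    # Assumption: about 10 billion guesses/s, a consumer GPU against MD5 or NTLM.
    fast_hash_rate = 1e10
    print("password  :", generate_password())
    print("passphrase:", generate_passphrase())
    for name, size, n in (("8 random chars", 94, 8),
                          ("20 random chars", 94, 20),
                          ("6 diceware words", 7776, 6)):
        bits = entropy_bits(size, n)
        days = seconds_to_exhaust(bits, fast_hash_rate) / 86400
        print(f"{name:18s} {bits:6.1f} bits  exhaustive search ~ {days:.3g} days")
```

The comparison the script prints is the practical takeaway: eight random characters (about 52 bits) are exhausted in roughly a week at the assumed rate, while twenty random characters (about 131 bits) or six diceware words (about 78 bits) are not exhausted in any meaningful time, so the length rule above is not arbitrary.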
Storing Passwords
Storing long passwords is a pain, since memorizing them is difficult. For low-value accounts, shorter passwords with a bit more memorability (excluding "password123" and anything else a dictionary attack would find) are tolerable, though a password manager removes the need to memorize anything but the master password. For anything sensitive, we define this law, which should be taken to heart and never forgotten:
- The security of a thing increases with the difficulty of using the thing.
This applies to passwords, operating systems, disk encryption and so on. One's most sensitive data should sit behind passwords and hardware that are hard to remember, produce and use. Make it long and make it strong. Below are some methods for storing passwords.
- Write them down and store them physically, with several duplicates. We do not recommend this technique, as it is usually unscalable and physically insecure. Follow the procedures outlined in DHitMA: Backups, Backups, Backups! to preserve physical copies of your passwords. If this method is chosen, we recommend writing the passwords down with their characters reversed, which is intended to confuse the uninformed thief who has stolen one's password sheet. Other schemes, using some simple cipher (such as moving each character "up" or "down" one place) that one memorizes and applies whenever a password is needed, can be used as well. Be clear about what these schemes buy: a thief who knows or guesses the scheme has at most a few hundred variants to try, so the obfuscation adds a handful of bits to the work factor, not real cryptographic strength, and the sheet itself remains the secret to be protected (in a safe, not a desk drawer). Once a scheme is widely known, it is ruined for everybody; we still prefer reversing over storing the passwords plainly, since it defeats the casual glance.
- Use a password manager. Several exist, but we only trust a few of them. Applications that store the database only on one's own machine are not exposed to a breach of a provider's servers, which is what turns a cloud vault into a target for offline cracking (the 2022 LastPass breach, in which encrypted vaults were stolen, is the standing example); in exchange one loses built-in synchronization and backup. One must decide what fits one's use case, but we recommend local password managers over cloud-based ones. Some rules apply whichever is chosen, after which some password managers are listed.
- Do not rely on browser-extension password managers. An extension's autofill runs inside the browser's page context, where a malicious or compromised page can present hidden or spoofed login forms to harvest whatever gets filled in; a stand-alone application that one copies from deliberately does not have this exposure.
- Keep a very strong master password that one can remember. Do not store this password digitally: make physical copies and backups of it, following the same procedures for writing it down as described above.
- Keep the password database, and the machine that unlocks it, on an encrypted drive. The database file is itself encrypted, but full-disk encryption also covers the residue around it (swap, temporary files, crash dumps) that may hold an unlocked entry.
- KeePassX: KeePassX is a plain password storage application with a built-in password generator. One's database is stored in an encrypted file that can only be opened with the master password (optionally combined with a key file). KeePassX has not had a release since 2016 and is no longer maintained.
- KeePassXC: KeePassXC is a community fork of KeePassX, maintained by a large group of contributors. It has all the features of KeePassX and more, including the current KDBX 4 database format with the Argon2 key derivation function and hardware-key (YubiKey) challenge-response for unlocking the database. We recommend KeePassXC over its predecessor.
- NordPass: NordPass is the only cloud-based password manager we fully recommend. It has a password generator. It encrypts the vault with XChaCha20 rather than the more common AES-256 (both are sound choices), and, like its sibling NordVPN, it operates under Panamanian jurisdiction, outside the Five Eyes alliance, which is why we prefer it on privacy grounds. That is a legal advantage rather than a technical one, and it does not make the provider immune to compulsion or breaches. It can be used offline.
- Bitwarden: Bitwarden has the best user interface of any password manager and is highly customizable. Its clients and server are open source and the server can be self-hosted, which sidesteps the jurisdiction question entirely. We recommend NordPass over Bitwarden simply because NordPass is based in Panama, whereas Bitwarden's hosted service is based in the USA (a Five Eyes country). Bitwarden's encryption and password generation meet the usual standards.
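As an added example (our own code, not from this article) quantifying the caveat about paper storage above: the script below implements the reversal and "up/down" shift schemes described there and then counts how many candidates a thief who suspects such a scheme has to try. The example password is constructed; the alphabet is the same 94 printable characters a generator uses, and a move "up" from the last character wraps to the first.

```python
import math
import string

# Same 94-character alphabet a generator uses; "up"/"down" moves wrap around its ends.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def shift(text: str, k: int) -> str:
    """Move every alphabet character k places up (negative k: down), wrapping.
    Characters outside the alphabet are left untouched."""
    n = len(ALPHABET)
    return "".join(ALPHABET[(ALPHABET.index(c) + k) % n] if c in ALPHABET else c
                   for c in text)


def write_for_sheet(password: str, shift_by: int = 0) -> str:
    """What goes on paper: reversed, then optionally shifted (the schemes above)."""
    return shift(password[::-1], shift_by)


def read_from_sheet(written: str, shift_by: int = 0) -> str:
    """Inverse of write_for_sheet: undo the shift, then the reversal."""
    return shift(written, -shift_by)[::-1]


def candidates(written: str) -> set:
    """Every password a written string could encode if the thief tries all
    schemes: as written or reversed, under every possible shift (including none)."""
    found = set()
    for base in (written, written[::-1]):
        for k in range(len(ALPHABET)):
            found.add(shift(base, k))
    return found


def bits_added(written: str) -> float:
    """Extra work the obfuscation costs a thief who suspects it, in bits."""
    return math.log2(len(candidates(written)))


if __name__ == "__main__":
    secret = "a7#Qx!p2Vm9&Lr4sW@eK"   # constructed example password
    on_paper = write_for_sheet(secret, shift_by=1)
    print("on paper  :", on_paper)
    print("recovered :", read_from_sheet(on_paper, shift_by=1))
    print(f"thief's worst case: {len(candidates(on_paper))} guesses, "
          f"{bits_added(on_paper):.1f} bits added to a roughly 131-bit password")
```

The arithmetic is the point: two orientations times 94 possible shifts is 188 candidates, under 8 bits of extra work against a password that carries about 131, so the sheet, not the scheme, is what has to stay secret.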