Writing about passwords is like beating a dead horse. It’s not very exciting, I know. But this needs to be said, and repeated often: sorry, but your passwords just aren’t good enough.
In the words of Jeff Atwood:
Here’s what I know to be true, and backed up by plenty of empirical data: No matter what you tell them, users will always choose simple passwords.
No matter what you tell them, users will re-use the same password over and over on multiple devices, apps, and websites. If you are lucky they might use a couple passwords instead of the same one.
“No matter what”? I still want to try. I’m not getting paid to say this. I just don’t want to see bad things happen to people, in particular those I care about. That’s why I bother.
I cringe when I think of the Gmail passwords I know that people around me use, like “Thomas” or “Italy123”.
My Gmail password is something like this:
And obviously I don’t have a snowball’s chance in hell of remembering this. But see, the neat thing is that I don’t have to remember this. I use a password manager* to keep track of nearly 300 passwords like that one. (Here’s how that works.) And the only thing I need to remember is the master password to that password manager, and you can bet that is something I can remember – not because it’s simple but because I type it a lot. But I only have to remember one password and still my logins are secure, and that’s the beauty of it.
My master password is not quite as crazy as the example above, but it is still fairly long, nonsense, and contains all kinds of characters: uppercase, lowercase, digits, punctuation. It’s really not a big deal when it’s the only one I need to remember.
That password manager is a plugin to my browser on my home computer and my work computer, and I have an app on my smartphone too, so I really have it everywhere I need it. I can even access my passwords online, when I’m at a public or borrowed computer. (That’s also why the master password needs to be secure. It’s literally the key to everything else.) The software is clever enough to recognize when there is a login form and then it asks whether it should fill it out for me. Yes, thank you. This works in the browser and on the phone. Very handy!
You too have a hundred logins, if you think about it. Email, of course. Facebook, probably. Bank! Amazon. eBay. Craigslist. Blog? Twitter? Pinterest? Library. Airlines. Phone company. Internet provider. You get the idea.
I very sincerely hope you don’t use the same password (or variations of the same) for all of those. Just imagine if someone gets access to any one of those passwords. They’ll test whether it works on all the other sites too. It can have very serious and very expensive consequences for you. Don’t make it that easy.
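To make the two points above concrete (a manager generates long random passwords you never have to remember, and reusing one password across sites is what turns a single leak into a takeover of everything), here is a small added example in Python. It is not code from the original post or from any particular password manager: it generates passwords the way a manager does (uniformly at random from the OS secure random source), estimates their entropy, and audits a vault for passwords reused across sites. The vault contents and site names are constructed for the example, not real credentials.

```python
import math
import secrets
import string
from collections import defaultdict

# Character classes a password manager typically draws from:
# 26 + 26 + 10 + 32 = 94 printable ASCII symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Return `length` characters drawn uniformly from `alphabet`.

    Uses the `secrets` module (OS CSPRNG), never `random`, which is
    predictable and unsuitable for credentials.
    """
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a password chosen uniformly at random: length * log2(alphabet).

    This is an upper bound that only holds for machine-generated passwords.
    A human-chosen one like 'Italy123' is a dictionary word plus digits and
    has far fewer effective bits than the formula would suggest.
    """
    return length * math.log2(alphabet_size)


def find_reused_passwords(entries):
    """Map each password used on more than one site to the list of those sites."""
    by_password = defaultdict(list)
    for site, password in entries:
        by_password[password].append(site)
    return {pw: sites for pw, sites in by_password.items() if len(sites) > 1}


def audit_vault(entries, min_length: int = 16):
    """Return human-readable findings: reused passwords first, then short ones."""
    findings = []
    for password, sites in find_reused_passwords(entries).items():
        findings.append(
            f"password reused on {len(sites)} sites: {', '.join(sites)}"
        )
    for site, password in entries:
        if len(password) < min_length:
            findings.append(f"{site}: password is only {len(password)} characters")
    return findings


# Constructed sample vault: hypothetical site names, made-up passwords.
# The first three entries share one weak password, which is exactly the
# pattern that lets a leak at one site unlock the others.
SAMPLE_VAULT = [
    ("mail.example", "Italy123"),
    ("shop.example", "Italy123"),
    ("bank.example", "Italy123"),
    ("social.example", "Thomas"),
    ("library.example", "T9$kq2Lm!vR7@wZe4pHn"),
]

if __name__ == "__main__":
    generated = generate_password()
    print(f"generated: {generated}  (~{entropy_bits(20, len(ALPHABET)):.0f} bits)")
    for finding in audit_vault(SAMPLE_VAULT):
        print("finding:", finding)
```

Running it prints a fresh 20-character password (about 131 bits of entropy, which is why nobody needs to remember it) and then flags the reused "Italy123" entries and every password shorter than 16 characters. Most password managers export their vault as CSV, so `find_reused_passwords` is the kind of check you can run over your own data to see how much of the "same password everywhere" habit is still in there.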
In the space of one hour, my entire digital life was destroyed. First my Google account was taken over, then deleted. Next my Twitter account was compromised […] And worst of all, my AppleID account was broken into, and my hackers used it to remotely erase all of the data on my iPhone, iPad, and MacBook.
In many ways, this was all my fault. […] Had I used two-factor authentication for my Google account, it’s possible that none of this would have happened.
Now imagine if you only know one password, but all those sites are still safe. That’s what the password manager does for you!
I’m not saying that you need to remember long, complex, and different passwords for all your sites. No human can keep track of that. But I strongly urge you to try out a password manager and see if you might be able to persuade yourself to use that.
It’s really not that much of a hassle. Especially when you compare it to the risk of losing control of your email and Amazon and banking and so on.
Try it. Please.