Password Management

Last update: Oct 2023

Photo of hands in gloves on the keyboard of a laptop.

This page provides general suggestions and best practices for password management, including tips for creating strong passwords and using trustworthy password manager apps.

Table of contents

  1. Password Management
    1. General suggestions
    2. Length vs complexity
      1. Length is important
      2. But complexity matters too
        1. Length
        2. Complexity
        3. Combining length and complexity
        4. Conclusion
    3. An idea for creating strong passwords
    4. Testing your password strategy
    5. Considerations
    6. Image credits

General suggestions

Don’t use

  • words that can be found in dictionaries e.g. ‘Lemon’ or ‘love’
  • simple passwords e.g. ‘12345’, ‘aaaaaa’, ‘1234abcd’ or ‘password’
  • something that could be guessed from your social media profiles e.g. your dog’s name or your birthday
  • the same password on different websites e.g. on Facebook and Twitter
  • context-specific words e.g. ‘instagram-ILOVEyou’ on Instagram
  • physical notebooks, unsecured files or untrusted software to store your passwords

Do use

  • at least eight characters (ideally considerably more; length is what makes guessing expensive)
  • a mix of characters:
    • capital letters e.g. ‘C’ (not only as the first letter: capital-first is the most common placement and the first pattern cracking rules try)
    • lower case letters e.g. ‘w’
    • numbers e.g. ‘7’ or ‘75’
    • symbols e.g. ‘<’, ‘+’, ‘>’ (some platforms prohibit certain characters)
  • try a twist on a personal affirmation (e.g. Dontevergiveupmyfr1end!667)
  • enable multi-factor authentication (MFA) wherever it is offered, and biometric verification where available; they add a layer that a guessed or stolen password alone does not defeat
  • use a trustworthy password manager app e.g. Enpass, protected by a very strong master password (it becomes the one password you still have to remember)

Length vs complexity

Length is important

  • Longer passwords inherently have more combinations, making them more resilient against brute-force attacks.
  • Long phrases or sentences are more user-friendly.

Image: the xkcd comic ‘Password Strength’ (https://xkcd.com/936/), which contrasts a short ‘complex’ password built from a word with substitutions against a passphrase of four random common words, and shows that the passphrase is both easier to remember and harder to guess.
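The arithmetic behind the comic, as an added example that is not part of the original page: each word chosen uniformly at random from a list of N words contributes log2(N) bits, so four words from a 2048-word list give 44 bits, which is the figure xkcd uses. The word list below is constructed for the example and is far too small for real use (the EFF long list has 7776 words); the point is that the words must be picked by a cryptographic random source, not by the user.

```python
import math
import secrets

# Constructed word list for this example only. A real Diceware-style list is far
# larger (the EFF long list has 7776 words); the strength of the passphrase comes
# from uniform random selection over a large list, not from the words themselves.
SAMPLE_WORDS = [
    "correct", "horse", "battery", "staple", "lemon", "river",
    "candle", "window", "forest", "pencil", "garden", "silver",
]


def passphrase_entropy_bits(list_size: int, word_count: int) -> float:
    """Entropy of word_count words each chosen uniformly from list_size words.

    Every word contributes log2(list_size) bits and the choices are independent,
    so the bits add up. Four words from a 2048-word list give 44 bits.
    """
    return word_count * math.log2(list_size)


def random_charset_entropy_bits(charset_size: int, length: int) -> float:
    """Entropy of `length` characters each chosen uniformly from `charset_size`.

    Only valid for truly random characters: a human-chosen string such as
    'P@ssw0rd1!' is drawn from a far smaller effective space than 95**10.
    """
    return length * math.log2(charset_size)


def generate_passphrase(words, word_count: int = 4, sep: str = "-") -> str:
    """Pick word_count words with the CSPRNG in `secrets` (never `random`).

    Repeats are allowed so that the entropy formula above holds exactly.
    """
    return sep.join(secrets.choice(words) for _ in range(word_count))


def compare_strategies() -> dict:
    """Entropy in bits of a few strategies discussed on this page."""
    return {
        "4 words, 2048-word list (xkcd)": passphrase_entropy_bits(2048, 4),
        "4 words, 7776-word list (EFF long list)": passphrase_entropy_bits(7776, 4),
        "5 words, 7776-word list": passphrase_entropy_bits(7776, 5),
        "8 random printable ASCII chars (95)": random_charset_entropy_bits(95, 8),
        "12 random printable ASCII chars (95)": random_charset_entropy_bits(95, 12),
    }


if __name__ == "__main__":
    for label, bits in compare_strategies().items():
        print(f"{bits:6.1f} bits  {label}")
    print("example:", generate_passphrase(SAMPLE_WORDS))
```

Five random words from the EFF list (about 65 bits) beat eight random printable characters (about 53 bits) and are far easier to type and remember; the comparison only holds if the words really are chosen at random, which is why the generator uses `secrets` rather than a human picking favourite words.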

But complexity matters too

  • Incorporating a mix of uppercase letters, numbers and symbols enhances resistance not only against dictionary attacks but also against ‘smart’ brute force: mask attacks, which try every string matching a fixed pattern of character classes (for example one capital, five lowercase letters, four digits, one symbol), and rule-based attacks, which mangle dictionary words with the substitutions and appendages users commonly make. Complexity only helps when it is placed unpredictably: a password like ‘Summer2023!’ uses all four classes yet has exactly the structure these attacks try first.
  • Still, avoid making passwords too complex to remember.

Both length and complexity are crucial aspects of a strong password, and finding the right balance between the two can enhance password security significantly. Here’s a breakdown:

Length

Advantages: Longer passwords increase the number of possible combinations, making brute-force attacks more difficult. It allows for the usage of phrases or sentences that might be easier to remember.

Disadvantages: Extremely long passwords can be cumbersome to enter, especially on mobile devices or platforms that log users out frequently.

Complexity

Advantages: Adding a mix of uppercase letters, numbers, and special symbols makes the password harder to guess, providing resistance against dictionary and brute-force attacks.

Disadvantages: Complex passwords can be challenging to remember, leading users either to write them down or to rely on a password manager, which is itself software that must be kept up to date and protected by a strong master password.

Combining length and complexity

Utilizing a passphrase with mixed-case letters, numbers, and special characters offers an effective blend of length and complexity. Such a password resists a wide array of attacks, including brute-force, dictionary, and rainbow table attacks (precomputed hash tables, which cover only a bounded range of lengths and character sets; a long passphrase simply falls outside them, and properly salted password hashing defeats them regardless of the password).

Conclusion

Combining length and complexity doesn’t necessarily mean having a complicated password that is hard to remember. Using easy-to-recall phrases, varying letter casing, and inserting numbers or symbols can make passwords both secure and user-friendly. Be aware, though, that the usual letter substitutions (‘a’ to ‘@’, ‘i’ to ‘1’, ‘s’ to ‘$’) are in every cracking rule set and add almost nothing on their own; the length of the phrase and the unpredictability of what you add to it do the real work. Remember, no approach is foolproof, and enabling multi-factor authentication (MFA) where possible adds an extra layer of security.
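To make the length-versus-complexity trade-off above concrete, here is an added example (not code from the original page) that computes how many candidates a naive brute force and a mask attack must each try for a given password, using the character-class sizes hashcat assigns to its mask placeholders (?l 26, ?u 26, ?d 10, ?s 33, ?a 95). The guess rate of 10^10 per second is an assumption for the time estimates, not a measurement, and the ‘predictable structure’ pattern is this example’s own simplification of the capital-lowercase-digits-symbol shape that rule sets target.

```python
import re
import string

# Character-class sizes as hashcat defines its mask placeholders:
# ?l lowercase, ?u uppercase, ?d digits, ?s symbols (33, space included), ?a all printable (95).
MASK_CLASS_SIZES = {"l": 26, "u": 26, "d": 10, "s": 33, "a": 95}
PRINTABLE_ASCII = 95

# Assumed guess rate for the time estimates, not a measurement: around 10^10
# guesses/s is realistic for a fast unsalted hash on a GPU rig and wildly
# optimistic against a properly tuned bcrypt/scrypt/Argon2 deployment.
GUESSES_PER_SECOND = 1e10


def brute_force_keyspace(charset_size: int, length: int) -> int:
    """Candidates a naive brute force must try for one fixed length and charset."""
    return charset_size ** length


def password_to_mask(password: str) -> str:
    """The hashcat-style mask a password falls under, e.g. 'Summer2023!' -> '?u?l?l?l?l?l?d?d?d?d?s'."""
    classes = []
    for ch in password:
        if ch in string.ascii_lowercase:
            classes.append("?l")
        elif ch in string.ascii_uppercase:
            classes.append("?u")
        elif ch in string.digits:
            classes.append("?d")
        else:
            classes.append("?s")
    return "".join(classes)


def mask_keyspace(mask: str) -> int:
    """Candidates a mask attack tries: the product of the class sizes, position by position."""
    space = 1
    for cls in mask.split("?")[1:]:
        space *= MASK_CLASS_SIZES[cls]
    return space


# Capital first, lowercase body, a few digits, optional trailing symbol: the shape
# most users produce when told to 'add complexity', and therefore the first mask
# and rule set an attacker runs. This regex is a simplification for the example.
_PREDICTABLE = re.compile(r"[A-Z][a-z]+\d{1,4}[^\w\s]?")


def has_predictable_structure(password: str) -> bool:
    """True when the password has the common capital-lowercase-digits-symbol shape."""
    return _PREDICTABLE.fullmatch(password) is not None


def seconds_to_exhaust(keyspace: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at the assumed rate."""
    return keyspace / rate


def analyse(password: str) -> dict:
    """Compare what a naive brute force and a mask attack would each have to try."""
    mask = password_to_mask(password)
    naive = brute_force_keyspace(PRINTABLE_ASCII, len(password))
    masked = mask_keyspace(mask)
    return {
        "mask": mask,
        "predictable": has_predictable_structure(password),
        "naive_keyspace": naive,
        "mask_keyspace": masked,
        "naive_seconds": seconds_to_exhaust(naive),
        "mask_seconds": seconds_to_exhaust(masked),
        "mask_speedup": naive // masked,
    }


if __name__ == "__main__":
    for pw in ("Summer2023!", "Dontevergiveupmyfr1end!667", "correct-horse-battery-staple"):
        r = analyse(pw)
        print(f"{pw:30} {r['mask']:58} predictable={r['predictable']!s:5} "
              f"mask {r['mask_seconds']:.3g}s vs naive {r['naive_seconds']:.3g}s")
```

For ‘Summer2023!’ the naive 11-character search over 95 symbols is about 5.7e21 candidates (roughly eighteen thousand years at the assumed rate), while the mask it actually matches is about 1e14 candidates (roughly three hours). The page’s own ‘Dontevergiveupmyfr1end!667’ does not fit the predictable shape because its digit and symbol sit mid-string, and a 28-character passphrase is out of reach for any mask; the relevant attack on passphrases is a dictionary combinator, which is why the word list size and random word choice matter.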

An idea for creating strong passwords

Create a base phrase and add service-specific modifiers:

  1. Base: going2uniIZgreatfunin2023
  2. For Facebook: FK_going2uniIZgreatfunin2023
  3. For ResearchGate: going2uniIZgreatfunin2023:re

Bear in mind that different services have different requirements for password composition. For instance, while some allow the character ‘:’, some don’t.

Also bear in mind the trade-off: if one service stores or leaks your password in plaintext, an attacker who sees ‘FK_going2uniIZgreatfunin2023’ can strip the short modifier and guess the rest of the family. Treat the scheme as a fallback for the few passwords you must remember; for everything else, unique random passwords kept in the password manager recommended above are stronger.
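An added example, not part of the original page, that shows how little the service-specific modifiers hide: it audits a small constructed vault (using the page’s own sample passwords) and reports pairs that share one base. The 80% threshold is an arbitrary choice for this example; the `difflib` longest-match call is standard library.

```python
from difflib import SequenceMatcher
from itertools import combinations

# Constructed vault for the example, using the sample passwords from this page
# plus one unrelated passphrase.
VAULT = {
    "facebook": "FK_going2uniIZgreatfunin2023",
    "researchgate": "going2uniIZgreatfunin2023:re",
    "email": "correct-horse-battery-staple",
}


def longest_common_substring(a: str, b: str) -> str:
    """Longest run of characters that appears verbatim in both strings."""
    m = SequenceMatcher(None, a, b).find_longest_match(0, len(a), 0, len(b))
    return a[m.a:m.a + m.size]


def shares_base(p1: str, p2: str, min_fraction: float = 0.8) -> bool:
    """True when one shared core covers at least min_fraction of the shorter password.

    The 0.8 threshold is an arbitrary choice for this example: a modifier of a
    few characters (a site prefix, a ':xx' suffix) leaves the rest intact, so a
    leak of either password hands an attacker the core of the other.
    """
    core = longest_common_substring(p1, p2)
    return len(core) >= min_fraction * min(len(p1), len(p2))


def find_derived_pairs(vault: dict, min_fraction: float = 0.8) -> list:
    """Audit a {service: password} mapping; return (service1, service2, shared core) triples."""
    hits = []
    for (s1, p1), (s2, p2) in combinations(vault.items(), 2):
        if shares_base(p1, p2, min_fraction):
            hits.append((s1, s2, longest_common_substring(p1, p2)))
    return hits


if __name__ == "__main__":
    for s1, s2, core in find_derived_pairs(VAULT):
        print(f"{s1} and {s2} share the base {core!r}")
```

Run against the constructed vault it flags the Facebook and ResearchGate entries as sharing ‘going2uniIZgreatfunin2023’ and leaves the random passphrase alone; the same check is useful when reviewing an exported password-manager vault for reuse.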

Testing your password strategy

Evaluate your strategy using online tools like howsecureismypassword.net. Never type an actual password into such a site, even one that claims to run entirely in your browser; instead, test a stand-in with the same structure to evaluate the methodology (your pattern). These estimators also assume a pure brute-force attacker, so they overstate the strength of passwords built from dictionary words, dates and common substitutions.

Considerations

Consider simplifying your digital presence by minimizing the number of accounts where possible: fewer accounts means fewer passwords to manage and fewer places where a breach can expose one.

Image credits

Photo by Towfiqu barbhuiya on Unsplash.