I couldn’t agree with this more, and if you’re not using a password manager at this point, then you’re just doing the Internet wrong.
I use 1Password and recommend it. Yes, it’s paid, but that’s good!
My default password generation recipe is 23 characters of upper and lower case letters. I use letters only in case I’m ever having to manually type the stupid thing on a touch screen.
There are still some passwords you have to remember. Obviously you need to remember the password to your 1Password file! I also remember the password to my Dropbox account (and I use 2-factor authentication) because that’s what I use to sync my 1Password file. I also changed my iPhone from a 4-digit PIN to a strong password since the 5s has the fingerprint scanner. It’s becoming harder and harder to pick good ones. I used the Diceware method of generating my passwords.
Again, I agree with all this:
Even better is to use random unmemorable alphanumeric passwords (with symbols, if the site will allow them), and a password manager like Password Safe to create and store them. Password Safe includes a random password generation function. Tell it how many characters you want — twelve is my default — and it’ll give you passwords like y.)v_|.7)7Bl, B3h4_[%}kgv), and QG6,FN4nFAm_. The program supports cut and paste, so you’re not actually typing those characters very much. I’m recommending Password Safe for Windows because I wrote the first version, know the person currently in charge of the code, and trust its security. There are ports of Password Safe to other OSs, but I had nothing to do with those. There are also other password managers out there, if you want to shop around.
There’s more to passwords than simply choosing a good one:
- Never reuse a password you care about. Even if you choose a secure password, the site it’s for could leak it because of its own incompetence. You don’t want someone who gets your password for one application or site to be able to use it for another.
- Don’t bother updating your password regularly. Sites that require 90-day — or whatever — password upgrades do more harm than good. Unless you think your password might be compromised, don’t change it.
- Beware the “secret question.” You don’t want a backup system for when you forget your password to be easier to break than your password. Really, it’s smart to use a password manager. Or to write your passwords down on a piece of paper and secure that piece of paper.
- One more piece of advice: if a site offers two-factor authentication, seriously consider using it. It’s almost certainly a security improvement.
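To compare the recipes mentioned above (23 letters, 12 characters with symbols, Diceware), here is an added example, not code from the post or from any password manager, that generates passwords with a CSPRNG and computes their entropy. The 94-character printable alphabet and the six-word Diceware phrase are assumptions; the 7776-word list size is the standard Diceware list.

```python
import math
import secrets
import string

LETTERS = string.ascii_letters  # 52 symbols: the letters-only recipe
# Assumption: "alphanumeric with symbols" means all 94 printable ASCII characters
PRINTABLE = string.ascii_letters + string.digits + string.punctuation
DICEWARE_LIST_SIZE = 6 ** 5     # 7776 words: five dice rolls select one word


def generate(alphabet: str, length: int) -> str:
    """Draw each character independently from the OS CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(choices: int, length: int) -> float:
    """Entropy of `length` independent uniform picks from `choices` options."""
    return length * math.log2(choices)


def length_to_match(target_bits: float, choices: int) -> int:
    """Smallest number of picks from `choices` options that reaches target_bits."""
    return math.ceil(target_bits / math.log2(choices))


def compare() -> dict:
    """Entropy of each recipe; the six-word phrase length is an assumption."""
    return {
        "23 letters": entropy_bits(len(LETTERS), 23),
        "12 printable": entropy_bits(len(PRINTABLE), 12),
        "6 Diceware words": entropy_bits(DICEWARE_LIST_SIZE, 6),
    }


if __name__ == "__main__":
    print("sample letters-only password:", generate(LETTERS, 23))
    for name, bits in compare().items():
        print(f"{name:>18}: {bits:6.1f} bits")
    # How many letters it takes to match a 12-character full-symbol password
    target = entropy_bits(len(PRINTABLE), 12)
    print("letters needed to match 12 printable:", length_to_match(target, len(LETTERS)))
```

The figures hold only when every character or word is chosen uniformly at random, which is why the generator uses `secrets` rather than `random`.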