Long passwords

That may not be as wacky an idea as all that.

For any sort of brute force cracking effort, length is far more important than variety of characters. Instead of getting all 133+ @bout it, just add a couple more alphabetic characters and your entropy goes up more.

e.g.

Assuming it isn’t your own name, “JasperJamesSmith” is a bad PW, but not nearly as bad as “P@ssw0rd1!”. IMO “JasperJamesSmithJasperJamesSmithJasperJamesSmith” is a much better password. And probably plenty good enough for anyone who’s not targeted by the CIA.

As I and many others have already said above, the right answer is a password manager storing long and randomly generated PW strings, not “memorable” passwords. At least until somehow the IT industry moves everything away from PWs altogether. Which I probably won’t live to see.

I do have a password manager that is strongly protected. But there are ways to create memorable passwords. A random sample that is not my password. Not your address and middle name or anything, but something like this:

Awtmlcsiiguadiaa!

Created in about 2 minutes. And I can remember it.

And when the morning light comes streaming in
I’ll get up and do it again, Amen

With thanks to Jackson Browne.

The trick can be to find a line in a song that you can easily remember, and is long enough. Often in the chorus. Compound words can be a befuddlement. You need to set rules for how to treat them with case and special characters, but once that is done, you don’t have to make new rules.

Or, pick a line out of a book, page number and line number might be 40-12. Do something similar to just picking the first or second letter of a word. I think this type of encryption was used in WWII.

An excellent technique for one or two PWs. I have over 300.

Even if I could recall all 300 memorable phrases, there’s no way I could recall which memorable phrase goes with which website or app.

As an illustration, if you have one password constructed randomly from all of the possible characters on a standard American keyboard, and another one constructed randomly just of digits, but twice as long, the one constructed just of digits is more secure. There are 95 possible keyboard characters to choose from, but a pair of digits has 100 possibilities.

That said, that depends on randomness. If the attacker has any notion at all that you’re just putting in the same string multiple times, or even has a notion that you might be doing that, then the same algorithm that guesses “JasperJamesSmith” will also guess “JasperJamesSmithJasperJamesSmithJasperJamesSmith”. It’ll only take the algorithm three times as long to guess “same thing repeated twice or three times” as it took to guess the single thing. And a factor of three isn’t much at all.
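Turning the arithmetic in the posts above into numbers (length over character variety, twice-as-long digits beating the full keyboard, and a repeated phrase only costing a pattern-aware attacker a factor of three), as an added example that is not part of the thread. The guess count and guess rate it uses are constructed placeholders, and the per-character bit counts are the uniform-random worst case for the attacker, which a name- or lyric-based phrase never reaches.

```python
import math


def bits(alphabet_size: int, length: int) -> float:
    """Entropy (bits) of `length` symbols drawn uniformly at random from an
    alphabet of `alphabet_size` symbols. This is the attacker's worst case;
    a phrase built from names or lyrics has far fewer bits than its length suggests."""
    return length * math.log2(alphabet_size)


def digits_twice_as_long_win(length: int) -> bool:
    """The post's claim: 2*length random digits beat `length` random characters
    from the 95 printable US-keyboard characters. A pair of digits has 100
    possibilities and 100 > 95, so this holds at every length."""
    return bits(10, 2 * length) > bits(95, length)


def repetition_cost(phrase_guesses: int, max_repeats: int = 3) -> tuple:
    """An attacker who finds the base phrase after `phrase_guesses` tries and
    also tries it repeated 2..max_repeats times needs at most
    phrase_guesses * max_repeats tries: log2(max_repeats) extra bits, not
    the bits the extra length would suggest."""
    total = phrase_guesses * max_repeats
    return total, math.log2(max_repeats)


def naive_repeated_bits(phrase: str, repeats: int, alphabet_size: int = 52) -> float:
    """What the repeated password looks like to a naive per-character estimate
    (52 = upper- and lower-case letters), for contrast with repetition_cost()."""
    return bits(alphabet_size, len(phrase) * repeats)


def seconds_to_exhaust(entropy_bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try the whole keyspace at an assumed guess rate."""
    return (2 ** entropy_bits) / guesses_per_second


if __name__ == "__main__":
    for n in (8, 12, 16):
        print(f"{n} keyboard chars: {bits(95, n):.1f} bits vs "
              f"{2 * n} digits: {bits(10, 2 * n):.1f} bits")
    phrase = "JasperJamesSmith"
    print(f"naive estimate for {phrase!r} x3: {naive_repeated_bits(phrase, 3):.0f} bits")
    # constructed guess count: pretend a names list finds the phrase after a million tries
    tries, extra = repetition_cost(phrase_guesses=1_000_000)
    print(f"pattern-aware attacker: {tries:,} tries, only {extra:.2f} bits more than the phrase alone")
    # constructed rate: an assumed 1e10 guesses/second offline cracking rig
    print(f"worst case for 20 random digits: {seconds_to_exhaust(bits(10, 20), 1e10):.0f} s")
```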

300? Wow. The technique above is what I use for one pwd that changes every 6 weeks. I have a separate one for my pwd manager.

My technique may not be as good as a cat walking across the keyboard technique. But it is something you can remember.

There is a drawback though. Your pwd creates an ear worm that you keep singing to yourself in your head pretty much all day on the day you create it. But that helps you remember it.

I met someone recently who said she never memorizes passwords, and just uses the “forgot password” option on all websites. Apparently there’s no upper limit to using that, so she just clicks it and logs in via the email(s), and using any generated password that’s suggested.

I wonder if this is actually secure or not. It’s certainly a different take.

My mother uses this system to a great extent. It makes your phone a single point of failure for a lot of web sites, especially financial ones.

So I prefer BitWarden, which gives better options in the event of travel or device failure. However, there’s a learning curve.

I used LastPass for a long time, but clearly hackers were targeting them with several notable successes that we know about, so I switched to Bitwarden.

It’s not quite as convenient in all the features, but I suspect all of the convenience features of LastPass were what was making it vulnerable. But I’ll happily copy paste from the app instead of having the app fill it in automatically if it’s more secure.

I worked for a major North America-based investment bank, and I needed the physical key.

I was a consultant, so I traveled a fair amount. I simply attached the physical key to my laptop bag (in fact it is still attached, even though it’s been a while since I worked for them) which essentially makes that security feature useless.

I prefer 2FA, although I have 3 different 2FA apps on my phone because their protocols are not standard (one is Google, which does at least follow a standard).

My password standard is some detail about the website, some symbols and numbers and some Afrikaans swear words - which are unlikely to turn up in rainbow tables, given the style of Afrikaans I know… “kaapse taal” is a very distinctive dialect.

The reset method itself isn’t secure without a second factor.

One of my vendors forces a password reset every 90 days via the email reset method. Morons.

I use RoboForm and Bitwarden. RF is a bit better at autofill, but Bitwarden still works with an extra click. I rarely have to copy & paste.

I think it’s just my setup, and my work. At work I can’t install browser add-ons, so I have to website it, and on my iPhone the Bitwarden app doesn’t autofill into DuckDuckGo so I have to copy-paste. On my personal computer, of course I can install add-ons, but autofill still takes at least one click where LastPass just filled it in without doing anything.

I’ve encountered several places that make this the default method to login, instead of a password. Slack is the only one I can remember. The sites will email you a one time code or special link that is good for one login. So like a password reset, but without the bother of actually resetting your password.

It makes the security of that website the same as the security of your email. In practice, that is no different than any other site which uses email based password resets, and emphasizes the importance of guarding access to your email account. Anyone who can read your email can probably access any other site you use.

Well, if it’s not secure, then it’s also not secure for a user who doesn’t use the “forgot my password” feature. Because an attacker could always just hit that button, too.

Passwords are only part of the picture. One can create a password with the right “sweet spot” (length and characters) but if the transmission protocol isn’t secure, the password storage (on the server) isn’t secure, and the digital and physical security of the server are not secure, then there’s a problem. Only one weak link in the chain …

You can design a security chain to survive a few weak links. For instance, if a site uses good hashing and salting, and users pick good passwords, it won’t actually matter if the site’s password file gets compromised. But yeah, those are big ifs. Especially the “users pick good passwords” part, because sites can’t control their users: They can put in place password rules, but the only way to thoroughly test password strength is to try to attack it, which can take hours or longer.