
2023-01-03

Passwords - A Necessary Pain

“Overall, there are many options to help people protect themselves...and you should use as many as makes sense”

The debate on passwords has existed since their inception and remains contentious in terms of what constitutes best practice. Even that best practice shifts constantly, which in these times is only to be expected.

One aspect of password management that hasn't really changed, though, is the idea that all passwords need to be sufficiently complex. The problem comes down to managing that complexity. XKCD has a wonderful comic strip that, in my opinion, describes this well.

While the comic strip is entitled 'Password Strength', and does cover that, other facets of it relate more closely to Password Management and the idea of Psychological Acceptance, which I think is the key issue in determining Password Strength; ultimately it depends on how you use the password.

Everyone should by now be familiar with password management practices, primarily through work, but perhaps also through reading, friends, family, or overly familiar strangers with opinions they must share with the world. These usually call for a combination of upper case, lower case, numbers and special characters, with the length of the password depending, I think, on the current best practice described earlier. The main difficulty with this approach is that it provides a new definition for 'set and forget'. In all likelihood you'll set a password using this combo and promptly forget it 5 minutes later, only to curse yourself for not writing it down; but you didn't want to write it down because it's bad practice... hopefully you can see where I'm going with this.

Another concept that has gained traction in recent years is the pass-phrase. A pass-phrase should be a combination of unrelated dictionary words that together form the basis for a password. The key here is unrelated. No numbers, no special characters, and you don't even need upper case letters unless you feel the need. But unrelated. This simply requires a sufficient number of words to create entropy, again something the XKCD comic touches on very well. In basic terms, entropy in this case relates to how difficult the password would be to determine via brute force.

For example, a 4 word pass-phrase will be less secure and have less entropy than a 6 word pass-phrase due to the number of characters. Pass-phrases are great in that they can be highly memorable. The caveat is that they really do need to use unrelated words, or they risk losing their effectiveness. In other words, 'correct horse battery staple' is technically more effective than 'this is the easiest password' because there is no grammatical structure to it; it's just a series of words with no reference to each other.
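As an added worked example (not part of the original post), here is the usual way of putting numbers on that entropy claim: the bits of a pass-phrase of n uniformly chosen words versus a random character password, and how many words are needed for a target. The 7776-word dictionary size, the 95-character printable set and the sample word list are assumptions, not values from the post.

```python
import math
import secrets

# Constructed sample word list for the demo; a real diceware-style list
# has about 7776 entries, which is the assumed default dictionary size below.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple",
                "cloud", "pencil", "river", "anchor"]


def entropy_bits(alphabet_size: int, symbols: int) -> float:
    """Entropy of `symbols` independent, uniformly random picks from an
    alphabet of `alphabet_size` items: log2(N ** k) = k * log2(N).
    The estimate assumes the attacker knows the dictionary or charset;
    only the picks are secret, so keeping the dictionary secret adds nothing."""
    if alphabet_size < 2 or symbols < 1:
        raise ValueError("need at least two choices and one symbol")
    return symbols * math.log2(alphabet_size)


def passphrase_entropy(word_count: int, dictionary_size: int = 7776) -> float:
    """Bits for a pass-phrase of uniformly chosen, unrelated words.
    A grammatical sentence is not a uniform pick, so this overstates it."""
    return entropy_bits(dictionary_size, word_count)


def password_entropy(length: int, charset_size: int = 95) -> float:
    """Bits for a random password over the 95 printable ASCII characters."""
    return entropy_bits(charset_size, length)


def expected_guesses(bits: float) -> float:
    """Average brute-force guesses before success: half the keyspace."""
    return 2.0 ** (bits - 1)


def words_for_target(target_bits: float, dictionary_size: int = 7776) -> int:
    """Smallest word count whose entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(dictionary_size))


def generate_passphrase(word_count: int, wordlist=SAMPLE_WORDS) -> str:
    """Draw each word independently with the OS CSPRNG; independent draws
    are what make the words 'unrelated' in the sense the post describes."""
    return " ".join(secrets.choice(wordlist) for _ in range(word_count))


if __name__ == "__main__":
    for n in (4, 6):
        print(f"{n} words: {passphrase_entropy(n):.1f} bits")
    print(f"8 printable chars: {password_entropy(8):.1f} bits")
    print("sample:", generate_passphrase(6))
```

With the assumed 7776-word list, 4 words give about 51.7 bits and 6 words about 77.5 bits, against roughly 52.6 bits for 8 fully random printable characters; the 6-word phrase is far easier to remember than 11 random characters of equivalent strength.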

Good passwords and good pass-phrases each have their uses depending on the situation: passwords for sites you don't use every day but that still require security, and pass-phrases for when memorising is more important.

The difficulty here is understanding your use case. Is this something you use every day or something you use infrequently? The choice is yours.