From 9238db636f807a6576eb0ef91cfdce52b105aeaa Mon Sep 17 00:00:00 2001 From: Ben Burwell Date: Sat, 1 Jun 2019 21:01:42 -0400 Subject: Don't publish extraneous files --- .build.yml | 2 +- index.html | 222 --------------------------------------------------------- site.css | 81 --------------------- src/index.html | 222 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++ src/site.css | 81 +++++++++++++++++++++ 5 files changed, 304 insertions(+), 304 deletions(-) delete mode 100644 index.html delete mode 100644 site.css create mode 100644 src/index.html create mode 100644 src/site.css diff --git a/.build.yml b/.build.yml index b0a9e7b..e7d618e 100644 --- a/.build.yml +++ b/.build.yml @@ -14,4 +14,4 @@ triggers: tasks: - deploy: | sshopts="-o StrictHostKeyChecking=no" - rsync --rsh="ssh $sshopts" -rP $site/ bburwell@$site:$site + rsync --delete --rsh="ssh $sshopts" -rP $site/src/ bburwell@$site:$site diff --git a/index.html b/index.html deleted file mode 100644 index d1b2b8b..0000000 --- a/index.html +++ /dev/null @@ -1,222 +0,0 @@ - - - - How to Choose a Password - - - - - -
-

How to Choose a Password

- - - -

- - Why strong passwords are important - -

- -

- When choosing a password, it’s important to make sure that no one can - guess it — that’s the whole point, right? -

- -

- If we want to make sure no one can guess our passwords, we need to - think about what adversaries might be trying to guess - them and how they might do it. This is part of a process called - threat modeling. Some adversaries we can think about - are: -

- - - -

- - The way to make sure that no one can guess our passwords is to make - them completely random. - - When our passwords are randomly generated, they don’t have any - information related to us that friends might be able to guess. If an - adversary learns one of our passwords, they will be no closer to - guessing any of our other passwords. And of course, randomly generated - passwords are very unlikely to be listed in password dictionaries. -

- -

- - How to generate a random password - -

- -

- Being truly random is something that people are very bad at. Even when - we think we are being random, there are often patterns - associated with the “random” things we come up with. -

- -

- When we want to create good, random passwords, one thing we can use is - software (such as our password manager, more on this below) to help us. -

- -

- Another method is to use a word list and dice to create a random - passphrase. The - Electronic Frontier Foundation, - a digital privacy advocacy group, has created - - a wordlist you can download - - for this purpose. To use this method, you’ll need five dice (or you can - roll a single die five times). Here’s how: -

- -
    -
  1. - Roll five dice (or one die five times) and read the number from each - so that you have five digits, for example: 1, 6, 3, 5, 2. -
  2. -
  3. - Look at - - the wordlist - - to find the word next to the number you rolled. - In this case, we find the line 16352 comfort, so our - word word is comfort. -
  4. -
  5. - Repeat the first two steps until you have at least six words. You - will end up with a random phrase like - comfort tableful booth tulip dandelion stable - which is your new random passphrase. -
  6. -
  7. - Make up a little story to help remember the passphrase. For example: - “The diner had a comfortable - tableful in the booth with - tulips and dandelions in a - stable vase.” -
  8. -
- -

- If an adversary wanted to guess our passphrase, even if they had our - wordlist and knew exactly how we created it, they would need to - correctly guess 30 random die rolls in the right order. The probability - of this is 1 in 221,073,919,720,733,357,899,776. It is - extremely unlikely they would be successful, as it would take - three billion years of making a million guesses every second before - they would be likely to succeed. -

- -

- - How to remember your passwords - -

- -

- It’s also important not to use the same password twice. Imagine if we - generate a completely random password and use it for our email account, - and we also use it for a social media site. If an adversary learns our - email address and password for the social media site, they could easily - try that same password on our email account, and since we used the same - random password, they would succeed easily. This is why you should only - use each password for a single site. -

- -

- When there are a lot of different things we need passwords for, it - quickly becomes hard to remember all of them. Luckily, we can use a - password manager to help us out. Password managers are - software programs that help us securely store our passwords. -

- -

- Imagine writing down all of our passwords on a sheet of paper, and then - scrambling them all up according to a secret pattern. Even though - someone might look at the paper, they won’t be able to figure out any - of our passwords without knowing the secret pattern we used to scramble - them. Password managers use a similar idea; they use a - master passphrase to encrypt the list of all of our - passwords. The master passphrase is like the scrambling pattern: an - adversary can access the list of all our passwords if and only if they - discover the master passphrase. -

- -

- It’s very important to use a long, randomly generated master passphrase - because all of our passwords are only as good as our master passphrase. - When we use a password manager, we only need to remember our passphrase - to unlock our list of passwords. The password manager stores all of our - other passwords for us. -

- -

- Another benefit to using a password manager is that they help us - generate new passwords when we need them. Rather than rolling dice - every time we sign up for a new account, we can let your password - manager come up with completely random password for us. Since our - password manager also stores the new password for us, we never even - need to know what it is! We can just copy and paste it when we need to - log in. -

- -

- There are several password managers available. You should do some - research to find one that will work for you. Here are a few suggestions - to start with: -

- - - - -
- - diff --git a/site.css b/site.css deleted file mode 100644 index 751197c..0000000 --- a/site.css +++ /dev/null @@ -1,81 +0,0 @@ -:root { - --background-color: #fff; - --text-color: #333; - --muted-color: #999; - --accent-color: #ccc; - --link-color: #09e; - --header-color: #4a0; -} - -@media print { - :root { - --background-color: #fff; - --text-color: #000; - --muted-color: #000; - --accent-color: rgba(0, 0, 0, 0); - --link-color: #000; - --header-color: #000; - } -} - -@media (prefers-color-scheme: dark) { - :root { - --background-color: #222; - --text-color: #bbb; - --muted-color: #999; - --accent-color: #666; - } -} - -html { - background-color: var(--background-color); - font-family: sans-serif; - color: var(--text-color); - padding: 0; - margin: 0; -} - -body { - padding: 0; - margin: 0; -} - -main { - max-width: 600px; - margin-left: auto; - margin-right: auto; - padding: 1em; -} - -a { - color: var(--link-color); -} - -h1, -h2, -h1 a, -h2 a { - color: var(--header-color); -} - -p, li { - line-height: 1.5; -} - -li { - margin-bottom: 1em; -} - -aside { - padding: 0 1em; - margin: 2em 0; - font-size: 1.2em; - border-left: 5px solid var(--accent-color); -} - -footer { - border-top: 2px solid var(--accent-color); - color: var(--muted-color); - padding-top: 1em; - font-size: 0.9em; -} diff --git a/src/index.html b/src/index.html new file mode 100644 index 0000000..d1b2b8b --- /dev/null +++ b/src/index.html @@ -0,0 +1,222 @@ + + + + How to Choose a Password + + + + + +
+

How to Choose a Password

+ + + +

+ + Why strong passwords are important + +

+ +

+ When choosing a password, it’s important to make sure that no one can + guess it — that’s the whole point, right? +

+ +

+ If we want to make sure no one can guess our passwords, we need to + think about what adversaries might be trying to guess + them and how they might do it. This is part of a process called + threat modeling. Some adversaries we can think about + are: +

+ + + +

+ + The way to make sure that no one can guess our passwords is to make + them completely random. + + When our passwords are randomly generated, they don’t have any + information related to us that friends might be able to guess. If an + adversary learns one of our passwords, they will be no closer to + guessing any of our other passwords. And of course, randomly generated + passwords are very unlikely to be listed in password dictionaries. +

+ +

+ + How to generate a random password + +

+ +

+ Being truly random is something that people are very bad at. Even when + we think we are being random, there are often patterns + associated with the “random” things we come up with. +

+ +

+ When we want to create good, random passwords, one thing we can use is + software (such as our password manager, more on this below) to help us. +

+ +

+ Another method is to use a word list and dice to create a random + passphrase. The + Electronic Frontier Foundation, + a digital privacy advocacy group, has created + + a wordlist you can download + + for this purpose. To use this method, you’ll need five dice (or you can + roll a single die five times). Here’s how: +

+ +
    +
  1. + Roll five dice (or one die five times) and read the number from each + so that you have five digits, for example: 1, 6, 3, 5, 2. +
  2. +
  3. + Look at + + the wordlist + + to find the word next to the number you rolled. + In this case, we find the line 16352 comfort, so our + word word is comfort. +
  4. +
  5. + Repeat the first two steps until you have at least six words. You + will end up with a random phrase like + comfort tableful booth tulip dandelion stable + which is your new random passphrase. +
  6. +
  7. + Make up a little story to help remember the passphrase. For example: + “The diner had a comfortable + tableful in the booth with + tulips and dandelions in a + stable vase.” +
  8. +
+ +

+ If an adversary wanted to guess our passphrase, even if they had our + wordlist and knew exactly how we created it, they would need to + correctly guess 30 random die rolls in the right order. The probability + of this is 1 in 221,073,919,720,733,357,899,776. It is + extremely unlikely they would be successful, as it would take + three billion years of making a million guesses every second before + they would be likely to succeed. +

+ +

+ + How to remember your passwords + +

+ +

+ It’s also important not to use the same password twice. Imagine if we + generate a completely random password and use it for our email account, + and we also use it for a social media site. If an adversary learns our + email address and password for the social media site, they could easily + try that same password on our email account, and since we used the same + random password, they would succeed easily. This is why you should only + use each password for a single site. +

+ +

+ When there are a lot of different things we need passwords for, it + quickly becomes hard to remember all of them. Luckily, we can use a + password manager to help us out. Password managers are + software programs that help us securely store our passwords. +

+ +

+ Imagine writing down all of our passwords on a sheet of paper, and then + scrambling them all up according to a secret pattern. Even though + someone might look at the paper, they won’t be able to figure out any + of our passwords without knowing the secret pattern we used to scramble + them. Password managers use a similar idea; they use a + master passphrase to encrypt the list of all of our + passwords. The master passphrase is like the scrambling pattern: an + adversary can access the list of all our passwords if and only if they + discover the master passphrase. +

+ +

+ It’s very important to use a long, randomly generated master passphrase + because all of our passwords are only as good as our master passphrase. + When we use a password manager, we only need to remember our passphrase + to unlock our list of passwords. The password manager stores all of our + other passwords for us. +

+ +

+ Another benefit to using a password manager is that they help us + generate new passwords when we need them. Rather than rolling dice + every time we sign up for a new account, we can let your password + manager come up with completely random password for us. Since our + password manager also stores the new password for us, we never even + need to know what it is! We can just copy and paste it when we need to + log in. +

+ +

+ There are several password managers available. You should do some + research to find one that will work for you. Here are a few suggestions + to start with: +

+ + + + +
+ + diff --git a/src/site.css b/src/site.css new file mode 100644 index 0000000..751197c --- /dev/null +++ b/src/site.css @@ -0,0 +1,81 @@ +:root { + --background-color: #fff; + --text-color: #333; + --muted-color: #999; + --accent-color: #ccc; + --link-color: #09e; + --header-color: #4a0; +} + +@media print { + :root { + --background-color: #fff; + --text-color: #000; + --muted-color: #000; + --accent-color: rgba(0, 0, 0, 0); + --link-color: #000; + --header-color: #000; + } +} + +@media (prefers-color-scheme: dark) { + :root { + --background-color: #222; + --text-color: #bbb; + --muted-color: #999; + --accent-color: #666; + } +} + +html { + background-color: var(--background-color); + font-family: sans-serif; + color: var(--text-color); + padding: 0; + margin: 0; +} + +body { + padding: 0; + margin: 0; +} + +main { + max-width: 600px; + margin-left: auto; + margin-right: auto; + padding: 1em; +} + +a { + color: var(--link-color); +} + +h1, +h2, +h1 a, +h2 a { + color: var(--header-color); +} + +p, li { + line-height: 1.5; +} + +li { + margin-bottom: 1em; +} + +aside { + padding: 0 1em; + margin: 2em 0; + font-size: 1.2em; + border-left: 5px solid var(--accent-color); +} + +footer { + border-top: 2px solid var(--accent-color); + color: var(--muted-color); + padding-top: 1em; + font-size: 0.9em; +} -- cgit v1.2.3
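Review bot: in the .build.yml hunk, the `--delete` added to the rsync line makes the remote `$site` directory an exact mirror of `$site/src/`, so any file on the server that is not under `src/` is removed on the next deploy. Confirm nothing server-side lives in that directory, or protect it with an `--exclude` rule. The unchanged context line just above still sets `sshopts="-o StrictHostKeyChecking=no"`, which means the host receiving a deleting sync is never authenticated; pinning the server's host key in known_hosts for the build would close that. `$site` is also unquoted in both the source and destination arguments and should be quoted.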
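Review bot: in the src/index.html hunk, two typos are carried over unchanged from the deleted index.html: "so our word word is comfort" in the second list step, and "we can let your password manager come up with completely random password for us" in the paragraph on password managers. The blob is d1b2b8b on both sides, so this is a pure move and the wording is best fixed in a follow-up commit rather than here, for example "so our word is comfort" and "we can let our password manager come up with a completely random password for us".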