Forget passwords: Secure yourself with a passphrase and these tools

Passphrases are much stronger than ordinary passwords -- and a heck of a lot easier to remember. But that's only the start to securing yourself on today's hostile internet. Here's how to protect yourself.
Written by Steven Vaughan-Nichols, Senior Contributing Editor

The FBI recently told us that we should use passphrases -- a long string of words -- instead of passwords made up of random numbers and characters. I could have told you that. Oh wait. I have. And so, more memorably, has cartoonist Randall Munroe.


Password Strength cartoon by Randall Munroe, who got it exactly right.

Here's how to use them. 

Instead of working your nerves into a frenzy trying to memorize what the cat wrote when he jumped on the keyboard, "dfu9sdf8," use an easy-to-remember but nonsensical phrase instead. For example, "FatCats$Trot...", "Steelers?Win!Cowboys?Lose!" or "Volt!Amp!Tesla!Edison?" are easy to recall and no one's likely to stumble over them.

You can't make it too easy though. For example, if your cat is named Kitty and your dog is called Fido, it wouldn't take too long for someone to guess you might use KittyFido as a passphrase. You should also avoid family names, your favorite musical groups, sports teams, and other things someone could easily guess from your social media posts. 

Instead be a bit clever about picking your phrases. For example, if you're a huge Beatles fan, Beatles1 is probably not a great choice, whereas George!Ringo$Paul still should stick in your mind and not be terribly obvious. 

That's all there is to it. 
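To make the Munroe argument concrete, here is a small added example (mine, not the author's, and not from any product mentioned in the article) that generates a passphrase with the OS random generator, computes how many bits of entropy a random-word passphrase has against a short random-character password, and rejects a candidate built from personal terms such as a pet's name. The word list is a constructed sixteen-entry stand-in; the 7776 figure is the size of the EFF long word list and is used only for the arithmetic.

```python
import math
import secrets

# Constructed, deliberately tiny word list for the demo. A real generator
# would draw from a large published list (the EFF long list has 7776 words).
DEMO_WORDLIST = [
    "volt", "amp", "tesla", "edison", "cat", "trot", "steel", "cowboy",
    "river", "maple", "orbit", "candle", "pixel", "harbor", "velvet", "lantern",
]

SECONDS_PER_YEAR = 365 * 24 * 3600


def entropy_bits(choices_per_symbol: int, symbols: int) -> float:
    """Entropy of a secret made of `symbols` independent uniform picks, each
    out of `choices_per_symbol` possibilities. This counts only what the
    generator actually randomised, so it is an upper bound for anything
    a human chose by hand."""
    return symbols * math.log2(choices_per_symbol)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Years for an attacker to try every possibility at a given guess rate
    (the cartoon's online-guessing figure is 1000 guesses per second)."""
    return (2 ** bits) / guesses_per_second / SECONDS_PER_YEAR


def generate_passphrase(words: int = 4, wordlist=DEMO_WORDLIST, separator: str = "!") -> str:
    """Pick words with `secrets` (the CSPRNG), never with random.random()."""
    return separator.join(secrets.choice(wordlist) for _ in range(words))


def contains_personal_term(candidate: str, personal_terms) -> bool:
    """Flag a candidate that contains anything an attacker could read off
    social media: pet names, family names, favourite bands or teams."""
    lowered = candidate.lower()
    return any(term.lower() in lowered for term in personal_terms if term)


def compare_strength(word_count: int = 4, wordlist_size: int = 7776,
                     char_length: int = 8, alphabet_size: int = 94) -> dict:
    """Side-by-side entropy of a random-word passphrase and a random
    printable-ASCII password of the kind nobody can remember."""
    words_bits = entropy_bits(wordlist_size, word_count)
    chars_bits = entropy_bits(alphabet_size, char_length)
    return {
        "passphrase_bits": round(words_bits, 1),
        "random_chars_bits": round(chars_bits, 1),
        "passphrase_years_at_1000_per_sec": round(years_to_exhaust(words_bits, 1000)),
    }


if __name__ == "__main__":
    print(generate_passphrase())
    print(compare_strength())
    # Constructed personal terms, as in the KittyFido example above.
    print(contains_personal_term("KittyFido", ["Kitty", "Fido"]))
```

Four words from a 7776-word list give about 51.7 bits, on par with eight fully random printable characters (about 52.4 bits), yet the words are what you can actually remember. The personal-term check is the part people skip: the strength numbers assume the words were chosen at random, and "KittyFido" was not.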


Of course, it's never that easy. I have over 300 passphrases. Sure, I could reuse the same ones, but that's just asking for trouble. Sites are hacked every week, and every time a new flood of user IDs and passwords enters the dark web. At last count, some of my identification information has been leaked in over two dozen breaches. 

Not you? I beg to disagree. Go to the aptly named Have I been Pwned website, enter your e-mail address and see just how often your information has been revealed. I'll wait. I'm not going anywhere.

Scary, wasn't it?

So, it's not enough to have passphrases. Unless you have a photographic memory, you need more. You need a password management program as well.

A good password manager enables you to manage your login credentials across all your devices while keeping your passwords secure, and it automatically fills in forms for you. Many web browsers, such as Edge, Firefox, and Google Chrome, include one as an option. 

If you don't trust Microsoft, Mozilla, or Google with your data, or you want password management beyond websites, you need a standalone password manager.

Some of the best password managers include: 

LastPass: The free personal version enables you to store passwords, user login info and credentials and synchronize it on pretty much every operating system, web browser, and device out there. The business versions are also reasonably priced. They start at $4 per month per user for 50 users or less or $6 a month for single sign-on and password management for an unlimited amount of users.

Like all password managers, it's not perfect. A serious LastPass JavaScript bug was found in September 2019, but it was fixed before anyone was harmed. 

1Password: This password manager doesn't have a free version but it's well designed and also works on essentially every platform and device you're ever likely to use. You can try it for free for 30 days. After that, an individual subscription costs $36 a year. But, it comes with 1GB of document storage and optional two-factor authentication (2FA) for additional security. Business pricing starts at $3.99 a user per month. 

Whatever you use, keep in mind that you are putting all your password eggs into one basket. If the service goes down, which happened to LastPass, you're out of luck. To protect yourself you should still strive to remember your most critical passphrases. And, whatever you do, use a great passphrase for your master password-manager password. It doesn't matter how secure the system is if the key password to the lock is "password."

Another necessity these days is to use two-factor authentication (2FA) to further protect your accounts. With this, even if someone does get your passwords, you can still keep them at bay from your accounts.

2FA requires you to have not only a password, but also a code from another source before you can log in to a service. The most common way to do this is to set up 2FA with each service. Once done, when you need to log in to a website you'll first enter your password and then, when prompted, a passcode that is texted to you. After you enter it, you're logged into the system.

Now, this simple 2FA approach has its own problems. It's possible to break text-based 2FA. A better method is to use 2FA authentication apps. For Google accounts use the Google Authenticator app and for Microsoft accounts use the Microsoft Authenticator app. These generate Time-based One-time Password Algorithm (TOTP) PINs.

You should also look into universal TOTP authentication programs such as the free Authy app. This app works with most 2FA systems. In addition, it includes a secure cloud backup option. That makes it much easier to use on multiple devices and to keep using your PINs if you lose your phone.

If you're really serious about 2FA, you need hardware security keys, which support the FIDO Alliance's FIDO2 and Universal 2nd Factor (U2F) standards. These devices will cost you from $20 to $60, but they're the last word in today's personal ID security. Some of these devices to consider are the Google Titan Key, Kensington VeriMark Fingerprint Key, Thetis FIDO U2F Security Key, YubiKey 5 NFC, and YubiKey 5C.

Put all these together and you'll be as safe online as you can be today. But, if nothing else please start using passphrases, and never ever use 123456, admin, or abcdef as a password again. OK? OK!
