I am not a cryptographer or a security guru. All I know is the very basics of password safety. Turns out, this is enough of a step up from what most people are doing that I think it’s worth sharing.
Perhaps the single worst thing you can do with a password is share it with people you don’t trust. Don’t email your passwords or reveal them over the phone. Don’t put them on a sticky note in a public place. This should be obvious….
However, I used to live in a place where there were government buildings where you could see a few sticky notes on desks just from walking by the window. Some of these had strings of characters on them that looked suspiciously like passwords. Not a great idea.
Using English words in passwords isn’t as bad as using short passwords. There are well over 100,000 words in English. Let’s say there are 72 characters to choose from for a randomly-generated password (26 uppercase letters + 26 lowercase + 10 digits + 10 symbols).
If you choose three English words completely at random, your password is chosen from a bigger space than if you choose 8 characters at random, simply because \(100000^3 > 72^8\). This very roughly corresponds to an idea called “password entropy”, but because this is a dead-simple guide, just think of it as being harder to guess a password that comes from a bigger space of possible passwords. This reference is almost obligatory here.
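To make the comparison above concrete, here is a small added Python example (not from the original post) that computes the size of each password space in bits of entropy, using the post's numbers (a 72-character alphabet, 8 random characters, three words from a 100,000-word list). It also shows how much the word-based scheme shrinks if the words come from a short list, and generates a passphrase with a cryptographically secure random source; the word list below is a constructed stand-in, not a real dictionary.

```python
import math
import secrets

# Alphabet from the post: 26 uppercase + 26 lowercase + 10 digits + 10 symbols.
CHARSET_SIZE = 26 + 26 + 10 + 10   # 72
ENGLISH_WORDS = 100_000            # the post's rough count of English words

# Constructed stand-in word list (a real one would have tens of thousands).
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "cloud", "garden",
                "silver", "window", "marble", "rocket", "forest", "candle"]


def space_size(choices: int, length: int) -> int:
    """Number of equally likely passwords: `length` picks from `choices` options."""
    return choices ** length


def entropy_bits(choices: int, length: int) -> float:
    """Entropy of `length` independent, uniformly random picks, in bits.

    This is log2 of the space size; every extra bit doubles the guessing work.
    The figure only holds if the picks really are uniform and independent.
    """
    return length * math.log2(choices)


def words_needed(word_count: int, target_bits: float) -> int:
    """Smallest number of random words from a `word_count` list reaching target_bits."""
    return math.ceil(target_bits / math.log2(word_count))


def random_passphrase(word_list: list[str], n_words: int) -> str:
    """Pick n_words uniformly at random with a CSPRNG (secrets, not random.choice)."""
    return " ".join(secrets.choice(word_list) for _ in range(n_words))


if __name__ == "__main__":
    chars = entropy_bits(CHARSET_SIZE, 8)       # 8 random characters
    words = entropy_bits(ENGLISH_WORDS, 3)      # 3 random dictionary words
    print(f"8 chars from 72:        {chars:5.1f} bits ({space_size(72, 8):,})")
    print(f"3 words from 100k:      {words:5.1f} bits ({space_size(100_000, 3):,})")
    # The same three-word pattern drawn from a short list of common words:
    print(f"3 words from 2,000:     {entropy_bits(2_000, 3):5.1f} bits")
    # How many 100k-list words match 12 random characters from the alphabet?
    print(f"words to match 12 chars: {words_needed(ENGLISH_WORDS, entropy_bits(72, 12))}")
    print("sample passphrase:", random_passphrase(SAMPLE_WORDS, 3))
```

The two schemes the post compares land within half a bit of each other (about 49.8 versus 49.4 bits), so the real lesson is that the words must be chosen at random from a large list; three words from a 2,000-word list of common words drops to about 33 bits.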
Even though English words are easier to remember than random characters, they can be hard to type, and hard to associate with certain services in your memory. I heartily recommend using a password manager like LastPass or 1Password. I’ve used LastPass for the past five years—it’s hard to beat something that’s both safer and more convenient.
How do password managers provide extra safety? A big way is they help solve the problem of password reuse. Even if the sites you use have great security, you are throwing this all away if you reuse passwords. Imagine you use more than one service on the internet (just imagine!). They all have decent security, but one of them has some weird glitch happen, or something. An attacker gets access to your password. If you use the same password on all sites, you have just allowed a single breach to turn into a breach of every site you use. Password managers allow you to use different, secure passwords on every site by storing them for you. It saves your memory and it helps stop problems from spreading when (not if) breaches happen.
Finally, I recommend checking out services like haveibeenpwned.com. If you decide that you trust the site, you can enter your email to see if there are data breaches out there containing your information. This will help you make sure you aren’t missing any old passwords that you should migrate into LastPass/1Password/your password manager of choice.
There are tons of amazing techniques and counter-techniques for breaking into and securing services. If you’re interested, I recommend first learning more about cryptographic hashing, including MD5 (and why it’s disfavored) and SHA, as well as password-specific algorithms like bcrypt and why they’re better for this use case. You might also want to look up “rainbow tables”, and the prevention mechanism against them called “salting”. Learning how to calculate the number of bits of entropy for a given password could also be fun! Maybe someday I’ll write a less-simple guide….