Passwords, Two-Factor Authentication, and Security Questions

The password is the core of a lot of your online safety/security*, but also one of the biggest flaws in any security chain. The very factors that make good passwords are often the aspects that lead to failure to use them properly. A good password has the following qualities:

• Relatively long and complex (at least 10-20 characters with a mix of character types [a-z, A-Z, 0-9, symbols]),
• Unique to a given site/account,
• Not easily associated with the user who generated it or with the account where it is used,
• Changed often, and
• Not easily accessible by outside parties by being written down or stored in a way that third parties can access.

Combining these elements means that you need several passwords (ideally, one per account and per site) and you need to have each be fairly complex and each one needs to be changed out regularly and where none are stored in a system where someone else can (easily) access them. 

As you can see, this means it is hard to follow all of these guidelines effectively and consistently. Then, on top of this, you have a number of issues related to the accounts/sites where you use the passwords. Who has not been frustrated by

• websites having entirely different rules for what makes a good password;
• websites/services that occasionally expire passwords with little to no warning, requiring you to generate a new password with haste; and
• the fact that many security breaches have little to do with the end-user and are accomplished at a company/server side level?

What this page will do is give some advice on how to overcome some of these issues while making good passwords. It will cover password generation and other tips to manage some of the more onerous aspects of using passwords properly to stay safe. See also the pages about two-factor authentication and password managers for more information.

* Roughly 80% of security breaches are related to compromised passwords. 

Creating good, consistent passwords is not always an easy task to maintain. On top of this, there are several situations where you might find yourself needing to create/update a password off the top of your head in a short period of time and other tasks where you have plenty of time but maybe do not have access to a good way to store/retrieve the password (even from memory). These tips are meant to help by giving some dos and don'ts. None of these are sufficient on their lonesome, and all of these have exceptions. 

• DO look over a lists of common/bad passwords so that you can know the kind of passwords to avoid. However, just because your password is not in the top 100 bad passwords lists, does not mean it is good.  
• DO make your password longer. Think more in terms of 15ish (or more) characters rather than the minimum 6-8 characters. Instead of creating a password, consider making a passphrase. Try turning your base word(s) into a phrase/sentence (with punctuation and numbers) by adding in other elements (e.g., "Steve owns 3 different cocker spaniels."). Note: some websites have upper limits on password length (around 20 characters, though some are less). In this case, make your phrase one that can be shortened by a few words if necessary.
• DO add in random elements to your passwords. See Randomly Generating Passwords for ways to do this.
• DON'T rely only on the basic/common tricks as your only step to security. Things already well known by password cracking software and hackers include one-for-one character substitutions (p4ssw0rd), reversing some/all characters (drowssap), or using common misspellings (passwurd). This more so increases the complexity for you than it does for them.
• DON'T use easy/obvious "triggers" to remember passwords, including the site/service name, your account name, your name or the name of your children/pets/etc, birthdays, street address, job title, or personal information directly related to site/service. It might make it easier for you to remember your online banking account by using the word "money" or the "$" symbol, or to use your pet's name for an online pet store, but it also makes it easier to guess. The other examples are a bit more obvious.
• DON'T use common quotes or idioms, even if you really like them, even with substitutions. At least go for some obscure deep-cuts. Think more indie band lyrics rather than famous Mark Twain quotes.
• DON'T have all of your password base words/phrases be from the same source, such as all lyrics from the same song or all character names from the same show (even if you really like JoJo's Bizarre Adventure).
• DO learn from your mistakes. If you have a history of getting accounts compromised, or you lost a sheet of paper with all your passwords on it, or whatever, be honest about what went wrong and try something else. 
• Finally, DO try various tricks and methods (and modify them some) to find out what works best for you. While most of us could use some chiding to improve our online security and password strength, ultimately it is a good thing that not all of us use the exact same methods to generate good passwords. If all passwords were made in the exact same way, they would be easier to crack. Finding a method of good password generation that feels comfortable to you means you are more likely to keep up the good habit in the future.

See also:

• Mental Floss: 8 tips to make your passwords as strong as possible.
• ConnectSafely: Tips for strong, secure passwords...
• EFF: Creating strong passwords.