But I still hate passwords. Even before the public internet came into vogue, I used passwords. After a couple of decades traversing the interwebs, I still hate passwords. These days I use three different password manager apps (work, personal, secret), and now I find out that complex passwords are passé and there's a better way.
Fourteen years ago, security expert Bill Burr wrote a report (the 2003 NIST password guidance) that recommended mixing numbers, obscure characters, upper and lowercase letters, and symbols to create long, complicated, secure passwords, and then recommended changing those passwords every few months.
Burr is retired but has expressed regret over what his recommendations did to passwords. Because the rules were so complex and tedious to set up and use, most people who needed passwords chose simple ones that satisfied the letter of the rules, and those were less secure. Worse, even following his advice produced passwords such as P@ssW0rd123!, which is not a good password: it ticks every character-class box, yet it is a dictionary word with predictable substitutions and a trailing number, exactly the pattern cracking tools try first. In essence, we created a culture of passwords that are difficult for human beings to remember but rather easy for computers to guess.
Instead of complicated, multi-faceted passwords that no average human could remember, the new approach favors somewhat obscure phrases made of unrelated words that are easy to remember but difficult for computers to crack. I use LastPass as one of my three password managers, and it makes creating cryptographically secure passwords easy.
A few years ago Kevan Lee explained how to make highly secure passwords. He was wrong.
- The longer the password, the harder it is to crack. Consider a 12-character password or longer.
- Things to avoid: Names, places, dictionary words.
- Mix it up. Use variations on capitalization, spelling, numbers, and punctuation.
See the problem? Those kinds of passwords are difficult to remember. Put bre7E$ret98:!aZ into Password Checker Online and it gets an Excellent evaluation and a strength of 99 percent. But it is also impossible for most of us to remember, and since reusing a password is bad practice, we need many such complicated passwords, hence we need password managers.
Is there a better way?
How can we be safe and secure as we traverse the interwebs, yet use passwords that can actually be committed to memory?
I found some good advice online.
Maybe you find it easy to remember a sentence like “The first house I ever lived in was 613 Fake Street. Rent was $400 per month.” You can turn that into a password by taking the first letter of each word while keeping the numbers, symbols and sentence punctuation, so the password becomes TfhIeliw613FS.Rw$4pm. That is a strong password at 20 characters. Sure, a truly random password would have a few more numbers, symbols and upper-case letters scrambled through it, but this is not bad at all, and you only need to remember two simple sentences.
That is actually easy to remember, relatively speaking, and it scores 100 percent with an Excellent rating on the Password Checker Online website. The only real cost is that such a password takes a little more time to create. In return it is tied to something only you know, so it is not easily guessed, and because it mixes letters, numbers and symbols, it is difficult to crack. One caveat: a strength checker only scores length and character mix, so pick a sentence that is genuinely private rather than a famous quote, lyric or proverb, because the first-letter abbreviations of well-known phrases already appear in the word lists crackers use.
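To make the sentence-to-password rule concrete, here is an added example (my code, not Chris Hoffman's or the page's) that derives the password from the sentence above. The exact rule is my reading of the page's single example and is an assumption: a word contributes its first letter with case preserved, a standalone number is kept whole, a leading symbol such as $ is kept along with the first character after it, punctuation attached to a word is kept except for the final terminator, and spaces are dropped. The `character_classes` helper shows what a strength meter actually scores.

```python
import re

# Constructed sample input, the sentence the page uses.
EXAMPLE_SENTENCE = (
    "The first house I ever lived in was 613 Fake Street. "
    "Rent was $400 per month."
)

# Leading symbols, an alphanumeric-led core, trailing punctuation.
_TOKEN = re.compile(r"([^A-Za-z0-9]*)([A-Za-z0-9].*?)([^A-Za-z0-9]*)")


def sentence_to_password(sentence: str) -> str:
    """Derive a mnemonic password from a memorable sentence.

    Assumed rule (inferred from the page's example, not a standard):
      * a word contributes its first letter, case preserved ("Fake" -> "F");
      * a token that is only digits is kept whole ("613" -> "613");
      * a leading symbol is kept with the first character after it
        ("$400" -> "$4");
      * punctuation attached to a word is kept ("Street." -> "S."),
        except the terminator of the whole sentence, which is dropped;
      * whitespace is removed.
    """
    pieces = []
    tokens = sentence.split()
    for index, token in enumerate(tokens):
        match = _TOKEN.fullmatch(token)
        if match is None:
            # A bare symbol such as "&" has no core; keep it as-is.
            pieces.append(token)
            continue
        lead, core, trail = match.groups()
        piece = core if (core.isdigit() and not lead) else core[0]
        if index == len(tokens) - 1:
            trail = trail.rstrip(".!?")
        pieces.append(lead + piece + trail)
    return "".join(pieces)


def character_classes(password: str) -> set:
    """Return the character classes present; this is the main thing a
    checkbox-style strength meter scores, alongside length."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


if __name__ == "__main__":
    pw = sentence_to_password(EXAMPLE_SENTENCE)
    print(pw, len(pw), sorted(character_classes(pw)))
```

Running it on the page's sentence yields TfhIeliw613FS.Rw$4pm, 20 characters drawn from all four character classes, which is why the checker rates it so highly; the function works on any sentence, so the thing to verify is not the score but that the sentence you feed it is private to you.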
Where does Apple fit into this?
Besides the three password manager apps I use, I, like many of Apple's customers, use Keychain. While it is a secure way to store passwords, usernames, and other information, Keychain is a clumsy and confusing app to use. It is so bad that it is obvious Apple does not want customers to open the app at all, but rather to save passwords through the interfaces in Safari, Mail, et al.
What we need is something like the above, and it would be trivial for Apple to provide it on Mac, iPhone, and iPad: we enter a phrase we can remember, and Apple's Keychain app derives a secure password from it. A password like TfhIeliw613FS.Rw$4pm is secure and also reasonably easy to remember, but only by the person who created it.
Other password managers have built-in password generators, but I have yet to find one that does what Chris Hoffman recommended in How-To Geek.