M-209 cryptographic device.

Cybersecurity Basics:
Protect Your Identity With Strong Passwords

Maintain Good Passwords

So now your software is up to date and your data is backed up. Now we have to deal with passwords.

Passwords Password

As I said, I work in cybersecurity. If you really want to know how passwords are stored and analyzed, or even how to crack passwords, I have plenty of details on other pages.

But our goal here is "just enough" for the typical user to be safer on the Internet. What do you really need to know? It's time for another cybersecurity insight:

If one human can think up and remember a password, another human can guess it.

This is especially so when the attacker uses ever-growing dictionaries along with password-cracking programs that have been tuned and improved since the late 1980s.

So, the solution is to use highly random passwords that no person could possibly remember. Use a different password for every account. This sounds hard but it's easy: Use a password manager. Have it generate arbitrarily long and random password strings. Copy and paste those crazy strings into graphical and command-line password interfaces.

You don't have to type the long and complex passwords. Just copy and paste! You don't even see what they contain unless you ask the password manager to show them to you.

I use KeePassX. It works on Linux, MacOS, Windows, BSD, Android, and Apple iOS, and you can copy its encrypted database from one platform to another to keep all your devices in sync. And, it's completely free:

Alternatives include:

LastPass Encryptr Mitto Pasaffe Password Safe

Built into the graphical desktop environment — included with the operating system:
Keychain (macOS) KWallet (Linux, BSD) Seahorse (Linux, BSD) Revelation (Linux, BSD)

"Freemium" — free for limited functionality, pay for all features:
Dashlane Enpass Intuitive Password Keeper

Proprietary — you must pay:
1Password mSecure SafeWallet

These tools store everything in an encrypted database, and so you have to enter a master password to decrypt and access the database (more on this below). That way, if you lose or someone steals your smart phone or tablet or laptop, no one has access to your password and PIN database.

Here's what KeePassX looks like on a computer. There's a much simpler view on a smart phone.

The KeePassX password manager is easy to use.

I can create new categories and sub-categories. I can move entries to other locations with simple drag and drop.

For the below example I went into the Financial area and created a new entry. I asked it to generate a random password. I can make that longer and shorter, and I can select the character classes it uses. Normally the password contents are hidden, I have clicked on the "eye" buttons to show what it has done.

KeePassX password manager generates a random password.

You can also make entries that exist just for their "Notes" areas. I have an entry named "Credit Cards". Its "Notes" block contains the number, expiration date, CVV number, PIN, and 24-hour customer service telephone number for each of my cards. The "Username" and "Password" fields are empty, the data is all down in the "Notes" field.

As for website passwords, both Chrome and Firefox include password managers. You can ask your web browser to remember your passwords for sites. If you do that, set a master password. Unless, of course, it's on a computer you never take out of your house, and you trust everyone in the house.

Nothing is perfect

A password manager doesn't eliminate the security risk, it changes it.

Now you must enter one master password to access the collection of stored passwords. That master password must be adequately strong.

What does "adequately strong" mean? Well, that depends!

In order to try to guess your master password for either a password manager like KeePassX or your browser, the attacker must have physical access to your computer, or be able to run hostile programs on it.

If you're careful about "malware" or malicious software, as I'll explain later, all we need to worry about is the physical access, and so...

Especially if you are trying to protect your privacy and/or personal identity from a potentially jealous or suspicious spouse or lover, or from dangerously curious children or siblings or parents or roommates, or any other threat with access to your devices, realize that the master password for your password manager or browser is truly the master key to everything.

My advice for do-it-yourself password design

Let's say you share a home with nosy people. You need a strong master password, one that you can remember but someone else can't guess even with high-speed password cracking software.

Think of a sentence. You have to remember this sentence, but no one else should be able to guess it. So do not use your personal slogan or a quote from your favorite movie or TV show or music or literature or scripture or anything that someone who knows you or knows about you would ever guess. Good luck with that.

Convert each word of the sentence to a character (or a few). Make some of them digits, or punctuation marks, or just drop the vowels. You can easily generate and remember a very long and complicated passsword. Something like this:

Sentence: This should not be too difficult.

Password: Tsnb2d.

Beware: password-cracking software tries combinations of two or three words with the vowels dropped, so don't rely entirely on that.

Replace some letters with "look-alike" characters: "3" instead of "E", "5" instead of "s", "!" instead of "i", "6" instead of "b", and so on.

Replace some words with "sound-alike" characters: "2" instead of "to" or "two" or "too", "@" instead of "at", and so on.

Replace other words with "means-the-same" characters: "=" instead of "is", "(" instead of "open", ")" instead of "close", and so on. If "^" can mean "up", then "v" can mean "down".

Make a game of concealing a phrase or sentence you can easily remember. How clever can you be? Maybe something like this:

Sentence: "Up, up, and away!"

Password: ^^&away!

More cautious:
Sentence: Superman says, "Up, up, and away!"

Password: SMs,^^&away!

Or, more extreme:
Sentence: Fools to the left, fools to the right, stuck in the middle with you.

Password: F2t<,f2t>,sNtmw/U.

Be careful with this. You can easily devise and remember a sequence that you can't type accurately when you can't see what you're typing.

Don't lock yourself out!

If you forget your password or delete your only copy of the database, you lose access to everything.

Keep a backup copy of the password database. I keep copies of my KeePassX file on my main desktop computer at home, and on my laptop, and on my smart phone. That way I don't have to go find the other device or wait until I get home to access sensitive data. And, if one device is damaged or lost or stolen, I still have all my passwords.

Record your master password somewhere. Or, if you're thinking up individual passwords yourself record all of them somewhere. (but why not use a password manager?) Depending on your situation, it might make sense to record your personal master password at your workplace. Or, on a slip of paper you keep with your cash.

A student in a class I once taught worked at the CIA. They were instructed to keep one-time password lists for Agency systems with their cash. Nothing is perfect, but you tend to be most careful with your personal cash, so your wallet or purse is probably the least dangerous place to keep something.

Separate your identities

Now that you have a tool that can generate and maintain highly complex passwords, take advantage of it. Use a different password on every site. "Compartmentalize your identities", to use the fancy terminology.

Or at least for the sites that matter. Sure, if the local newspaper requires that you "register an account" with your email address and a password just to see the local weather forecast, use "password" as your silly password on that silly site.

But if a site has any security or identity issues or sensitivity, use your password manager to generate and remember a complex password for it.

Be especially careful with your primary email identity. We have, perhaps unintentionally, drifted into this situation where your primary email address is the key to all your identities. It's the "recovery address" for your bank accounts, your health insurance, your utility payments, and much more.

Should I change my passwords every 90 days? 60? 30?

Don't bother changing your passwords every so often.

I have much more detail here and here. The short version: In the early 1970s, some U.S. Department of Defense contractors did some back-of-the-envelope calculations based on speculation about Soviet computing technology of the era. They figured that monthly changes would be helpful. Their wild guess became fossilized as U.S. government policies.

Policy is slowly becoming more reasonable.

The Chief Technologist for the U.S. Federal Trade Commission recently wrote about how mandatory password changes are harmful. I have links to more background here. Studies have shown that policies that enforce password change lead to weaker passwords.

Meanwhile, the author of the U.S. government policy dictating password complexity requirements has now retired. He has admitted that he wrote that guidance without knowing much about information security or how passwords work. See the articles in Wall Street Journal and Gizmodo.


  1. Use a password manager.
  2. Use it to generate your passwords, each one a long jumble of all character types.
  3. Have a unique password, a different complex jumble, for every account.
  4. Copy-and-paste them into place, good ones are hard to type accurately.
  5. Generate and remember a strong master password with my sentence trick above.
  6. Change a password when you have to.
  7. Definitely change a password if you suspect that their site may have been breached.

Next: Don't trust shared computers ❯