Get insightful engineering articles delivered directly to your inbox.

— 6 minute read

Passwords don't have to be hard

There sure seem to be a lot of people and organizations getting their emails hacked lately, aren’t there? While they all love to blame “sophisticated hacking techniques” wielded by “powerful nation-states” I’m going to let you in on a little security secret: Many of these hacks happen at least in part due to poorly chosen passwords. So simple. So embarrassing! Better to play it up as if it was inevitable, unavoidable, like it basically came down to force majeure, right?

But yes, it often comes down to something as simple as poorly chosen passwords. Sure, two factor auth is great and always recommended but it isn’t available with most services. And experience has shown that we over-estimate how difficult it would be to guess our password. I know, you’ve all heard about passwords and the necessity of picking good ones for years. But I’m going to overturn some conventional wisdom and suggest to you a way of not becoming a victim to password (or “Security question” answer!) guessing.

We all know we need to have a long ugly random password to make it hard to guess. But we can’t remember such things and they are a pain to type in. It’s so tempting to choose something simple or to re-use a secure password on many sites. And ever since passwords were first created and then promptly snooped from the post-it note under the keyboard we have been told to never write down our password. I still see this password advice given out regularly. This advice is not only wrong but it is now counter-productive. This advice comes from back before the Internet connected all of our computers together. The biggest threat to your password back then actually was someone snooping around your desk and finding it written down. Now that your account is online and every miscreant in the world can constantly guess at your passwords things are a lot different. In risk-management speak we say the “threat model” has changed.

You must write down your password if it is a good and unique one, as it must be. But it is best to do it in a particular way. The best way to do it is to use a password manager and let it generate and “write down” (aka save) the passwords for you. I’m partial to LastPass but there are several good ones. A good password manager will generate very strong passwords for you, prevent you from re-using the same password on multiple sites, keep track of the site they belong to, automatically fill them in for you (so you don’t have to type in those ugly passwords), and keep them encrypted so that only you can access them and nobody else ever has access to the unencrypted passwords. A good password manager will not only make it safer but easier to use your passwords such that you will actually prefer to use it rather than choosing weak but memorizeable passwords or re-using the same passwords on multiple sites (which we all know is a very bad idea).

But we seem to have a chicken and egg problem: your password manager requires a password to encrypt all of those other passwords! Yes, it’s true: A master password. So now what? Generate one of those ugly hard to remember passwords either randomly (your password manager can do this) or potentially use another method which is more memorizeable but still reasonably secure. I like the first letter of each word from a line or two which you can remember from your favorite book. “From now on the enemy is stronger than you. From now on you are always about to lose.” (from “Ender’s Game”) becomes “Fnoteisty.Fnoyaaa2l.” which makes for a secure and memorizeable password which can be typed in quickly with just a small amount of practice. You could probably even get by with something somewhat shorter but I recommend at least 12 characters. You’ll only ever need to type this in when you first fire up your computer and the password manager starts. And because the chance of exposure of this password is so low (it never leaves your computer) you will very rarely have to change it.

But even that password is far from trivial to remember. What if you forget that one? You would lose access to all of your other saved passwords! The solution: Write it down! Yes, physically with pen and ink. Famous information security guru Bruce Schneier tells us to write down such passwords and then protect them just like we protect our cash. If you really have to it’s even ok to carry it written on a slip of paper in your wallet next to all of those other slips of paper with pictures of dead presidents. It’s still safer than not using a password manager at all. If you have a small safe at home write the master password down and stick it in there. Wherever you would be comfortable keeping your cash will do.

How about those security questions like “What’s your mother’s maiden name?” or “What’s the name of your first pet?” that are often used as password recovery questions? The real problem with such questions is that a lot of this sort of information is publicly available. And plenty of people have been compromised in this way. So I typically don’t answer these questions truthfully unless somehow absolutely required to. In most cases it makes no difference what you answer as long as you can come up with the same answer later. So I have created an alter-ego with made up answers to these questions. Nobody else knows these answers. And I use the “Secure Notes” feature of LastPass to write it all down and keep my story straight. I’ve got an alternate high school mascott, first dog’s name, street I grew up on, etc. Whenever a new security question comes up I just make up a new answer and add it to the list. And my password manager’s note keeping feature keeps it safely encrypted for me to look up should I ever need it.

For an excellent explanation of how passwords are cracked and how to choose good ones check out these videos:

These are produced by Brady Haran who has a number of other very interesting YouTube channels which I suggest you check out, especially if you are the sort of person who likes to know things. He does such excellent work that he recently earned an honorary doctorate for his YouTube videos!

Security doesn’t have to be hard. Using a password manager actually makes your life easier compared to what you are probably doing now. Consider the added security a bonus.

Tracy Reed is a Sr. Security Engineer at InVision.

Like what you've been reading? Join us and help create the next generation of prototyping and collaboration tools for product design teams around the world. Check out our open positions.