I started this article as a checklist for creating a strong master password for a password manager. I had to include some background information about passwords in general, so here we go!
I cannot stress enough about using a different secure, random password for each login. Unfortunately, the password of your email account is probably the same as the password of your social media account. If not, it’s probably a variation of the same password. It is hard to create a new password that you won’t forget, so you create a password and use it everywhere. It is understandable because password requirements these days are ridiculous.
- You are not allowed to include your name, username, or phone number in your password.
- Your password must include an upper-case letter, a lower case letter, and a number.
- Your password must include a number, letter, and symbol.
- Your password must not be in the list of top 1 million common passwords.
- Your password must not be in the list of previously breached passwords.
- Your password must include a unicorn’s horn. JK.
Unfortunately, service providers must enforce these kinds of password requirements to protect their users’ accounts from being compromised. Password re-use is one of the biggest problems in the world of information security. So is the use of short and sweet passwords. You must have re-used a password at least somewhere, or used a variation of one password in two different services. Everyone has done that because thinking of a new random password and not forgetting it for years is almost impossible.
That’s why you use password managers to create secure, random passwords. But password managers themselves need a master password to secure all other passwords. This brings us back to where we started. We cannot store a master password in the password manager because we need to enter a master password to access the stored passwords.
A master password is the only password that you need to remember. Even if you can’t remember a dozen passwords or two, you’re good if you are able to remember one great password. A good master password, the strongest password of all, is hard to guess but easy to remember.
A good master password meets these criteria:
- The password should be at least 20 characters long. Personally, I don’t count the characters; my passwords are usually 6-10 words long, obviously not dictionary words for added obscurity. Twenty characters is a safe minimum because even if someone tries to brute-force, it will take a long time to guess a password longer than 20 characters.
- The longer the password, the better. That’s because modern computers can guess millions of passwords per second. But they will still be trying for years if your password is long enough.
- The password should not be guessable. Easily or hardly, it should not be guessable. Some smart people can guess something like Nepal123 or secret123456 within a few minutes.
- The password does not need to include numbers, symbols and upper cases to be secure. That’s because ihaveacat.itsnameistom.itlikestosleeponmynap is better than Pa$$w0rd!@#.
- Replacing letters with numbers and symbols doesn’t make it more secure. If someone tried to brute-force your password, they would also try N3pal!@#, Nepal!@# and alike when they’re trying nepal123.
- Once more – onceuponatimetherewasakingnamedprithvinarayanshah is more secure than Nepal@123. The longer, the better.
- The password should come naturally to you, so you don’t forget it. Avoid using obscure words, symbols, and jargon that you might forget if not reminded of regularly.
When a sign-up form tries to enforce an obscure password requirement, you must comply. You can add a symbol and numbers here and there, and change a letter to uppercase only to get around their requirements. Here is how you do it:
Notice the added characters. The change makes sure your password now includes at least one lowercase letter, an uppercase letter, a number, and a symbol. It is a good idea to add such symbols at the beginning or end of your chosen password for ease. This doesn’t really change the strength of your password, but still checks out of obscure password requirements.
Let me know in the comments if I missed something.