Modern Secure Password Advice

From SusoSight

I'm a cybersecurity professional who has some degree of specialty in password security. I've been providing password advice to people for over 20 years at this point and have some of the earliest published passphrase advice on the web, first published in 1999 in the form of the Generating a key section within the SSH tutorial for Linux, long predating XKCD's commonly cited passphrase advice.

Passwords are security by obscurity

There is a lot of password advice out there provided by professionals, institutions' IT departments and so on, but some of it is quite simply misguided, wrong or out of date. Below is my attempt to provide you with the latest advice that will help you personally protect your digital life.

The thing to keep in mind is that in the end it's not about complexity, it's about guessability, and this is where a lot of people provide the wrong advice. You have to ask yourself how easy it would be for a friend, enemy, stupid hacker, clever hacker, government or a supercomputer trying a billion combinations per second to guess your password. Chances are, it's only a matter of seconds in the case of most people.

After reading through all this you may feel overwhelmed and helpless and you'd be correct. But don't worry, awareness and making good efforts will help you a lot.

#0 Your account doesn't matter, except that it does

I've heard this excuse from countless people over the years. You're probably right, they don't care about you, they only care about your money or using your account to get at other people's money or to escalate their privileges to a superuser account.

#1 Never reuse passwords

Don't ever reuse the same password for more than one resource (computer, website, account, etc.). This is super important, which is why it's #1.

The Threat: Attackers are compromising websites all the time, and they then use those cracked passwords to break into your other accounts on other websites. For instance, a user who uses the same password for their bank account and also for JimBob's online truck forum is putting the security of their bank account in the hands of JimBob's online truck forum's security. It's basically a weakest link in the chain issue. Recently when Disney+ was launched, it was found that many people's Disney+ accounts became compromised even though Disney found no evidence of a vulnerability or compromise of their own system. The most likely explanation for this is that the attackers were sitting on a trove of passwords that had been compromised on other sites and were simply trying passwords that users had reused across multiple sites.

#2 Use a password manager

Use a mature, established and well reviewed password manager such as LastPass or 1Password (don't just use anyone out there because they may be doing it wrong). This will help you fulfill #1.

The Threat: Some password management systems were not designed properly and do things like store clear text passwords in the service's own platform, making it a target for compromise. Without getting into the technical details too much, you want to use a password manager that keeps the data encrypted on your end such that the company that designed it doesn't have the ability to access the clear text passwords. I've checked this in the case of LastPass and know that 1Password uses a similar technique. LastPass did have a security compromise, however it did not provide the attackers with access to the plaintext passwords for their customers. This is a critically important feature.

Personal side note: I wrote an online password manager back in 2004 before they became more popular. I even was in talks with a venture capitalist about making a product out of it such as LastPass or 1Password and may have ended up rich as a result. In the end I chickened out because I didn't trust my ability to get it right, because I know this is a very hard problem to get right. Learn from me that you don't want to just go with anyone who is new on the block on this matter. Make sure they are well established, have had some security review by the information security professionals that know what they are doing.

#3 DO NOT save your password manager password

DO NOT click on the "save master password" checkbox where you login to your password manager itself. If I had my way, that wouldn't even be an option. Having been a sysadmin and business owner for a long time, I'm guessing that it comes down to high level business execs pressuring the companies into leaving this option in.

The Threat: I've only tested this with LastPass and Firefox, but it probably works with others. When you click "Remember my password" within LastPass and others, it has to save that data somewhere. Even if it's encrypted on disk, it still has to save the encryption key for that, and it's turtles all the way down. You can simply copy someone's browser preferences directory to another machine and load it up and you'll have access to their cleartext password database. The best place to save your master password is in your brain until we have a way to read them from there, at which point we'll be screwed anyway.

#4 Don't use guessable info

Never use a password based on your personal info, opinions, preferences, favorite sports team, drink, where you live, work, etc.

Jimmy Kimmel, of all people, does a great public service by demonstrating how easy it is to guess people's passwords here and here and given the wide audience, it's likely he's provided better cybersecurity advice than anyone in the infosec community. Jimmy, I'd like to make you an honorary member of the information security community.

The Threat: It doesn't matter if you meet all the complexity requirements if someone can simply guess your password. Not only are people providing a wealth of information about themselves through social media, work profiles, online forums and simply when asked, but a lot of information can be inferred by knowing a few details about a person. For instance, if I know you grew up in Chicago, I can guess that Bears, Sox, Cubs or Windy City might be in your password. You can quickly create a dictionary of targeted information for a password cracker to use and quickly try millions of combinations.

#5 Use long passphrases when possible

When possible, use a passphrase that is at least 4 words long and follows rule #4 above for your password manager master password and for other passwords. When it comes to the strength of passwords, length increases the strength more than variety of characters. Unfortunately not all systems you encounter are written with sufficient sophistication to recognize when you are using a password that is strong enough to protect your account. They instead have to rely on checking a set of complexity rules, which is where the whole upper/lower/symbols thing comes from.

The Threat: Attackers have access to advanced tools and technology. They also don't usually try all the combinations, they use password cracking dictionaries based on common phrases, names of sports teams, drinks, music, etc. They may even target a specific person using a dictionary based on a set of words related to the person.

Explanation: The number of combinations an attacker must try is the total number of permutations of the password. To calculate this you can think of an exponential function such as 26^8 = 208,827,064,576. The exponent (8) is the number of positions that must be considered and the base (26) is the number of possible values in each position; here 26 is the number of letters in a lowercase alphabet and 8 is the length of an 8 character password. So trying every combination of this set would require checking over 208 billion combinations. Attackers often have access to password cracking systems that can try over a billion combinations per second, so this is not as frivolous an attempt as it may seem. If you've forgotten your math I'll remind you that increasing the exponent raises the total value at a much greater rate than increasing the base. When using a passphrase there are a few ways to think about the total permutations: as a string of characters, as a string of diphthongs (similar to syllables) or as a string of words. As a string of characters, a 16+ character passphrase (4 or more words of length 4 or more) gives 26^16 = 43,608,742,899,428,874,059,776, which is more than any password cracker will be able to try even considering the advancement of computing power and techniques over the next couple of decades (this was written in 2020). Thinking of it as a string of words, you have to consider how big the dictionary you are pulling words from is, or the average person's vocabulary. Let's estimate a dictionary of 5000 words. Then the total number of combinations for 4 words would be 5000^4 = 625,000,000,000,000.

While this is less than if you count by characters, it is still sufficient, considering that password crackers don't work as well on word combinations because they can't use GPU based systems and the cracking speed is closer to tens of thousands of combinations per second, meaning it could take a decade for a system to crack a four random word passphrase.
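The base/exponent arithmetic above, carried through as an added example (not from the original article): it computes the three keyspaces the text discusses, their equivalent bits of entropy, and the time an exhaustive search would take at the guessing rates the text quotes (a billion per second for character guesses, tens of thousands per second for word guesses). The rates are the article's own estimates, not measurements.

```python
import math

# Guessing rates quoted in the text: GPU character cracking at ~1 billion/s,
# word-combination cracking closer to tens of thousands per second.
CHAR_GUESSES_PER_SEC = 1_000_000_000
WORD_GUESSES_PER_SEC = 10_000

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(base: int, positions: int) -> int:
    """Total combinations: base ** positions, in exact integer arithmetic."""
    return base ** positions


def entropy_bits(space: int) -> float:
    """Bits of entropy equivalent to a keyspace of the given size."""
    return math.log2(space)


def time_to_exhaust(space: int, guesses_per_sec: int) -> float:
    """Seconds needed to try every combination at the given rate."""
    return space / guesses_per_sec


def human_duration(seconds: float) -> str:
    """Render seconds in the largest convenient unit, one decimal place."""
    for unit, size in (("years", SECONDS_PER_YEAR), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


def compare_cases() -> dict:
    """The three cases from the text -> (keyspace, bits, exhaustive-search time)."""
    cases = {
        "8 lowercase chars": (keyspace(26, 8), CHAR_GUESSES_PER_SEC),
        "16 lowercase chars": (keyspace(26, 16), CHAR_GUESSES_PER_SEC),
        "4 words, 5000-word dict": (keyspace(5000, 4), WORD_GUESSES_PER_SEC),
    }
    return {name: (space, round(entropy_bits(space), 1),
                   human_duration(time_to_exhaust(space, rate)))
            for name, (space, rate) in cases.items()}


if __name__ == "__main__":
    for name, (space, bits, worst) in compare_cases().items():
        print(f"{name:24s} {space:>30,d}  {bits:5.1f} bits  "
              f"exhaustive search: {worst}")
```

The 8 character case falls in minutes at a billion guesses per second; the 16 character case runs to over a million years at the same rate, which is the point the text makes about the exponent.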

#6 Don't use website based password generators

I don't care if they don't submit anything back to the site from your browser. Don't use websites that generate passwords for you. There are a number of attacks that could be used to "sniff"/record the password that it gives you and tie it to your browser, which makes the whole exercise pointless.

As Einstein said, "Everything should be made as simple as possible, but no simpler." What I'm saying is that secure password generation doesn't have to be as complex as your college math homework. Just open a dictionary to 4 or 5 different words, and try to use the whole dictionary, not just the middle (don't use an online dictionary, of course). Under Linux I trust certain offline tools such as the pwgen command, and I use the 'dict' command to find words to use. You can also just come up with a nonsensical sentence that you're fairly certain is not a quote from a movie or book. For example "those red clock hands jump trashcans" or "ice toast makes a bad laundry kite". But don't use those.
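An offline generator in the spirit of the advice above, added here as an example rather than taken from the article or from pwgen: it draws words from a local word list with the operating system's cryptographic random source (Python's secrets module, never the predictable random module) and reports the strength in the text's base/exponent terms. The word list below is a small constructed stand-in; in practice you would load a real offline list such as the one the dict command uses.

```python
import math
import secrets
import string

# Constructed stand-in for an offline word list; a real list (for example
# what `dict` or /usr/share/dict/words provides) has thousands of entries.
WORDLIST = sorted({
    "toast", "kite", "laundry", "clock", "trashcan", "jump", "red", "ice",
    "granite", "pillow", "saddle", "lantern", "velvet", "marble", "copper",
    "orbit", "thistle", "walrus", "cider", "harbor", "meadow", "quartz",
})

MIN_WORD_LEN = 4   # the text recommends 4+ words of 4+ letters each


def passphrase(words=4, wordlist=WORDLIST, min_len=MIN_WORD_LEN):
    """Pick `words` words uniformly at random using the OS CSPRNG.

    secrets.choice is unbiased and unpredictable; random.choice is seeded
    from state an attacker can sometimes reconstruct, so it is avoided here.
    """
    pool = [w for w in wordlist if len(w) >= min_len]
    if len(pool) < 2:
        raise ValueError("word list too small to generate a passphrase")
    return " ".join(secrets.choice(pool) for _ in range(words))


def random_password(length=16, alphabet=string.ascii_letters + string.digits):
    """Random character password of the kind a password manager generates."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def bits_of_strength(choices: int, positions: int) -> float:
    """log2(choices ** positions): the text's base/exponent view of strength."""
    return positions * math.log2(choices)


if __name__ == "__main__":
    pool_size = len([w for w in WORDLIST if len(w) >= MIN_WORD_LEN])
    print(passphrase(), f"({bits_of_strength(pool_size, 4):.1f} bits with this tiny list)")
    print(random_password(), f"({bits_of_strength(62, 16):.1f} bits)")
```

With the toy list above a 4 word phrase is only about 17 bits; with a 5000 word dictionary the same function gives the text's 5000^4 space, about 49 bits.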

The Threat: Websites such as these can become compromised and inject additional javascript code that can monitor what you are doing on the page and send those results off to another website. In addition to this, not everybody is located in the same country and some countries have oppressive regimes that monitor network traffic and are even capable of intercepting encrypted traffic by installing root level SSL certificates that your browser has to trust. What this essentially means is that you can't trust the network in such places. Of course you may end up submitting your password over the network if it's for a website, but maybe you're generating a password for an encrypted data store or for an encryption key of some kind.

#7 Use your password manager's password generator

Use the password manager to generate 16+ random character strong passwords. You won't need to remember them because that's what the password manager does for you. I'm not going to endorse every password manager's password generator out there because they may not be implementing something correctly.

The Threat: Generally without training and practice, people suck at coming up with secure passwords. Plus it can be hard to come up with sufficiently secure passwords on the spot so many people make the mistake of taking a password they already used before and mutating it.

#8 Use two factor authentication

Use two factor authentication where possible and double check the two factor auth notices that you get to make sure they really are yours (check the city/state, IP and consider the context of what you're doing). For websites that support it, Duo is a good option at the time of this writing. When you receive a two factor request, you should consider the context and verify the information that the alert presents. For example, if you're not in China, don't approve a request that comes from China.

The Threat: A compromised password often means immediate access to the resource it is for, and as a user of it you may have no way of knowing that your account password has been compromised until it is too late and your bank account has been drained (the bank says sorry by the way, good luck). Some attackers might know your routine and can guess when you are going to accept a two factor authentication request (such as when you start work on Monday) and will try to align their attack with your schedule, which is why you can't just blindly accept all two factor verification requests. There are recorded cases of attackers thwarting two factor auth by tricking the user in this way.

Another threat you have to be aware of is that of SIM Card Hijacking.

#9 Check the URL/address

Phishing attacks are probably the #1 threat to you. Check the URL address bar of any site you visit to make sure you're actually on the site you think you're on. Phishing attacks are the #1 attack and you can lose your life savings to them. Don't just enter your password in any site. A password manager will help you recognize that you're not on the right site by not providing the option to enter your password automatically on a fake site.

The Threat: Where do you think the following hotlink will go? https://www.facebook.com. If you answered Facebook.com then you may have just given away your actual Facebook password to evil hackers. Phishing attacks through email and text messages rely on a victim's ignorance of how website addresses are formed in order to trick them into going to a website that the attackers control. Their goal is usually to capture your username and password for the legitimate website that you thought you were visiting. Attackers are able to make the visual presentation of their phishing website appear identical to the legitimate site. For any popular website, attackers will also register domains and set up websites that hope to catch people who mistype or misspell a website address. For example, the following misspellings of microsoft.com based on letters around 'o' on the keyboard have been set up by various parties around the net:

  • micrisoft.com
  • micrksoft.com
  • micrlsoft.com
  • micrpsoft.com
  • micr0soft.com
  • micr9soft.com

And that's just the variations for one of the characters.

The internet is laced with booby traps.
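The text notes that a password manager protects you by refusing to offer a saved password on a site whose address does not match. The following is an added illustration of that matching rule (written for this page, not the code of any particular password manager): a credential saved for facebook.com is offered only on that host or one of its subdomains, never on a look-alike where the saved name appears as a prefix or inside the userinfo part of the URL. The vault and the look-alike hostnames are constructed; micrisoft.com is taken from the list above.

```python
from urllib.parse import urlsplit

# Constructed vault: the registered hostname each saved login belongs to.
SAVED_ENTRIES = {
    "facebook.com": {"username": "alice", "password": "<redacted>"},
    "microsoft.com": {"username": "alice", "password": "<redacted>"},
}


def hostname(url: str) -> str:
    """Lowercased hostname of a URL, without port, userinfo or trailing dot.

    urlsplit().hostname already discards anything before an '@', so a URL
    like https://www.facebook.com@evil.example/ yields 'evil.example'.
    """
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def matches_saved_site(page_url: str, saved_host: str) -> bool:
    """True only if the page host equals the saved host or is a subdomain of it.

    The explicit '.' boundary rejects look-alikes in both directions:
    'facebook.com.evil.example' (saved host as a prefix) and
    'notfacebook.com' (suffix match without the dot boundary).
    """
    if urlsplit(page_url).scheme != "https":
        return False  # never offer credentials to a page served over plain http
    host = hostname(page_url)
    return host == saved_host or host.endswith("." + saved_host)


def autofill_candidates(page_url: str) -> list:
    """Saved hosts a manager may offer on this page; empty on a look-alike."""
    return [saved for saved in SAVED_ENTRIES if matches_saved_site(page_url, saved)]


if __name__ == "__main__":
    for url in ("https://www.facebook.com/login",
                "https://facebook.com.evil.example/login",   # constructed look-alike
                "https://www.facebook.com@evil.example/",    # constructed look-alike
                "https://micrisoft.com/",
                "http://www.facebook.com/"):
        print(f"{url:45s} -> {autofill_candidates(url) or 'no autofill offered'}")
```

A user who types the password by hand on such a page loses that check, which is why the text says the manager's refusal to fill is itself a warning sign worth heeding.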

#10 Change your passwords every few years

Change your typed in passwords every few years, such as for your computer and the master password for the password manager. The current general advice for implementing password policies at an institution is to NOT require password changes because it encourages worse passwords. However, you personally should consider changing the passwords to your phones, laptops, workstation, master passphrase, email account(s), bank account(s) and so on every few years to something harder to keep up with advances in computer technology, better cracking techniques and also the fact that at some point your password may have been seen or cracked somewhere along the way.

The Threat: Regardless of your best efforts, over time the chances that your password will be compromised in some way increase, not decrease or stay the same. This is just common sense. The potential threats here include both malicious and non-malicious activity and here are some examples:

  • The password is cracked by brute force
  • The password is discovered in an old backup of the service where it's used
  • The password is compromised by phishing attack
  • The password is exposed in clear text due to service vulnerability (This happens quite a bit in practice)
  • The password shows up on a commonly used password list
  • The password ends up in a log file due to debugging on service side or because you accidentally typed it in the username field or some other field, causing it to be logged in clear text.
  • The password is transmitted in clear text over the network and is captured as part of a network capture
  • Someone guesses your password because it's based on personal info.
  • Someone or some camera sees you type your password or finds it written down
  • You share your password with someone (i.e. spouse)
  • You say your password in your sleep (ironically this might be the biggest case against using passphrases)

If you've been using the same password for 20 years, I'd estimate the chances of any of the above scenarios being very high and it only takes one to compromise your password. So what about 10 years or even 5? Some of the above scenarios have played out for me personally in just the last 5 years.

#11 Avoid insecure websites

Don't use websites that think your password is too strong for them (i.e. they don't allow more than 8 characters, special characters, spaces, etc.) and let them know that you didn't use them because of that. You can send an email to webmaster@websitename to let them know.

The Threat: Minimum length requirements are OK so long as the minimum is at least 8. Websites that limit your password to a maximum length are usually trying to work around some technical limitation on their end. This often indicates that they are using an antiquated and insecure system on their back end that cannot be easily upgraded. A compromise of a password database on one of these systems probably means that even if the password is encrypted, either the encryption is weak or the number of combinations that needs to be attempted to compromise a password is lower than on a secure system.

#12 Change password if it has been compromised

#13 Keyring use

#14 Never give out passphrases for encrypted databases, til death do you part

#15 Be aware of password stealing threats

It's more than just phishing. Cameras, microphones listening to keystrokes, keyboard sniffers, keypad skimmers (PIN for debit card), over-the-shoulder attacks, etc.