Stop me if you’ve heard this one before: you should use a different password for every account you have, and each of those passwords should be an extraordinarily long and complex string of characters that are easy for you to remember but hard for others to guess.
Unfortunately, that’s solid advice. Equally unfortunately, it’s hacking season. And more unfortunately still: hacking season never ends.
However, there are two pretty lazy but secure methods to ensure you’re using sufficiently strong passwords. Here they are:
The easiest way: use a password manager
With a password manager, you really only need to remember one password. That password unlocks your password manager—the vault of your passwords, as it were—and your password manager does all the heavy lifting for you.
Each time you create a new account online, you can ask your password manager to create a complex password for you. It will generate a long string of random characters (complete gibberish that nobody could guess, you included) and store it in the vault for you.
The next time you go to log into your account, the password manager will automatically fill in your username and password for you, so you don’t have to remember them.
Now, there are many password managers out there. Some are free, most charge for a premium tier, and the big difference between free and paid is usually the number of devices you can sync the password manager across.
This is important! Why? Because if you’re using a free password manager that only works on one device—say, your desktop computer—and you go to access an account on your phone, you’ll need to be in front of your desktop to access your password vault and then often type your password into your phone manually.
This defeats the purpose from a simplicity standpoint, of course. So be prepared to pony up a few bucks a month for a premium password manager or check out the very excellent and open-source Bitwarden password manager, which has a free personal version that can be used on any number of devices.
The other great thing about password managers is that they’re really good at thwarting phishing attacks and related scams that try to get you to enter your username and password into bogus sites. The password manager only autofills on sites whose domain matches the entry it saved, so if you’re directed to log into a lookalike site called Fast-Company.com that’s dressed up to look like the real FastCompany.com, the password manager won’t offer up your actual credentials. A manager that suddenly refuses to fill a login you use every day is a strong hint that you’re not where you think you are.
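To show what “only autofills on sites it recognizes” means in practice, here is an added example (not code from the article or from any particular password manager) of the matching rule: fill only on an https page whose registrable domain equals the saved entry’s. The hostnames and the tiny public-suffix table are constructed assumptions; real managers use the full Public Suffix List.

```python
from urllib.parse import urlsplit

# Constructed, simplified stand-in for the Public Suffix List. Real password
# managers use the full list so that "example.co.uk" is one site, not "co.uk".
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registrable_domain(host: str) -> str:
    """eTLD+1: the part of a hostname that a single organisation registers."""
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def normalized_host(url: str):
    """Lower-cased, IDNA-encoded hostname, or None if the URL has no usable host.
    IDNA encoding turns a homograph such as a Cyrillic 'о' into an xn-- label,
    so it can never compare equal to the ASCII site it imitates."""
    host = urlsplit(url).hostname
    if not host:
        return None
    try:
        return host.encode("idna").decode("ascii").lower()
    except UnicodeError:
        return None  # refuse to fill on a host that does not normalize cleanly


def autofill_allowed(saved_url: str, page_url: str) -> bool:
    """Fill only on https pages whose registrable domain matches the saved entry."""
    if urlsplit(page_url).scheme != "https":
        return False
    saved_host, page_host = normalized_host(saved_url), normalized_host(page_url)
    if saved_host is None or page_host is None:
        return False
    return registrable_domain(saved_host) == registrable_domain(page_host)


if __name__ == "__main__":
    saved = "https://www.fastcompany.com/login"          # constructed saved entry
    for page in ["https://www.fastcompany.com/account",  # same site
                 "https://accounts.fastcompany.com/",     # subdomain, same owner
                 "https://fast-company.com/login",        # lookalike domain
                 "https://www.fastcompany.com.evil.example/login",  # real name as a subdomain of evil
                 "http://www.fastcompany.com/login",      # plain http, would leak the password
                 "https://www.fastc\u043empany.com/login"]:  # Cyrillic 'о' homograph
        print(f"{autofill_allowed(saved, page)!s:5}  {page}")
```

The subdomain case is why the comparison is on the registrable domain rather than the full hostname: accounts.fastcompany.com and www.fastcompany.com belong to the same owner, while fastcompany.com.evil.example does not, even though it contains the real name.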
The still-kinda easy, manual way
OK, so maybe you don’t trust password managers or you don’t want to futz around with syncing your credentials across devices. And let’s say that despite all prudent advice, you have little interest in using a separate password for every account.
This is something of a compromise, but it’ll do in a pinch. At a very basic level, the longer and more complex a password is, the more guesses it takes to crack by brute force.
Of course, us being humans, remembering long and complex stuff isn’t really our forte. But what if you just had to remember one extremely long and convoluted thing and then append some context to that thing for each account?
You can use a site like PasswordMonster.com to get an estimate of how long it’d take to crack any one of your passwords. You’ll notice that the more you type, the longer the estimated time grows. Keep in mind that these figures assume an attacker who knows nothing about your password and has to try every combination; an attacker who knows how you build your passwords does far better.
So pick something superlong that only you’ll remember and that ideally contains a mix of letters, numbers, symbols, uppercase, lowercase, and punctuation.
In my case, I’d pick a base password like the following:
That’s long, it’s complex, it’s got a mix of a bunch of gibberish, and I’ll always remember that my first job was at Best Buy making $5.15 an hour. According to PasswordMonster, that alone would take a million-trillion years to crack. Ideally, I’ll be long dead by then.
Then, for my Fast Company account, I’d add something like F@stC0mp@ny and then a hyphen to the beginning of my super password:
That little extra bit extends the crack time to 862 trillion-trillion years.
Now, there are two catches here. First, you’re going to have to manually type a whole lot of stuff into your password field each time you log in.
Second, if you use a password like this on a poorly run website that stores passwords in plaintext (or with a weak, unsalted hash) and that site gets hacked, a hacker who reads your password there can see the pattern: your super password with the site name and a hyphen bolted onto the front. At that point the million-trillion-year estimate no longer applies, because for every other account only the short site-specific part has to be guessed, and that takes seconds.
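The following is an added example, not code from the article, that puts numbers on three of the points above: what a password manager’s random generator gives you, how the PasswordMonster-style brute-force estimate grows with length and character classes, and how little that estimate is worth once one plaintext breach reveals the base of the “super password plus site name” scheme. The base password, the site names, the 1e10 guesses-per-second rate and the use of an unsalted SHA-256 by the second site are all constructed assumptions; the base is not the author’s real password.

```python
import hashlib
import itertools
import math
import secrets
import string

# Constructed assumption for the estimate: an offline attacker with a dump of
# fast, unsalted hashes (the "poorly run website" case) on commodity GPUs tries
# about 1e10 guesses per second. Real rates depend on the hash and the hardware.
FAST_HASH_GUESSES_PER_SEC = 1e10
SECONDS_PER_YEAR = 365.25 * 24 * 3600
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols

# Common keyboard substitutions people use to "complicate" a word.
LEET = {"a": "@4", "e": "3", "i": "1!", "o": "0", "s": "$5", "t": "7", "l": "1"}


def generate_password(length: int = 20) -> str:
    """What a password manager does: uniform random picks from a CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def generated_entropy_bits(length: int = 20) -> float:
    """Guessing entropy of generate_password(length): log2(94) bits per character."""
    return length * math.log2(len(ALPHABET))


def charset_size(password: str) -> int:
    """Size of the union of character classes present (how crack-time sites estimate)."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)
    return size


def brute_force_years(password: str, rate: float = FAST_HASH_GUESSES_PER_SEC) -> float:
    """Expected years to find the password by exhaustive search when the attacker
    knows nothing about its structure (half the keyspace on average)."""
    keyspace = charset_size(password) ** len(password)
    return keyspace / 2 / rate / SECONDS_PER_YEAR


def mangle_candidates(word: str):
    """Every case/leet spelling of a word: 'fastcompany' yields 36,864 strings."""
    options = []
    for ch in word.lower():
        variants = {ch, ch.upper()}
        variants.update(LEET.get(ch, ""))
        options.append(sorted(variants))
    for combo in itertools.product(*options):
        yield "".join(combo)


def scheme_attack(leaked_base: str, site_word: str, target_hash: str,
                  separators=("-", "_", "")):
    """The attacker's view after one plaintext breach: the base is known, so only
    the site tag's spelling, the separator and its position are guessed.
    Returns (recovered_password_or_None, guesses_made)."""
    guesses = 0
    for sep in separators:
        for tag in mangle_candidates(site_word):
            for candidate in (f"{tag}{sep}{leaked_base}", f"{leaked_base}{sep}{tag}"):
                guesses += 1
                if hashlib.sha256(candidate.encode()).hexdigest() == target_hash:
                    return candidate, guesses
    return None, guesses


# Constructed demo data (not the article author's real password).
BASE = "correct-horse-$5.15/hr-1997"                       # leaked in plaintext by site A
TARGET = "F@stC0mp@ny-" + BASE                               # the same user's site B password
TARGET_HASH = hashlib.sha256(TARGET.encode()).hexdigest()   # site B's unsalted hash

if __name__ == "__main__":
    print(f"brute force, no knowledge: {brute_force_years(TARGET):.3g} years")
    pw, n = scheme_attack(BASE, "fastcompany", TARGET_HASH)
    print(f"scheme known: recovered {pw!r} after {n} guesses "
          f"({n / FAST_HASH_GUESSES_PER_SEC:.2g} seconds at the assumed rate)")
    print(f"random 20-char manager password: {generated_entropy_bits():.1f} bits of entropy")
```

The contrast is the point: the same 39-character password scores astronomically against blind brute force, but once the base is known the attacker needs at most a few hundred thousand guesses, a fraction of a second, to get into every other account built the same way. A 20-character random password has about 131 bits of entropy and no pattern to learn.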
Why not both?
So, the absolute best course of action? Use a password manager, and make the master password that protects your vault something extremely long and complex. That way, if a copy of your encrypted vault is ever stolen (from the vendor, say, or from a lost laptop), that master password is all that stands between the thief and everything inside, and you’ll have time to change the master password and rotate any accounts that matter.
And no password manager worth using stores your master password at all; it derives the vault’s encryption key from it with a deliberately slow function (PBKDF2 or Argon2 with a high work factor), so each guess at a stolen vault costs an attacker far more than a guess at an ordinary website’s leaked hash. With a long master password on top of that, you’ll have at least a million-trillion years or so to get things sorted out.
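To make “properly storing passwords” concrete, here is an added example (not any vendor’s actual scheme, and not code from the article) of how a vault key is derived from the master password with PBKDF2-HMAC-SHA256, how unlocking is checked without storing the master password, and how much one guess at such a vault costs compared with one guess at a plain SHA-256 hash. The 600,000-iteration work factor, the verifier construction and the sample passwords are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import time

# Assumptions (not a specific vendor's exact scheme): PBKDF2-HMAC-SHA256 with a
# per-user random salt and 600,000 iterations, the kind of work factor current
# password managers use; Argon2id is the other common choice.
ITERATIONS = 600_000
KEY_LEN = 32


def derive_vault_key(master_password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """The 256-bit key that encrypts the vault. The master password itself is never stored."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, dklen=KEY_LEN)


def make_verifier(vault_key: bytes) -> bytes:
    """Stored alongside the vault: an HMAC of a fixed tag under the key, which
    reveals nothing about the key but lets a wrong password be rejected quickly."""
    return hmac.new(vault_key, b"vault-verifier", "sha256").digest()


def unlock_check(vault_key: bytes, vault_verifier: bytes) -> bool:
    """Constant-time comparison so timing does not leak how close a guess was."""
    return hmac.compare_digest(make_verifier(vault_key), vault_verifier)


def guess_cost_ratio(samples: int = 20_000):
    """Measure how much slower one PBKDF2 guess is than one plain SHA-256 guess on
    this machine. Returns (seconds per PBKDF2 guess, seconds per SHA-256, ratio)."""
    salt = os.urandom(16)
    t0 = time.perf_counter()
    derive_vault_key("not-the-real-master-password", salt)
    kdf_seconds = time.perf_counter() - t0
    t0 = time.perf_counter()
    for i in range(samples):
        hashlib.sha256(b"guess%d" % i).digest()
    sha_seconds = (time.perf_counter() - t0) / samples
    return kdf_seconds, sha_seconds, kdf_seconds / sha_seconds


if __name__ == "__main__":
    salt = os.urandom(16)                       # constructed per-user salt
    key = derive_vault_key("a long master password only you remember", salt)
    verifier = make_verifier(key)
    print("right password unlocks:", unlock_check(key, verifier))
    wrong = derive_vault_key("a long master password only you remembeR", salt)
    print("one-character typo unlocks:", unlock_check(wrong, verifier))
    kdf, sha, ratio = guess_cost_ratio()
    print(f"one PBKDF2 guess {kdf:.3f}s vs one SHA-256 guess {sha:.2e}s: {ratio:,.0f}x slower")
```

The ratio is the whole story: every guess an attacker makes against a stolen vault has to pay the full iteration count, so the same hardware that tears through a website’s unsalted hash dump gets a tiny fraction of that rate here, and a long master password multiplies that cost by the size of its keyspace.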