I don’t think anyone really likes passwords, at least not with as many as we each have to carry around these days. A password is just a fairly unsophisticated way of telling a computer that you are who you say you are, a process known as “authentication.”
The problem with passwords as an authentication mechanism is that anyone with your password appears to be you. And because people tend to choose simple passwords—the most common being “123456” or “password”—and don’t tend to keep them super-secure, passwords don’t work nearly as well at preventing someone from masquerading as you as you might hope.
A strong password is one that’s unlikely to be guessed, or hacked by brute-force methods. It’s at least 10 characters long (longer is better), and should include uppercase, lowercase, digits, and special characters. And it shouldn’t look like a word. A password like “p@ssw0rd”, with common substitutions for the “a” and “o”, is hardly better than “password” itself. Using your phone number, or any other piece of public information, isn’t such a good idea, either.
What’s more, you should use a different password for each site or application that requires one. Otherwise, disclosure of your password in the nearly-inevitable data breach opens up all of your accounts, rather than just one. But people persist in using a single password for everything, or use a simple pattern for their passwords: if Facebook*1234 is your Facebook password, it’s easy to guess that WellsFargo*1234 might be your online banking password.
One approach to make sure that a password identifies you (and *only* you) is to use a program called a “password manager,” which basically creates a cryptographically-secure password (i.e. one that is hard to guess or compute, when you visit a site that requires one for the first time). On subsequent visits, it helpfully provides that password for you, so you don’t have to remember it, or write it down someplace). So, now you only have to remember one good password: the password that manages your password manager and also encrypts all your saved passwords.
You should be using a password manager. It’s just that simple.
And you don’t even have to spend money. LastPass (lastpass.com) offers a free personal version, which PC Magazine just awarded its Editor’s Choice Award for free password managers. If cost has been your sticking point, you have no more excuses.
PC Magazine awarded Editor’s Choice to two not-free password managers as well: Dashlane (dashlane.com) and Keeper (keepersecurity.com). Why pay for a password manager? The paid versions offer more features, some of which may be useful (like support for multiple family members). And paid doesn’t mean expensive: even the priciest ones cost about $5 a month and that usually covers your entire family.
The best security comes from using more than one “thing” (like a password) to authenticate yourself, a practice called multi-factor authentication (MFA). A popular form of MFA is two-factor authentication (2FA), where you must provide another piece of information along with your password, such as a number sent as a text to your phone. You know the password and you have the phone that received the text, making it more likely that you are who you say you are.
You might think that biometrics (face recognition, fingerprint, voice, etc.) will ultimately spell the end of passwords. After all, what is more you than your face, or a fingerprint? The problem with biometrics is two-fold. First, the recognition is not as perfect as you might believe. I’ll omit the Bond-movie tropes about removing a person’s eye or thumb to bypass biometric security, but biometric recognition is not 100 percent reliable (just pretty good and convenient).
Second, you can’t change your biometric data if it is compromised. And biometrics are easy to steal. We leave our fingerprints and DNA everywhere we touch. Biometrics are unique identifiers, but they’re not secrets.
As security expert Bruce Schnier wrote in 2009, “Biometrics work best if the system can verify that the biometric came from the person at the time of verification. The biometric identification system at the gates of the CIA headquarters works because there’s a guard with a large gun making sure no one is trying to fool the system.”
The fingerprint reader on your phone is pretty secure, since verification takes place securely on the phone, not over a network (where there are no beefy guards trying to deter imposters). But, biometrics are just another authentication factor, not the end to passwords.
In the end, passwords—strong ones—have a number of advantages. First, they’re easy to change if compromised. Second, you can have a unique password for every service, to limit exposure. Finally, password managers make them convenient to use in a world where we seem to need dozens of them just to get by.
Still think you don’t need a password manager? Tell me why at email@example.com.