This is a subject that has been extensively covered by many folks much smarter than I, but I still would like to give my humble contribution to the conversation. Let’s start with a few definitions.
Password: A series of characters that are used as a digital key to unlock/open/login/decrypt some sort of digital service. Also used to mean a single word or short series of characters (say, fewer than 10) when contrasted with the term passphrase.
Passphrase: Multiple words strung together and used as a password, e.g., imakestrongpasswords29!!
Password manager: Some sort of program that generates and stores passwords so you don’t have to.
Threats
Now let’s look at the different methods that someone could use to gain access to your accounts or devices.
Bypassing the password: This is a service-side problem, where an attacker gets in through a flaw in the service rather than by learning your password. There is little that a user can do to avoid this besides choosing services with good policies and good cryptography.
Social engineering: This covers things like phishing, where someone tricks you into giving up your password. Defend against this by not giving your password to anyone. (Very, very rarely there might be a justifiable reason to give your password to a service provider; we’ll cover some basic rules on this below.)
Human Guessing: Here I’m talking about a human just making a guess and getting it right. This is why you shouldn’t use things like your birthday, your pet’s name, etc. Defend against this by having long, random passphrases.
Computer Guessing: This is what’s usually called “brute forcing”. It is where a computer is used to guess many passwords at extreme speed (potentially 1000+ every second). Defend against this by having long, random passphrases. It can also be defended against by service providers blocking large numbers of guesses. For example, the iPhone’s erase-after-10-failed-guesses design*.
So, what do we need from a password/passphrase?
It needs to be long. This should be self-explanatory, but “long” at the moment means at least 11 characters if it’s a random collection like c2k$oi(8kly%r or 6 words if it’s a passphrase. We’ll get into those more a little later.
It needs to be random. While the idea of randomness seems quite straightforward, from a mathematical perspective it’s actually quite uncommon. If you or I just “randomly” mash a keyboard, and end up with something like ;oiasddoigoinqwreeinin we might think that’s really random. In fact though, if we did that a few thousand times, and fed it into a computer program designed to look for patterns, the program could probably learn the patterns we use unconsciously and predict our mashes with a fair amount of accuracy. (The string above is truly just me hammering at the keyboard, and you’ll notice that there are no numbers and a couple of words in there. Obviously not truly random.) What we really want is something called entropy by computer whizzes. Basically, this is just a measure of how many possible outcomes you could get from the process of creating a password.
Let’s look at a few examples. First, take your initials and write them down. Now put your birth year, your mother’s initials (backwards) and the first name of the lead singer of your band. Now your graduation year. This would give you something like jds62smtjustin80. This looks like a pretty random string, right? If I asked you to memorize it, it would be somewhat difficult. However, the entropy on that is basically zero. If any of your Facebook friends knew that was how you’d created your password, they could probably figure it out with no more than a dozen or so guesses. Alternatively, if I said take an old paper dictionary, let it drop open to any page, stab your finger down on it, and write down the word you’re pointing at, then put a character of your choice, then repeat that 3 more times, you might get something like balloon_voices_hullabaloo_arbalast. This is a MUCH higher entropy passphrase, and probably easier to remember to boot! Because you could repeat that same process many thousands of times and get many thousands of different passphrases, it is more secure.
This is basically the same concept as the diceware method which we’ll cover in the solutions section.
Finally, your passphrase needs to be something that you can use. A 99-character random string is an incredibly secure passphrase, but none of us would be able to manually enter that multiple times a day. Therefore, something relatively easy to type and relatively easy to remember is key for anything that you have to type in yourself.
How do we get there from here?
Now that we know what we need from our passphrases, what is the ideal method to create and store passphrases? I believe that everyone should be using a password manager of some sort to drastically reduce their need to remember passphrases. For a long time I avoided a password manager, thinking that it created greater vulnerability. I have lately started using a password manager and completely reversed that opinion. While having all your passwords stored in one place does create a single weak point, that “weak” point is VERY strong. All reputable password managers have good security and privacy practices to ensure that your data stays safe. As long as you practice some basic safeties (such as not accessing your passphrase vault from an untrusted computer) you are much safer using one than not.
Passphrase managers come in basically two different flavors. The first is a cloud-based service that is used via a webpage and/or browser add-ons. These store your passwords on a server, and allow you to access them from any computer, anywhere in the world. Obviously this is a more convenient method, though you are investing more trust in a service provider when you do this. These services also tend to be freemium, where you can get the basics for free but pay for the full service. This makes sense as there are servers and such to manage and pay for. The best known of these is probably LastPass. Dashlane is another well-known option.
If you want maximum security, you can go with the other type of password manager, which is “host-based”, simply meaning that your passwords are only stored on your devices, and not on any offsite server. These require a bit more management, as you have to sync between devices, or manually transfer, and also have to provide for your own backups in case of theft, fire, etc. However, if you don’t mind doing those things, they’re certainly a more secure concept. Some popular versions of this are KeePass and Password Safe. The password manager you choose will largely depend on your personal preference and which operating systems you use. There are plenty of options out there, so if you don’t like LastPass or KeePass (the only two that I know enough about to recommend) then do your research and choose one that’s good for you.
Once you have a password manager, it can generate all but a few of your passwords for you. Since it is generating and storing them, you can use long, truly random character strings (remember, those are the very best passphrases) for almost all of your passphrases. You should probably use at least 15 characters, and often can do many, many more than that. A word of caution though: there will be a few passphrases that you’ll need to enter manually occasionally. An example would be your Google or Apple account. If you get a new phone, you won’t be able to install an app for the passphrase manager till you’ve logged on to the app store…with your passphrase. So long as you have another device which allows you to read the passphrase, that’s not too bad. Unless you put a 99-character passphrase in that you now have to carefully copy to a phone keyboard…. So, I generally stick to 15-20 characters for those, and 15-25 characters for everything else. Since you’re using a password manager, you can (and should) have a different password for every single account that you have. This defeats the other great risk of passwords, which is that someone will get access to one account, and be able to access all your other accounts.
While a password manager will dramatically reduce the number of passwords you have to remember, you will still have to remember a passphrase for the manager itself and probably a few other things (like decrypting your computer). To get a secure passphrase for that you can either generate a random character string and memorize it, or use one of a variety of other methods. My favorite is the Diceware method. You use a word list and a set of dice to create a truly random phrase (like I discussed with the dictionary above). The Diceware website’s FAQ has a lot of good information on why this works, and what makes it secure, along with other interesting info. In addition, the Electronic Frontier Foundation just this past summer (2016) came out with several new word lists for use with this technique. They all have their particular benefits (ease of typing vs ease of remembering vs ease of use on mobile devices, etc.). It’s exciting to see new work in this sphere!
There is also the well-known “xkcd” method of coming up with unrelated (not really random) words.
The math in this is a little outdated, as a lot of password guessing systems are now guessing from word lists, not just letters. However, the principle still holds that those are MUCH harder to crack than a word with random characters thrown in. They are, however, less mathematically secure than Diceware passphrases.
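To make the entropy discussion above, the Diceware procedure, and the word-list comparison concrete, here is an added example (not code from the original post or from the Diceware project). It picks words by dice rolls read from a cryptographic random source, re-rolling out-of-range results so no word is favoured, and computes the entropy of the schemes the post mentions (6 Diceware words, 11 random characters, 4 xkcd-style words) together with the worst-case time to exhaust them at the post’s 1000 guesses per second. The tiny word list is constructed for the example; a real Diceware list has 7776 = 6**5 entries.

```python
import math
import secrets

# Constructed stand-in for a Diceware word list (a real one, such as the EFF
# long list, has 7776 words, one per roll of five dice). Only here so the
# example runs offline; the selection logic works for any list size.
SAMPLE_WORDLIST = ["balloon", "voices", "hullabaloo", "arbalast", "anchor",
                   "cider", "dune", "ember", "fjord", "gravel", "hinge"]


def roll_dice(n_dice):
    """Roll n_dice fair six-sided dice with a CSPRNG (secrets), not random."""
    return tuple(secrets.randbelow(6) + 1 for _ in range(n_dice))


def dice_to_index(rolls):
    """Read a tuple of faces (1..6) as a base-6 number: (1,1,1,1,1) -> 0."""
    index = 0
    for face in rolls:
        index = index * 6 + (face - 1)
    return index


def diceware_word(wordlist):
    """Pick one word by dice. With a 7776-word list every 5-dice roll maps to
    exactly one word; for other sizes, out-of-range rolls are thrown away and
    rolled again so every word stays equally likely (using % would bias it)."""
    n_dice = 1
    while 6 ** n_dice < len(wordlist):
        n_dice += 1
    while True:
        index = dice_to_index(roll_dice(n_dice))
        if index < len(wordlist):
            return wordlist[index]


def diceware_passphrase(wordlist, n_words, sep="_"):
    return sep.join(diceware_word(wordlist) for _ in range(n_words))


def entropy_bits(pool_size, length):
    """Entropy of `length` independent picks from `pool_size` equally likely
    options, i.e. log2(pool_size ** length)."""
    return length * math.log2(pool_size)


def years_to_exhaust(bits, guesses_per_second):
    """Worst-case time to try every possibility at a fixed guess rate."""
    return (2 ** bits) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    print(diceware_passphrase(SAMPLE_WORDLIST, 4))
    for label, pool, n in [("6 Diceware words", 7776, 6),
                           ("11 random printable ASCII chars", 95, 11),
                           ("4 xkcd-style words from a 2048-word list", 2048, 4)]:
        bits = entropy_bits(pool, n)
        print(f"{label}: {bits:.1f} bits, "
              f"{years_to_exhaust(bits, 1000):.3g} years at 1000 guesses/s")
```

The output shows why the post pairs "11 random characters" with "6 words": both land in the low-to-mid 70s of bits, while 4 words from a 2048-word list give only 44 bits.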
I mentioned above that there might be cases where you end up giving your password to another person to get help from a service provider (for example, when upgrading a cell phone at a store I’ve had to do this). I’ll go out on a limb and say that this is ALWAYS due to poor design on the provider’s part. They should have methods in place to keep you from having to trust some random human being with your password. That said, it does happen on occasion. I’ll give some best practices for dealing with this. First, NEVER do it unless you have initiated the contact and are certain that whoever you’re talking to is representing the company AND needs your password for a legitimate reason. Second, if there are other people around, try to write it down, pass it to the person, then take it back, so everyone else in the store doesn’t hear what you say. Finally, if you ever do have to give your password to someone, change it as soon as possible. Thankfully this situation is becoming rarer and rarer. Hopefully in the next few years companies will abandon it completely.
One last question I want to address is writing your password down. We’ve been told for years to NEVER write our passwords down. Well, conventional wisdom has changed on this. The danger from writing down your passphrase is that someone will access that piece of paper and steal your passphrase. Generally, as long as you keep that passphrase well hidden (i.e., not under your stapler on your desk, but in a book in another room) then this risk is very low in comparison to the risk of someone hacking your account due to a weak passphrase. So, while ideally you’d never write it down, if that helps you to have a longer, stronger passphrase, then by all means write it down and hide it somewhere, or keep it in your wallet. You can even take some simple measures to fool people who might find it. For example, put an extra word or number in the middle (like your birth year) that you just ignore when you’re typing it. If someone tried to use the passphrase as written, it would just appear that you’d changed it since you wrote it down.
In closing, just remember that this is really a hard thing to get your head around. When we try to think of complex, hard-to-guess passwords, it’s pretty easy to come up with things that would be difficult for a human, with our limited guessing ability, to figure out. But when you think about a computer, guessing 1000 times a second, it could guess 60,000 4-word passphrases in a minute. 240,000 words is more than Moby Dick, or any of the Harry Potter novels. That makes it really difficult for the layperson to come up with a good-quality method for generating passphrases, which is why I recommend that you stick to a mathematically proven method like Diceware.
*I am VERY much in favor of software and hardware protections such as Apple’s secure enclave. However, as detailed here, it’s still a good idea to use a long random passphrase because it’s possible that the provider has made, or will be coerced into making, a backdoor. If that’s the case, a long random passphrase still protects you.