Passwords are stupid. Many of us choose weak passwords because they're easy to remember, and we use the same one or few everywhere, which is risky. Also annoying: each account that needs a password has different requirements ("Use six or more characters, a capital letter, a number, and any special character except % and @). Your resulting password is more secure than "pa55w0rd" or "12345," but some security analysts think passwords that meet standard requirements are still pretty easy to crack, and we should use biometrics like Apple's Touch ID. But for now you can't sign in to websites, log on to a protected network, use social media or email, or make online payments without passwords, so the key is to build a better password strategy.
Strategy 1: Create stronger passwords yourself
A password is no good if you can't remember it, so it's tempting to use words and numbers that are memorable. However, these elements are often easy for someone else to guess or to find. For example, you should not use birthdays or the names of immediate family members or pets. Don't use a street address where you live now or have lived in the past. Don't use a license plate number or your mother's maiden name. A whole cottage industry of websites mines this public information, and people who know your full name can access all of it. And because that information's frequently free, there's no cash transaction between the site and the prospective hacker or thief to create a trail for investigators.
The trick is to create a password that's difficult for a person or a computer to guess but fairly easy to remember and type. Length and numbers can strengthen password quality. For example, do you like Shakespeare? Remove the spaces from "To be, or not to be? That is the question" (you'd want to use a less common quote) to get: Tobe,ornottobe?Thatisthequestion. You can substitute numbers for letters, like turning "e" into "3" or "i" into a "1," but password-cracking tools look for common swaps like that, so it doesn't provide much protection. Capital letters can help, though. This method is still not as good as a completely random password that also incorporates special characters ($, &, #, !, *, and so forth). But it should be good enough for an offline password manager like KeePass.
You can also use online tools to analyze your password quality, but choose wisely: some of them aren't safe. We can recommend Microsoft's free password checker, which doesn't transmit your password. The website is encrypted, too.
No matter how strong your passwords are, you should reset them periodically, in case the website or app has security holes. Stores, banks, government agencies, even security companies get hacked, either through technical vulnerabilities or social engineering (tricking someone into giving passwords, personal information, or direct access).
Now you know how to create a stronger password, but you don't need a single password; you should have a different password for every log-in. For even stronger unique passwords, get a password manager.
Strategy 2: Use a password manager
A password manager generates complex random passwords and stores them, so you have to remember only one master password. Password managers can be a standalone app, a browser plug-in, or an online service, giving you lots of options.
Password management apps
Ideally, you want your password manager to work with all your devices, but not all password managers have versions for every platform. The developer of KeePass, for example, makes only a Windows desktop app but authorizes third parties to make the iOS and Android versions. Each of these platforms uses different navigation, so you must learn multiple user interfaces. Also, if you forget the master password for the library of passwords on your standalone app, there's no built-in system to reset or retrieve it. You would have to create your own recovery method or live with the risk of losing access to your password archive. To find out which apps we like, see our password manager roundup.
Online password managers
Some people prefer an online password manager like LastPass. Any device running a modern Web browser can log in to the service's site, and LastPass also has browser add-ons for Chrome, Firefox, Opera, and Safari. The advantage of using the website directly is that you're familiar with your browser's interface and don't have to learn the add-on's UI. Also, if your phone is stolen, lost, or destroyed, you can still access your passwords by logging in to the LastPass website on another device. LastPass has an offline mode for when you lack an Internet connection, which is handy when you want to open a password-protected file or folder on your device or local network. The mobile version of LastPass is part of the paid service, which costs $1 a month, and the Android and iOS versions have a free 14-day trial. The premium version is ad-free.
Add payment info to your password manager
If you use payment services like Google Wallet or PayPal, copy your log-in info into your password manager. That means leaving your credit card info with Google or PayPal, but their security is generally much tighter than average. Alternatively, create an entry in your password manager for credit card information.
Password manager vulnerabilities
While password managers are the best way to create and keep your passwords, they're not bulletproof. Watch out for these potential weaknesses.
Library file hacks
Your password manager saves all your passwords in a library file. It's possible someone could obtain your library file and guess its master password. However, this requires that the intruder get the file in the first place. As long as you don't put the file or your master password on the Internet -- such as in an email or on Google Drive or iCloud -- it will be difficult (but not completely impossible) for a password cracker to get it. And if you're creating a strong master password, it'll be harder to break in.
A password manager may not protect you against keyloggers, a type of malware that can sneak onto your desktop or mobile device and record all the keys that you press. Keyloggers periodically send recorded keystrokes over the Internet to would-be thieves, who sift through the data and try to identify passwords. Many keyloggers also scan your system's clipboard, where text is stored when you highlight it and press Ctrl+C. Password manager software usually uses the clipboard to transfer passwords and usernames from its password library to a log-in screen. Good password managers wipe the clipboard clean after a few seconds, but it's possible that a keylogger will scan the clipboard while it contains a password or username.
You can get software that claims to protect your clipboard from unauthorized access, but you can get caught up in an arms race between the hackers and the people trying to protect your data. If you run good antivirus software and avoid suspicious websites and email attachments, you have reasonable protection against keylogging.
Malicious websites and phishing
A password manager can't guarantee that the website you're visiting is legitimate. Clicking the wrong link can take you to a fake website pretending to be your bank or another important account. Then when you enter your username and password, it's stolen. This is called phishing. You can usually detect this behavior because the website URL is slightly misspelled. But more sophisticated phishing may trick your browser into showing the URL of the real website when you're on a fake one. Google's Password Alert extension for Chrome detects when you've entered your Google account info into a fake website. When the extension is triggered, it offers to reset your password. But this works only for your Google account.
Be mindful of password entry in public. Many mobile devices pop up every pressed key on a virtual keyboard, and many mobile-optimized websites briefly display the characters you enter in the password field, so an onlooker doesn't even need to watch where your fingers tap. Password managers can help. For offline password managers, would-be hackers would need access to the device itself before they could get into your account. If you've given nicknames to your accounts, that will also slow down intruders, probably long enough for you to change your passwords using another device.
When you forget a password, you must attempt to recover it. Unfortunately, that process can have weak security.
The worst password recovery option is the preset security question. You select a question from a drop-down menu --often the city where you were born or your mother's maiden name -- answer the question, and get a reset notification in email (or the system may reset your password on the spot).
The problem: place of birth, maiden name, and similar information is not difficult for a digital thief to find in public records on the Internet. If someone has your account name, they can use it to trigger a password reset, then answer the security question to get access. Most recovery systems will let someone keep guessing as many times as they like, as frequently as they like, until they strike gold. And if you use those same security questions and answers elsewhere, the intruder can get into those accounts, too. Did you use the same account name for your email and your bank? You could be in for a long week if you're doing business with a major institution like Wells Fargo or Bank of America. A smart thief checks the most popular services first.
The solutions: First, if you can opt out of security questions and use a better password-recovery method like two-factor authentication, do it. Second, when you must use security questions, let your password manager create and store randomly generated answers. Third, if you want to go old-school, Google can provide one-time-use passwords that you print out and store in a safe place (preferably a safe deposit box, if you need to protect personal financial info or other sensitive stuff).