One password is not a problem, but using a lot of different ones… that can be challenging.
I want to share with you my personal opinion on the challenge of keeping multiple passwords safe.
First, let’s all agree that:
- Your brain is the safest space for passwords.
- You shouldn’t write down passwords, and definitely don’t use sticky notes to post them next to your computer.
- Changing your passwords frequently is important.
- You should never ever share your password with anyone (including IT support).
- Keeping your passwords/sensitive data in an e-mail message is risky, because your email account can be monitored or hacked.
- You shouldn’t keep passwords in a text file, Word or Excel file, a PDF file etc.
- You can use applications that encrypt passwords and documents for heightened security.
- Using a 2-factor authentication when possible is highly recommended. You can do that on your Facebook, Google and Apple accounts, for example.
We have a complex password requirement policy on our company network. We all know the requirements that create a strong password: 8 characters, capital letters, numbers, one special character, and so on. Our system has a failed login count: if you mistype your password a few times, the servers will lock you out.
For systems that do not have this lockout feature, we must use a different type of password.
The picture below shows what I am about to explain. (Source: https://xkcd.com/936/).
As IT professionals, we use applications to keep our passwords safe. One of those is Keepass, which can be installed on a computer or a mobile phone. https://keepass.info
Keepass is free, developed by the community, and the source code is public. Many other applications and services are available. Google it before you sign up for anything.
Keepass has a highly secure database with master password protection and easy-to-use functions.
My recommendation is to install it, or any other app that you can trust, with care. If the Keepass database file is stolen, an attacker can try to “recover” your passwords by brute-forcing the master password. Because of that, a long master password is preferred, and the picture above explains very well why.
To remember long passwords, you can use “memory keys”. For example: the name of the restaurant from your first date + your best friend’s birthday + your best holiday location + your favorite movie star’s alias from a film where he/she was a co-star. Taking the first two characters of each word and joining them into one string creates a short “word” that you can place anywhere; nobody can guess it or crack it with a word list, since it is a unique string of characters that only you know. My key in this case: Ro81amon, and the password will be 22 characters long.
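As an added example that is not part of the original post, the script below builds a “memory key” the way described above (first two characters of every word, joined into one string) from constructed sample phrases, and then shows why the length matters for the brute-force scenario mentioned earlier: it estimates the key space and the time an attacker would need at an assumed guess rate. The phrases, the guess rate and the symbol-set size are assumptions for illustration, not values from the post.

```python
import math
import re

# Constructed sample phrases (not the author's own), one per memory-key item.
SAMPLE_PHRASES = [
    "Rosa Mexicano",    # restaurant from the first date
    "81",               # best friend's birth year, kept whole
    "Amalfi Coast",     # best holiday location
    "Monty Brewster",   # favourite actor's alias in a film
]


def memory_key(phrases, chars_per_word=2):
    """Join the first `chars_per_word` characters of every word in every phrase."""
    parts = []
    for phrase in phrases:
        for word in re.findall(r"\w+", phrase):
            parts.append(word[:chars_per_word])
    return "".join(parts)


def charset_size(password):
    """Size of the alphabet an attacker must cover, judged from the classes present.
    33 printable ASCII symbols is an assumption used only for the estimate."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33
    return size


def entropy_bits(password):
    """Upper bound on brute-force entropy: log2(alphabet ** length)."""
    return len(password) * math.log2(charset_size(password))


def brute_force_years(password, guesses_per_second):
    """Years to exhaust the whole key space at an assumed guess rate."""
    key_space = charset_size(password) ** len(password)
    return key_space / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    key = memory_key(SAMPLE_PHRASES)
    rate = 1e9  # assumed guesses per second; a slow KDF lowers this a lot
    for pw in ("Ro81amon", key):
        print(f"{pw}: {len(pw)} chars, {entropy_bits(pw):.1f} bits, "
              f"{brute_force_years(pw, rate):.2e} years")
```

Each extra word adds two characters, so the key space grows by a factor of about 3,800 per word at a 62-symbol alphabet; that is why the 22-character version is vastly stronger than an 8-character one.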
Related articles with different methods for creating a strong password:
If you use the application, then you need to remember only one password. Install it on your private phone, which is usually with you. I would avoid uploading the database file to Google Drive or Apple iCloud, but if the master password is long enough and you have 2-factor authentication enabled for these accounts, it will make the storage relatively safe.
Google how-to: https://www.youtube.com/watch?v=3ikZtGY-ezM
iCloud how-to: https://www.youtube.com/watch?v=WXufzNPciZs
Please make sure you have a proper antivirus solution on your mobile phone. Kaspersky, BitDefender, PandaSecurity, Avast and McAfee were tested by me and are well recommended. Kaspersky has its own password solution, which is good.
For an easy login to the Keepass mobile app, you can use a fingerprint reader, then you do not need to type a long password every single time.
To back up this database, I would recommend saving it on a USB drive and placing it in a safe at home. You can also give a copy to a trusted family member (in addition to keeping it on Google Drive or iCloud, if you do) in case you lose your phone. Make sure your phone is locked with a password.
How-to video about Keepass. It also works if you create the database directly on your mobile.
Pros: Keepass is a safe place to keep your passwords and it’s easy to use.
Cons: you must have a backup; a lost master password can’t be recovered; there’s no support.
Some general information about passwords.