Creating unlinkable email accounts, verifying pseudonyms, and using encryption to protect your communications doesn’t do any good if your accounts get hacked or someone gets access to your private key, which is why the heart of all good security practice is the use of strong, unique passwords on all your accounts and on the software that protects your private key.
On its surface, this recommendation seems simple enough, and it’s advice that most of us have heard before. But in practice, it presents two primary problems. First, what is a “strong” password? Where guidance is offered (often along the lines of “must include at least one number and one uppercase letter”), the results are often difficult to remember and the actual “strength” is not clear. Meanwhile, sites that grade the quality of the passwords we create are often opaque about how to create good ones. In this scenario, we’re lucky to remember what we typed by the time our entry receives a strong grade.
Fortunately, these issues have both digital and analog solutions, and you can mix and match the strategies according to your preference. Since at least some situations, however, will require that you remember your password, we’ll start with simple recommendations for creating strong and memorable passwords.
The strength of a password is determined by two attributes: its length and its complexity. Length, naturally, is the number of characters; complexity relates to the randomness of those characters, in terms of both order and type (e.g., punctuation, numbers, and uppercase characters). Increase the strength of either (or both) characteristics of your passwords enough, and you have a set of characters that would take some number of centuries for a computer to figure out.
The trouble is that increasing complexity is both hard to do well–common number-for-letter substitutions are well known by hackers–and makes passwords hard to remember. Increasing length, on the other hand, is very straightforward when you think in terms of phrases instead of words.
Take, for example, your favorite quote from a television show or movie. This is likely to be pretty long (in terms of characters), and you already have it memorized. As long as its source isn’t associated with any of your digital profiles and it isn’t a well-known “catch phrase,” it’s probably a pretty good choice. Even better, pick a phrase or quotation from your “guilty pleasure” canon–movies, television shows or songs you don’t even like to admit you enjoy–so that even someone close to you might not think to guess it. Longer phrases and irregular capitalization help improve the strength of the password, meaning it will be pretty tough to hack programmatically, as well as hard to guess.48
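To make the length-versus-complexity argument concrete, here is an added Python example (not code from the original text) that estimates the guessing cost of a password under two attacker models: independent random characters, and a dictionary attack that already knows the common number-for-letter substitutions and tries capitalization variants. The dictionary size and guessing rate are assumed figures, and the word list is a constructed stand-in for a real one.

```python
import math
import string

# Attacker assumptions for this example (constructed, not figures from the text).
WORDLIST_SIZE = 100_000        # entries in a realistic cracking dictionary
GUESSES_PER_SECOND = 1e10      # offline guessing rate against a fast hash

# Tiny constructed stand-in for that dictionary; WORDLIST_SIZE drives the math.
SAMPLE_WORDS = {"password", "welcome", "my", "goldfish", "hates", "tuesday", "mornings"}

# Number/symbol-for-letter swaps that cracking tools already try.
LEET_CHARS = "@$0134!"
LEET = str.maketrans(LEET_CHARS, "asoleai")

def charset_size(password: str) -> int:
    """Pool size an attacker must cover if every position were independent."""
    size = 0
    for pool, n in ((string.ascii_lowercase, 26), (string.ascii_uppercase, 26),
                    (string.digits, 10), (string.punctuation, 32), (" ", 1)):
        if any(c in pool for c in password):
            size += n
    return size

def brute_force_bits(password: str) -> float:
    """length * log2(complexity): the 'length and complexity' model above."""
    return len(password) * math.log2(charset_size(password)) if password else 0.0

def dictionary_bits(password: str) -> float:
    """Cost if the attacker guesses dictionary words plus swap/capital variants."""
    bits = 0.0
    for word in password.split():
        base = word.translate(LEET).lower().strip(string.punctuation)
        if base in SAMPLE_WORDS:
            bits += math.log2(WORDLIST_SIZE)              # which word
            bits += sum(c in LEET_CHARS for c in word)    # ~1 bit per swap
            bits += sum(c.isupper() for c in word)        # ~1 bit per capital
        else:
            bits += brute_force_bits(word)                # no shortcut for this token
    return bits

def strength_bits(password: str) -> float:
    """A password is only as strong as the cheapest attack against it."""
    return min(brute_force_bits(password), dictionary_bits(password))

def years_to_exhaust(bits: float) -> float:
    """Years to search the whole space at the assumed guessing rate."""
    return 2 ** bits / GUESSES_PER_SECOND / (365 * 24 * 3600)
```

Under these assumptions "P@ssw0rd" looks like 52 bits to a naive character-pool calculation but only about 19.6 bits once the substitutions are undone, while the constructed five-word phrase "my Goldfish hates Tuesday mornings" keeps roughly 85 bits even against a word-level attack.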
There’s obviously no way for someone to steal a passphrase that only lives in your memory, but trying to remember the dozen or more we may need for all of our various devices and accounts can still be overwhelming–leading to the risky temptation to use the same password in multiple places.
A great way to deal with this is to use a password manager, like KeePass or LastPass, which stores your passwords (and can also create them for you) in an encrypted file that you unlock with a master passphrase. KeePass is open source and can be stored on a USB key; LastPass is cloud-based but crucially only stores the encrypted file, so the service doesn’t have access to any of your passwords.
In some cases, even writing a passphrase down on a piece of paper can be suitable, as long as it’s kept in a location that is both legally and physically secure, like a locked drawer in your desk at home. Obviously this limits your access to it, but as long as the place it’s kept is yours (so it can’t be searched without a warrant) and it’s not just lying around, this is still a better approach than using weak passwords. Just make sure never to carry it with you!