I saw a note this week from CNet about a system built to crack passwords (also on ArsTechnica). It reminded me of the story of the guy that cracked Google's 512-bit DKIM key. Not insignificant, until you get to the point of renting that much compute from AWS for tens of dollars.
Here’s a great comic on the subject of passwords: Password Strength. It’s got some good advice, but there’s more to it than just having a good strong password. You need to manage your passwords, as in you need to have lots of them.
Doubt that? Here’s a good piece from Troy Hunt.
You need a password manager. Whether you use 1Password, KeePass, or PasswordSafe (my choice), choose one and set the default generated length to something long. I had been using 12 characters, but I've moved to 16 for my passwords. All of these work cross-platform, and you can sync your files between devices.
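To make the "set the defaults to something long" advice concrete, here is an added example (my own code, not from the post or any of the managers named above) that generates a password the way a manager should, from the OS CSPRNG, and shows how much the jump from 12 to 16 characters buys. It assumes a 94-character alphabet (letters, digits and ASCII punctuation) and a constructed attacker guess rate; both are assumptions, not figures from the post.

```python
import math
import secrets
import string

# Assumed alphabet: a typical manager default of letters, digits and punctuation (94 symbols).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int, alphabet: str = ALPHABET) -> str:
    """Draw `length` characters uniformly from `alphabet` using the OS CSPRNG.

    secrets.choice is the right primitive here; random.choice is not
    cryptographically secure and must not be used for passwords."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def expected_crack_years(bits: float, guesses_per_second: float) -> float:
    """Expected brute-force time for a password of `bits` entropy.

    On average the attacker hits the password halfway through the keyspace,
    so the expected work is 2**(bits - 1) guesses."""
    seconds = 2 ** (bits - 1) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


def compare_lengths(lengths=(12, 16), guesses_per_second=1e12):
    """Return {length: (entropy_bits, expected_years)} for each length.

    The guess rate is a constructed placeholder for a well-resourced offline
    attack on a fast hash; real rates depend on the hash in use."""
    return {
        n: (entropy_bits(n, len(ALPHABET)),
            expected_crack_years(entropy_bits(n, len(ALPHABET)), guesses_per_second))
        for n in lengths
    }


if __name__ == "__main__":
    for n, (bits, years) in compare_lengths().items():
        print(f"{n} chars: {generate_password(n)}  ~{bits:.1f} bits, ~{years:.3g} years at 1e12 guesses/s")
```

The entropy figure only holds when every character is chosen uniformly by the generator; a human-chosen 16-character phrase is far weaker than the table suggests, which is exactly why the manager, not you, should pick the password.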
One more thing: you need to rotate passwords. Not just on your password manager, but on your various sites. If someone gets a copy of your password manager file, then it’s just a matter of time before they can crack it. Within months, they could have all the passwords in your file if they were determined.
Lots of passwords I’m not overly worried about, but some I am. Banks, mail, a few of my profiles, these are important to me, and so I rotate the password periodically on them, using new passwords from my manager.
Security is hard, and passwords aren’t going away anytime soon. Tell your friends, family, and make sure they all consider using some type of password manager and improving their security.