Tech Talk Live Blog

Passwords: What Is the Best One?

Roy Hoover

How many passwords do you have?

One – Yeah, single sign-on has arrived (finally)

Ten – I wish

One Hundred – Perhaps

Are they all complex, unique, secure, and not written on a sticky note stuck to your monitor? Passwords are a form of authentication based on something you know and that you keep secret. They are frequently used around the world, and usually fairly easy to hack. There have been lots of discussion about two-factor authentication, and it is finally being implemented for some applications. Two-factor can be expensive because it might involve a biometric scanner of some kind or some additional hardware for the second form of authentication.

Some existing hardware may be used for the second form of ID. This might be the camera built into your laptop, or the keyboard (sensing the way you type in addition to the keys you hit), or perhaps sending a text message to your cell phone. These and other methods for second factor authentication will improve over time; until then we are left with plain passwords for logging in to the many items that require them. So how can you pick a good password?

Here is where the terminology causes problems. Your password should NOT be a word. You may have heard them called passphrases, which is better, but still not the best. The length of the password, not its complexity, is what makes it harder to crack. There is a great xkcd comic that describes this. The second, fairly simple passphrase is easy to remember, while the first passphrase in the comic is difficult to remember even though the first one can be brute forced in 3 days and the second one takes 550 years to brute force.

So now you know how to pick a good pass-phrase, just pick a unique set of four random words for each of the accounts you have and you are good to go. The catch is that you need to remember which password goes with each account and you cannot write any of them down.

At a recent SANS training that I attended, Keith Palmgren gave a talk entitled “Debunking the Complex Password Myth.”  His primary point was that password length is the most critical factor in making it secure. Even repeated sequences of characters and common words are OK, if the length is sufficient. His definition of “long enough” was greater than 20 characters. Even with repeated character sequences you still need to remember which password belongs to which account. Perhaps embed the service name in the password? There must be a better way.

The only viable solution I heard mentioned at the SANS training for managing passwords is a password manager. Yes, put all your eggs in one basket, and protect that basket the best you can!

A password manager uses a single password, er passphrase, to access your password “vault.” It stores your encrypted passwords in the vault with the service that uses that password so you do not need to remember which password is used with each service. Furthermore, the password manager can create the password for each site and you do not even need to know what the password is for any particular site. The password is really just a long random string of characters for each account. No password would ever be shared between accounts so that a compromise on one website does not affect the probability of your account on another site being hacked.

Password managers may be the best option to protect your accounts until two-factor authentication is used everywhere. Even then, password managers will probably still have their place. So what is the best password? It is a long random sting of characters that no one, not even you, has ever seen. It only exists inside an encrypted vault for which you hold the key.

To learn more about password managers, read Brian Steigauf’s post, Using a Password Management Application:  KeePass vs. LastPass​.

Tech Talk Live Blog Comment Guidelines:

One of our main goals at Tech Talk Live is to build a community. It is our hope that this blog can be a forum for discussion around our content. We see commenting as an integral part of this community. It allows everyone to participate, contribute, connect, and share relevant personal experience that adds value to the conversation. Respect counts. We believe you can disagree without being disagreeable. Please refrain from personal attacks, name calling, libel/defamation, hate speech, discriminatory or obscene/profane language, etc. Comments should keep to the topic at hand, and not be promotional or commercial in nature. Please do not link to personal blog posts, websites, or social media accounts that are irrelevant to the conversation. This is considered self-promotion. We welcome links that help further the conversation and reserve the right to delete those we deem unnecessary. The appearance of external links on this site does not constitute official endorsement on behalf of Tech Talk Live or Lancaster-Lebanon Intermediate Unit 13. You are solely responsible for the content that you post – please use your best judgment. We reserve the right to remove posts that do not follow these guidelines.

Leave a Reply

Your email address will not be published. Required fields are marked *


Tech Talk Live is the only conference of its kind in the region specifically designed for IT pros in education.


1020 New Holland Avenue
Lancaster, PA 17601

(717) 606-1770