Security Expert Proposes Best Practices for Secure Passwords

By Wesley Fenlon

It's the correct horse battery approach: Though we've been trained to throw numbers and special symbols into our passwords, longer, phrase-based passwords are more memorable and more secure.

The common wisdom for passwords is changing. When we think of secure passwords, we gravitate towards nonsense jumbles of letters and numbers that services like LastPass generate for us. These passwords are long, impossible to guess, and the absolute antithesis of one-word favorites like "password" or "123456." They are also impossible to remember.

Writing for Wired, Markus Jakobsson, Principal Scientist of Consumer Security at PayPal, says these passwords just aren't the way to go because we can't remember them. If we can't remember our passwords, we take up bad habits: re-using the same passwords on multiple sites, falling back on something more predictable, or keeping the password written down somewhere vulnerable.

Worse, most websites are misleading when they label passwords secure, which reinforces bad password use. A capital letter and number will usually pass the test, but we use these elements predictably, placing a 1 on the end of a word or inserting 3s for Es.

Jakobsson's alternative is refreshingly simple: Use words. Just use more of them than you might be used to. In a proposal that may sound familiar to xkcd readers, he suggests using words--simple, common words--in a configuration that makes sense to you, but would be nonsense to anyone else. Words are much, much easier to remember. His recommendation of "JogStepRat" is pretty short--we like xkcd's "correcthorsebatterystaple" a little more (and it's funny), but the advice makes sense.

If hackers already know to check for common passwords when trying to crack accounts, they can easily figure out where you've substituted random numbers for letters. But are these simple phrases really better passwords than the randomized jumbles of password services? They're certainly more utilitarian--you don't need an app for them, and they're much easier to enter on touch screens.
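To make that comparison concrete, here is an added Python example (not from the article or from Jakobsson's proposal) that scores a password two ways: the way a "capital letter and a number" site policy implicitly does, and the way a guesser that knows about common words, a trailing 1 and 3-for-E substitutions would. The word list is a constructed stand-in for a real common-words list; the per-word figure assumes a list of 2048 words, as in the xkcd strip.

```python
import math
import re

# Constructed stand-in for a common-words list (hypothetical); the per-word
# entropy assumes the guesser's list holds DICT_SIZE words, xkcd's 2048.
DICT_SIZE = 2048
COMMON_WORDS = {"password", "correct", "horse", "battery", "staple",
                "jog", "step", "rat"}
# Predictable substitutions a guesser undoes first ("3s for Es", 0 for o...).
LEET = str.maketrans("0134@$", "oleaas")

def naive_policy_ok(pw):
    """The 'at least 8 characters, a capital and a digit' rule sites enforce."""
    return (len(pw) >= 8 and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[0-9]", pw) is not None)

def naive_bits(pw):
    """Strength the policy implies: each position uniformly random over the
    character classes present (26 lower, 26 upper, 10 digits, 33 symbols)."""
    classes = ((r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^A-Za-z0-9]", 33))
    charset = sum(n for pat, n in classes if re.search(pat, pw))
    return round(len(pw) * math.log2(charset), 1)

def segment(core):
    """Greedy longest-match split into dictionary words; None if any part is not a word."""
    words, i = [], 0
    while i < len(core):
        for j in range(len(core), i, -1):
            if core[i:j] in COMMON_WORDS:
                words.append(core[i:j])
                i = j
                break
        else:
            return None
    return words

def pattern_bits(pw):
    """Strength against a guesser that models words, a capital, leet
    substitutions and a trailing number: log2 of the choices at each step."""
    core, digits = re.match(r"^(.*?)(\d*)$", pw.lower()).groups()
    decoded = core.translate(LEET)             # undo 3->e, 0->o, @->a, ...
    words = segment(decoded)
    if words is None:
        return naive_bits(pw)                  # not made of words: a real jumble
    bits = len(words) * math.log2(DICT_SIZE)   # which words (11 bits each)
    bits += len(digits) * math.log2(10)        # which trailing digits
    bits += 1 if pw != pw.lower() else 0       # capitalised or not
    bits += 1 if decoded != core else 0        # leet applied or not
    return round(bits, 1)
```

The policy accepts "Password1" (about 54 bits by its own arithmetic, about 15 bits to a pattern-aware guesser) and rejects "JogStepRat" and "correcthorsebatterystaple", which score 34 and 44 bits against the same guesser; only a genuinely random jumble such as "xK9#qL2m" keeps its naive score.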

Security apps also guarantee we won't remember our passwords, but Jakobsson's proposal isn't yet practical, anyway. As long as websites demand numbers and symbols in our passwords, we can't fully embrace the phrase-based approach. And even then, we're still at the mercy of large-scale security compromises and social engineering, where the human element enters the equation. When major corporations like Sony get hacked and give up millions of passwords, the strength of your own password becomes irrelevant.

The benefits of an easy-to-recall password also break down a bit when you add in the importance of using different passwords on different websites. If you use a password manager, there's no reason to abandon it and start memorizing phrases to serve as new passwords. But if you still find yourself using single words for new passwords, try making your next pass a little more batterystaple-y.