Creating Strong Passwords
Last Reviewed: February 02, 2021
Creating Strong Passwords Using Password Managers anchor link
Reusing passwords is an exceptionally bad security practice. If a bad actor gets ahold of a password that you've reused across multiple services, they can gain access to many of your accounts. This is why having multiple, strong, unique passwords is so important.
Fortunately, a password manager can help. A password manager is a tool that creates and stores passwords for you, so you can use many different passwords on different sites and services without having to memorize them. Password managers:
- generate strong passwords that a human being would be unlikely to guess.
store several passwords (and responses to security questions) safely.
protect all of your passwords with a single master password (or passphrase ).
KeePassXC is an example of a password manager that is open-source and free. You can keep this tool on your desktop or integrate it into your web browser . KeePassXC does not automatically save changes you make when using it, so if it crashes after you've added some passwords, you can lose them forever. You can change this in the settings.
Wondering whether a password manager is the right tool for you? If a powerful adversary like a government is targeting you, it might not be.
using a password manager creates a single point of failure.
password managers are an obvious target for adversaries.
research suggests that many password managers have vulnerabilities.
If you’re worried about expensive digital attacks, consider something more low-tech. You can create strong passwords manually (see “Creating strong passwords using dice” below), write them down, and keep them somewhere safe on your person.
Wait, aren’t we supposed to keep passwords in our heads and never write them down? Actually, writing them down, and keeping them somewhere like your wallet, is useful so you’ll at least know if your written passwords go missing or get stolen.
Creating Strong Passwords Using Dice anchor link
There are a few passwords that you should memorize and that need to be particularly strong. These include:
- passwords for your device
- passwords for encryption (like full-disk encryption)
- the master password, or “passphrase,” for your password manager
- your email password
One of many difficulties when people choose passwords themselves is that people aren't very good at making random, unpredictable choices. An effective way of creating a strong and memorable password is to use dice and a word list to randomly choose words. Together, these words form your “passphrase.” A "passphrase" is a type of password that is longer for added security. For disk encryption and your password manager, we recommend selecting a minimum of six words.
Why use a minimum of six words? Why use dice to pick words in a phrase randomly? The longer and more random the password, the harder it is for both computers and humans to guess. To find out why you need such a long, hard-to-guess password, here’s a video explainer.
Try making a passphrase using one of EFF's word lists.
If your computer or device gets compromised and spyware is installed, the spyware can watch you type your master password and could steal the contents of the password manager. So it's still very important to keep your computer and other devices clean of malware when using a password manager.
A Word About “Security Questions” anchor link
Beware of the “security questions” that websites use to confirm your identity. Honest answers to these questions are often publicly discoverable facts that a determined adversary can easily find and use to bypass your password entirely.
Instead, give fictional answers that no one knows but you. For example, if the security question asks:
“What was the name of your first pet?”
Your answer could be a random password generated from your password manager. You can store these fictional answers in your password manager.
Think of sites where you’ve used security questions and consider changing your responses. Do not use the same passwords or security question answers for multiple accounts on different websites or services.
Syncing Your Passwords Across Multiple Devices anchor link
Many password managers allow you to access your passwords across devices through a password-synchronizing feature. This means when you sync your password file on one device, it will update it on all of your devices.
Password managers can store your passwords “in the cloud,” meaning encrypted on a remote server. When you need your passwords, these managers will retrieve and decrypt the passwords for you automatically. Password managers that use their own servers to store or help synchronize your passwords are more convenient, but are slightly more vulnerable to attacks. If your passwords are stored both on your computer and in the cloud, an attacker does not need to take over your computer to find out your passwords. (They will need to break your password manager’s passphrase though.)
If this is concerning, don't sync your passwords to the cloud and instead opt to store them on just your devices.
Keep a backup of your password database just in case. Having a backup is useful if you lose your password database in a crash, or if your device is taken away from you. Password managers usually have a way to make a backup file, or you can use your regular backup program.
Multi-Factor Authentication and One-Time Passwords anchor link
Strong, unique passwords make it much harder for bad actors to access your accounts. To further protect your accounts, enable two-factor authentication .
Some services offer two-factor authentication (also called 2FA, multi-factor authentication, or two-step verification), which requires users to possess two components (a password and a second factor) to gain access to their account. The second factor could be a one-off secret code or a number generated by a program running on a mobile device.
Two-factor authentication using a mobile phone can be done in one of two ways:
- your phone can run an authenticator application that generates security codes (such as Google Authenticator or Authy) or you can use a stand-alone hardware device (such as a YubiKey); or
- the service can send you an SMS text message with an extra security code that you need to type in whenever you log in.
If you have a choice, pick the authenticator application or stand-alone hardware device instead of receiving codes by text message. It’s easier for an attacker to redirect these codes to their own phone than it is to bypass the authenticator.
Some services, such as Google, also allow you to generate a list of one-time passwords, also called single-use passwords. These are meant to be printed or written down on paper and carried with you. Each of these passwords works only once, so if one is stolen by spyware when you enter it, the thief won't be able to use it for anything in the future.
Sometimes, You Will Need to Disclose Your Password anchor link
Laws about revealing passwords differ from place to place. In some jurisdictions you may be able to legally challenge a demand for your password while in others, local laws allow the government to demand disclosure — and even imprison you on the suspicion that you may know a password or key . Threats of physical harm can be used to force someone to give up their password. Or you may find yourself in a situation, such as travelling across a border, where the authorities can delay you or seize your devices if you refuse to give up a password or unlock your device.
We have a separate guide to crossing the U.S. border that gives advice on how to deal with requests for access to devices while travelling to or from the United States. In other situations, you should think about how someone might force you or others to give up your passwords, and what the consequences would be.