How to Create Secure Passwords That Aren’t Impossible to Type
How do you create a strong password? Easy: You mash your keyboard for a few seconds until you have a 50-character hunk of gibberish, then you copy and paste that into a password manager so you don’t have to actually remember what it is.
There are other tricks for creating strong passwords, but there are only two rules you really have to remember: make it long and make it difficult to guess (or brute-force). “mycatiscute” is a bad password. “Sj12#8)23&$k51*as.x*3rffalwo@74d*23” is probably a good password. (Please don’t steal that one.)
The problem with creating these super-strong passwords filled with crazy characters and the dreaded “capitalized I or lowercase l” issue is that they’re a pain in the ass to type when you’re trying to use your credentials to log into a third-party service.
For example, if you’re trying to connect your Nintendo Switch to Facebook in order to find friends to play with, you’re going to have to sit there and meticulously type out your uber-secure, 64-character password—and hope you got it all right. It’s even worse if you’re connecting your Smart TV to an online account and you have to manually navigate one of those awful on-screen keyboards with your remote.
Great passwords don’t have to piss you off
The two best password manager apps you can (and should) use are LastPass and 1Password, and they both make it easy to generate randomized passwords for any site or service. However, there are a few little features you can use to ensure that your password is both strong and fairly type-able, should you ever have to go in and hunt-and-peck it when logging into a service on a device.
You don’t have to create crazy-long passwords
When you’re using either service’s “auto-generation” capabilities, you don’t have to go wild. A 30-character password is going to be a lot stronger than a 16-character password, sure, but that extra strength comes beyond the point at which it’s going to matter. As security architect Dameon “PhoneBoy” Welch-Abernathy notes, a 16-character password using just uppercase and lowercase characters—not even wacky symbols—is going to be tough to brute-force.
“The bottom line is, when you actually look at the math, you don’t need quite as long of a password as you think you do. Assuming the limit is at least 12 characters and all special characters are supported, you can make a complex enough password to sufficiently mitigate most brute force attacks. Even a 16 character password with just mixed case letters has a pretty large search space, assuming your passwords have sufficient entropy.”
Avoid symbols or other strange character traps
In both LastPass and 1Password, you have the option to set parameters when auto-generating passwords. Yes, this will make your passwords a little less secure. It will also make them a lot more convenient to type. If your app does a good job randomizing characters, they’ll still be practically impossible to brute-force guess (as noted earlier).
When you’re using 1Password to generate a new password, make sure you’ve unchecked “Allow symbols.” It should be fine to keep using digits, since numbers aren’t nearly as tricky to get to as weird characters that probably require you to switch between different keyboard screens when you’re manually typing them into a device. While you’re here, also make sure that “Allow ambiguous characters” is unchecked, because it’s annoying to accidentally type an “I” when you meant an “l,” or an “O” when you meant a “0,” et cetera.
LastPass gives you a little extra customization. You can set your auto-generated password’s length (of course), but you can also specify whether the password should use the following characters: A-Z (sure), a-z (sure), 0-9 (sure), or wacky symbols (pass). You can set a required minimum number of numerals to keep your passwords extra-diverse, and you can also elect to avoid ambiguous characters, which we recommend doing.
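The generator settings described above (no symbols, no ambiguous characters, a minimum number of digits), as an added Python sketch that is not LastPass's or 1Password's code; the look-alike set `Il1O0` and all function names are assumptions. It also measures what those settings cost in search space at a given length.

```python
import math
import secrets
import string

# Look-alike characters to drop; the exact set each manager excludes is an assumption.
AMBIGUOUS = set("Il1O0")

def build_alphabet(symbols=False, ambiguous=False):
    """Return the sorted list of characters the generator may draw from."""
    chars = set(string.ascii_letters + string.digits)
    if symbols:
        chars |= set(string.punctuation)
    if not ambiguous:
        chars -= AMBIGUOUS
    return sorted(chars)

def generate(length=16, min_digits=2, symbols=False, ambiguous=False):
    """Draw a password from the OS CSPRNG, honouring a minimum digit count."""
    alphabet = build_alphabet(symbols, ambiguous)
    while True:
        # Redraw the whole string rather than patching digits into fixed
        # positions, so every qualifying password stays equally likely.
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if sum(c.isdigit() for c in pw) >= min_digits:
            return pw

def entropy_bits(alphabet_size, length):
    """Upper bound on entropy for uniformly random characters."""
    return length * math.log2(alphabet_size)

def report(length=16):
    """Compare the typeable alphabet with the full one at the same length."""
    typeable = len(build_alphabet())
    full = len(build_alphabet(symbols=True, ambiguous=True))
    return {
        "typeable_size": typeable,
        "full_size": full,
        "typeable_bits": round(entropy_bits(typeable, length), 1),
        "full_bits": round(entropy_bits(full, length), 1),
        "mixed_case_only_bits": round(entropy_bits(52, length), 1),
    }

if __name__ == "__main__":
    print(generate())
    print(report())
```

At 16 characters the restricted 57-character alphabet gives about 93 bits, against about 105 bits for all 94 printable characters and about 91 bits for the mixed-case-only password in the quote.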
What about passphrases?
Theoretically, it’s a lot easier for you to remember a lyrical line from one of your favorite songs—an 84-character password, let’s say—than 84 characters of gibberish. A strong passphrase should be incredibly difficult to brute force, and is a much better solution than simply trying to “mask” a short password in some silly way: “P@$$w0rd123,” instead of “Password123,” for example.
There are only two problems with using a huge passphrase: First, your device (or service) might have some stupid limitation that prevents you from entering a huge password. Perhaps you’re just limited to a maximum of 16 characters—still great if you use all 16, but not nearly as great as if you were typing in a 32+ character quote that you love.
Second, you’re still going to have to do a lot of on-screen typing if you’re using your favorite Shakespearean quote as a password. Pulling a passphrase out of a password-management app is easy; having to manually type “itwasthebestoftimesitwastheblurstoftimesitwastheageofwisdom…” a few times on your PlayStation 4 because you made a spelling mistake somewhere in the middle isn’t going to be very fun. That said, you’ll probably make fewer errors with a common, long phrase than a shorter string of gibberish, so a strong passphrase is definitely worth considering.
If you don’t have any fun phrases in mind, 1Password can help you create passphrases from random words. When auto-generating a password, select the option for “words” instead of characters, and assign your favorite separator to split the words up, such as a period or a hyphen. LastPass has an option for creating “pronounceable” passwords, but that won’t turn your gibberish into words. You’ll have to think of your own clever phrase.
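A random-word passphrase with a chosen separator, as an added Python sketch that is not 1Password's code; the 16-word list is constructed for the demonstration and the function names are assumptions. The strength estimate holds only for words picked at random, and it depends on the list size and word count rather than on how many characters you end up typing.

```python
import math
import secrets

# Constructed 16-word sample list, for demonstration only. A real generator
# draws from thousands of words (the EFF long list has 7,776).
SAMPLE_WORDS = ["anchor", "biscuit", "candle", "dolphin", "ember", "falcon",
                "garden", "harbor", "island", "jungle", "kettle", "lantern",
                "meadow", "nectar", "orchid", "pebble"]

def passphrase(words, count, separator="-"):
    """Pick `count` words independently and uniformly with the OS CSPRNG."""
    if len(set(words)) != len(words):
        raise ValueError("word list contains duplicates")
    return separator.join(secrets.choice(words) for _ in range(count))

def passphrase_bits(list_size, count):
    """Entropy of `count` random words drawn from a list of `list_size`."""
    return count * math.log2(list_size)

def words_needed(list_size, target_bits):
    """Smallest word count whose entropy reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(list_size))

if __name__ == "__main__":
    print(passphrase(SAMPLE_WORDS, 4, "."))
    # Four words from the 16-word sample list: far too weak for real use.
    print(passphrase_bits(len(SAMPLE_WORDS), 4))
    # Words from a 7,776-word list needed to match 16 mixed-case letters.
    print(words_needed(7776, 16 * math.log2(52)))
```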