The most secure passwords are the ones you can't remember

This was exactly what I tweeted earlier today. And I got some interesting reactions which made me decide to do a short write-up.

Some people were taking this quote quite literally.

What I meant is that when you want the most secure passwords you should generate random ones. Like this one, for example...

Which is indeed way too difficult to remember. A password like that is secure, but if you can't remember it, it's not really useful, right?

Not if you use a password manager that can generate and store these passwords for you.
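To make the "generate random ones" point concrete, here is an added example (my own code, not from the original post or any particular password manager) of what a generator should do: draw every character from the operating system's CSPRNG and report the entropy, so that "too difficult to remember" becomes a measurable number of bits. The word list is a constructed 16-word toy; the `WORDLIST`, `CHARSET` and function names are mine.

```python
import math
import secrets
import string

# 94 printable ASCII symbols: upper, lower, digits and punctuation.
CHARSET = string.ascii_letters + string.digits + string.punctuation

# Constructed toy word list for the passphrase variant (a real Diceware list has 7776 words,
# so each word there is worth about 12.9 bits instead of the 4 bits this list gives).
WORDLIST = ["apple", "bridge", "candle", "desert", "engine", "forest", "garden", "harbor",
            "island", "jacket", "kettle", "ladder", "meadow", "needle", "orchid", "pillow"]


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet_size) bits."""
    return length * math.log2(alphabet_size)


def generate_password(length: int = 20, charset: str = CHARSET) -> str:
    """Draw every character independently from the OS CSPRNG via the secrets module.

    secrets.choice is uniform, so a 20-character password over 94 symbols carries
    about 131 bits of entropy. random.choice is seeded predictably and is not used.
    """
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(charset) for _ in range(length))


def generate_passphrase(words: int = 6, wordlist=WORDLIST) -> str:
    """Diceware-style passphrase: easier to type, entropy = words * log2(len(wordlist))."""
    if words < 1:
        raise ValueError("words must be positive")
    return " ".join(secrets.choice(wordlist) for _ in range(words))


if __name__ == "__main__":
    pw = generate_password()
    print(pw, f"({entropy_bits(len(CHARSET), len(pw)):.1f} bits)")
    pp = generate_passphrase()
    print(pp, f"({entropy_bits(len(WORDLIST), 6):.1f} bits with this toy list)")
```

The entropy figure is what matters when comparing a random 20-character password (about 131 bits) with a six-word passphrase from a real 7776-word list (about 77.5 bits): both are far beyond anything a human would memorise for 200 accounts, which is exactly why the manager stores them.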

There's no reason anymore to remember your passwords except for the one master password that gives access to your password manager. Most password managers can automatically fill in credentials in the browser, which is a serious improvement in terms of user experience.

But what if your password manager gets hacked?

All software has vulnerabilities and can be hacked. But imagine your password manager account or the servers of a cloud based password manager vendor get hacked. That would be a horror scenario, right?

I'm not going through the details here but good password managers should encrypt your secrets on the client and never store your password and additional secret key(s) on their servers. There are a lot of misconceptions around password managers which I tried to debunk in this blog. People often don't trust a password manager but their current alternative might be a lot less secure.
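The "encrypt on the client and never store your password on the server" design is easier to trust once you see what the server actually ends up holding. The following is an added example I wrote to illustrate that split; it is not the code of any real password manager. The master password is stretched with scrypt on the client and split into three independent keys: one encrypts the vault, one authenticates it, and one is used only to log in. The server stores the salt, the ciphertext and a hash of the login key, nothing that decrypts the vault. The HMAC-based stream cipher is a stand-in for a real AEAD such as AES-GCM, chosen only so the example runs on the standard library; the scrypt parameters and all function names are my assumptions.

```python
import hashlib
import hmac
import secrets

# Assumed scrypt cost parameters for the example (2^14, 8, 1 = 16 MiB); a real product tunes these higher.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def derive_keys(master_password: str, salt: bytes) -> dict:
    """Client side: stretch the master password, then derive independent keys by purpose.

    The server never sees master_password, vault_key or mac_key; it only learns a hash
    of auth_key, which proves the user knows the password but decrypts nothing.
    """
    stretched = hashlib.scrypt(master_password.encode("utf-8"), salt=salt,
                               n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return {
        "vault_key": hmac.new(stretched, b"vault-encryption", hashlib.sha256).digest(),
        "mac_key": hmac.new(stretched, b"vault-integrity", hashlib.sha256).digest(),
        "auth_key": hmac.new(stretched, b"server-login", hashlib.sha256).digest(),
    }


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy CTR-style keystream from HMAC-SHA256; a stand-in for a real AEAD cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_vault(keys: dict, plaintext: bytes) -> dict:
    """Encrypt-then-MAC on the client with a fresh random nonce per vault version."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(keys["vault_key"], nonce, len(plaintext))))
    tag = hmac.new(keys["mac_key"], nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def decrypt_vault(keys: dict, blob: dict) -> bytes:
    """Verify the tag before touching the ciphertext; a tampered or swapped blob is rejected."""
    nonce, ct, tag = (bytes.fromhex(blob[k]) for k in ("nonce", "ct", "tag"))
    expected = hmac.new(keys["mac_key"], nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("vault ciphertext failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, _keystream(keys["vault_key"], nonce, len(ct))))


def server_record(keys: dict, salt: bytes, blob: dict) -> dict:
    """Everything a cloud vendor stores for this user: salt, ciphertext, and a hash of auth_key."""
    return {"salt": salt.hex(),
            "auth_hash": hashlib.sha256(keys["auth_key"]).hexdigest(),
            "vault": blob}


def server_login_ok(record: dict, auth_key: bytes) -> bool:
    """Server side login check; constant-time comparison against the stored hash."""
    return hmac.compare_digest(record["auth_hash"], hashlib.sha256(auth_key).hexdigest())


if __name__ == "__main__":
    salt = secrets.token_bytes(16)
    keys = derive_keys("correct horse battery staple", salt)          # constructed master password
    record = server_record(keys, salt, encrypt_vault(keys, b'{"example.com": "Hx7!qL2#vN9@pR4$"}'))
    print("server holds:", record)                                     # no vault_key anywhere in here
    print("decrypted on client:", decrypt_vault(keys, record["vault"]))
```

If the vendor's database leaks, the attacker gets `record`: a salt, a ciphertext and a login hash. Turning that into plaintext still means running scrypt per guess against the master password, which is the whole point of choosing a strong master password and a manager that does this work on the client.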

If you want to get more insight into the criteria I used for selecting a password manager you can read this blog.

And however much everyone would like to get rid of passwords, they're just the reality we have to live with. This is from a recent blog post from Dashlane:

'Dashlane data shows the average internet user has over 200 digital accounts that require passwords, a figure projected to double to 400 in the next five years.'

Other benefits of a password manager

Apart from managing your secrets, password managers have some other benefits that fewer people realize.

  • There's the usability improvement and time savings because you don't have to type your credentials all the time.
  • Password managers with auto-fill capability also help to detect phishing attempts.
  • Several password managers will detect whether you're using weak or previously breached passwords.
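The third benefit, detecting previously breached passwords, is usually done with a k-anonymity range query so that the manager never has to send your actual password (or even its full hash) to anyone. As an added example, not code from the original post or from any vendor, the block below implements both sides of that exchange against a constructed five-password "breach corpus": the client sends only the first five hex characters of the SHA-1, the server returns every suffix in that bucket, and the match happens locally. The corpus, the `min_length` threshold and all function names are my assumptions.

```python
import hashlib

# Constructed breach corpus for the example (not real breach data): a few passwords
# that appear in essentially every leak. A real service indexes hundreds of millions.
BREACHED_PASSWORDS = ["password", "123456", "qwerty", "letmein", "welcome1"]


def _sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Server-side index: 5-character hash prefix -> list of 35-character suffixes.
_BREACH_INDEX: dict = {}
for _pw in BREACHED_PASSWORDS:
    _h = _sha1_hex(_pw)
    _BREACH_INDEX.setdefault(_h[:5], []).append(_h[5:])


def range_lookup(prefix: str) -> list:
    """Server side of the k-anonymity range query.

    Given only the first 5 hex characters of a SHA-1, return every known suffix in
    that bucket. The server never receives the password or its full hash, so it
    cannot tell which of the bucket's candidates the client is actually checking.
    """
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    return _BREACH_INDEX.get(prefix.upper(), [])


def query_prefix(password: str) -> str:
    """The only thing the client ever sends over the wire."""
    return _sha1_hex(password)[:5]


def is_breached(password: str) -> bool:
    """Client side: compare the remaining 35 characters locally against the bucket."""
    digest = _sha1_hex(password)
    return digest[5:] in range_lookup(digest[:5])


def password_report(password: str, min_length: int = 12) -> dict:
    """The checks a password manager can run over each stored credential to flag weak ones."""
    return {
        "breached": is_breached(password),
        "too_short": len(password) < min_length,
        "all_one_class": password.isalpha() or password.isdigit(),
    }


if __name__ == "__main__":
    for candidate in ("password", "Hx7!qL2#vN9@pR4$"):
        print(candidate, "->", query_prefix(candidate), password_report(candidate))
```

The same prefix covers every password whose SHA-1 starts with those five characters, so even a malicious or compromised lookup service learns nothing usable about which password was checked; this is why a manager can run the check across your whole vault without turning the vault into a new leak.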

Finally, I suggest you watch this video by Sean Wright in which he explains, among other things, the above mentioned benefits of using a password manager.

John Opdenakker

Blogger | #Infosec | #AppSec | Security awareness | Occasional Public Speaker | Cycling | Running | Enjoying life