The most secure passwords are the ones you can't remember
This is exactly what I tweeted earlier today, and I got some interesting reactions that made me decide to do a short write-up.
The most secure passwords are the ones you can’t remember.
— John Opdenakker (@j_opdenakker) December 6, 2020
Some people took this quote quite literally.
Not true, I found passwords I forgot with password leaks lmo
— Jamjar (@jamjar__) December 6, 2020
What I meant is that when you want the most secure passwords you should generate random ones. Like this one for example...
Which is indeed way too difficult to remember. Such a secure password is all great, but if you can't remember it, it's not really useful, right?
security 100% functionality 0%
— Losbol (@bolnr1) December 6, 2020
Not if you use a password manager that can generate and store these passwords for you.
The ones you don't need to remember, because they're in your password manager.
— DrewDad (@tx_drewdad) December 6, 2020
There's no reason anymore to remember your passwords, except for the one master password that gives access to your password manager. Most password managers can automatically fill in credentials in the browser, which is a serious improvement in terms of user experience.
Very true and often forgotten it’s a ux improvement and time saving as well when you use a password manager with autofill capabilities. https://t.co/svkc68QQUY
— John Opdenakker (@j_opdenakker) December 4, 2020
But what if your password manager gets hacked?
I've had the same thought before. Where if you can't remember your password, it must be strong/secure enough, and perhaps using a password manager. But what if your password manager gets hacked?
— ShaBrazil (@4n6lady) December 6, 2020
What about a world where passwords are obsolete?
What would that look like?
All software has vulnerabilities and can be hacked. But imagine your password manager account or the servers of a cloud-based password manager vendor get hacked. That would be a horror scenario, right?
I'm not going through the details here, but good password managers encrypt your secrets on the client and never store your master password or additional secret key(s) on their servers. There are a lot of misconceptions around password managers, which I tried to debunk in this blog. People often don't trust a password manager, but their current alternative might be a lot less secure.
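To make the two points above concrete (generating a random password you can't remember, and a client-side design where the server never sees the master password or the vault key), here is an added example using only the Python standard library. It is not code from the original post or from any password manager vendor; the two-step key derivation is an illustrative scheme, and the alphabet, salt and iteration count are constructed for the example.

```python
import hashlib
import hmac
import math
import secrets
import string

# Character set for generated passwords (constructed for this example).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 24) -> str:
    """Generate a random password with the OS CSPRNG (secrets), never random.random."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def password_entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def derive_keys(master_password: str, salt: bytes, iterations: int = 600_000) -> tuple:
    """Split the master password into two secrets, as client-side password managers do.

    vault_key: stays on the client and is used to encrypt the stored passwords.
    auth_hash: the only value sent to the server; it is derived from vault_key by
    one more PBKDF2 round, so the server never learns vault_key or the master
    password. (Illustrative scheme, not any vendor's exact design.)
    """
    vault_key = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations)
    auth_hash = hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1)
    return vault_key, auth_hash


def server_verify(stored_auth_hash: bytes, presented_auth_hash: bytes) -> bool:
    """Server-side login check: constant-time comparison of the auth hash only.

    A real server would additionally hash auth_hash before storing it, so a
    database leak does not expose a directly usable login credential.
    """
    return hmac.compare_digest(stored_auth_hash, presented_auth_hash)


if __name__ == "__main__":
    pw = generate_password()
    print(pw, f"({password_entropy_bits(len(pw)):.1f} bits of entropy)")
    vault_key, auth_hash = derive_keys("constructed master password", b"constructed-salt")
    print("vault key stays local:", vault_key.hex()[:16] + "...")
    print("server stores only   :", auth_hash.hex()[:16] + "...")
```

Even an attacker who obtains the salt and the stored auth hash still has to brute-force the master password through the full PBKDF2 work factor, which is why the master password itself still needs to be strong.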
If you want more insight into the criteria I used for selecting a password manager, you can read this blog.
And however much everyone would like to get rid of passwords, they're just the reality we have to live with. This is from a recent blog post from Dashlane:
'Dashlane data shows the average internet user has over 200 digital accounts that require passwords, a figure projected to double to 400 in the next five years.'
Other benefits of a password manager
Besides managing your secrets, password managers have some other benefits that fewer people realize.
- There's the usability improvement and time savings because you don't have to type your credentials all the time.
- Password managers with auto-fill capability also help to detect phishing attempts.
- Several password managers will detect whether you're using weak or previously breached passwords.
Finally, I suggest you watch this video by Sean Wright, in which he explains, among other things, the above-mentioned benefits of using a password manager.