How to Remember a Strong Password, or: An Exploration of Security in the Digital Age

Oct 20, 20236 min readTagsAuthenticationBrute Force AttackIAMPassphrasePasswordPassword Manager
User sitting in front of a notebook and entering his username and password on a virtual login screen.

In the modern era, where digital activity has proliferated every aspect of our lives, the challenges of maintaining online security have never been more pressing. The growing number of platforms necessitates an increasing number of passwords. In today's technology-driven world, it seems like every system, device, and account requires its own set of unique password-creation rules. Some ask for a six digit, some for a 12-digit password. Others incorporate a mixture of lowercase and uppercase letters, numbers, and symbols while others exempt e.g., symbols. Amidst the backdrop of an expanding digital landscape, users are often encumbered with the task of managing a plethora of passwords. These alphanumeric combinations guard everything from our professional correspondences to personal interactions.

When it comes to password security, there is often a debate between using complex and long passwords versus simple ones. While some argue that complex passwords with a combination of uppercase letters, lowercase letters, numbers, and special characters provide better security, others believe that many different long and hardly to remember passwords are not the solution. The challenge with using longer and more complex passwords is that users often struggle to remember these lengthy sequences of random numbers and characters. For research oriented evaluation please see here.

Consequently, there is a potential risk that users write down passwords or use shorter ones. Alternatively, users often fall into the habit of consistently using the same password across multiple systems. Even worse, many individuals tend to adopt predictable patterns like using consecutive numbers (e.g., 123) or adjacent keyboard keys (e.g., qwerty). However, relying on such easily guessable sequences can compromise the security of personal information and accounts as well as expose them to various security vulnerabilities. Especially with the advancements in computing power, brute-force attacks rely on these common users' habits. The combination of powerful new machines and the predictability of certain character combinations chosen by users has made these attacks incredibly effective. It is essential for individuals and organizations to be aware of this growing threat and take necessary measures to protect their systems and sensitive information.

Additionally, it is important to use a password only once in order not to endanger all accounts in case a password is hacked or compromised.
But the difficult question arises: Is there a way to simplify and streamline this increasingly complex digital maze? How should a user remember dozens to hundreds of different passwords?

Does the answer lie in the conceptualization and implementation of a singular, unparalleled, strong password or rather in long and memorable passphrases or even a combination of both?

The Password Manager as First Alternative

The instrument that facilitates the one strong password solution is the venerable password manager.

A password manager is generally a tool which allows to store all user's usernames and passwords in one secure vault protected by one master password. As advantage, the user only needs to remember one very strong password. This allows to concentrate the security efforts on the creation and retention of one potent password and not on hundreds. To make user life even easier, a password manager can generally be used as browser extension for desktop use and as mobile app alternative with biometrics authentication on mobile devices.

Contrary, it is true that if someone were to gain access to a user's password vault, they would have access to all the accounts of the user. Nevertheless, security professionals still strongly recommend using a password manager. The advantages of utilizing such a tool far outweigh the potential risks. With a password manager, a user can securely store and generate complex passwords for each of their accounts, significantly reducing the likelihood of being hacked if used correctly. Additionally, password managers often provide additional layers of security such as two-factor authentication and encrypted data storage.

Are Passphrases more secure than Passwords?

Strong and secure passwords are generally complex and difficult to remember. A clever approach to managing and remembering passwords is to use passphrases as an alternative to traditional password managers. Passphrases can equally be long with high security strength but are easier to remember for users. If selected correctly, passphrases also can provide sufficient security strength against common hacking techniques. These phrases can be constructed by combining multiple words or using random combinations of unrelated words. Like passwords, it's important to avoid using words that are closely related or too personal, as this can potentially create vulnerabilities. Choosing such words and combining them into passphrases could make it easier for dictionary-based password tools to guess the correct sequence, even with a larger number of possible combinations present.

To increase the complexity and hence the security of a passphrase, users have the option to enhance their passphrases by strategically incorporating spaces, punctuation marks, and even intentional misspellings allowing to keep user-friendliness. This clever approach allows for an added layer of sophistication while still ensuring that the login process remains intuitive and straightforward.

Context-Based Passphrases

An interesting method to remember a passphrase is to consider using context-based passphrases as a more innovative approach. This method involves using clues from the account you are trying to access to generate unique and memorable passphrases. By doing so, you can enhance both security and convenience without the need for additional tools or software.

Here is an example to illustrate how convenient and secure a password can be generated and remembered for e.g., Amazon account:

A passphrase is generated consisting of the number of words of the account name with a certain minimum length criterion (e.g., Amazon, 6 words). This technique can be combined with several other ones, e.g.

  • Add certain numbers or symbols in between the words
  • Add periods at certain positions of the phrase
  • Reverse the word order

This technique adds an extra layer of security while still being easy to remember.

By consistently using the system, you'll effortlessly recall which passphrase is associated with each account. It's a straightforward process that becomes second nature with regular practice.

Even if a hacker manages to obtain one set of credentials, it would be highly challenging for them to guess which system you used. With numerous potential combinations to consider (assuming you have chosen a complex enough system), the chances of such unauthorized access are significantly reduced.

Does it make sense to combine Passphrases together with a Password Manager?

Many individuals and organizations rely on password managers to store and manage their passwords effectively. However, there is a growing discussion around whether it makes sense to combine a passphrase with a password manager. So, does it? The answer is yes! By using a secure passphrase as master password for the password manager and then managing all user credentials with said password manager, online security can even further be enhanced. This is mainly the case, as the user is freed from either choosing a weak password they can remember or writing it down. A good passphrase can enable the user to remember his master password using a mnemonic bridge and provides an extra layer of protection against dictionary attacks or brute force attacks since they are longer and more complex than traditional used passwords.

However, If a well-protected password manager is used, it does not make any difference if secure passwords or passphrases are used.

In conclusion, combining passphrases together with a password manager is an effective strategy to strengthen online security. It provides convenience using a centralized storage system while ensuring that all passwords are strong and unique. By leveraging both these methods, a user can better protect themselves against potential cyber threats in today's digital landscape.