Practical advice about password management

Yohan Beugin - December 2023

The objective of this post is to list practical and actionable advice about password management: randomly generating long and unique passwords and using a password manager to keep track of them.

Advice summary

Have I Been Pwned? The need for unique and randomly generated passwords

The service Have I Been Pwned? keeps track of different known data breaches and lets you check if one or several of your account(s) have been compromised as part of these breaches. If so, you will see which personal information has been leaked. Their Notify me service allows you to be notified if your email address appears in future breaches.

Not having any known compromised account does not mean that we should not plan for the eventuality that some of our passwords will get compromised at some point, whether through our own error (e.g., falling for a phishing attack) or through no fault of our own (e.g., the service we use does not follow best practices and gets compromised).

If one of your accounts is compromised, you should update its password and (where applicable) verify that the attacker has not added new recovery methods to your account. If you are reusing an identical or similar password across your accounts, you should change those as well. This is the main reason why you should never reuse passwords but instead generate unique, complex, and unguessable ones for each of your accounts: it prevents an attacker who compromises one of your accounts from accessing many others.

So what should I do?

Use long, unique, complex, and unguessable passwords for each of your accounts. Obviously, it is unreasonable to ask people to remember tens of different passwords, and that is where password managers come in.
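To make the two pieces of advice above concrete (random generation, and checking whether a password is already known from a breach), here is an added Python example that is not part of the original post. It draws passwords from the `secrets` CSPRNG, computes their entropy, and parses a response in the format of Have I Been Pwned's Pwned Passwords range API (one `SUFFIX:COUNT` line per SHA-1 suffix for a 5-hex-digit prefix), a feature of the same service that the post itself does not describe; the sample response and its counts are constructed here, not real data.

```python
import hashlib
import math
import secrets
import string

# Generator alphabet: letters, digits and punctuation (94 symbols).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 24, alphabet: str = ALPHABET) -> str:
    """Draw each character uniformly with the CSPRNG behind `secrets`
    (never the `random` module, whose output is predictable)."""
    if length < 12:
        raise ValueError("refuse to generate a short password")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet).
    Length dominates: 24 chars of a 94-symbol alphabet is ~157 bits."""
    return length * math.log2(alphabet_size)


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the upper-case hex SHA-1 into the 5-char prefix that is sent
    to the range API and the 35-char suffix that is compared locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def hibp_range_lookup(password: str, range_body: str) -> int:
    """Count how often `password` appears in a range response body.
    Only the hash prefix ever leaves the machine (k-anonymity); the
    suffix match is done here. Returns 0 when the password is not listed."""
    _prefix, suffix = sha1_prefix_suffix(password)
    for line in range_body.splitlines():
        if ":" not in line:
            continue
        candidate, count = line.strip().split(":", 1)
        if candidate == suffix:
            return int(count)
    return 0


# Constructed sample body for prefix 5BAA6 (the prefix of SHA-1("password")).
# Suffixes other than the middle one and all counts are made up for this example.
SAMPLE_RANGE_5BAA6 = """\
0018A45C4D1DEF81644B54AB7F969B88D65:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:1000
011053FD0102E94D6AE2F8B83D76FAF94F6:1
"""
```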

A password manager is a vault where you safely store the unique and complex passwords for all your accounts. The vault is itself secured with an authentication mechanism, most of the time a combination of a master password and multifactor authentication. This master password is one of the very few passwords that you should remember, as it gives you access to all the others once the password manager is unlocked. It goes without saying that the master password must itself be complex and unique.

Password managers are very simple to use and cross-platform (i.e., you can synchronize your passwords and access them from all your devices); they come with convenient browser extensions that log you in automatically on websites, and they take care of randomly generating complex and unique passwords for you when you create a new account. Some even offer unique email aliases for each of your accounts, which makes it harder to correlate that your accounts belong to the same person.

Which password manager to use?

You should pick a secure and vetted solution that you will find convenient to use every day. It is crucial that you create a strong master password that you can remember, enable multifactor authentication if your password manager supports it, and, if you use your password manager's browser extension, do not stay logged in to it by default. Finally, keep your account recovery mechanisms safe, as most online services will send a recovery or password reset link through email by default.

The first time you use your password manager, you will need to add all your accounts and passwords to its vault. While doing so, change the password of each account to a complex one randomly generated by your new password manager. Take the time to do it for all your accounts; this is very important.

A few recommendations: