💬 Calling all Developers and Security Enthusiasts, share your insights!

What have you learned about passwords and password security that you wish everyone knew? Share your insights!

I found this chart to be really helpful when choosing an appropriate master password that is both memorable and secure (Source: Are Your Passwords in the Green?):


Three things that come to mind:

  • As demonstrated by the chart @dh024 provided in his post, learning to use passphrases instead of passwords can be significantly more secure. Not only are phrases easier to remember than one or two words, but the length of characters in a password raises entropy exponentially on a given password dramatically making you less likely to have password cracked.

  • Many people will see something like a password book to be insecure and will inevitably mock or joke about someone who utilizes one. This ignores the user’s threat model as well as the accessibility needs of a given user. As an example, an elderly users who are not as technically savvy or feel overwhelmed by their computers are also the kind of user who would be difficult to get them to use a password manager or to have excellent recall of their passwords/passphrases. Writing them down in a password book (not just on a random sticky note) and putting it away in a secure location (like a locked desk drawer or cabinet) is better than a user that reuses password that could lead to credential stuffing and even other people in the infosec industry concur with this idea. The exposure of a user’s credentials in that scenario will be really small and fairly limited making them less prone to use the same password over and over again.

  • Despite what PCI-DSS compliance will force on your users based on NIST’s earlier recommendations, NIST has since rescinded those recommendations citing usability concerns that will likely lead to a user engaging in other bad security practices (e.g, predictable passwords, writing them down on sticky notes, storing them in a plain text document or spreadsheet).