Storing and Remembering Passwords Securely

Tips and Tools To Help You Keep Track of Passwords Without Yellow Sticky Notes

Pensive businessman with hand on chin
Caiaimage/Chris Ryan Getty Images

Hundreds of millions of passwords were breached by hackers in 2017 alone. Don't think you weren't breached—odds are good that at least one of your username/password pairs is floating around, being sold to the highest bidder. Protect yourself by ensuring that you have robust passwords that are too rare and too complicated for most hackers to bother trying to crack.

Memory-Based Techniques

You need not memorize a hundred different passwords: One way to generate unique passwords for every site you visit, yet remember them all in your own head, is to use a set of easy-to-remember rules.

Different sites specify different minimum standards for a password—minimum character counts, use of special characters, use of numbers, use of some symbols but not others—so you'll probably need a base structure that differs for each of these use cases, but your algorithm can remain the same.

For example, you could memorize a series of fixed letters and numbers and then modify that string to focus it on the specific website. For example, if your license plate is 000 ZZZ, you could use these six characters as a base. Then, add a form of punctuation and then the first four letters of the site's official name. To log in to your account at Chase Bank, then, your password would be 000ZZZ!chas; your password at Netflix would be 000ZZZ!netf. Need to change the password because it expired? Just add a number at the end.

This approach isn't perfect—you're better off using a password manager—but at least this method will ensure that your password isn't among the estimated 91 percent of all passwords that appear on a Top 1,000 list.

Application-Based Techniques

If remembering rules isn't your thing, consider using a dedicated application service to generate, store and retrieve your passwords for you.

If you welcome the convenience of having your password manager in the cloud, try:

  • 1Password includes a travel option to let you wipe passwords when you travel, so that if your device is confiscated by authorities at the border, your passwords are safe
  • Dashlane generates and secures passwords on your behalf
  • LastPass works as a free-standing application as well as a browser plug-in
  • RoboForm includes a secure-sharing feature so you can share passwords with friends and colleagues

If you prefer a solution that's tied to your desktop computer, try:

  • KeePass supports download as a portable application, so it doesn't even need to be installed on your computer to run
  • Password Safe was designed by a noted security researcher; the tool is simple but effective

Password Best Practices

The rules for password best practices changed in 2017, when the National Institute for Standards and Technology, an agency within the U.S. Department of Commerce, released its report,  Digital Identity Guidelines: Authentication and Lifecycle Management. NIST recommended that websites stop requiring periodic password changes, eliminate password complexity rules in favor of passphrases and support the use of password-manager tools.

NIST's standards are widely accepted by the information-security profession, but whether website operators will adapt their policies based on the new guidance is unclear.

To maintain effective passwords, you should:

  • Use a password manager
  • Refrain from using "random" passwords using adjacent keypresses, e.g., qwerasdfzxcv
  • Avoid reusing passwords among websites
  • Pass on words that are in the dictionary
  • Avoid using commonly guessed passwords