If I don’t have to memorize something, I prefer not to. Albert Einstein said, “Intelligence is not the ability to remember information, but knowing where to find it.” In Getting Things Done, David Allen wrote, “Your mind is for having ideas, not holding them.” I’m in good company.
I used to devote an inordinate amount of mental energy to remembering passwords. I tried to follow the recommended practices of incorporating numbers and punctuation and never reused passwords across sites. I would take something distinct about the site as a mnemonic and derive a unique-but-relevant password. I couldn’t tell you the number of times I reset a password only to retrace the same steps into the mind palace and arrive at the same password I had set before. (I know this because some sites don’t let you reset your password to what it was.)
Then I met 1Password. Now I delegate (almost) all of my password concerns to it, freeing up my attention to focus on what I need to do instead of the details of doing it.
Stop Trying to Make Memorable Passwords
The golden rule of passwords is to never reuse passwords. Never. Once one site is breached—this happens all the time—every other site that uses that same password is compromised. Bad guys know they’re not going to get access to your bank account by attacking the bank’s website. Instead, they break through the much weaker security at I-heart-fluffy-kittens.com and look for people that used the same password for their online banking.
Here’s the problem. We like memorizing patterns. They help us remember. We can form associations and our brain can reconnect the dots.
Patterns are easy to break. They’re predictable. Repeated numbers, runs of numbers (the most-used password in 2016 was “123456”, for the third year in a row), and even geometric sequences (“qwerty” was #6, “zaq1zaq1” #24) aren’t much harder to crack with a brute-force attack than words from a dictionary.
What makes a good password? Entropy. Lots of it. Entropy is hard to guess. It’s also hard to remember.
Unfortunately, xkcd’s method, which most security researchers agree will help you create a strong password, doesn’t scale. You need to create a different password for every site. You can’t hold that many passwords in your head.
This is where 1Password comes in. Use the correct-horse-battery-staple method to choose a strong password for your 1Password Master Password, then let 1Password create and remember the rest. (CorrectHorseBatteryStaple.net can help you make sure you’re picking random words, which is where the entropy is introduced; “letmeinfacebook” has zero entropy.)
One password to rule them all and in the darkness find them.
There are only a few passwords you really need to consider remembering:
- Your 1Password Master Password. This is the 1 in 1Password. Your vault is encrypted with your master password. Without it, you can’t retrieve any of the passwords or other information you’ve stored. AgileBits can’t unlock it for you. If you only remember one password, this is the one.
- Your computer’s login password. 1Password can’t help you enter your login password. You can store it in 1Password, but you’ll need to bring it up on your phone and type it in manually. It’s possible but might get old quickly. Using TouchID and your Apple Watch to unlock your Mac can reduce the number of times you need to enter it in a day, but even then, you’re going to have to enter this password a lot.
- Your iCloud/Gmail Password. I’ll be honest—I made my passwords for iCloud and Gmail more memorable because I have to type them in so often. I could use 1Password if I wanted to. These are just two of the holdouts from years ago, before I started using 1Password and strengthening my passwords.
- The Key to Someone Else’s Kingdom There’s a work-related password that gives me the keys to the kingdom. I don’t store it just in case my 1Password vault does get breached. I don’t expect that to happen. I entrust it with all kinds of sensitive personal information, not just passwords, but if something does happen, that one won’t be breached. This is the exception that defines the rule.
The Master Password is the only one you need to memorize. The rest, you’re trading a little comfort or security for increased convenience. For any passwords you do make memorable, be sure to follow the rules for making memorable-but-strong passwords. Your 1Password keychain is only as secure as its weakest link—you.
Your web browser probably offers to create and store passwords for you. That’s fine. I use 1Password to complement Safari’s built-in password management. It creates stronger passwords, remembers more kinds of information for me, and it’s easier to look up what a password is for those times where I need to type it in.
My favorite trick with 1Password? Creating insanely strong security questions.
1Password is available where you need it. There are native apps for macOS, iOS, Windows, and Android. There are browser extensions for Safari, Chrome, Firefox, and Opera. You can carry a handful of specific passwords on your AppleWatch. Still not covered? You can sign into 1Password.com from any browser. When you need it, it will be there.