I like the CorrectHorseBatteryStaple methodology. https://xkcd.com/936 !https://imgs.xkcd.com/comics/password_strength.png

My password is 'friend', should I change it? I feel like it keeps all the nasty visitors out while letting the good folk inside.

Just make one super strong password, use that to unlock you password manager and have it generate 30 character passwords for everything.

A much more secure password is "Mellon". I've used it as a door code for ages, and nobody can guess it.

Some great mind took hours to break this password. Hours! Spoiler: the pony survived!

Random passwords are good practice, what isn’t good practice is following _specific password requirements_ like 10 characters 1 uppercase, 1 symbol because that _reduces your search space_. A 30 or 50 character password generated by your password manager is _always_ the most secure option, the longer the better. I generate passwords that go to the maximum the service allows.

Ideally all lowercase letters to make them easy to type when you need to use them in another device. Unfortunately, a lot of places don't allow that, preferring less secure and more inconvenient passwords.

“Password must be between 8 and 12 characters” ‍️

Also: Reminder to enable 2 factor authentication, of you haven't.

This is what you get for making me admin, I've gone mad with power, muhahahahaha! crimes o-o

Password managers are OK but I have hesitations on them personally. I'm leery of putting all my most high-value stuff in one place behind one password. What I do instead is memorize a truly unreasonable amount of passwords, though, which I recognize is not a reasonable expectation for others. For threat models in which you're not worried about in-person attacks, it may actually be a good idea to just write your passwords down, maybe keep your password book in something with a lock on it. I'm not advocating for any particular method, just putting it out there so people can make an informed decision.

Diceware is a method of generating random memorable passwords.

Basically what diceware does. It's just that humans are really bad at picking random words ("banana" is over represented, for instance) that's what diceware helps with.

I would suggest a password locker rather than just a generated passphrase.

'Pass word1! Oh, ' and spaces aren't allowed?

I used to use words from different vernaculars or languages. Sometimes i double check they are too abstract and weird to correct horse battery staple easily just because I'm a contrarian asshole snd thst helps me remember. exquisitevibrattoacquittalbevelschaudenfreude

Horse: "That's a battery staple." Man: "Correct!"

these are called pass *phrases* and yes, they tend to be way more secure at least until quantum computers render all traditional cryptography meaningless.

> I'm leery of putting all my most high-value stuff in one place behind one password. Most password managers can be set up to also require a keyfile and/or physical passkey to unlock their databases. A keyfile means someone couldn't get into your password database even if it got leaked and they knew the password (assuming you stored your keyfile separate from the database - the file and its location should be treated like a password itself), while a physical passkey makes it virtually impossible to breach the database unless someone steals the USB device.

Over the years, nobody has ever guessed my passwords, but four sites I was subscribed to were compromised and my email+password got leaked anyway. The strongest chain and the weakest link...