P4ssW0rD5 !
They are an inherently flawed method of securing your information.
Don’t believe me?
If your password is less than seven characters long, and the site stored it as a plain, unsalted fast hash (as far too many still do), it can be cracked in minutes using relatively cheap, off-the-shelf computing hardware.
If it is longer than seven but is still a word that appears on a wordlist, it is rubbish even if you swap e’s for 3’s and sprinkle in capital letters: those substitutions are exactly the rules a cracker applies to every word on the list.
There are publicly available wordlists with 60 billion entries on them. That number might seem high, but a dedicated password-cracking machine costing less than $2000 will test around 6 billion guesses per second against a fast hash such as MD5 or SHA-1. At that rate the whole 60-billion-word list takes ten seconds, every combination of up to six printable characters falls in a couple of minutes, and extending that to seven characters takes about three hours (95^7 guesses at 6 billion per second). Slow, salted hashes such as bcrypt, scrypt or Argon2 cut that rate by orders of magnitude, but the wordlist attacks still find the weak passwords; they just take longer.
If virtually any combination you can think of is on that list, it can be cracked in seconds. A password made of short words strung together is done for, and anything that matches a common formula, for example a capital letter, three or four lowercase letters, then three or four digits, is gone in minutes.
Recently, details of hundreds of millions of LinkedIn accounts were dumped on the Internet.
The dump contained email addresses and, for each account, an unsalted SHA-1 hash of the password. That is a hash, not encryption, and with no salt a single guess can be checked against every account in the dump at once.
The vast majority of the passwords were cracked within hours of the dump becoming available.
The results are not a big surprise: ‘letmein’ and ‘linkedin’ turn up in enormous numbers, as do qwerty, qpwoeiruty, qazplm, asdfg and many, many other keyboard patterns. Beyond that there are common shapes, one capital followed by lowercase letters and then a run of digits (Aaaaa9999) is everywhere, and names and dates are all over the place.
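To make the cracking arithmetic above and the LinkedIn dump concrete, here is an added example (mine, not the author’s, and not any real cracking tool): a tiny dictionary-plus-rules attack against constructed, unsalted SHA-1 hashes of the kind the dump contained, followed by the brute-force time estimates. The wordlist, the target passwords, the rule set and the 10,000-guesses-per-second figure for a slow hash are all assumptions chosen for illustration; only the 6-billion-per-second figure comes from the post.

```python
import hashlib

# Constructed mini wordlist: a few dictionary words plus the keyboard
# patterns the post mentions. A real wordlist runs to billions of entries.
WORDLIST = ["password", "letmein", "linkedin", "welcome", "monkey",
            "qwerty", "qpwoeiruty", "qazplm", "asdfg"]

# The "swap letters for look-alike digits" trick, expressed as a cracking rule.
LEET = str.maketrans("aeios", "43105")
# Suffixes that rule sets try on every base word (assumed, illustrative).
SUFFIXES = ["", "1", "12", "123", "!", "1!", "2016", "99"]


def mangle(word):
    """Yield the variants a rule-based cracker derives from one word:
    case changes, leet substitutions and common appended digits.
    Each dictionary word costs the attacker only a few dozen extra guesses."""
    bases = {word.lower(), word.capitalize(), word.upper()}
    bases |= {b.translate(LEET) for b in list(bases)}
    for base in sorted(bases):
        for suffix in SUFFIXES:
            yield base + suffix


def sha1_hex(candidate):
    """Unsalted SHA-1 hex digest, the format the LinkedIn dump used."""
    return hashlib.sha1(candidate.encode()).hexdigest()


def crack(hashes, wordlist=WORDLIST):
    """Dictionary + rules attack. Because the hashes are unsalted, each guess
    is hashed once and compared against every user's hash at the same time."""
    targets = set(hashes)
    found = {}
    for word in wordlist:
        for cand in mangle(word):
            h = sha1_hex(cand)
            if h in targets:
                found[h] = cand
                targets.discard(h)
                if not targets:
                    return found
    return found


def simulate_dump(plaintexts):
    """Constructed stand-in for the leaked file (a real run would read hex
    digests from disk; it never sees plaintexts)."""
    return [sha1_hex(p) for p in plaintexts]


def crack_time_seconds(charset_size, length, guesses_per_second):
    """Worst case to exhaust every string of exactly `length` characters
    drawn from `charset_size` symbols at the given guess rate."""
    return charset_size ** length / guesses_per_second


FAST_HASH_RATE = 6e9   # the post's figure: a ~$2000 rig against unsalted SHA-1/MD5
SLOW_HASH_RATE = 1e4   # assumption for illustration: a deliberately slow hash
                       # (bcrypt, scrypt, Argon2) on the same hardware
PRINTABLE_ASCII = 95   # printable ASCII characters


if __name__ == "__main__":
    # Constructed "victims": three weak passwords and one random one.
    dump = simulate_dump(["Letmein1", "L1nk3d1n2016", "QWERTY!", "xq7!Lm2#pz"])
    for h, pw in crack(dump).items():
        print(h, "->", pw)
    for length in (6, 7, 8, 12):
        fast = crack_time_seconds(PRINTABLE_ASCII, length, FAST_HASH_RATE)
        slow = crack_time_seconds(PRINTABLE_ASCII, length, SLOW_HASH_RATE)
        print(f"{length} chars: {fast / 3600:.1f} h against a fast hash, "
              f"{slow / 3600 / 24 / 365:.0f} years against a slow one")
```

The three mangled dictionary words fall on the first pass; the random one survives because no rule produces it. The second loop is the point of the caveat above: seven characters is about three hours against a fast unsalted hash and centuries against a slow one, yet the dictionary attack in the first loop finds the weak passwords in either case.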
If you had a LinkedIn account and used the same email address and password combination elsewhere, those other accounts are now open to the world: attackers feed leaked combinations into automated login attempts against every other site they can think of.
Any reuse of that password needs to be assessed, and every reused password needs to change, right now.
The problem is not limited to the passwords themselves. A dump like this reveals how people build passwords, and crackers use those patterns to guess your other passwords. We need a much better password strategy.
There is a major problem though: remembering multitudes of passwords, and creating passwords that are easy to remember but tough to crack, is very difficult.
Additionally, you need to enable two-factor authentication everywhere it is available. It is perhaps the last line of defence you have, and you are hoping it is good enough to keep the bad guys out.
Two-factor authentication (2FA) is a very good tool. If a bad person tries to log in to your account, they need not only your login and password but also a secret, ever-changing code that, in theory, only you have access to: typically a six-digit code derived from a secret shared with an app on your phone, changing every 30 seconds.
Which leads me back to the passwords. 2FA is great, but 2FA plus a decent password with zero reuse is way, way better. So much better that it is pretty much the only way to stay even slightly safe.
But it is really, really hard to choose a decent password.
Zero reuse means that no aspect of the password should be the same. If, like me, you have accounts all over the place, this means coming up with potentially hundreds of genuinely unique passwords.
If you used password1 as your password, you should not use password2, Password1, p455word1 or any of the dozens of similar variations. They are, to all intents and purposes, equally useless: a cracker derives every one of them from the original with a handful of rules.
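One way to check yourself against exactly that kind of near-reuse, as an added example that is not from the original post: strip off the cheap transformations a cracker undoes for free (case, appended digits and symbols, digit-for-letter substitutions) and see whether what is left matches something you already use. The substitution table, the suffix rule and the 20-character generator are my assumptions for illustration, and the check only models the transformations named in the post; a root mismatch does not prove two passwords are unrelated.

```python
import math
import re
import secrets
import string

# Reverse of the common look-alike substitutions (4->a, 3->e, 1->i, 0->o,
# $ and 5->s, @->a). Assumed table; real rule sets are far larger.
UNLEET = str.maketrans("4310$5@", "aeiossa")
# Trailing digits and punctuation ("1", "2016", "!", "123!") that get bolted on.
TRAILING = re.compile(r"[\d\W_]+$")


def root(password):
    """Reduce a password to what an attacker's rules would reduce it to:
    lowercase, no appended digits/symbols, substitutions undone. Two
    passwords with the same root are, to a cracker, the same password."""
    s = password.lower()
    s = TRAILING.sub("", s)
    return s.translate(UNLEET)


def is_reuse(candidate, existing):
    """True if `candidate` shares a root with any password already in use."""
    r = root(candidate)
    return any(root(p) == r for p in existing)


ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate(length=20, alphabet=ALPHABET):
    """What a password manager does instead: a uniformly random string from
    a cryptographically secure generator, with no root to share with anything."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet=ALPHABET):
    """Entropy of a uniformly random password of this length and alphabet."""
    return length * math.log2(len(alphabet))


if __name__ == "__main__":
    in_use = ["password1"]  # constructed: the one password already in use
    for cand in ["password2", "Password1", "p455word1", "P@$$word2016!", generate()]:
        print(f"{cand!r}: root={root(cand)!r} reuse={is_reuse(cand, in_use)}")
    print(f"{entropy_bits(20):.0f} bits for a 20-character random password")
```

Every variant the post lists collapses to the root "password" and is flagged; the generated one does not, and at roughly 131 bits it is far beyond the seven-character figures earlier in the post. That is the case for letting the manager choose.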
A password manager is a great improvement, then.
LastPass is really rather awesome, but so is Apple’s iCloud Keychain. There are quite a few available, but…
Remember, right at the top of this page, I wrote ‘Passwords are rubbish’?
All of the password managers require a master password of some description, usually backed up with 2FA.
The second factor is usually your phone. That sounds like a good idea, but I am not so sure.
If, for example, your phone has the imaginative PIN of 1234, because ‘hey, it’s convenient’, then a malicious actor, or a law enforcement officer (I’m not sure which is worse), can get to all of your login/password combinations, simply by leveraging the terrible PIN you chose to lock your phone, and the access the phone has to the vault.
So, here is the problem.
Few humans can generate and remember passwords of sufficient variety and complexity to make them very hard to crack.
Two-factor authentication only adds a single extra layer to the security of an account.
Password vaults and generators are only as secure as the password that guards them, and we all know how bad humans are at this sort of thing.
There must be an answer, but short of setting up your phone with a very secure password protecting it, a different but equally secure password protecting your computer, a third protecting your tablet, and yet another super-secure password protecting your password vault (with 2FA), there seem to be few options.
Obviously this is all pretty inconvenient, but it is way less trouble than losing your phone and realising that whoever finds it can access every online service you have and cause ridiculous amounts of pain and chaos, just because 1234 is a convenient PIN.
It’s up to you, but I am going to set up my phone’s unlock code to
y89-bio-m8-4c3897-~(U@^£!91>23-79x<“.?wn98*!@37987b-;3428t~~~~`oilkadr9f90
At the very least it will stop me from ever actually being able to use it, but hopefully it will lock out the bad guys, unless of course they read this blog…
