You wouldn’t believe it, but there are things on the Internet that are not quite as true as their author makes them out to be. Shocking, isn’t it. So the other day, I came across this particular piece of bullshit advice.
Looks solid, doesn’t it? Strong passwords, who wouldn’t want one of those.
Unfortunately, this advice is 10 years out of date. Nobody on this planet is attacking passwords through brute-forcing anymore, making 90% of these hints total bullshit. And yes, I’m a security expert with publications and keynote speeches on the subject under my belt.
Here’s what you really need to do: Pick a bunch of passwords, 10 or so, that you can actually remember, so you don’t have to write them down or store them in a password manager. Grab one of the lists of top-100 passwords leaked from actual break-ins and make sure yours are not in it. Use 2-3 for all the non-important blogs and forums and other crap where you lose basically nothing if it’s compromised. Use the rest for the important sites, one for each ideally, or grouped by class (e.g. one for Twitter and Facebook and G+ since it’s basically the same).
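As an added example (not code from the original post), here is a small Python check for the “make sure yours are not in the leaked list” step. The leaked list below is a constructed stand-in for a real top-100 list, and the check goes slightly beyond the post by also flagging trivial variants (trailing digits, common letter-for-digit substitutions) that a wordlist rule would derive from a leaked entry.

```python
import re

# Constructed stand-in for a breach-derived top-100 list; in practice load
# the real list from a file, one password per line.
LEAKED_TOP = {
    "123456", "password", "qwerty", "letmein", "iloveyou",
    "welcome", "monkey", "dragon", "football", "admin",
}

# Undo the usual "clever" substitutions: 0->o, 1->i, 4->a, 3->e, $->s, @->a, !->i
_SUBS = str.maketrans("0143$@!", "oiaesai")


def normalize(pw: str) -> str:
    """Reduce a password to the base word a wordlist rule would start from:
    lowercase, drop trailing digits/punctuation, undo common substitutions."""
    base = re.sub(r"[\d\W_]+$", "", pw.lower())
    base = base.translate(_SUBS)
    # An all-digit password strips to nothing; keep it as-is so it is only
    # compared as an exact match, not as a "variant" of the empty string.
    return base or pw.lower()


def check_candidates(candidates, leaked=LEAKED_TOP):
    """Return {candidate: reason} for every candidate that should be rejected."""
    leaked_norm = {normalize(p) for p in leaked}
    rejected = {}
    for pw in candidates:
        if pw in leaked:
            rejected[pw] = "exact match in leaked list"
        elif normalize(pw) in leaked_norm:
            rejected[pw] = "trivial variant of a leaked password"
    return rejected


if __name__ == "__main__":
    # Constructed candidate set: two bad ones, one variant, one acceptable.
    mine = ["dragon", "P@ssw0rd!", "letmein2024", "correcthorsebattery"]
    for pw, why in check_candidates(mine).items():
        print(f"reject {pw!r}: {why}")
```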
For all practical purposes, this gives you 95% of the security of even the most convoluted scheme, with 10% of the effort and the added benefit that you’re not fucked if you don’t have your password manager with you.
Lastly, be aware that your account can be compromised in many different ways, and someone correctly guessing your password is the least likely one, as long as you don’t use 12345 or “password”.
And do use the password manager for those non-essential passwords. It’s just more convenient, and you’ve got little to lose. You see, real security is never about securing everything perfectly, it’s always about risk vs. cost. If your risk is low, don’t spend a lot (of money or effort) to secure it. Save that for the important things. The password or PIN to your online banking should never be stored in a password manager, for example.
Also, from this particular piece of nonsense you can learn that giving sources by listing only the domain name on an image is utterly worthless. It appears that in the original file they were clickable links, maybe leading to the actual articles, but of course all that functionality gets lost when it all gets converted to .jpg – these small details are another hint that an amateur was at work, someone good at making infographics, but bad at checking the details. And in security, the details matter.