Addendum: Passwords

This is a follow-up to my write-up on passwords.

It was really helpful to me to write that—I actually noticed a significant flaw in my scheme in the course of writing it up. Maybe it was also helpful to some of you who lean more towards the extreme end of the technical literacy spectrum. But despite all its merits, I can’t recommend it for general use. It just requires too much console hackery and tolerance of doing weird, complicated things on occasion.

So if you’d like to use secure passwords everywhere but don’t want to have to use the command line, I recommend the following approach:

  1. Using the method I described, generate two master passwords, one for your email account and one for LastPass. The email password can be 4 words long. The LastPass password should probably be at least 6 words long.
  2. Use LastPass’s built-in generator to generate your passwords for everything else.
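The word-count advice in step 1 is easiest to reason about in terms of entropy: each word drawn uniformly from a list of N words contributes log2(N) bits. The script below is an added example, not the author's own generator or the method from the earlier write-up; it assumes a diceware-style scheme (uniform random picks from a fixed word list using the operating system's CSPRNG) and embeds a tiny constructed word list so it runs offline. The 7776-word figure is the size of a standard diceware list and is used only for the entropy comparison.

```python
import math
import secrets

# Constructed sample word list for demonstration only. A real diceware-style
# list (for example the EFF large list) has 7776 words; never use a list this
# small for a real passphrase, because the entropy per word would be only 4 bits.
SAMPLE_WORDS = [
    "anchor", "basket", "candle", "dragon", "ember", "falcon", "garden",
    "harbor", "island", "jungle", "kettle", "lantern", "meadow", "nectar",
    "orchid", "pebble",
]

# Size of a standard diceware word list (6^5 outcomes of five dice).
DICEWARE_LIST_SIZE = 7776


def generate_passphrase(n_words, wordlist=SAMPLE_WORDS):
    """Return n_words chosen uniformly at random from wordlist, space separated.

    secrets.choice uses the OS CSPRNG; random.choice must not be used here
    because its Mersenne Twister output is predictable from earlier outputs.
    """
    if n_words < 1:
        raise ValueError("a passphrase needs at least one word")
    if len(set(wordlist)) != len(wordlist):
        raise ValueError("word list contains duplicates, which lowers entropy")
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


def passphrase_entropy_bits(n_words, wordlist_size):
    """Entropy in bits of n_words uniform picks from a list of wordlist_size words."""
    if n_words < 1 or wordlist_size < 2:
        raise ValueError("need at least one word drawn from a list of two or more")
    return n_words * math.log2(wordlist_size)


def guesses_at_rate(entropy_bits, guesses_per_second):
    """Expected seconds to guess a passphrase of the given entropy at a fixed rate.

    On average an attacker finds the passphrase after searching half the space,
    hence the division by two. The rate is an assumption the caller supplies.
    """
    return (2 ** entropy_bits / 2) / guesses_per_second


if __name__ == "__main__":
    # Compare the two word counts recommended above against a diceware-size list.
    for label, words in (("email (4 words)", 4), ("LastPass (6 words)", 6)):
        bits = passphrase_entropy_bits(words, DICEWARE_LIST_SIZE)
        # 1e10 guesses/s is an illustrative offline-cracking rate, not a measurement.
        years = guesses_at_rate(bits, 1e10) / (365 * 24 * 3600)
        print(f"{label}: {bits:.1f} bits, ~{years:.3g} years at 1e10 guesses/s")
    print("demo passphrase (tiny list, not for real use):", generate_passphrase(4))
```

Running it shows why the post asks for six words rather than four on the password manager: going from 4 to 6 words on a 7776-word list moves the passphrase from roughly 52 bits to roughly 78 bits, a factor of about 67 million more work for an attacker, and the master password protects every other credential in the vault.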

Now all your passwords are unique and unguessable; you can use them more or less everywhere through LastPass’s various web and mobile apps, and if you ever don’t have LastPass around for some reason, you can use any given site’s password recovery form to regain access via your email.

I recommend actually writing down the two passphrases you generate and carrying that piece of paper around with you for the first couple of weeks of using them. LastPass won’t let you reset your password, so if you forget it, you’re hosed. After you’re confident you’ve memorized the passwords, burn the paper.