Listen to this story




It’s a Huge Mistake to Memorize Your Passwords

Here’s what to do instead — and which services you should use

Credit: Andrew Brookes/Cultura/Getty

YYou shouldn’t know any of your passwords. But there’s a decent chance you do — many of us fall into a default pattern of memorizing one or two and using them across countless websites and services.

That’s a mistake. If you’re still doing this, or if you know any of your passwords at all, it’s time to change it up. These days, the only secure password is one you can’t possibly remember. Studies have repeatedly shown that password reuse is the most common security blunder people make. When a single service gets hacked — which happens constantly — hackers are able to guess which other services you use and break into those with the same password.

This tactic, called credential stuffing, is used by hackers to target people’s most personal information. Say you signed up years ago for a service like, which was breached in 2012; if your banking password is the same, you might be kissing your identity goodbye simply because hackers are able to guess that the passwords matched.

If you’re lucky, you’ve probably been only caught up in a single breach, but the reality is that the majority of us have been affected multiple times over the years. All it takes to find out is typing your email address into Have I Been Pwned, a free service run by security researcher Troy Hunt.

You shouldn’t know any of your passwords for the services you use. Most importantly, every single site or app you’re using should use a unique password.

The site, which tracks publicly reported breaches, who was caught in them, and what information was breached, will reveal how many companies have failed to keep your data safe. I ran my own email address through it and found I’ve been breached more than 10 times. Thankfully, in most of these cases, the password I used for each site was unique.

In 2019, the only way to completely protect yourself from a password breach is to log off, delete all your accounts, and live a hermit’s life in the woods. If the offline lifestyle isn’t for you, then it’s time to manage your exposure.

What you should be doing

Here’s one fact you should memorize: every single site or app you’re using should use a unique password.

That’s where password managers come in. In a way, they’re similar to those little password books many families kept next to their computers in the ‘90s–they store all of your passwords for easy retrieval.

Unlike password books, however, these tools are much more secure, locked by a complex “master” password that only you know, which renders the contents of the digital safe accessible only by you. When you sign up for a new website, you fill in all of your details like normal. When you reach the password field, instead of typing in that password you always use, you click the manager’s icon in your browser, unlock it, and generate a new, random password. These should be longer and more complex than you would ever be able to memorize — and they’ll be stored for easy access later.

The next time you return to that service, you can click the password manager’s icon (or use a keyboard shortcut) to instantly log in. If you haven’t unlocked your password safe recently, you’ll need to type the “master” password again, which unlocks the safe for a set period of time and magically logs you into the service.

While centralizing your passwords in a single tool might seem like a bad idea, they’re designed to protect you. They use strong encryption and make it easier to practice better security in your daily life.

Which password manager should I use?

As with VPN services, there are a dizzying array of password managers out there. It’s important to choose a trustworthy tool, because whatever you settle on should work for the long haul — it’s not exactly fun to switch password managers.

Here are a few solid options.

My pick: 1Password

1Password is the gold standard in the password manager space, with apps available for macOS, Windows, web browsers, Android, and iOS. I’ve tried the majority of password managers out there over the years, and 1Password checks all of my boxes. It hasn’t been subjected to a serious data breach of its own, offers simple synchronization to all of your devices, detects which of your accounts have been affected by a breach, and quickly adopts new technology to make life easier — like unlocking your safe with Apple’s Face ID on your iPhone.

1Password costs money to use (starting at $2.99 per month), but it offers a family plan for multiple users, so you can secure everyone you care about. And paying for a password manager means the company behind it is motivated to protect you as best it can.

Out of all the tools I’ve used, 1Password offers the best balance of simplicity and strong security.

Runner-up: Dashlane

If you’re looking for a little more out of your password manager, Dashlane is a great, younger alternative to 1Password. It does the same basic things well but offers additional tools, like a feature that can automatically change passwords on supported services on a regular basis.

I really like Dashlane, but its apps don’t feel as polished as 1Password’s. The company is also slower to add new features, and the subscription is a little more expensive at $60 per year.

Honorable mention: KeePass

If you can’t swing a monthly fee, that doesn’t mean you have to miss out. KeePass is an open-source password manager with decent features and a community of developers working together to build a free tool for everyone to use.

Because it’s open source, the code behind KeePass isn’t a secret, so anyone can read it and be sure that it’s secure. That also means hackers can too, but historically that hasn’t been an issue.

One major difference, however, is usability. The polish you see in 1Password and Dashlane isn’t present here, so the app isn’t as user-friendly, nor is it as fast to come to new platforms. You get what you pay for.

Other tools

LastPass is a well-known option, but it was subject to a breach back in 2015, which gives me pause. Plus, its apps are largely browser-based, so they don’t feel as easy to use as the competition.

Apple Keychain, which is built into iOS and macOS, is convenient, but I don’t recommend it. While it’s better for your security than nothing at all, it’s far less sophisticated than a dedicated tool, and it’s tied to your Apple account — which makes it an easy target if attackers break into your Apple ID.

One last thing: choosing a master password

We’re almost there; the last thing you need to know is how to choose the “master” password to protect all of your individual logins.

Experts have varying advice on the subject, but many suggest that the best master password is difficult to guess and easy to remember. This approach was covered by the web comic XKCD, which suggested a password like “correct horse battery staple.” That’s strange enough to remember, but it’s also difficult to quickly guess at random.

Here’s my advice:

  • Think of a set of 3–5 obscure, unrelated words, like “octopus house quark medium.” Again, easy for you to remember, but hard for someone else to predict.
  • Tie those words together with an unexpected character, like a ‘-’ or ‘$’ instead of the space bar.
  • Combine the two into your master password. In this example, you would get “octopus$house$quark$medium” — which you can practice by repeating to yourself until you remember it.
  • Never, ever use this password anywhere else, and do not forget it.

Some writers disagree with this approach to password creation, because there technically are ways for a hacker to brute-force their way in. But it’s important to remember that security is a spectrum; you can’t fight every battle. For me, this trick works well, and balances human-friendly words with actual security.

Once you’ve locked a master password in, you can start creating new passwords for the services you already use and store them in your password manager for easy login.

I’d highly recommend changing the more important services you use immediately, like your bank, Apple ID, or tax login details, to increase your overall security. For everything else that you’re not using daily, make a habit of changing them as soon as you need to log in with a memorized password. It gets easier as you keep doing it.

Security practices like this aren’t fun or obvious, which is why so few people tend to use them — it takes time to set them up and learn why they’re important. (Perhaps not coincidentally, the two most popular passwords are “123456” and “password.”) But take it one step at a time and you’ll help yourself avoid a devastating hack in the future.

If you’re in the habit of using one of these tools, the next time that inevitable email warning that a company was breached comes in, you can sleep much easier: At least the attackers can’t get into absolutely everything.

Developer, accidental wordsmith. OneZero columnist trying to debug the why behind tech news. Follow: Blog: