Everyone talks about how your password needs to be better. It doesn't have enough wacky symbols and numbers and capitals, it can't have anything that looks like words, and it needs to be longer. As if that weren't hard enough, it can't look anything like any other password you've used before. And every service needs its own, even the forum you used once to get tips on marinating tofu:
“Ridiculous,” you mumble. “Tofu marinade fanclubs do not need a 30-character password.”
And yet... the bad news doesn't seem to go away. Every day there's another story of some idiot company that lost everyone's passwords, and how everyone needs to change again. And the truth is they're right. All the stolen passwords get passed around between criminals, and they know that you use the same password for everything. If they are smart (and they are), they can take the email and password they bought from the LinkedIn breach and try it on major banks, PayPal, email sites, and even your tofu marinade forum. And you're hosed.
Maybe you're a clever one: your normal password is 12345, but your LinkedIn password is 12345LI. Pretty tricky.
Except you're not that tricky. 1 in 50 LinkedIn users did the same thing to their normal password, and a different group did LI12345, and the bad guys can see everybody's tricks as they look through 117 million LinkedIn passwords.
And then they undo your trick, and make a little change to their program that tries everyone's password on PayPal so that it tries 12345, PP12345, 12345PP, 12345paypal, and 12345PayPal.
And they get in and all your money is gone.
Any trick you can come up with to help you remember your passwords can be easily reversed by clever jerks. The only solution is for every password to be hard and not shared with any other site.
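To show the "undo your trick" step from the defender's side, here is an added example (not from the original post) of the kind of check a signup form could run before accepting a password: it peels site tags such as PP or paypal off the front and back of the candidate, drops a short trailing run of digits or symbols, and asks whether what remains is already in a breached-password list. The breach list and the tag table are constructed for illustration, not real data.

```python
import re

# Constructed sample of passwords harvested from an earlier leak (not real data).
BREACHED = {"12345", "password", "qwerty", "letmein"}

# Site tags people bolt onto a reused password: "PP" or "paypal" for PayPal,
# "LI" or "linkedin" for LinkedIn. Hypothetical table for this example.
SITE_TAGS = {
    "paypal": ["paypal", "pp"],
    "linkedin": ["linkedin", "li"],
}

def strip_site_tags(candidate: str, site: str) -> str:
    """Remove any tag for this site from the front or back, case-insensitively.
    Repeats until nothing changes, so "PP12345paypal" collapses to "12345".
    A tag is never stripped if it would leave the string empty."""
    tags = sorted(SITE_TAGS.get(site, []), key=len, reverse=True)
    changed = True
    while changed:
        changed = False
        for tag in tags:
            if candidate.lower().startswith(tag) and len(candidate) > len(tag):
                candidate = candidate[len(tag):]
                changed = True
            if candidate.lower().endswith(tag) and len(candidate) > len(tag):
                candidate = candidate[:-len(tag)]
                changed = True
    return candidate

def is_trivial_mutation(candidate: str, site: str, breached=BREACHED) -> bool:
    """True if the candidate is a breached password as-is, or a breached password
    dressed up with a site tag and/or up to five trailing digits or symbols
    (the "password2024!" style of refresh)."""
    core = strip_site_tags(candidate, site)
    core_no_suffix = re.sub(r"[\d!@#$%^&*]{1,5}$", "", core)
    return candidate in breached or core in breached or core_no_suffix in breached
```

A real deployment would check against a large breach corpus rather than a four-entry set, but the normalisation step is the point: the site tag is not adding anything the attacker has to guess.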
"But it's not fair!" you say. "How on earth can I remember 50 completely random passwords? That's a full time job and I've got stuff to do!"
A password manager makes this problem go away. It is a little program that sits in your web browser and watches for passwords. If you tell it to remember a password, it gets added to a little list. When you sign up for a new service, it offers to generate and remember a perfectly complicated new password that no one will ever guess. And whenever you go back to one of those sites, it will remember everything so you can just click "ok".
"But, but..." you say, "they always say that writing down your password is bad!"
And you're right. Sticky notes and a file on your desktop are easy to find. But for lots of techno-jibber-jabber reasons, the good password managers are pretty safe. I don't recommend them for secret agents, mafiosos, or government officials, but for most of us, they're worth it.
When choosing a password manager, it's important to use a reliable and tested product. No Blue Light Specials or back-alley deals: you're going to entrust your life to this thing.
There are 3 top password managers right now. They have been tested for holes by passionate security nerds over the last 5 years and have come out in good shape.
LastPass (free version available)
KeePassXC (completely free)
Password managers have some unexpected benefits. If you use one consistently, it will protect you from phishing. It will also make each of your passwords much better than you could ever make them yourself.
Password managers are not magic. If you use one:
Do it right: put everything in there, even the boring stuff. Make a habit of never typing a password on a web service.
You may have to click on extra things when logging in, or even switch services. Some companies have a bee in their bonnet and make their sites hard to use with a password manager.
Make sure everything around your password manager is locked down tight. Set up your computer or phone with a strong password or even encrypt it.
Choose a strong master password for your manager.