How to
Jonathan Crowe
Oct 2016

How to Choose and Manage Better Passwords

Editor's note: This post is a excerpt from our new free guide, The Amazing Security Awareness Playbook: How to Make Training Engaging, Practical, and Actually Effective.  

Password management has been a problem since the days of “open sesame” (not a good password, by the way). Despite years and years of training and effort, the stubborn fact remains: People are stupendously bad at creating and remembering strong passwords.  

That’s a big issue, because no matter how good your security is, if your users are using easy-to-guess or crack passwords, they’re essentially leaving the keys to your kingdom under the doormat. Is there one magic answer that will fix poor password use once and for all? Probably not. But here are three tips that can help.

1) Teach users to use “secret sentences”

The password problem really boils down to friction caused by having two requirements in direct opposition with one another:

  1. Passwords need to be complex and/or random enough to make them difficult to guess.
  2. Passwords need to be simple and/or relevant enough to make them easy to remember.  

Pete Herzog’s solution? Use a “secret sentence” — a password that is a complete sentence with capitalization and punctuation that means something to you so you’ll remember it.

Secret sentence password: a complete sentence with capitalization and punctuation that means something to you.

  • A secret sentence for Facebook might be: I just wasted 2 hours on Facebook!
  • For your VoIP provider, it might be: Boss says, “No more big bills.” (complete with spaces and all the punctuation, if possible)

Herzog is co-founder of ISECOM, the Institute for Security and Open Methodologies, and an expert at helping organizations and their users make sense of security. He explains secret sentences fulfill both core requirements for good passwords: As long as the sentence is long enough (think five words or more), mathematically it will be extremely difficult to guess. And by taking the form of a story that’s relevant to the user, it will be easier for them to recall.

Note: In some cases, users may be required to add numbers or refrain from using spaces or certain types of punctuation, in which case they’ll need to adjust their sentences accordingly.

2) Use different passwords for every account

As Herzog puts it, “Reusing passwords across vendors is the fastest and easiest way to get accounts compromised.” You don’t have to search long for good examples that drive that point home. Take your pick of any one of the “mega breaches” recently come to light (Yahoo, LinkedIn, Tumblr, Myspace, etc.). Despite the fact that the passwords stolen in these breaches were 3-4 years old, hackers were still able to use them to access user accounts for those services and others.

Explain to your users that using the same password for Facebook, their email, and their bank account could land them in big trouble if and when Facebook gets hacked. The best approach is to use a different secret sentence for any account that stores sensitive information. Slight variations and patterns (password1, password2, etc.) are not the answer.

Tip: Brian Krebs suggests encouraging users to create a list of all the services they have passwords for. Next to each, they should write a clue to the password that only has meaning for them.

Of course, if the thought of creating secret sentences for every account seems daunting or unrealistic, that brings us to tip #3.

3) Use a password manager

Another option is to take the pressure of creating and remembering strong passwords off users’ shoulders by showing them how to use a password manager. Password managers are online third-party services like 1Password, Dashlane, and LastPass that generate and save strong passwords for you. All you need is one really good master password to rule them all.

Password managers aren’t the perfect solution for everyone, but they’re certainly a good option for most. Just remember, if you’re going to expect users to use them you’re going to have to train them how. 

Jonathan Crowe

Jonathan Crowe

Jonathan covers the latest threats and cybersecurity trends from a practical perspective.


Close the gaps in your security

Stop paying for AV, get the strongest protection instead. See how Barkly blocks attacks that are getting past AV.

See a demo


Stay informed!

Get the latest security news, tips, and trends straight to your inbox.

Stay informed!

Get the latest security news, tips, and trends straight to your inbox.