How To Remember Passwords
And Avoid A Password Leak¶
Last updated: March 2022. For beginners. No tech skills required.
Ever lived through a password leak? This is a beginners guide to creating strong and unique, yet simple to remember passwords for your accounts, devices and encrypted files. We'll discuss some password length best practices and review open source password managers such as Keepass XC, Keepass DX or Strongbox, as well as how to enable 2FA (which is a form of multi-factor authentication).
Diceware & password entropy¶
Diceware is a popular password generation method. All you need is a dice, a pen and a piece of paper. If you choose a password composed of at least 7 words, this is considered as virtually unbreakable by today's technology standard. Read on below to learn more.
Show me step-by-step guide
| Steps | Instructions |
|---|---|
| 1 | Select a Diceware word list. For example the original list, or the list provided by the Electronic Frontier Foundation. There are many others to choose from, in several languages. |
| 2 | Roll a dice 5 times and write down the numbers. |
| 3 | Look up the corresponding word in the Diceware list, and write it down. |
| 4 | How long should a password be? Repeat the previous steps until you have at least 6 words. Actually, 7 words are recommended – depending on the password entropy calculator, this achieves an entropy of approximately 90 bits. According to Diceware's FAQ, this is unbreakable with any known technology, but may be within the range of large organizations by around 2030. Eight words should be completely secure through 2050. |
| 5 | The combination of these words is your secure password. Make sure to separate the words by a space. |
Show me the 2-minute summary video
Courtesy of the Electronic Frontier Foundation.
Has my password been hacked?
| Where you hacked? | Description |
|---|---|
| Have I Been Pwned | Reverse search engine to check your email or password against a huge list of stolen data and hacked accounts. |
| Dehashed | Search for IP addresses, emails, usernames, names, phone numbers and so on to gain insight on security breaches, database breaches and account leaks. |
Keepass review¶
Keepass is a free and open source password manager, available on almost all devices. It stores your passwords in an encrypted database, which itself is protected by a master password — one password to rule them all. Obviously, you should never forget this master password!
We also recommend to keep your password manager database offline. Store it locally on your devices, and keep two remote copies as backup.
Keepass XC, Keepass DX & Strongbox¶
Keepass DX is a free, secure and open source password manager for Android. More detailed instructions below.
Show me the step-by-step guide for Android
Simply download the app from Google's Play Store, F-Droid or Aurora Store. It contains 0 trackers and requires 6 permissions.
At the time of writing, there was no free version of Keepass DX available for iOS. Strongbox is a secure and open source Keepass client. More detailed instructions below.
Show me the step-by-step guide for iOS
Simply download Strongbox from the App Store.
KeePass XC is a cross-platform, community-driven, free and open source password manager. More detailed instructions below.
Show me the step-by-step guide for Windows
Download the installer, double click on the .msi file and follow the installation wizard.
KeePass XC is a cross-platform, community-driven, free and open source password manager. More detailed instructions below.
Show me the step-by-step guide for macOS
Download the installer, it should open by itself and mount a new volume containing the Keepass XC application. If not, open the downloaded .dmg file and drag the appearing Keepass XC icon on top of the Application folder. For easy access, open the Applications folder and drag the Keepass XC icon to the dock.
KeePass XC is a cross-platform, community-driven, free and open source password manager. More detailed instructions below.
Show me the step-by-step guide for Linux (Ubuntu)
If you run a Linux distribution such as Ubuntu, open the terminal with the CTRL + ALT + T shortcut, or click on the Applications button on the top left and search for Terminal. Run the following commands to install KeePassXC:
sudo add-apt-repository ppa:phoerious/keepassxc
sudo apt update
sudo apt install keepassxc
Show me the 2-minute summary video
Courtesy of the Electronic Frontier Foundation.
How to enable 2FA & generate backup codes¶
Two-factor authentication (2FA) provides an additional security layer. It requires more than just a password to access services or accounts. For example, a single-use verification code sent by SMS or generated by an authenticator app or key.
While two-factor authentication is generally considered to increase security, it offers additional surface for cyber-attacks such as Phishing, identity theft (SIM swap attack) or SMS hijacking (SS7 attacks). It is also less convenient to the average user.
We're not going to describe the benefits of multi-factor authentication. All in all, we would advise two-factor authentication. Choose for yourself if this brings additional benefits, depending on your threat modeling. If you go for it, don't forget to safely store the backup codes that some services provide. They can be life savers when you loose access to your phone or authentication program.
AndOTP, Tofu & Yubico Authenticator¶
AndOTP is a free and open source two-factor authenticator for Android. More detailed instructions below.
Show me the step-by-step guide for Android
Simply download the app from Google's Play Store, F-Droid or Aurora Store. It contains 0 trackers and requires 1 permission.
Tofu is a free and open source TOTP authenticator for iOS. More detailed instructions below.
Show me the step-by-step guide for iOS
Simply download Tofu from the App Store.
Yubico Authenticator is a cross-platform and open source authenticator app. It requires a physical hardware key. More detailed instructions below.
Show me the step-by-step guide for Windows
Download the installer and follow the installation wizard.
Yubico Authenticator is a cross-platform and open source authenticator app. It requires a physical hardware key. More detailed instructions below.
Show me the step-by-step guide for macOS
Download the installer, it should open by itself and mount a new volume containing the Yubico application. If not, open the downloaded .dmg file and drag the appearing Yubico icon on top of the Application folder. For easy access, open the Applications folder and drag the Yubico icon to the dock.
Yubico Authenticator is a cross-platform and open source authenticator app. It requires a physical hardware key. More detailed instructions below.
Show me the step-by-step guide for Linux (Ubuntu)
Open the terminal with the CTRL + ALT + T shortcut, or click on the Applications button on the top left and search for Terminal. Run the following commands to install Yubico Authenticator:
sudo add-apt-repository ppa:yubico/stable
sudo apt update
sudo apt-get install yubioath-desktop
