Ironclad passwords in 5 steps

Step 1: cater to the brain

Let’s quickly skip through the basics: the biggest challenge for a password is not for you as a user to make it impossible to remember a password. The challenge is to make it impossible for a (bunch of) computer(s) to guess the password.

The famous XKCD cartoon explains this better than I ever could. So I won’t waste more time on that one.

The hard part: computers get smarter

So let’s think what computers already can do… And use this little list to cross off common mistakes. Computers can really quickly run through a list. So the longer the list the computer has to go through, the longer it will take someone to get to past your password. Researchers and hackers have developed different techniques to shorten the list, we keep trying to make the list longer. Also, some passwords are more common than other passwords.

There’s a few things smart hackers use to guess your passwords:

  • Use lists of most common used passwords. If your password happens to be in the top 10.000 of most common passwords, odds are it will be guessed in minutes
  • Use lists of first names, pet names, maiden names, band names, … (remember all those Facebook quizzes?) and combine these with a few characters.
  • Use a dictionary (English, French, your language, …)
  • That same dictionary in l33t sp34k and RanDoM CaPiTAlisaTION s0mEt1M3s also is part of the collection
  • Try to collect your password for (less important) other sites – odds are you’ll be using the same password, or using a similar pattern for different sites.

Step 2: Don’t recycle passwords

Every now and then, sites get hacked and passwords get leaked. If you use the same ultra-complex 68 character password on all sites, this is a problem. You don’t want someone finding your username and password on a gaming site and being able to log in to your e-mail, social media or banking application with the same credentials.

While you should recycle as much as possible… do not recycle passwords. Every site deserves its own unique password.

Step 3: Don’t remember them

So how great would it be if you wouldn’t have to remember all your passwords? There actually are solutions for this. You could put them on a post-it note (why not?) in a spreadsheet in a specialized tool that safely encrypts your passwords and automatically fills them out for you. You could use a password manager that stores the passwords encrypted in a file on your computer. My recommendation here would be KeePassXC.

In current age, we more and more need a way to share passwords between devices. You’ll want access to your social media on both your computer and your phone – and maybe also on the computer of the public library.

With KeepassXC you could share your password file on some cloud drive (I’d recomment NextCloud). But this quickly gets messy, and especially if there’s more than one person or device accessing the password file at the same time… things tend to get messy and sometimes you end up losing passwords.

This is where cloud solutions come in. An online password vault will encrypt your secrets on your computer and send that garbled data to an online service. There are plenty of good ones out there. Once upon a time, LastPass was the gold standard here… but then they got bought out by investors. Especially for this reason, I’m sticking with an open source solution that I would also be able to host myself if I would want to. For now, I’m happy with BitWarden for storing and managing my passwords and other credentials: it is extensively security audited, it has a vibrant community and a professional team working on the product.

Step 4: a few passwords to remember

There are a few keys that you can’t store inside your password vault. For example the keys to log into your computer, or the password to open Bitwarden or your password vault of choice. For obvious reasons, you want these passwords to be really strong.

The XKCD approach using a passphrase is clearly a great one: pick a few random words and make this your passphrase. I tend to have a different approach…

First off, think of the lyric of a song you like and can easily remember, ideally a song that sings in some kind of dialect (if it’s not English, that’s an added bonus here). Phonetically write the lyric and let this be your passphrase.

Now you tell me what algorithm is going to find “HooohYaGonnaCall?Gostbustaz!!” in less then a 100 years? Is a digit required? Then find yourself a song where you could squeeze in a digit (YaDa1thatIwantOoohOoohOooh!).

Now every time you have to type in your password, you’re using a strong and secure password… Your mood always gets lifted up a tiny little bit because you’re singing your happy song mentally again :wink:

Step 5: The super powers of 2FA

Whenever a password is critical, you shouldn’t rely purely on a password. His name is 2FA, some call him MFA. It’s short for two-factor authentication or multifactor authentication. Through some smart algorithm, a new code gets generated every 30 seconds or so. Using a unique code, this “one time password” complements your password. This way, it becomes impossible to brute force yourself through a list of possible passwords. You can use an external tool like Google Authenticator, Authy or some other tool. Bitwarden also has an implementation built into its password vault. This makes it dirt easy to log into websites that support this feature super securely.


The newest development in security will try to combine the ease of a personal device with the strength of your MFA-approach. Once you’ve logged in to a site with a strong and unique password… you’ll store it to never use it again. If you enable WebAuthn, using the magic of private and public key cryptography, you’ll log in using the biometrics on your device (smartphone, FIDO-key, …).

And in case you don’t trust some online gizmo to manage your access… in the end you’ll always have your password that’s gathering dust in your password vault, just for that situation where you don’t have your biometric device around.


The top image was based upon 2 images:






Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.