It’s abundantly clear from the numerous recent data breaches that the most secure password for a website is one that isn’t used anywhere else. And while there are mnemonics for making memorable, unique passwords, the best way I’ve found is to use a password manager like LastPass.
Before LastPass I used the common, but very insecure, method of having different “levels” of passwords. One password was throw-away and used on sites that I didn’t care about. My medium-security password was used more rarely and only on sites that were important but did not hold financial or medical data. My high-security password was only used on financial and medical sites. Periodically the high-security password sites would be changed and the password demoted to medium password sites, etc. That’s a pretty dumb way of doing it, because all it takes is for one financial company to get hacked for that password to be at risk1 and open the door to all your financial and medical accounts.
The most secure way is for every site to have its own password. That way if a site is hacked, the only place that password can be used is the already-hacked website, not your bank account2. Memorizing a unique, secure password for every website you visit is impossible for mere mortals however.
Enter a password management tool like LastPass.
LastPass is a browser plugin for all major browsers on all major platforms. You have one master password to log into LastPass and it then keeps track of all of your usernames and passwords in a vault, automatically filling in those form values when you visit the website again. LastPass uses your master password to encrypt/decrypt your vault and only sends the encrypted vault to its servers, so your data is never accessible outside of your computer.
You can have LastPass installed on multiple computers and devices, including your mobile device, and have access to all your usernames and passwords whenever you are using a hardware device that you trust.3 The only password you have to remember is the master password to your LastPass vault. Accordingly, that password should be both strong and memorable.
You can share individual username/password entries to other LastPass users for them to use. This is perfect for giving multiple people in a household access to a single resource — like utility company website credentials — without duplicating that information when the web site requires you to change the password every 6 months.
Also, just because you use LastPass doesn’t mean that all of your passwords have to be an unintelligible mishmash of characters and symbols you can’t remember. While I let LastPass create such completely-unmemorable passwords for most sites, I still create strong but memorable passwords for a few accounts that I want quick, direct access to. LastPass will happily remember those passwords just as easily has ones it creates, so don’t let that dissuade you from using it.
I’ve found LastPass useful for other things as well. For instance, within LastPass you can use secure notes. These are great for putting information like your frequent flyer numbers, known-traveler numbers, passport information, private key passphrases, and other data that you want to have secure and generally available.
If you aren’t using unique passwords everywhere, I strongly encourage you to do so. A password manager like LastPass is a great tool for easily moving to that paradigm and I highly recommend it after using it for 2 years.
1 For some definition of “at risk”. See also hash strength, salting, and rainbow tables.
2 In the biz we call that isolating the failure domain.
3 It’s important that you trust the device you are accessing LastPass from. Untrusted devices can be using keyloggers and other technology to swipe your passwords. Never type in a password on a device you do not trust.