Everyone hates passwords. It's hard for people to come up with passwords that they can remember and which also satisfy the inconsistent rules set by websites. The result is that they settle on one password that generally passes those rules and then use it everywhere they can. Password expiration policies that prevent users from reusing passwords make the problem worse rather than better, since they push users toward simpler, more predictable passwords than they would otherwise choose.
The function of any password is authentication: it proves identity, and the system then decides authorization based on that identity. A password is paired with a username to provide two pieces of information that only an authorized user of a system should know. The shift toward using the user's email address as the username makes the problem worse, because it means an attacker can often look a username up rather than guess it: people tend to have a very small number of email addresses. Most have one personal address that they keep for many years and one work address, and rarely more than that.
It's unlikely that email addresses will stop being used as usernames, since they are unique by construction and users like them. That puts even more weight on making the password itself effective. The minimal characteristics that any password must have are:
- It can't be easy to guess.
- It needs to be able to be remembered.
- It must be unique for each website.
So what about password managers? They satisfy the first and third requirements and make the second unnecessary, but they introduce other problems. Synchronization between devices is non-trivial and requires the password manager to be present in each computing environment. It also requires integrations so that passwords can be copied from the manager into each application where they are used. Finally, it creates a single point of failure: anyone who gains access to your password manager, or learns its master password, has access to all of your accounts.
Using the XKCD method (a memorable core built from ordinary words), we've come up with a process of password construction that satisfies the first two requirements. To supplement Randall's approach we also need something unique for each website. The easiest way is to derive that from the website (or application) itself.
Let's start with a unique core that we can remember: coppertrucks
Now let's add a number, an uppercase letter, and a special character to satisfy most password requirements: C0ppertruck$
Finally, let's say we're logging into facebook.com. We can adopt a universal rule that takes the first and last letter of the site's name (the label before .com) and prepends them to the core: fkC0ppertruck$
For nytimes.com we can apply the same rule and come up with a different password: nsC0ppertruck$. Keep in mind that the two-letter prefix is the only per-site variation, so anyone who sees one of these passwords alongside the site it belongs to can work out the rule and the shared core.
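The following is an added example, not code from the original post: a reference implementation of the derivation rule described above, plus an attacker-side function showing what one leaked password gives away. The domain handling (taking the label to the left of a small built-in suffix list) and the function names are assumptions made for this example.

```python
"""Site-specific password rule from the post, implemented as a worked example.

derive_password() applies the rule: first + last letter of the site name, then the core.
infer_core()/predict_password() show the attacker's side: one leaked (site, password)
pair is enough to recover the core and predict the password for any other site.
"""
from urllib.parse import urlsplit

# The core from the post, after the digit/uppercase/symbol substitutions.
CORE = "C0ppertruck$"

# Stand-in for a public-suffix list (assumption: these few entries are enough here).
SUFFIXES = {"com", "org", "net", "co.uk", "com.au"}


def site_label(url: str) -> str:
    """Return the site's name label, e.g. 'facebook' for 'https://www.facebook.com/login'."""
    host = urlsplit(url if "://" in url else "//" + url).hostname or ""
    labels = host.lower().rstrip(".").split(".")
    # Strip the longest matching suffix and take the label just left of it.
    for n in (2, 1):
        if len(labels) > n and ".".join(labels[-n:]) in SUFFIXES:
            return labels[-n - 1]
    return labels[-2] if len(labels) >= 2 else labels[0]


def derive_password(url: str, core: str = CORE) -> str:
    """Apply the post's rule: first and last letter of the site name, then the core."""
    label = site_label(url)
    return label[0] + label[-1] + core


def infer_core(leaked_url: str, leaked_password: str):
    """Attacker's view: if the leaked password fits 'two-letter site prefix + core',
    return the recovered core; otherwise None."""
    label = site_label(leaked_url)
    prefix = label[0] + label[-1]
    if leaked_password.startswith(prefix) and len(leaked_password) > len(prefix):
        return leaked_password[len(prefix):]
    return None


def predict_password(leaked_url: str, leaked_password: str, target_url: str):
    """Use one leaked pair to predict the same user's password on another site."""
    core = infer_core(leaked_url, leaked_password)
    return None if core is None else derive_password(target_url, core)


if __name__ == "__main__":
    for site in ("facebook.com", "nytimes.com", "https://www.facebook.com/login"):
        print(site, "->", derive_password(site))
    # Constructed leak: the facebook.com password from the post appears in a breach dump.
    print("predicted nytimes.com password:",
          predict_password("facebook.com", "fkC0ppertruck$", "nytimes.com"))
```

Running it reproduces the two passwords from the post and then shows the weakness in practice: given only the leaked facebook.com password, predict_password() recovers the shared core and produces the correct nytimes.com password. The same inference works for anyone, not just a tool that knows the rule in advance, because the prefix is visibly the first and last letter of the site name; and substitutions such as o to 0 and s to $ are standard mangling rules in password-cracking wordlists, so they add little against offline guessing.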