Password Management 101

Passwords are an important part of the Internet. We all manage a multitude of accounts and each one of them requires a password. The greater the number of accounts to manage, the harder it gets to have a unique password for each. Here are a few tips for you if you either use passwords (who doesn't) or if you're a programmer and need to store passwords for the accounts of your users.

Using passwords

There are a few things that you should be aware of when entering a password for a new website. Most people tend to use passwords that are easy to remember; however, such passwords are often easy to guess or easy to crack. Here are a few things to think about before choosing a password.

How important is the account

This is very important because it's OK to have easy-to-guess passwords for accounts that you don't mind losing or that people won't bother trying to steal. If you have to create an account for posting comments on a small blog, why bother having a super secure password? Losing it won't do much harm and no one will actually try to gain access to your account over there. If you're creating an account for your bank, then it's very important to make the password as secure as possible.

Don't use dictionary words or names

These are the easiest passwords to guess, whether by hackers or by someone around you, and they are the first passwords hackers try. Adding a number or two to the mix does not help much (though it does a little) because hackers know people tend to do that. When people heard that using dictionary words was bad, a lot of them added "1" at the end. Guess what the hackers try now?

Use long passwords

You don't necessarily have to use random letters, numbers and symbols to have a secure password. You can use a sentence that contains a few numbers and symbols that will be very easy to remember and very hard to crack. These sentences are also known as passphrases and are very good at securing your account.

Unique passwords for critical websites

As I said in the first point, if you're creating an account for a banking website, for an email service or anything else critical: use a unique password for each one of them and especially don't use a password that you use for a non-critical website.

Remembering passwords

If you follow all these rules, then you are probably overwhelmed by the number of different passwords you have to remember. Fortunately, there's a tool that can store your passwords for you.

The tool is KeePass and it can generate strong passwords for you. All you have to do is remember one password that will let you access all your other passwords. Combine KeePass with a USB key that you bring along with you everywhere or with Dropbox and you'll have access to your passwords from anywhere.

Storing passwords

If you're creating a website that will handle accounts for users, there are also a few things to be aware of. The best tip I ever read about storing passwords is this one: don't do it.

Don't do it

Now you're asking me how the hell you can have accounts and not store passwords. Of course, this is not always feasible, but if possible support OpenID instead.

OpenID is a free and easy way to use a single digital identity across the Internet.
With one OpenID you can login to all your favorite websites and forget about online paperwork!

Sadly, OpenID suffers from some usability issues and may not be appropriate for your website if your users are not too technologically savvy. Fortunately, many major players now support OpenID (Google, Yahoo, Facebook to name a few) and people are going to be accustomed to using an OpenID in a few years.

If you must

In case you really have to store passwords, at least don't make the rookie mistakes:

Don't store passwords in plain text in the database

If you don't have access to an expert, here's a great post that you absolutely MUST read before storing passwords in a database (cached version).
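
As a concrete illustration of not storing plain text (an added example, not code from this post or from the post linked above): the database keeps only a random salt and a slow, salted hash, and login recomputes that hash. The choice of scrypt, its cost parameters, the record format and the function names are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
import unicodedata

# Assumed cost parameters for this example; tune them for your own servers.
N, R, P = 2**14, 8, 1

def _encode(password: str) -> bytes:
    # Normalize so the same passphrase typed on different keyboards matches.
    # No length or character restrictions: spaces and symbols are all fine.
    return unicodedata.normalize("NFKC", password).encode("utf-8")

def hash_password(password: str) -> str:
    """Return the record to store in the database instead of the password."""
    salt = secrets.token_bytes(16)  # random per account, stored alongside
    digest = hashlib.scrypt(_encode(password), salt=salt, n=N, r=R, p=P, dklen=32)
    return f"scrypt${N}${R}${P}${salt.hex()}${digest.hex()}"

def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and parameters, then compare."""
    try:
        scheme, n, r, p, salt_hex, digest_hex = record.split("$")
        if scheme != "scrypt":
            return False
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        actual = hashlib.scrypt(_encode(password), salt=salt,
                                n=int(n), r=int(r), p=int(p), dklen=len(expected))
    except ValueError:
        return False  # malformed or corrupted record
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(actual, expected)

if __name__ == "__main__":
    record = hash_password("correct horse battery staple! 42")  # constructed sample
    print(record)
    print(verify_password("correct horse battery staple! 42", record))
```

Because the salt is random, two users with the same password get different records, and the stored value never has to be reversible.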

Don't use password reminders

Password reminders are not worth it. They are easy for people around you to guess and you often forget them. There are better ways to reset a password.

Always offer to send a new password by email

That is the most secure way to reset a password. Plus, since you're not storing passwords in plain text and password reminders are bad, that's the only way to do it. An email account should be secure. Hopefully, the user used an email address that will always be valid.

Let me enter whatever I want in my password

Let me put as many characters as I want (for passphrases for example) and let me use capital letters, numbers and any symbol (including space). If a user chooses to use a symbol that's hard to input on foreign keyboards, that's his problem.

However, you can help them make sure their password is what they think it is by showing it to them while they're typing it (as Freckle does).

Limit the number of retries

This is simply a matter of protecting your website against hackers. Twitter failed to do this and many accounts were compromised as a result. Just reset a password and send the new one by email if too many attempts were made in a short time.
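
One way to detect "too many attempts in a short time" (an added example, not code from this post): count failed logins per account inside a sliding time window. The class name, the thresholds and the injectable clock are assumptions for illustration; what happens once the limit is reached, such as the reset-and-email step described above, is left to the caller.

```python
import time
from collections import deque

class LoginThrottle:
    """Count failed logins per account inside a sliding time window."""

    def __init__(self, max_failures=5, window_seconds=300, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window_seconds
        self.clock = clock          # injectable so the logic can be tested
        self._failures = {}         # account -> deque of failure timestamps

    def _recent(self, account):
        attempts = self._failures.get(account)
        if attempts is None:
            return ()
        cutoff = self.clock() - self.window
        while attempts and attempts[0] <= cutoff:
            attempts.popleft()      # forget failures older than the window
        if not attempts:
            del self._failures[account]  # keep memory bounded
        return attempts

    def is_locked(self, account):
        """Check this before even verifying the submitted password."""
        return len(self._recent(account)) >= self.max_failures

    def record_failure(self, account):
        """Record one failed attempt; return True once the limit is reached."""
        self._recent(account)
        attempts = self._failures.setdefault(account, deque())
        attempts.append(self.clock())
        return len(attempts) >= self.max_failures

    def record_success(self, account):
        self._failures.pop(account, None)

if __name__ == "__main__":
    throttle = LoginThrottle(max_failures=3, window_seconds=60)
    for _ in range(3):              # constructed sequence of bad logins
        limit_hit = throttle.record_failure("alice")
    print(limit_hit, throttle.is_locked("alice"), throttle.is_locked("bob"))
```

In a multi-server deployment the counters would live in a shared store rather than in process memory.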


That's it. If you follow these simple guidelines, the Internet will be a more secure place and fewer accounts will get hacked. It's harder to be secure, but in the long run it's easier than losing an account (or accounts) and having to handle all the problems that may arise from losing it.
