There’s no shortage of guides online explaining how you can maximize your internet security, or come up with strong passwords, or stay safe from hackers and snoopers—but few of these guides have any concrete advice or step-by-step plans that you can implement on your own.
This article is different.
Here, I’ll teach you exactly what you need to do in order to create, manage, and store your passwords properly and securely. No weird stuff, no wishy-washy arm-waving, no hidden fees, no jargon. Just a few simple steps that you should be able to carry out in less than 15 minutes.
I’ve compiled this guide based on a roster of recommendations from well-regarded information security experts (such as Bruce Schneier) coupled with my own experiences after years of implementing and testing those recommendations.
What follows is the safest and most effective password strategy I’ve been able to come up with. More convenient solutions do exist—they’re just less safe.
Without further ado, here are the steps you should take now in order to manage your passwords like a security pro.
Step 0: Collect Your Passwords
Where do you normally store your passwords? If the answer is “on a morass of post-it notes and tattered CVS receipts scattered around my desk” then this guide is definitely for you. Continue reading.
If the answer is “in my head” then, unless you’re a memory champion, you’re probably reusing two or three passwords across multiple sites, which is definitely Not Good. This article is also for you.
If the answer is, “I use a password manager” you’re already doing better than most—but, as I’ll explain later, most password managers are woefully vulnerable. In the next step, I’ll explain which password manager you should use to maximize your security.
Whatever your case may be, you should start by collecting all of the passwords you use. You’re actually going to be changing all of them soon, so get ready.
Step 1: Download KeePassX
I mentioned that most password managers are vulnerable, and now I’ll explain why.
Most commercial password managers (think 1Password, LastPass, Dashlane) store your passwords in the cloud. This means that you need to trust a third-party to encrypt and transmit your passwords securely. If anything goes wrong (which has happened before), some of your private information may be compromised.
Cloud-based password managers, as repositories of so much personal data, make excellent targets for hackers, corrupt insiders, and government agencies. The last thing you want to do is to send your passwords to a third-party for safe-keeping.
So what’s the solution? Simple: use a local password manager that never leaves your computer and never communicates with the internet.
This is slightly more inconvenient than a cloud-based password manager, as you’ll have to copy-and-paste your usernames and passwords from the manager to your password forms, rather than relying on autofill or auto-login—but it’s much, much more secure.
The password manager we’ll be using is KeePassX. Other standalone password managers exist, but this one is free, reputable, and has all the features you’ll ever need from a password manager. Download the version for your operating system here and install it.
KeePassX works by creating a file called a password database that contains all of your stored passwords in encrypted form. Using my method, you will only need to remember one password: the master password for your KeePassX database.
Step 2: Use Diceware to Create a Master Password
When you first open KeePassX, you’ll be able to create a new password database from the menu (Database > New database). The next step is to create a master password to encrypt this database.
You might be thinking that you need to make this a very complex-looking password, such as a#w*Q%1taG45. Unfortunately, that’s a Bad Idea. Not only will that be impossible to remember, but it’s not necessarily very safe.
In fact, cryptographers have shown that length is the most important factor in determining password safety. A longer password, such as IguanaGiraffeTomatoDriver, is far safer than a#w*Q%1taG45. (If you don’t believe me, test them here. Also check out xkcd for an explanation.)
Following this logic, we’re going to create a master password using a string of seven random dictionary words. This password will be practically impossible for any computer to crack.
To pick these random dictionary words securely, we’ll be using a method called Diceware. You’ll need some dice (like the type that come with board games). Don’t use a “virtual die” or anything other than a physical die.
You’ll need to make and record the results of 35 rolls. It sounds like a lot, but I promise it’ll pass quickly. Record the results of your dice rolls in order on a piece of paper, grouping them into rows of five. For example, your dice rolls could look like this:
6 1 5 6 6
6 6 3 3 5
5 2 3 4 3
4 2 1 5 3
4 6 1 2 2
1 6 5 6 1
1 1 2 5 4
Once that’s done, open up this PDF and search for the words corresponding to each 5-digit number combination (use Ctrl-F to help you). For example, the words corresponding to my rolls would be: tread, 8000, rrr, mel, plus, cider, and adagio. My resulting password is thus tread8000rrrmelpluscideradagio.
And that’s it. You now have a secure seven-word password that should be fairly easy to memorize. If you don’t like the resulting password (or if it contains a common phrase), you can scrap it and start over as many times as you’d like. Make sure to destroy the paper with the roll results when you’re done.
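As an added illustration (not part of the original article), the following Python walks through the two ideas above: the Diceware lookup from dice rolls to words, and the "length beats complexity" arithmetic behind Step 2. The word-list excerpt is constructed from the seven entries the article quotes; a real run loads the full 7776-line Diceware list, and the entropy helpers assume each word or character is chosen uniformly at random.

```python
import math
from typing import Dict, List

# Constructed excerpt of a Diceware word list in the usual "NNNNN<TAB>word"
# format, containing only the seven lines needed for the article's example
# rolls. A real run loads the complete 7776-line list from the Diceware PDF.
WORDLIST_EXCERPT = """\
61566\ttread
66335\t8000
52343\trrr
42153\tmel
46122\tplus
16561\tcider
11254\tadagio
"""

# The article's 35 recorded rolls, in the order they were rolled.
ARTICLE_ROLLS = [6,1,5,6,6, 6,6,3,3,5, 5,2,3,4,3, 4,2,1,5,3,
                 4,6,1,2,2, 1,6,5,6,1, 1,1,2,5,4]

def parse_wordlist(text: str) -> Dict[str, str]:
    """Map each 5-digit dice key (digits 1-6 only) to its word."""
    table = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, word = line.split("\t", 1)
        if len(key) != 5 or any(c not in "123456" for c in key):
            raise ValueError(f"bad Diceware key: {key!r}")
        table[key] = word.strip()
    return table

def rolls_to_words(rolls: List[int], table: Dict[str, str]) -> List[str]:
    """Group physical dice rolls into fives and look each group up."""
    if len(rolls) % 5 != 0:
        raise ValueError("need a multiple of 5 rolls (5 dice per word)")
    if any(r not in range(1, 7) for r in rolls):
        raise ValueError("each roll must be 1..6")
    keys = ["".join(map(str, rolls[i:i + 5])) for i in range(0, len(rolls), 5)]
    return [table[k] for k in keys]

def passphrase_entropy_bits(word_count: int, list_size: int = 6 ** 5) -> float:
    """Entropy of word_count words drawn uniformly from a list of list_size."""
    return word_count * math.log2(list_size)

def random_string_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of length characters drawn uniformly (KeePassX A-Z,a-z,0-9 -> 62)."""
    return length * math.log2(alphabet_size)

if __name__ == "__main__":
    words = rolls_to_words(ARTICLE_ROLLS, parse_wordlist(WORDLIST_EXCERPT))
    print("".join(words))  # tread8000rrrmelpluscideradagio
    print(f"7 Diceware words: {passphrase_entropy_bits(7):.1f} bits")
    print(f"17 chars from 62: {random_string_entropy_bits(17, 62):.1f} bits")
```

The seven-word passphrase carries about 90 bits; a 12-character random string over a 94-symbol keyboard alphabet carries about 79 bits, which is the point the article makes about length mattering more than odd-looking characters.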
Step 3: Create Your KeePassX Database
Now that you have a master password, you can go ahead and create your password database. Once you’ve created the database, you should see a window that looks like this:
Go ahead and save this database to any location on your computer (Database > Save database). Later, you can move this database to a safe location, such as a thumb drive, and even back it up to another disk.
Now is a good time to make sure you’ve memorized your master password properly. Close the database (Database > Close database) and reopen it by entering your password. Do this a few times over the span of 10 minutes or so until you’ve completely memorized the master password. Don’t write it down anywhere. Memorize it!
Step 4: Change Your Passwords and Store Them. Enable 2FA
Now it’s time to add your passwords to KeePassX. To add a new entry, select Entries > Add new entry.
In the window that opens, you’ll enter a title for the password, your username, and the URL of the corresponding site. However, instead of using your old (and probably insecure) password, you’ll have KeePassX generate a new, secure password for you.
Select the “Gen.” button and choose an appropriate length (at least 17 characters, but more is always better). Make sure that A-Z, a-z, and 0-9 are selected (special characters aren’t allowed by some websites). Press “Accept.”
Now visit the site in question. Let’s say you’re changing your Facebook password. Visit the appropriate page in your Facebook settings to change your password. Copy-and-paste the password that KeePassX generated for you. You may need to press the eye icon to copy it properly. Submit the new password. If everything goes well, go back to KeePassX and press “OK”.
Voilà! You’ve created your first properly secure password. Now repeat this step for every single site that you’re a member of.
While you’re at it, make sure to enable 2-factor authentication (2FA) with every site that offers it. With 2FA enabled, it will be impossible for someone to log in to your accounts unless they have both your password and access to your mobile device.
The next time you need to log in to a website whose password is stored in your KeePassX database, simply open the database, select the appropriate entry from the list, and hit Ctrl-C (or Cmd-C for macOS users). The password will be copied automatically.
You might decide to have some passwords memorized for emergency reasons. For example, I keep my main banking, email, and Dropbox passwords memorized. Instead of using KeePassX to generate these passwords for me, I simply use Diceware.
Step 5: Sync Your KeePassX Database (optional)
There’s much more you can do with KeePassX. You can use it to store bank account numbers, credit card numbers, social security numbers, a secret diary…
The possibilities are endless. I won’t go into them here, but I do want to point out that it’s probably a good idea to keep your KeePassX synced somewhere in the cloud.
I know what you’re thinking: if we’re not supposed to use cloud-based password managers, how could it be a good idea to store your whole password database in the cloud?
The short answer is that your password database is an encrypted file that’s almost impossible to crack, no matter who has access to it (assuming you’ve used Diceware properly), whereas cloud-based password managers use complicated protocols to store and transmit your passwords, which means they have more points of failure.
At minimum, I would suggest keeping your KeePassX database synced in your Dropbox folder. That way, you’ll be able to access your passwords from anywhere (assuming you’ve memorized your Dropbox password) and you’ll have a backup available in the cloud in case something goes wrong with your computer.
Step 6: Download a KeePassX App (optional)
I find that I rarely need to enter passwords on my mobile devices. My mail, messaging, and social media apps always keep me logged in, and I rarely use mobile banking apps. I trust my phone’s existing security, so I don’t feel the need to add additional protection there.
However, there are cases where you may need to log in to a website on your phone, and typing a complex 32-character password onto a mobile device is never a fun experience.
That’s why I’d recommend having an app on your phone that can open KeePassX files. If you have your password database synced on Dropbox, exporting it to an app on your phone is remarkably easy.
On iOS, I like MiniKeePass, which lets you export from Dropbox quite easily. However, I would advise you against relying on mobile apps too much, as they create additional points of failure. Better to stick to the secure, desktop-based version, and avoid storing your passwords in any additional files or password managers.
Congratulations! If you’re still here, and you’ve followed all of the steps above, you’re now a password master. All of your passwords are unique and virtually uncrackable, and there are no third parties that could possibly compromise your security.
Well, that’s not entirely true. You still have to watch out for your physical security, and communicate securely, and stop using Facebook and eliminate Google from your life. If you really want to be secure on the internet, you’ll also have to use Tor or a VPN.
If that sounds like a lot, I agree. The internet is extremely complex, and there are many threats that we need to watch out for. But by taking just a few steps every day, you’ll be able to maximize your privacy and security in no time.
Feel free to throw away those post-it notes now.