Passwords are inherently insecure.
Any password easy enough for you to remember is too short or simple to be effectively secure, whereas any password long and complex enough to be secure (and of course, unique per website) is too long and complex to remember. Yet, we use passwords everywhere.
For security reasons, you need a long, complex, unique password for every app and website you log into.
Passwords have to be long so that it takes longer for a computer to guess them: every character you add multiplies the number of strings an attacker has to try by the size of the character set. Passwords have to be complex (random, not words or predictable patterns) so they don’t appear in the dictionaries, wordlists and rainbow tables that attackers try first. Passwords also have to be unique so that if one site leaks your password, you don’t lose your password to every other site along with it.
Password management apps like LastPass and 1Password attempt to solve this problem by generating and storing very strong passwords for users: incredibly long and utter gibberish. However, a password manager is itself a single point of failure. The vault can be attacked, and you can be socially engineered out of the master password that protects it. Lose the master password to your password manager and you lose the passwords to every single site you cared enough about to put in it.
I’m not a fan of password management apps, but I like the idea. I don’t want to have to remember passwords, but I want my passwords to be secure.
I stumbled on a way to have my cake and eat it too on LinkedIn. I rarely use LinkedIn, and as a result, can never remember my LinkedIn password. Because I can never remember my password, every time I use LinkedIn, I use the “Forgot Password” link and make a new password.
From here I open my email, which has a link.
Which takes me to a password reset page, into which I enter yet another password I won’t remember 6 months from now when I check LinkedIn next.
After doing this 3 or 4 times I realised I could keep doing this forever, and just not bother to try to remember my LinkedIn password ever again.
Most sites have a similar reset function, so by extension I can do this on every other site and never remember any password except my email’s. If I don’t have to remember passwords, and each one is only used once, I can make them insanely long and random (the site still stores a hash of it until the next reset, which is exactly why it should be long and random). LinkedIn allows up to 400 characters in its passwords. Twitter and Facebook don’t appear to have limits. Here you have it – secure passwords with no memorization.
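As an added example (not part of the original post), here is a small Python script that puts numbers on the two points above: how the keyspace grows with every character you add, and how to generate a one-time password at the largest length a site’s reset form accepts. The 400-character limit is the one the post reports for LinkedIn; the guess rate of 10^12 per second and the “one of each character class” rule are assumptions for illustration, not measurements of any particular site.

```python
import math
import secrets
import string

# Characters a typical reset form accepts. Assumption: some sites reject
# certain symbols, so pass a narrower alphabet for those.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Character classes many sites insist on ("at least one upper, lower, digit,
# symbol"). Assumed policy for illustration, not any specific site's rule.
REQUIRED_CLASSES = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    string.punctuation,
)

SECONDS_PER_YEAR = 31_557_600  # 365.25 days


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string: log2(alphabet_size ** length).

    Each extra character adds log2(alphabet_size) bits, i.e. multiplies the
    number of candidates an attacker must try by alphabet_size.
    """
    return length * math.log2(alphabet_size)


def years_to_exhaust(length: int, alphabet_size: int,
                     guesses_per_second: int = 10**12) -> int:
    """Whole years needed to try every string of this length and alphabet.

    Integer arithmetic on purpose: 94**400 overflows a float, but Python
    ints are unbounded. 10**12 guesses/s is an assumed offline cracking rate
    against a fast, unsalted hash, chosen for illustration only.
    """
    keyspace = alphabet_size ** length
    return keyspace // guesses_per_second // SECONDS_PER_YEAR


def _applicable_classes(alphabet: str) -> list:
    """Required classes that this alphabet can actually produce."""
    return [cls for cls in REQUIRED_CLASSES if set(cls) & set(alphabet)]


def meets_class_rules(password: str, alphabet: str = ALPHABET) -> bool:
    """True if the password has at least one character from every
    required class that the alphabet can produce."""
    return all(any(c in cls for c in password)
               for cls in _applicable_classes(alphabet))


def generate_throwaway_password(max_length: int, alphabet: str = ALPHABET) -> str:
    """Generate a one-time password at the longest length the site accepts.

    Uses the `secrets` module (a CSPRNG), never `random`. Candidates that
    miss a required character class are rejected and redrawn; with a long
    password this almost never happens and the entropy lost is negligible.
    """
    applicable = _applicable_classes(alphabet)
    if len(set(alphabet)) < 2:
        raise ValueError("alphabet must contain at least two distinct characters")
    if max_length < len(applicable):
        raise ValueError(f"need at least {len(applicable)} characters to satisfy class rules")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(max_length))
        if meets_class_rules(candidate, alphabet):
            return candidate


if __name__ == "__main__":
    size = len(ALPHABET)  # 94 printable ASCII characters
    print(f"{'length':>6} {'bits':>8}  years to exhaust (assumed 10^12 guesses/s)")
    for length in (8, 12, 20, 64, 400):
        years = years_to_exhaust(length, size)
        shown = f"{years:,}" if years < 10**9 else f"about 10^{len(str(years)) - 1}"
        print(f"{length:>6} {entropy_bits(length, size):>8.1f}  {shown}")
    # 400 characters is the maximum the post reports for LinkedIn: paste it
    # into the reset form, log in, and forget it.
    print(generate_throwaway_password(400))
```

The table makes the length argument concrete: an 8-character password from this alphabet exhausts in under a year at the assumed rate, while a 400-character one is far beyond anything enumerable. Because the generated password is pasted once and never recalled, there is no reason to pick anything shorter than the site’s maximum.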
But this seems to create the same problem as password managers: your email is your new single point of failure. (Strictly, it is not a new one: any site that resets passwords by email already hands the account to whoever controls your inbox, so this approach only makes that dependency explicit.) I’m willing to concede this, but if you enable two-factor authentication on the email account, give false answers to recovery questions (and keep a record of the lies, since you will need them), use a strong password, use separate email addresses for public communication and for registering on sites, guard the registration address like you would a password, and check the URL bar of your browser to make sure you’re actually on your email provider’s site before you log in, you should be fine.