Scope And Purpose Of This Post
Even after someone makes the very wise decision to start using a password manager so they can start having strong, unique passwords, they still have to decide what password generator settings to use. They have to decide stuff like whether to use digits and punctuation in their passwords, how long their passwords should be, and whether they should use passphrases.
The password generator settings you use should depend on how you're going to use the password. Passphrases are great for passwords you need to remember, but maybe not for your work password that you manually type >20 times a day. My recommendations depend on the "password use case":
- Remembered and typed <8 times a day.
  - This would be your master password for your password manager.
  - Use a passphrase. Six words for your master password. Five words are okay for passwords that are far less important than your master password.
  - If your password manager doesn't generate passphrases for you, make it generate a bunch of digits and use the diceware word list or an EFF word list.
- Not remembered and rarely/never typed.
  - Your most common password use case, for stuff like Facebook.
  - I recommend a "1D+1U+15L" password: 1 digit, 1 upper case letter, 15 lower case letters, for a total length of 17.
  - If your password generator doesn't support that, go for 14 alphanumeric characters (lower case letters, upper case letters, digits).
- Remembered and typed many times a day.
  - This is possibly the use case for your work password, which you have to type to unlock your computer and log in to many services.
  - Because you are typing this so frequently, you might not need the memorability of a passphrase, and you probably don't want the typing hassle.
  - I recommend something like a "1D+1U+12L" password, even if you have to manually modify a password generated by your password manager.
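
An added example, not part of the original post: a Python sketch that generates the "1D+1U+15L" style passwords recommended above and computes the entropy of each recommended setting so they can be compared. It assumes every character and word is drawn uniformly from the OS CSPRNG, that the digit and upper case letter land in random positions, and that the passphrase list has 7776 words (Diceware or the EFF long list); the function names are illustrative.

```python
import math
import secrets
import string

_rng = secrets.SystemRandom()  # OS CSPRNG; never use the default `random` here

def gen_pattern(digits=1, upper=1, lower=15):
    """Generate an 'xD+yU+zL' password, e.g. the post's 1D+1U+15L."""
    chars = (
        [secrets.choice(string.digits) for _ in range(digits)]
        + [secrets.choice(string.ascii_uppercase) for _ in range(upper)]
        + [secrets.choice(string.ascii_lowercase) for _ in range(lower)]
    )
    # Assumption: the digit and upper case letter go in random positions.
    _rng.shuffle(chars)
    return "".join(chars)

def pattern_bits(digits=1, upper=1, lower=15):
    """Entropy in bits of gen_pattern(): position layouts x character choices."""
    n = digits + upper + lower
    layouts = math.comb(n, digits) * math.comb(n - digits, upper)
    choices = 10**digits * 26**upper * 26**lower
    return math.log2(layouts * choices)

def uniform_bits(length, alphabet_size):
    """Entropy in bits of `length` symbols drawn uniformly from one alphabet."""
    return length * math.log2(alphabet_size)

def page_settings():
    """Entropy of each setting recommended in the post, rounded to 0.1 bit."""
    return {
        "6-word passphrase": round(uniform_bits(6, 7776), 1),
        "5-word passphrase": round(uniform_bits(5, 7776), 1),
        "1D+1U+15L": round(pattern_bits(1, 1, 15), 1),
        "14 alphanumeric": round(uniform_bits(14, 62), 1),
        "1D+1U+12L": round(pattern_bits(1, 1, 12), 1),
    }

if __name__ == "__main__":
    print(gen_pattern())  # one 17-character 1D+1U+15L password
    for name, bits in page_settings().items():
        print(f"{name:18} {bits:5.1f} bits")
```

If your generator puts the digit and upper case letter in fixed positions, the layouts term in `pattern_bits` drops out and the entropy is correspondingly lower.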