By The Safety Committee

Many sites, subscriptions, and tools require a login to function, and in most cases (we’ll get to that later), those logins require a password. So, in the shifting landscape of online security, what’s the best way to handle passwords? The answer depends on a few different factors. Let’s start with some basics that apply to everyone. 

First, the days when a combination of names and dates was enough to devise a secure password are over (if they ever existed). Even longer passphrases that mix letters, numbers, and punctuation (e.g., “take me out to the ball game” written as t@k3M30utT0Th3B@llG@m3) probably aren’t going to slow a hacker down. Such phrases and substitutions are now baked into most password-cracking programs. So your best bet is a passphrase that makes sense to you but seems like nonsense to anyone else, or even better, a completely random string of letters, numbers, and punctuation.

Second, you shouldn’t use the same password for everything. Because if a site/service you use is compromised, the hacker now has access to your everything. The more passwords you have, the less risk of systemic compromise. Ideally, you want a unique password for every single login.

Wait…does that mean you should have a bunch of different passwords, none of which are memorable?

You bet! But worry not, there are several options to manage your password system that (probably) won’t frustrate you beyond endurance. The right option for you will depend on your comfort level with technology, the systems you use, and the money you’re willing to spend.

Old School Method

Write your passwords down on paper. While it may seem antiquated, the surest way to keep something safe from hackers is to leave it off the digital space. But if you lose the paper/notebook, you’re in trouble.

Use Your Browser

Mainstream modern web browsers (Chrome, Safari, Edge, and Firefox) will offer to remember passwords as you enter them. If you need to remember additional passwords that aren’t site-related, you can add them manually in the settings menu. These browsers allow you to sync passwords across your devices if you’re using the same browser for all of them. However, not all browsers are available on all platforms (e.g., you can’t install Apple’s Safari browser on an Android device).

Is using your browser a safe option? Depends on your risk tolerance. Most data synced across devices via Chrome or iCloud is encrypted, but as of this writing, not “end-to-end” encrypted. Meaning it’s encrypted in transit when it might be intercepted by a hacker, but not on either end. Whether you consider this option “safe” depends on how comfortable you are with Google, Apple, etc., having access to your data. Additionally, not all browsers make it easy to export your passwords, if you decide to switch to a different browser or service.

Use an App

These apps generally fall into two categories: note-taking apps and dedicated password-management apps. You can simply enter your passwords in a list on a note-taking app such as Apple Notes or Google Keep on your phone. Some apps even offer password protection you can set for a specific note—to give you an added layer of security. These generally sync across devices, just like browsers. However, like browsers, most note-sync services (iCloud, Google, etc.) do not offer end-to-end encryption. A few do, such as Obsidian, but these are generally not free. You get what you pay for.

And speaking of getting what you pay for, the best way to manage passwords is to use a dedicated password management app like 1Password. In most cases, these services aren’t free (the notable exception being LastPass, which was hacked last year, so…yeah, you get what you pay for). These apps are built to be as secure as possible but also as seamless as possible, so they don’t hinder you. Most can generate random passwords, and some will even notify you if a site you use has been compromised, so you can change your password. It might feel strange to offload your entire password process to an app, but if you use it consistently across your devices, you’ll be surprised how painless it makes your internet security practices.

Two Factor Authentication (2FA)

An additional vector of security is Two Factor Authentication—something you know (password) and something you have (usually your phone). If someone obtains your password, they still won’t be able to access the service—unless they’ve also stolen your phone and gained total access to it, and then you have bigger problems.

Once you set up 2FA, whenever you login somewhere new, you’ll be asked for a second form of ID verification. Usually, a text message is sent to your phone with a randomly generated six-digit code you must key in within a certain amount of time. Some services, such as Google or Apple, allow you to approve or deny access directly via your phone notifications. And password-management apps can connect to the site’s authentication service to provide you with the code without waiting for a text message.

After logging in, some sites will allow you to “remember” that device so you don’t need to go through the entire process every time. Make sure you never enable that when using a computer that is public or shared with someone else.

The Beginning of the End of Passwords?

As support for 2FA grows and phones rely more on biometrics than on pins and passwords, the idea of a “passwordless future” has emerged. Instead of a password, sites create a “passkey” that is stored on your devices and accessed via biometrics. This idea is still in its infancy, with many hurdles ahead, particularly ensuring a free and open service for all, regardless of platform, location, or income. Promising developments include recent commitments from Apple, Google, and Microsoft to work with FIDO Alliance.

A Final Note on Phishing

Did you know that most accounts are hacked not because the hacker cracked their password but because the user gave it to them? Phishing scams, where a hacker poses as a person or company you trust so you hand over your login credentials are more prolific, complex, and convincing than ever before. This widespread issue requires its own post, but it’s important to remember that no matter how great your password management is, it means nothing if you’re not careful when and how you enter and share your credentials.

The SFWA Safety Committee maintains the Safety Resources on SFWA’s website at www.sfwa.org/safety. These resources contain useful information for creators maintaining an online presence and touch on safety considerations for in-person events for both attendees and event planners. We are here to help individuals and organizations navigate the speculative fiction publication industry with increased consideration for safety.