Creating secure passwords

Passwords are perhaps the most important protection we have in the digital era. But how do you pick a good one, and keep it secure? And remember it?

In theory, a good password should be impossible to guess. It should be at least 8 characters long, and contain at least one number and one capital letter. Don’t use cities, streets, people, pets, words found in a dictionary, phone numbers, birthdays or anniversaries, or letters found together on the keyboard. Avoid writing down passwords or typing them in a document on your computer. Those are security risks. Use Apple’s Keychain function instead.

Whenever a Macintosh offers to save a password it’s stored in a secure, encrypted file called a keychain. The keychain itself is protected by a master password, normally the same as the login password you use to access your desktop. If you forget a password, you can look it up in Safari or the Keychain Access utility as long as you know your login password. You can even add passwords to the keychain manually.

We recommend enabling iCloud Keychain on all your personal Macs & Apple devices. This allows Safari to suggest cryptic passwords that no one can guess. And you don’t have to worry about remembering them either. Your keychain passwords are encrypted and transmitted securely to all your Apple devices, so whether you visit a site on your Mac, iPhone or iPad, Safari can automatically supply the password.

Or use the Password Assistant. It's built right into the Mac. When you set a password, look for the key icon and click it. Choose a password type (Memorable and Letters & Numbers are good choices) and let it generate a password for you. Click the arrow for more suggestions, or alter the password a bit to your liking. You’ll see a quality meter below. You can bring up the Password Assistant anytime with the Keychain Access utility, then type the password on the site or wherever you need it.

Finally, make up a password system of your own. Perhaps I’m a Madonna fan and Lucky Star always takes me back to my second grade class. I might use the password Mdna2umbml*. That’s an abbreviation of Madonna's name, 2 for second grade, and umbml* refers to the first line in the song, “you must be my lucky star.” See, there are no words and it’s impossible to guess… but it’s still something I’ll remember.
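The rules from the start of this article (length, a number, a capital letter, no dictionary words, no keyboard runs, no dates or phone numbers) can be checked mechanically. The sketch below is an added example, not part of the original article; the tiny word list, the run length of 4 and the date/phone patterns are assumptions chosen for illustration.

```python
import re

# Constructed sample word list; a real check would load a full dictionary
# plus names, cities and pets (assumption, not from the article).
SAMPLE_WORDS = {"password", "madonna", "lucky", "star", "boston", "rover"}
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")
# Undo common look-alike swaps (0->o, 1->l, 3->e, 4->a, 5->s, 7->t, @->a, $->s)
LOOKALIKES = str.maketrans("013457@$", "oleastas")


def keyboard_run(pw, run=4):
    """Return the first `run` characters that sit side by side on a keyboard row."""
    low = pw.lower()
    for i in range(len(low) - run + 1):
        chunk = low[i:i + run]
        if any(chunk in row or chunk in row[::-1] for row in KEYBOARD_ROWS):
            return chunk
    return None


def dictionary_hit(pw, words=SAMPLE_WORDS, min_len=4):
    """Return a listed word hidden in the password, ignoring case and look-alikes."""
    low = pw.lower().translate(LOOKALIKES)
    return next((w for w in sorted(words) if len(w) >= min_len and w in low), None)


def check_password(pw):
    """Return a list of the article's rules that the password breaks."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.isdigit() for c in pw):
        problems.append("no number")
    if not any(c.isupper() for c in pw):
        problems.append("no capital letter")
    word = dictionary_hit(pw)
    if word:
        problems.append(f"contains the word '{word}'")
    run = keyboard_run(pw)
    if run:
        problems.append(f"keyboard run '{run}'")
    # Heuristic: six or more digits in a row, or a 19xx/20xx year
    if re.search(r"\d{6,}", pw) or re.search(r"(19|20)\d\d", pw):
        problems.append("looks like a phone number or date")
    return problems


if __name__ == "__main__":
    for sample in ("Mdna2umbml*", "Qwerty12", "P4ssw0rd1985", "rover"):
        print(sample, "->", check_password(sample) or "passes every rule")
```

The sample password Mdna2umbml* passes every rule, while swapping letters for look-alike digits does not hide a dictionary word from the check.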

Ideally, the password for each site or device should be different. iCloud Keychain is a big help here since few people can remember all those passwords. But if you choose to reuse any passwords on several sites, we strongly advise taking their usage into consideration. Don’t use the same password for work and a bank account – unless you really want your boss to have access to your personal finances!

At a minimum, each of these categories needs a different password. They are listed in order of increasing security:

  • Shared resources. You’ll need to give your wi-fi password to visitors and coworkers. Don’t make it the same password you use for personal items.
  • Work. You might need a password for your work email or computer, and management may keep this password on file. Don’t use it for personal items unless you want your boss checking your personal email or Facebook. (You didn’t friend your boss, did you?)
  • Trusted friends & family. This might be the passcode for a smartphone or tablet you share with a spouse. You might share an Apple ID for Home Sharing or use it to buy music and apps for your household or workgroup.
  • Personal. Your computer’s login password, personal email, Facebook and other web sites.
  • Administration. Admin, server and router passwords. For IT or management personnel only.
  • Financial. Passwords for your financial institution or ATM PIN are critical. Change them often and create different variations for each institution. Don’t save or write down passwords for financial sites – they should be kept only in your head!

Protect your passwords. Scam emails might contain links to fake web sites masquerading as the real thing – and they trick people into giving out their password or other details. If you receive an email requesting a password, don’t click a link. Open a browser, type the website address and sign in there.

Everyone who shares a computer should log into their own user account. If you share your login account password, you’re also sharing access to all email, documents, photos, web sites and stored passwords. Does your computer automatically log in and display your desktop? If so, your life is open to all the world. Put a password on it immediately. And add a passcode to your smartphone and tablet while you’re at it.

Testing and resetting passwords

The passwords stored on your computer or device must match the password defined on the web or server. This is the master (correct) password. If you’re not sure about a password, go directly to that site or server and see if you can log in. If so, you know this is the one to use on all your apps and devices to access that service. Most services also help you reset a forgotten password if you can reply to an email or answer security questions. So update your email address and choose security questions and answers you will remember so you aren’t locked out of your account should there be any issues in the future.

Common sites – click the links to check passwords

  • Apple ID – iCloud, Messages & FaceTime, iTunes Store, App Store, Home Sharing, Find My iPhone, @icloud.com & @me.com mail
  • Google – Gmail, Google Calendar, YouTube, Google Drive
  • Yahoo – Yahoo mail, Flickr, Tumblr
  • Facebook & Twitter – social media
  • Vimeo – video sharing

Need help? Click for instructions on entering a new password in your Mac and iPhone/iPad. Also see security tips for Mac, iPhone & iPad.

Learn more about security & troubleshooting.

©2023 Creative Tech Support, Inc. Experts in Apple support since 1994. Not officially affiliated, related, or licensed by Apple.