The importance of a good password

We use passwords for everything these days: from the important, like Exodus, our bank and our email, to the most trivial, like that obscure blog we registered on once and never visited again. Our passwords are the keys to all of our information, online and offline, which shows how important they are. And yet we pay little attention to how secure they are when we create them. Yes, we sprinkle in a symbol, a number and a capital letter here and there, but how good are our passwords really?

How do I create good passwords?

A strong-looking password isn't necessarily a good password. More important than its apparent strength is its uniqueness: a good password must be different from every other password you use, and ideally different from what anyone else uses. P@$$w0rd23 passes most "complexity" rules, but it is definitely not good: it is a dictionary word with exactly the symbol substitutions and trailing digits that password-cracking tools try first, and the same pattern has been chosen by countless other people.

The best password is a random one, and the best way to create random passwords is a dedicated password manager app, like 1Password, LastPass or KeePass. These apps generate random passwords of up to 64 characters, remember them for you and fill them in automatically, so you never have to type or memorize them. The stored passwords are kept in an encrypted vault that only your master password unlocks, so you need to remember exactly one strong password instead of dozens.

If you decide against using a password manager (not recommended), or you are trying to think of a good master password for one, here are some tips for human-created passwords:

  1. Don't use any information that is available to other people, like birthdays, names, pets or addresses.
  2. The best passwords, being both easy to remember and hard to crack, are passphrases made of random words. This may sound counterintuitive but it's true: even four randomly selected words are stronger than the passwords we usually create. Randomness is the key factor here: the words must be picked for you by dice or by software from a large word list, not chosen by you, because the words a person "thinks of" are nowhere near random. Have a look here for the famous "correct horse battery staple" example: https://xkcd.com/936/
  3. If you have to (or want to) use symbols and mixed capitalization, avoid the expected ones. Keep in mind that these tweaks only make a password slightly harder to guess; cracking tools routinely toggle case, strip trailing digits and undo letter substitutions, so a dictionary word with a tweak is still a dictionary word. The base of the password has to be random.
    1. Don't capitalize the first letter, capitalize a random one. Instead of Password, use passwoRd.
    2. Don't append a number at the end, i.e. avoid password1; instead use pas4sword.
    3. Don't use the usual letter-symbol substitutions, like a = @ and s = $. Instead of p@ssword, use passwo%*rd.
  4. Make it long: at least 16 characters.
  5. Use a non-Latin alphabet and non-English words if you can, as long as you can still type them on every keyboard you will need to log in from.

But remember: creating a good, random password and then using variations of it on different sites undoes the whole effort! For more on that, read on.

Should I create the Email Backup in Step 4?

Short answer: it depends. The Email Backup can be a lifesaver if something happens to your 12 words and you need to restore your wallet. It is also more convenient than digging your 12 words out of their safe-keeping place and entering them one by one.

But unless your Exodus password is different from every other password you use and your email account is properly protected, it becomes a liability. So, only create an Email Backup Link if:

  1. Your Exodus password is randomly generated by a password manager.
  2. Your email account password is randomly generated by a password manager.
  3. You have enabled two-factor authentication (2FA) on your email account using an authenticator app such as Google Authenticator or Authy, not SMS 2FA. SMS codes can be intercepted by an attacker who takes over your phone number (a "SIM swap"), which is exactly the kind of attacker who would be after your wallet.

If you've done all that, then your Email Backup is a very secure restore method. If not, it's better to skip it. Just make sure that your 12 words are written down correctly and are safely stored in more than one place.

Why do you need all that protection? Read on to find out!

Why should my Exodus password be different than any other password?

Actually, all of your passwords should be different from each other, as we discussed, but for now let's focus on your Exodus password.

Your Exodus password protects your wealth in two ways:

  1. It prevents someone with access to your computer from opening Exodus and sending out your money. This is extremely important if you live or work in a place where other people can reach your desk while you are not paying attention.
  2. If in Step 4 of the backup process you choose to receive the email backup link, your password is what decrypts that backup link. This means that whoever has both your backup link and your password can restore your wallet on any computer and access your funds.

This makes it clear why your Exodus password needs to be unique. In the first case, if your Exodus password is the same as your email or Facebook password, then whoever knows that password can simply open Exodus and send your money to themselves. And remember: blockchain transactions are irreversible.

The second case is the more important one. The backup link in your email is worthless on its own; only together with the password does it give access to your funds. Unfortunately, online services get hacked all the time, and the login information stored on their servers, such as email addresses and passwords (often weakly protected or not hashed at all), falls into attackers' hands.

Exodus does not store any of your private information, which is why we can't recover your password, so if our servers were to get hacked the hackers would find nothing.

But! If that aforementioned blog is hacked, then your email address and your password for it are compromised, and if that password was the same one you use for your email and for Exodus, then your registration to "Mickey's blog for the daily accounts of his dog's walks" could prove disastrous.

The Chrome password manager conundrum 

To make things worse, if that password was also your Gmail password and you didn't have 2FA enabled, then it's likely that the attackers got hold of many more of your passwords.

Google Chrome has a feature that asks whether you want to save your login credentials for the sites you visit and then fills them in automatically every time after that. It works like a password manager, but it is tied to your Google account: anyone who can sign in to that account can view every password Chrome has saved, in plain text. So if your Gmail account were compromised, the damage would extend far beyond Exodus to all of your accounts.

If your passwords are all different from each other, however, then even if one account is compromised the rest remain safe and so does your wealth in Exodus.


Want to learn more about how to secure your wealth? Have a look at our comprehensive security guide:
https://support.exodus.io/article/767-how-do-i-keep-my-money-safe

Got questions, suggestions or concerns? Don't hesitate to reach out: support@exodus.io