It's time to ask yourself an uncomfortable question: how many of your passwords are so absurdly weak that they might as well provide no security at all? Those of you using "123456," "abc123," or even just "password" might already know it's time to make some changes. And using pets' names, birth dates, your favorite sports teams, or adding a number or capital letter to a weak password isn't going to be enough.

Don’t worry, we're here to help. We’re going to focus on how to use a password manager, software that can help you go from passwords like "111111" to "6WKBTSkQq8Zn4PtAjmz7" without making you want to pull out all your hair. For good measure, we'll talk about how creating fictitious answers to password reset questions (e.g. mother's maiden name) can make you even more resistant to hacking.

Why you can’t just wing it anymore

A password manager helps you create long, complicated passwords for websites and integrates into your browser, automatically filling in your usernames and passwords. Instead of typing a different password into each site you visit, you only have to remember one master password.

Why bother? The algorithms and tools hackers use to crack passwords are becoming ever more sophisticated and powerful, as we explained last year in "Why passwords have never been weaker—and crackers have never been stronger." Even people with no experience cracking passwords can do so with the tools available today. And as Wired's Mat Honan discovered from personal experience, the interconnectedness of online accounts coupled with insecure password reset mechanisms creates gigantic risk. Once a hacker gets into one of your accounts, all of them may be vulnerable.

Too often people reuse a password across even their most important accounts, or use a base word and add a number or symbol for different sites. A weak password can be exposed by so-called "brute-force cracking," in which computers try all possible passwords until the right one is found. “Dictionary attacks” are more common, however. These use lists of millions or even billions of previously cracked passwords. Even worse, there have been numerous examples of vendors practically gift wrapping password information, storing users' passwords in plain text or suffering security breaches that expose cryptographically hashed password data for millions of people.

Even if your password is exposed only in an obscured, "hashed" form, it's vulnerable to hackers converting it back to plain text. This is especially true for weak passwords, although we've seen that even relatively strong passwords can be cracked. If a password you use across many sites is exposed in this way, you could see hackers take over your e-mail, financial accounts, and social networking profiles.

"Passwords are a terrible system. I mean, passwords are awful," said Jeffrey Goldberg, Chief Defender Against the Dark Arts (yes, that's his real title) at AgileBits. His company makes password management software called 1Password.

So why does Goldberg spend his career helping users manage passwords? As bad as passwords are, no one has come up with anything good enough to replace them across the whole Internet. Goldberg hoped for some 15 years that client certificates (digital signatures to identify users and Web services) would do the trick, but the technological and implementation barriers proved too great.

Two-factor authentication systems combining passwords with a second verification method (like one-time security codes sent to your cell phone) are improving matters, but while they've been adopted by the likes of Apple, Google, and Microsoft, you won't find them on every site you care about. PayPal's top security chief is working on a plan to "obliterate passwords from the face of the planet," but that won't realistically happen any time soon.

"People have been trying to replace passwords for a long time, and they all run into the same handful of fundamental problems," such as challenges in setting up a network of trusted third parties (similar to certificate authorities) to sign user credentials, Goldberg said. Thus, the need for passwords and for users to practice good password security "isn't going to disappear over the next few years." Password managers make a terrible system less terrible in Goldberg’s view.

We recently gave three hackers a list of 16,000 hashed passcodes, and they cracked nearly 90 percent of them. To stay in the safe zone, we recommended that passwords contain a "minimum of 11 characters, contain upper- and lower-case letters, numbers, and letters, and aren't part of a pattern." Password managers will help you create truly random passwords that go well beyond 11 characters.

1Password is one of numerous password management systems. Others include LastPass and KeePass. Now, password managers aren't perfect—there is no such thing as perfect online security in 2013—and they aren't necessarily right for everyone. But if used properly, they would undoubtedly improve security for a large population of people using weak passwords. There may be dozens of websites that you have to log into; without a password manager or some other system, creating strong passwords for each one and remembering them would be a nightmare.

"The way our brain works, most of us, you won't be able to remember completely unique passwords for each and every site," Per Thorsheim, a security expert who organizes the annual PasswordsCon conference, told Ars. "We need some logic, we need something to make our brains able to remember those passwords."

Thorsheim is a user of LastPass. He notes that password managers often rely on cloud-based systems to sync logins across devices, introducing a small risk that criminals could target a single point of weakness by hacking into your password service. But the benefits of a system that creates ultra-strong, unique passwords for each site you visit outweigh this risk. And this risk is small. Your data is encrypted on your own computer before being sent to cloud servers and your master password is never stored by any cloud service. "I trust their encryption scheme," Thorsheim said of LastPass. "I also trust in what I see from AgileBits and others."

Making a password manager part of your routine

I bought 1Password for myself several years ago to help me strengthen my security, particularly for banking and other financial accounts. So let’s look at how to use a password manager with 1Password as an example. Note that this is not an endorsement of 1Password over other systems, as we'll talk about how different password managers offer different approaches.

1Password comes in two parts, a desktop application and a browser plugin that automatically fills your passwords into Web forms such as your e-mail, Facebook, or bank site. 1Password stores all of your passwords in an encrypted file, which can only be accessed with a master password. The first step is choosing a master password that's ultra-strong and that you're capable of remembering. Tips on how to choose a master password are coming (on page 3) but for now, let's look at how 1Password and other password managers integrate into your workflow.

Each time you use 1Password, you'll type in your master password to get started:

Within the application, you'll see the list of sites for which you have saved username and password information. You'll also notice categories like "secure notes" and "wallet," the latter of which is a good place to store credit card information.

If you double-click a site name in that list (underneath where it says "144 items by Title") the website will open in your default browser, and your username and password data will be automatically entered.

Pressing the "Edit" button or double-clicking on the right-hand side of the 1Password application will bring you into an individual site's entry. Here you can edit username and password data or create a stronger password.

Next to the password field will be a button labeled "Generate." Clicking this will bring you into 1Password's random password generator:

The generator lets you adjust the rules for creating passwords. You can specify lengths from 1 to 50 characters and specify how many digits or symbols should go into the password. It's a good idea to make your passwords as long as possible, although some sites may limit you to 16 characters or some other amount.

You can even choose "pronounceable" passwords, which will give you something like "eck-vor-ev-ig-vin-jo."

The password creator offers no option for "random numbers of digits and symbols," so if you want each password to have different configurations you'd have to change the amount of digits and symbols each time. Goldberg explained that this small concession was made so that 1Password's browser plugin can more easily create passwords to fit the requirements of various sites (e.g. "password must contain at least two symbols and one number").

"The short answer is yes, we lose something here in strength, but when you do the math on realistic examples it turns out to be a small loss," Goldberg said. "The gain is that it is more likely for a generated password to meet the site's requirements on the first shot. Of course, as the kinds of requirements we see in sites changes over time, we might find that we can modify the Strong Password Generator to ditch the 'exactly N digits' business altogether."
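To see how small the "exactly N digits" loss actually is, here is an added example (not AgileBits' code) that models a generator which places a fixed number of digits and symbols at random positions and compares its entropy with a fully unconstrained generator of the same length. The symbol set and the 20/3/2 parameters are assumptions chosen for illustration.

```python
import math
import secrets
import string

LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?/"   # constructed symbol set, not 1Password's
LETTERS = LOWER + UPPER
FULL_ALPHABET = LETTERS + DIGITS + SYMBOLS


def generate_exact(length, n_digits, n_symbols):
    """Model of an 'exactly N digits, M symbols' generator: draw the digits,
    symbols and letters uniformly with a CSPRNG, then shuffle their positions."""
    if n_digits + n_symbols > length:
        raise ValueError("more digits/symbols requested than positions")
    chars = [secrets.choice(DIGITS) for _ in range(n_digits)]
    chars += [secrets.choice(SYMBOLS) for _ in range(n_symbols)]
    chars += [secrets.choice(LETTERS) for _ in range(length - n_digits - n_symbols)]
    secrets.SystemRandom().shuffle(chars)      # CSPRNG-backed shuffle
    return "".join(chars)


def generate_unconstrained(length):
    """Every position drawn uniformly from the full alphabet, no counts fixed."""
    return "".join(secrets.choice(FULL_ALPHABET) for _ in range(length))


def entropy_unconstrained(length):
    return length * math.log2(len(FULL_ALPHABET))


def entropy_exact(length, n_digits, n_symbols):
    """log2 of how many distinct strings the constrained generator can emit:
    choose the digit positions, then the symbol positions among the rest,
    then the characters themselves (the three character classes are disjoint)."""
    n_letters = length - n_digits - n_symbols
    positions = math.comb(length, n_digits) * math.comb(length - n_digits, n_symbols)
    choices = (len(DIGITS) ** n_digits) * (len(SYMBOLS) ** n_symbols) * (len(LETTERS) ** n_letters)
    return math.log2(positions * choices)


def bits_lost(length, n_digits, n_symbols):
    """Entropy given up by fixing the digit/symbol counts (Goldberg's 'small loss')."""
    return entropy_unconstrained(length) - entropy_exact(length, n_digits, n_symbols)


if __name__ == "__main__":
    pw = generate_exact(20, 3, 2)
    print(pw, sum(c in DIGITS for c in pw), "digits", sum(c in SYMBOLS for c in pw), "symbols")
    print(f"unconstrained: {entropy_unconstrained(20):.1f} bits")
    print(f"exactly 3 digits + 2 symbols: {entropy_exact(20, 3, 2):.1f} bits")
    print(f"lost: {bits_lost(20, 3, 2):.1f} bits")
```

For a 20-character password the fixed counts cost roughly 6 to 7 bits out of about 128, which is the trade Goldberg describes: a few bits of entropy in exchange for a password that satisfies a site's composition rule on the first try.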

(Goldberg discussed some of the more technical decisions AgileBits has made with 1Password in an Ars forum thread last year.)

The above screenshots are from a Mac computer. The Windows version of 1Password looks a bit different, but it operates in a similar manner:

Now, the desktop application isn't the most convenient place to generate and retrieve passwords. That's why 1Password and other password managers come with browser extensions that automatically detect sites on which you might want to save existing passwords or generate new ones.

From the desktop application, click "preferences" and then "browsers" to install the extension in your browser of choice. If you click the extension within the browser, you'll get an interface that’s like a stripped-down version of the desktop one:

If you're using Internet Explorer and don't see the 1Password extension, you may have to make sure the command toolbar is visible.

Like the desktop application, the extension provides a list of websites for which you have accounts:

And a password generator:

When you navigate to a site for which you have a saved login, clicking the browser extension will provide the option of filling the login fields. You can also take this opportunity to generate a stronger password for that site if you haven't already. If you navigate to a site for which you don't have password data saved, 1Password will (most of the time) offer to save it or help generate a new password.

The desktop application does allow you to copy passwords to your computer's clipboard and then manually paste them into a website form (using Control-V on Windows or Command-V on Mac). By default, the password only remains in the clipboard for a short period of time, such as 90 seconds. However, 1Password officials say it's more secure to let the browser extension fill in the data automatically to protect yourself from keylogging malware that reads keystrokes or text from the clipboard. You must always type your master password—do not store it in a file and copy and paste it—but 1Password uses a "secure input mode" to protect your master password from keyloggers by preventing applications from observing your typing. In the event your 1Password data file is stolen, AgileBits uses PBKDF2 key stretching to multiply the time each automated password guess takes, making such guessing programs impractical.
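The following added example (not AgileBits' code; the iteration count, salt size and the simplified "stored derived key" verifier are assumptions) shows what PBKDF2 key stretching does to an attacker who has the data file: every guess at the master password must repeat the same work, so the defender's iteration count multiplies the attacker's cost.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 100_000   # assumed work factor; the article does not state 1Password's
SALT_BYTES = 16
KEY_BYTES = 32


def derive_key(master_password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Stretch the master password with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=KEY_BYTES)


def make_verifier(master_password: str, iterations: int = ITERATIONS) -> dict:
    """Simplified stand-in for a vault header: a random salt, the iteration
    count, and the derived key (a real vault uses the key to encrypt data
    rather than storing it, but the guessing cost is the same)."""
    salt = os.urandom(SALT_BYTES)
    return {"salt": salt, "iterations": iterations,
            "key": derive_key(master_password, salt, iterations)}


def check_master_password(candidate: str, verifier: dict) -> bool:
    """Re-derive with the stored salt/iterations; compare in constant time."""
    key = derive_key(candidate, verifier["salt"], verifier["iterations"])
    return hmac.compare_digest(key, verifier["key"])


def seconds_per_guess(iterations: int, samples: int = 3) -> float:
    """Measure the cost of a single guess on this machine at a work factor."""
    salt = b"\x00" * SALT_BYTES
    start = time.perf_counter()
    for _ in range(samples):
        derive_key("benchmark-only", salt, iterations)
    return (time.perf_counter() - start) / samples


def years_to_exhaust(entropy_bits: float, secs_per_guess: float, parallel: int = 1) -> float:
    """Expected time to search half the keyspace of a master password with the
    given entropy, for an attacker running `parallel` guesses at once."""
    expected_guesses = 2 ** (entropy_bits - 1)
    return expected_guesses * secs_per_guess / parallel / (365 * 24 * 3600)


if __name__ == "__main__":
    v = make_verifier("correct horse battery staple")   # constructed demo password
    print("right:", check_master_password("correct horse battery staple", v))
    print("wrong:", check_master_password("correct horse battery stable", v))
    for iters in (1_000, ITERATIONS):
        t = seconds_per_guess(iters)
        print(f"{iters:>7} iterations: {t:.5f} s/guess, "
              f"40-bit master password ~{years_to_exhaust(40, t, 1000):.2f} years with 1000 parallel guessers")
```

Raising the iteration count slows the legitimate unlock by a few hundred milliseconds once, but slows every one of the attacker's billions of guesses by the same factor; the other lever, the master password's own entropy, is covered on page 3.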

"Given how known keyloggers work, 1Password protects against them," Goldberg said. "This is all a bit of an arms race between password managers and keyloggers. Even though the good guys are ahead today, this is a game that is stacked against us in the long run. I think that the only reason that we remain in the lead is that the keylogger writers are content to keep their keyloggers simple at the cost (to them) of not getting the passwords from people who use well designed password managers."

Whether you use a password manager or not, the existence of keyloggers that can read passwords as you type them is just one more reason to practice good desktop security, using antivirus software and keeping your PC up to date with all the latest security fixes.