The best password is memorable and contains spaces, numbers, uppercase and lowercase letters and,
possibly, special characters. A phrase with the following characteristics is ideal:
- A memorable phrase of at least 32 characters (length is the biggest contributor to strength)
- … which contains several words (every extra word adds strength)
- … which is in the imperative form or is a question (adds a special character: ! or ?)
- … with subordinate clauses (adds commas and other punctuation)
- … with some words mangled to contain numbers or uppercase characters (adds strength).
See the XKCD comic on password strength: a passphrase of several common words is both easier to remember and harder to guess than a short word with letters swapped for symbols.
You need one such passphrase for every place where you have to type it by hand, without access to your
password manager (for example: the iOS passcode, the EFI firmware password and the password manager's
own master password). Every other password should be generated and stored in the password manager;
you never need to remember those, since the program types them for you.
Do not use the password manager to store your backups’ passphrase. That would create a catch-22
situation where your backup contains the keys to unlock the backup itself!
Refresh these memorable passphrases at least once a year.
iOS Security Checklist
- Turn on TouchID and enroll at least two fingers per hand (such as thumbs and index fingers).
- Turn on the passcode, disable “Simple Passcode” and use a long passphrase instead.
- Enable TouchID in all applications that support it such as Dropbox and LastPass.
- Enable “Find my iPhone/iPad”.
OS X Security Checklist
- Set up the EFI firmware password from the recovery environment or a recovery USB drive (it is required to boot from any other volume or into recovery, so it must be one of the memorised passphrases).
- Enable FileVault 2.
- Enable “Find my Mac”.
- Enable “Back to my Mac”.
- Disable the “Guest” account.
- Enable the firewall:
  - Ensure “Block all incoming connections” is checked.
  - Ensure “Automatically allow signed software to receive incoming connections” is checked.
  - Ensure “Enable stealth mode” is checked.
- Disable all options in the “Sharing” panel except for those needed by “Back to my Mac”.
- Ensure Gatekeeper is enabled and set to allow applications from the Mac App Store and identified developers only.
- Do not disable kext signature verification. Ever.
- Enable automatic installation of all application and system updates from the Mac App Store.
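Most of the settings in this checklist can be read back from a Terminal, which makes it easy to re-check a machine after an update or to audit several of them. The script below is an added example, not part of the original page: it is a read-only audit that uses the stock OS X tools (`socketfilterfw`, `fdesetup`, `spctl`, `csrutil`, `firmwarepasswd`, `systemsetup`, `defaults`) and matches on the wording those tools print, which is stated in a comment next to each check; `firmwarepasswd` and `systemsetup` must be run as root. Each `check_*` function takes the command output as its argument and returns 0 when the setting matches the checklist, so the parsing can be exercised with captured output on any machine, while the live audit only runs on OS X. The “Sharing” panel has many services; only Remote Login (SSH) is checked here, as an illustration of how to add more.

```shell
#!/bin/sh
# audit_osx.sh: read-only audit of the OS X checklist settings.
# Added example, not from the original page. The output formats assumed for the
# stock tools are given beside each check; a missing tool, a missing defaults key
# or a permission error produces output that matches none of them and is reported
# as FAIL, so that you go and look at the setting by hand.

FW=/usr/libexec/ApplicationFirewall/socketfilterfw

# socketfilterfw --getglobalstate: "Firewall is enabled. (State = 1)"
check_firewall_on()      { case "$1" in *"Firewall is enabled"*) return 0;; esac; return 1; }
# socketfilterfw --getblockall: "Firewall is set to block all non-essential incoming connections"
check_block_all()        { case "$1" in *"block all non-essential"*) return 0;; esac; return 1; }
# socketfilterfw --getstealthmode: "Stealth mode enabled"
check_stealth()          { case "$1" in *"Stealth mode enabled"*) return 0;; esac; return 1; }
# socketfilterfw --getallowsigned: one line per class of signed software, each ENABLED or DISABLED;
# every class must be ENABLED for the check to pass
check_allow_signed()     { case "$1" in *DISABLED*) return 1;; *ENABLED*) return 0;; esac; return 1; }
# fdesetup status: "FileVault is On."
check_filevault()        { case "$1" in *"FileVault is On"*) return 0;; esac; return 1; }
# spctl --status: "assessments enabled" means Gatekeeper is on
check_gatekeeper()       { case "$1" in *"assessments enabled"*) return 0;; esac; return 1; }
# csrutil status (10.11 and later): "System Integrity Protection status: enabled."
# SIP is what enforces kext signature verification on those releases
check_sip()              { case "$1" in *"status: enabled"*) return 0;; esac; return 1; }
# firmwarepasswd -check (root): "Password Enabled: Yes"
check_firmware_pw()      { case "$1" in *"Password Enabled: Yes"*) return 0;; esac; return 1; }
# systemsetup -getremotelogin (root): "Remote Login: Off"
check_remote_login_off() { case "$1" in *"Remote Login: Off"*) return 0;; esac; return 1; }
# defaults read <domain> <key>: prints "1" or "0" for a boolean; anything else (including the
# "does not exist" error for a key that was never set) fails the check
check_flag_on()          { [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "1" ]; }
check_flag_off()         { [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "0" ]; }

FAILED=0
# report <label> <checker function> <command output>
report() {
    if "$2" "$3"; then printf 'PASS  %s\n' "$1"
    else printf 'FAIL  %s\n' "$1"; FAILED=$((FAILED + 1)); fi
}
# out <command...>: run a command with stderr folded into stdout so errors reach the checker
out() { "$@" 2>&1; }

audit_osx() {
    FAILED=0
    SU=/Library/Preferences/com.apple.SoftwareUpdate
    report "Firewall enabled"                   check_firewall_on      "$(out $FW --getglobalstate)"
    report "Block all incoming connections"     check_block_all        "$(out $FW --getblockall)"
    report "Stealth mode"                       check_stealth          "$(out $FW --getstealthmode)"
    report "Automatically allow signed software" check_allow_signed    "$(out $FW --getallowsigned)"
    report "FileVault 2"                        check_filevault        "$(out fdesetup status)"
    report "Gatekeeper"                         check_gatekeeper       "$(out spctl --status)"
    report "SIP / kext signature verification"  check_sip              "$(out csrutil status)"
    report "EFI firmware password (needs root)" check_firmware_pw      "$(out firmwarepasswd -check)"
    report "Remote Login off (needs root)"      check_remote_login_off "$(out systemsetup -getremotelogin)"
    report "Guest account disabled"             check_flag_off \
        "$(out defaults read /Library/Preferences/com.apple.loginwindow GuestEnabled)"
    report "Check for updates automatically"    check_flag_on "$(out defaults read $SU AutomaticCheckEnabled)"
    report "Download updates automatically"     check_flag_on "$(out defaults read $SU AutomaticDownload)"
    report "Install system/security updates"    check_flag_on "$(out defaults read $SU CriticalUpdateInstall)"
    report "Install App Store app updates"      check_flag_on \
        "$(out defaults read /Library/Preferences/com.apple.commerce AutoUpdate)"
    printf '%d setting(s) need attention\n' "$FAILED"
    [ "$FAILED" -eq 0 ]
}

# Run the live audit only on OS X; elsewhere the check_* functions remain available for testing.
if [ "$(uname 2>/dev/null)" = "Darwin" ]; then audit_osx; fi
```

Run it as `sudo sh audit_osx.sh` so that the firmware-password and Remote Login checks can read their settings; the exit status is 0 only when every line reports PASS, which lets the script sit in a periodic job that alerts on drift. The `“Back to my Mac”` and `“Find my Mac”` items are iCloud account settings rather than local preferences, so they are deliberately not covered.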