How to Create Secure Passwords you’ll never forget
A really long but not complicated password is better than a short complex one.
This is a pretty good password: 3*w#loWQ@
But this one is too: A8-9*iA8-9*iA8-9*iA8-9*iA8-9*i
Not as complex, but a LOT longer, which is a key. Remember that. Repetition can help make a password more secure. The cracker program doesn't know how long it is. It doesn't know it's repetitive. It just has to try scores, thousands, millions or billions of permutations to get it. In other words, someone really has to care.
That longer password may look hard to type or remember, but it's not. It's a repeated "phrase" and your fingers will soon remember it. Sucks when you have to change it every 90 days at work, though, right?
I've written about password "patterns" before. I like the pattern idea. With it, you can simplify "remembering" a password but still get a pretty secure one.
There is another way
Another way is one I thought up while playing flash cards with my kids tonight. Two of them are 4 years old and one is 5 years old, so the words were short (like "am" and "is" and "tag"). Eventually we bored of me flashing them a card and them staring at it, saying "I don't know" then begging me to show them another. We started mixing and matching to make stupid phrases, which they thought were hilarious. And I thought: hey, that would make a good password system.
Say you have to have a LOT of passwords, like I do. I never use the same one everywhere (well, I have a standard "I don't care if someone hacks this account" password for those stupid forum sites that make you log in just to answer someone's question then never ever go back to. I hate them.). But, it's hard to remember them all. Even patterns can get tricky, if you want to keep mixing them up.
So, do flashcards.
Write down ten short words. It would be best if they weren't dictionary words, which are easier to crack on their own (though not when used this way); but since we're going to be making phrases and not just using a single word, it is okay to use dictionary words, too.
Here's an example:
fi$h
b!ke
so@p
boat
tack
5778
k3y
cup
c0@t
fred
Don't use any plurals -- that way you never have to remember "do I use key or keys?"
Now, there are 10 for a reason. We're going to assign each "word" to a single-digit number.
0 - fi$h
1 - b!ke
2 - so@p
3 - boat
4 - tack
5 - 5778
6 - k3y
7 - cup
8 - c0@t
9 - fred
Now, say you have to have a million passwords. You memorize those 10 pseudo words and which number they correspond to. You use them for the rest of your life. You NEVER TELL ANYONE WHAT THEY ARE. Not even Professor Dumbledore. Got it? If you forget them, you'll lose your passwords. All of your passwords. If you tell someone, then it's not secure anymore.
Okay, so now you are free to write them down. Put them somewhere where you can find them again. Don't say "these are my password keys". Just have a place where you can save them. When I say "write them down" I don't mean the words. No, I mean the numbers. Like this:
facebook: 2839
twitter: 8879
Now, if you forget your facebook password (say you just cleared your cookies by accident), you just do this:
2839 = so@pc0@tboatfred
8879 = c0@tc0@tcupfred
Confused? Look at it this way:
2839 = word2 + word8 + word3 + word9
8879 = word8 + word8 + word7 + word9
That's pretty good but a lot of places require special characters (and rightfully so). You might consider a code like this:
facebook: 2839^_
The "^" means "capitalize the first letter in each word" and the "_" means "use spaces" so the facebook password becomes
So@p C0@t Boat Fred
Better. Try
twitter: 8879!x2
Which means "word 8, then word 8, then word 7, then word 9; separate them with a "!" and repeat the whole thing (x2)":
c0@t!c0@t!cup!fred!c0@t!c0@t!cup!fred
A password code of 8879^!x2 becomes
C0@t!C0@t!Cup!Fred!C0@t!C0@t!Cup!Fred
37 characters! And, believe me, your fingers can type it easily. These ten "words" will be with you forever. And ever. So, your fingers will become very familiar with them.
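The code expansion described above, as an added example that is not part of the original post: it takes the ten-word list from this article and a written-down code such as 2839^_ or 8879^!x2 and reproduces the password the post derives by hand. The modifier handling (^ capitalizes each word, _ separates with spaces, any other single character is the separator, and xN repeats the whole phrase N times) is my reading of the post's notation; the function name expand is my own.

```python
import re

# Word list taken from the post, one "word" per digit (the reader would
# substitute their own ten secret words and never store them next to the codes).
WORDS = {
    "0": "fi$h", "1": "b!ke", "2": "so@p", "3": "boat", "4": "tack",
    "5": "5778", "6": "k3y", "7": "cup", "8": "c0@t", "9": "fred",
}


def expand(code, words=WORDS):
    """Turn a flashcard code like '8879^!x2' into the password it stands for.

    Grammar (as used in the post):
      digits        -> one word per digit, in order
      ^             -> capitalize the first character of every word
      _             -> put a space between words
      other char    -> put that character between words (e.g. '!')
      xN            -> repeat the whole phrase N times, joined by the separator
    """
    m = re.match(r"(\d+)(.*)$", code)
    if not m:
        raise ValueError("a code must start with one or more digits")
    digits, mods = m.group(1), m.group(2)

    capitalize = False
    sep = ""
    repeat = 1
    i = 0
    while i < len(mods):
        ch = mods[i]
        if ch == "^":
            capitalize = True
        elif ch == "_":
            sep = " "
        elif ch == "x" and i + 1 < len(mods) and mods[i + 1].isdigit():
            # 'xN': read all following digits as the repeat count
            j = i + 1
            while j < len(mods) and mods[j].isdigit():
                j += 1
            repeat = int(mods[i + 1:j])
            i = j
            continue
        else:
            sep = ch
        i += 1

    parts = [words[d] for d in digits]
    if capitalize:
        parts = [p[0].upper() + p[1:] for p in parts]
    # Repeating the list before joining means the separator also sits
    # between repetitions, matching "c0@t!c0@t!cup!fred!c0@t!..." in the post.
    return sep.join(parts * repeat)


if __name__ == "__main__":
    for code in ("2839", "8879", "2839^_", "8879!x2", "8879^!x2"):
        pw = expand(code)
        print(f"{code:10} -> {pw} ({len(pw)} chars)")
```

Running the block prints the same five passwords the post works out by hand, with 8879^!x2 coming to 37 characters. The point of the design is that the file of codes (facebook: 2839^_, twitter: 8879^!x2) is harmless on its own; what must stay in your head is the WORDS table, so if you ever keep a script like this around, keep the word list out of it.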
BUT WAIT: Some of these passwords have actual words, like Cup, and sometimes they are repeated!!!
Alas, you are right. But that doesn't make it easier to crack. The problem with using "dictionary words" is that if you use just the dictionary word, and not a combination of them, then a cracker program just goes through the dictionary until it matches yours. You might want to read this post about how people figure out your password. You don't want to "base" your password on a dictionary word either (Coat12, etc). But look, an easy-to-remember (or write-downable) 16-character password is more secure than what you are using now.
Think of it this way: we have 26 letters in the alphabet, but there are many billions of combinations of those characters. A hacker doesn't know what words are used. They could run through the whole dictionary and none would match because your password isn't a dictionary word, and it's not even based on one.
Oh, if you are wondering, if you used all ten words in every password, you'd have 1,000,000,000 (one billion) possible combinations.
If you use 4 or 5, there are 9,999 or 99,999 possibilities, respectively.
Plus, if you didn't tell anyone, even Professor Dumbledore, then NO ONE KNOWS THE WORDS YOU USE. They don't even have to be words. Use numbers that are important to you (it's okay, use important things, because it's not the ENTIRE password, just a part of it, and you can actually remember it). I remember the name of the street I lived on when I was 6. 621 Oak. There you go. Those could be my first two words.
0 - 621
1 - oak
...
Isn't using words and things important to you insecure?!?
Yes! Absolutely, but you are mixing them up. The problem a lot of people have is that they use their own birthday, and just their birthday, as their password. If I designed a brute-force cracking program, I'd do this:
- Find out everything I can about the person (name, birthday, pet's name, maiden name, kids, spouses, etc)
- Feed it to my program
- Design the program to try the things I know individually: names (Brett, Johnny, Spot), dates (birthday 1/1/65), addresses (621 Oak), then in as many combinations as I can
  - 1165
  - johnny
  - Johnny1165
  - joHnnY1165
- If I still fail, I move on to trying words from the dictionary
  - Computer
  - Dollar
  - Fish
- Then I use dictionary words with numbers, important names, dates
  - Computer1165
  - JohnnyApple1165
  - Dollar1165Johnny
The lesson: don't use a lot of things that are guessable (dog's name, street you live on, birthdays).
The other lesson: Compromise. If you aren't going to remember Word #5, you better come up with something easy for you to remember. This system is better than
- Using the same password everywhere
- Using easy-to-guess passwords
- Writing down your passwords
Conclusion
We live in an age where having strong passwords is important. You need a system or you might just use the same password everywhere. And/or you might use a lame one, like kitten12, because you have a cat and you got her in December. Those are recipes for easy hacking. To make strong, easy-to-remember passwords, utilize my two systems:
- Password pattern system
  - When you have to use it a lot -- i.e., sites where you must re-enter your password frequently
  - When the password isn't required to change very often
- Flashcard 10-word system
  - When you need to change the password a lot and may resort to writing it down to remember it. Now you can write it down safely
A password system like this isn't as good as some 128 RSA encryption, but for your day-to-day life, it will be a lot (!) better than what you have. And, you can store the corresponding codes nearly anywhere because they don't make sense without your 10-word list. Ladies & Gentlemen: The Flashcard Password System.
