How to Create a Secure Password You Can Actually Remember

We’ve had a lot of Internet security scares in the past few months. From the massive PlayStation Network security compromise to the Gawker Media hack attack, it seems that we’re rushing to change our passwords every two weeks. And now, this month brings us a LastPass security notification that warned that a potential breach might have occurred. While the announcement was mostly precautionary, it highlights a disturbing reality for web security—your password is never safe, even with a renowned and highly acclaimed password vault service.

In tech security circles, experts always refrain from saying any system is 100% secure—because nothing is. If your data exists in digital form somewhere out there, then it can potentially be compromised. The chances may be slim, but as we’ve seen from the last few episodes, even highly respected stewards of personal data are vulnerable (perhaps because of their prominence rather than in spite of it; they are bigger targets).

There is one last place where your passwords can be secure, however: in your noodle. While a determined brute force attack can crack a simple password in a matter of minutes, and a rogue employee can compromise gigabytes of sensitive information within seconds, the only way to get the secrets from inside your head is through waterboarding or mind reading. But how do you create a password that is easy for you to remember but impossible for a hacker to guess?

In spite of what the websites of financial institutions think, it’s not a matter of basing your security questions on obscure personal facts from your childhood. Anyone who grew up in my small town of 6,000 is going to be able to guess my high school mascot, the name of my childhood best friend, and my mother’s maiden name with ease.

Steve wrote a simple How-To for coming up with a secure password; however, if you still need a method to generate a memorable, unique password — here it is:

Personal Rule-based Passwords

When a computer program encrypts data, it does so using an encryption key. Without this encryption key, you can’t unscramble the data into something meaningful. Creating a password that’s easy for you to remember but hard for others to guess uses a similar concept. What you need to do is create your own personal “encryption key.” That is, a set of rules that only you know that will help you figure out what your password is.

Step 1

Create one or two nonsense words. This will be the core of your password. Think like Dr. Seuss here, and come up with a nonsense word that you never utter in real life. For example:

  • zyppyPop
  • Pacheenenock
  • halPenpulpum
  • RiggerRonut

Go ahead and Google your nonsense word in an Incognito Window (so it doesn’t get saved in your search history) to confirm that it’s not actually a foreign word or something. For the rest of this example, let’s use “zyppypop” as our nonsense word.

Step 2

Create a capitalization rule. Most sites now require you to have one or two capital letters anyway. Making the first letter capital is too obvious, so make a site-specific rule instead. For example, you could simply count the number of letters in the URL and then make that letter in your nonsense word capital.

For instance, Mint.com has four letters in it. So you’d capitalize the fourth letter in our nonsense word and get zypPypop.

Now, what makes this password more secure is that the capitalization will be different for each site since it’s based on a personal rule. The nonsense word for Gmail.com would be the fifth letter: zyppYpop.

See how that works?

Of course, you might not want to use the rule I just described here. Maybe add or subtract an arbitrary number for your rule to change things up.

Step 3

Add a special character. Acceptable characters typically include:

! " # $ % & ' ( ) * + , - . / : < = > ? @ [ ] ^ _ ` { | } ~

You can use whatever rule you want here. To change it up, you might want to have one special character for one situation and another for another situation. Where you place it is up to you; just make sure it’s memorable and not predictable (e.g., an exclamation point at the end of the password). For example, you might want to place it in the middle of your nonsense word by your capital letter: zyppYp!op

Step 4

Add a numeral. Make it at least two numbers since some sites require two. You can base this off a rule or pick something arbitrary. Just don’t make it 69 or 420 or the year you were born or graduated.

Example: zyppYp!op03

Or better yet, shove it somewhere in the middle: zyppYp!03op

Step 5

Add additional rules you can think of. I think anyone would be hard-pressed to figure out your nonsense word, your capitalization rule, and your special character rule. But even so, you should invent one more rule that has nothing to do with anything I’ve talked about here. Be creative, but make sure you can remember how to rebuild your password when you get to a site.
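The following is an added worked example, not code from the original post. It encodes Steps 2 to 4 as concrete rules chosen as assumptions that reproduce the post's own results: the capital letter sits at the position given by the letter count of the site's domain label, the special character goes immediately after that capital, and the two-digit numeral immediately after the special character. That matches the Facebook, Aol and Twitter results in the list below; the post's own Gmail example places the special character one letter later, so the code gives zyppY!03pop for Gmail instead.

```python
"""Rule-based password derivation (Steps 2-4 of the post).

Added example code; the exact rules are assumptions matching the post's
Mint/Gmail capitalization and the Facebook/Aol/Twitter final passwords.
"""
from urllib.parse import urlparse


def site_label(site: str) -> str:
    """Return the domain label the rule counts: 'https://www.mint.com/x' -> 'mint'."""
    host = urlparse(site if "://" in site else f"//{site}").hostname or ""
    labels = [p for p in host.split(".") if p]
    if not labels:
        raise ValueError(f"no domain label in {site!r}")
    # Assumption: ignore a leading 'www' so www.mint.com and mint.com agree.
    if labels[0] == "www" and len(labels) > 1:
        labels = labels[1:]
    return labels[0]


def capitalize_rule(word: str, site: str) -> str:
    """Step 2: capitalize the Nth letter, N = number of letters in the site label."""
    n = sum(ch.isalpha() for ch in site_label(site))
    # Assumption: wrap around when the label is longer than the nonsense word.
    idx = (n - 1) % len(word)
    return word[:idx] + word[idx].upper() + word[idx + 1:]


def derive_password(word: str, site: str, special: str = "!", digits: str = "03") -> str:
    """Steps 2-4: capital letter, then special character, then two-digit numeral."""
    if not word.isalpha() or word != word.lower():
        raise ValueError("nonsense word should be lowercase letters only")
    if len(digits) < 2 or not digits.isdigit():
        raise ValueError("Step 4 asks for at least two digits")
    capped = capitalize_rule(word, site)
    idx = next(i for i, ch in enumerate(capped) if ch.isupper())
    # Insert the special character right after the capital, the digits right after it.
    return capped[: idx + 1] + special + digits + capped[idx + 1:]


if __name__ == "__main__":
    for s in ("Mint.com", "Gmail.com", "Facebook.com", "Aol.com", "Twitter.com"):
        print(f"{s:13} {capitalize_rule('zyppypop', s):10} {derive_password('zyppypop', s)}")
```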

Results: A Memorable, Unique Password for Each Website

I won’t say that this is 100% secure, but the benefits of this password-creation method are fourfold:

  • You can remember it. No need to write down your passwords or save them on a local or server-based hard drive. If you need help remembering your rules for the first few days, write them down on an index card and stuff it in your wallet. Shred it once you have it figured out.
  • You’ll have a unique password for every website. Well, it’s only unique to a piece of hacking software—it’ll all be the same to you. This stops people from guessing your Gmail password and then using it to log in to your bank account, your online poker account, and your Etsy store. E.g.:
    • Gmail.com: zyppYp!03op
    • Facebook.com: zyppypoP!03
    • Aol.com: zyP!03pypop
    • Twitter.com: zyppypO!03p
  • Your passwords will have uppercase and lowercase letters, numerals, and special characters in them. This is a minimum requirement for most secure websites.
  • The password is easy to change. Say you could keep the nonsense word but change the numeral or special character. Or you could keep all your other personal rules and change the nonsense word.

If you have any other ideas for creating secure, memorable passwords, please share them in the comments below.

[Key Flickr image used under Creative Commons license. Credit: jakeliefer]

16 Comments

  1. Dyanne@TravelnLass

    May 10, 2011 at 10:04 am

    Wow – a unique (yet memorable) password for EACH SITE – utterly BRILLIANT!

  2. Bill Minton

    May 10, 2011 at 10:22 am

    So, what do you do when you have to change it for a given site? How do you remember that siteA now uses version 2.0 of your scheme, and siteB uses version 3.0, but all others still use version 1.0?

    • groovinJackman

      May 10, 2011 at 10:32 am

      I admit that that is sometimes a challenge. What I’ve done is either

      A) Change all my passwords at once
      B) Lengthen my passwords incrementally and then, for my password hint, have it something like “Short password” or “Long password”

      Occasionally, yes, I do end up locking myself out. But then I just change it to the latest “version” of my password after that.

      …and I also seem to have a pretty good memory, I guess. I have some sites that have completely off the wall and unrelated passwords and I always seem to keep them straight…

      • Bill Minton

        May 10, 2011 at 12:28 pm

        That might be manageable on a small number of sites, but I have logins & unique passwords at over 400 sites. There’d just be no feasible way of simply going through and changing the passwords on all of them when one got compromised and I had to go to version 2.

        • groovinJackman

          May 10, 2011 at 1:02 pm

          Wow! That’s a lot of login credentials. In that case, yes, you are 100% right–this method WON’T work for hundreds of sites. I guess now I know who password managers were meant for ;-)

    • Dyanne@TravelnLass

      May 10, 2011 at 11:30 am

      Good question Bill. But I must say, personally I’ve never yet run into a case where I “have to change it for a given site”.

      In any event, I can’t imagine that a site would what – REQUIRE that you change your password? – frequently. So at best you might have to try 2-3 different versions of that site’s pw to get in. e.g. as gJ says – simply “lengthen the passwords incrementally” (perhaps maintain a personal “rule” that you’ll add an extra numeral or some such if required), and thus you only need try 2 or 3 versions to get in, no?

      • Bill Minton

        May 10, 2011 at 12:35 pm

        It’s actually been required on a decent number of sites recently due to security issues. All of the Gawker sites (many very popular) just had an issue that required users to change their passwords. Amazon had an issue in the not too distant past that made some user passwords easy to crack. There was another popular recent one (not LastPass) that also necessitated a PW change, but I can’t remember now which site or set of sites it was.

        In any case, it happens, and while the idea is great for a few sites, it doesn’t hold up when there are tens, much less hundreds of sites, and you begin having to change a few here or there.

  3. brian

    May 10, 2011 at 11:25 am

    A great way to come up with your nonsense word is to think of a line from a song you like and use the first letter of each word in that line to make your nonsense word. Example: “Your lipstick stain on the front lobe of my left side brain” = ylsotflomlsb

  4. SueJ

    May 10, 2011 at 11:56 am

    Many thanks for this post. Compulsory reading for my team at work tomorrow, who roll their eyes when I encourage them to choose more secure passwords;)

  5. grooveDexter

    May 10, 2011 at 1:56 pm

    I also like to use pass “phrases,” which are great if the site will allow longer passwords; and especially if it will also allow spaces. (Google allows both of these) It makes the password easy to remember but also hard to crack.

    A few examples:
    “my Dog is named Spot”
    “iH34rtR0cknR011”
    “b04n2b3WILD”

    You can also use site-specific phrases so that it is different for every site. But still incredibly easy to remember:
    “this 1$ my gMAIL PW”
    “this1$my$kypePW”
    “this1$myTWTRpw”

    • AlexMVP

      May 10, 2011 at 4:32 pm

      I also use a pass phrase however honestly, if a site accepts a long password with spaces, that’s good enough. No need to get all fancy with the phrase.

      Remember, a pass phrase like “gmail my phone is black” is good enough. It’s not a dictionary word so brute-force is out and it’s site specific so it’s easy to remember.

      Each year or so I come up with a new phrase and change things around the net on my accounts using Excel with a LONG pass phrase as my book of record just in case I hit my head and forget where I am. ;)

  6. SueJ

    May 13, 2011 at 1:43 am

    Many great tips here! We had a lot of fun at work coming up with new passwords. My gang were very creative with song titles, catch phrases and special characters!;)

    • groovinJackman

      May 13, 2011 at 7:11 am

      Great! Glad you found the article useful.

  7. VOXPOP

    June 5, 2011 at 11:23 am

    TOO DAMN COMPLICATED! I prefer using the first or 2nd letters of a phrase and doctoring that with symbols etc.

  8. voxpop

    July 28, 2011 at 11:28 am

    you gotta be kidding!

  9. Dianne El

    November 16, 2011 at 1:26 pm

    Great idea. I have a hard time remembering all my passwords. At age 70 I am lucky to remember my own name! This is a great idea. Thanks.