How To Create a Strong Password you can Remember
Follow our simple guide to easily create an easy to remember yet secure Password.
As more and more of our lives move online, the need to maintain secure online profiles is critical. Creating a password isn’t good enough, it needs to be a strong password. A common misconception, however, is many think a strong password is hard to remember. Not true and, I have some good news for you. Today I’ll review how to create an easy to remember, yet rock-solid password.
How to Create a Strong, Secure Password
- Use a passphrase.
- The great thing about a passphrase is it’s long, it’s not a dictionary word and in some cases, it’s easy to include special characters which are tough to guess for both a human and a computer trying to compromise your password via Brute Force. For example, a previous password I’ve used recently was: my Laptop is black and ugly! – Wow, a 28 character password that’s easy to remember (I just look at my laptop) and nearly impossible to guess or hack (unless you look at my laptop). Some services out there like Twitter don’t allow spaces in passwords so you might need to adjust it from time to time. I also recommend adding a numeric character if you’re particularly paranoid and don’t normally use two-factor authentication for your online accounts.
- Use a password management tool
- There are two Password managers we suggest here at groovyPost. LastPass and 1Password. Both are fantastic, modern tools that not only will they help you create long and strong passwords, but also store them securely online so you can access your passwords securely across all your devices.
- Regarding which one is best, I use 1Password at home and LastPass at work. So, both are great. If you have a family, however, I do like the 1Password Family plan. It’s easy to use and it just works on all my family’s devices.
- A secure password is a unique password.
- As tempting as it might be, never ever use the same password on multiple websites. Sharing passwords between sites is like playing Russian Roulette. All it takes is one website hack to ruin your day, especially if that password is used across all your online accounts. Add a layer of security to your online footprint by using unique passwords on every website. This is another reason why I use a password manager. Each password is unique and 1Password warns me if I accidentally re-use a password on more than one site.
- Don’t use dictionary words.
- Yeah I know, your kids are cute, but their names make horrible passwords as do months of the year, movie titles, and cute furry pets. Dictionary words are easy to guess, and they’re about a million apps out there that specialize in attacking accounts using dictionary words in all known languages. The only exception to this rule is using dictionary words in a passphrase as mentioned above.
- Like most valuables possessions in life, passwords need maintenance.
- In other words, if you’ve been using the same password for a while, change it. Again, using a passphrase, you shouldn’t have a problem coming up with a simple, unique phrase you can easily remember. If you don’t know how to change some of your account passwords, no worries. Here are a few of our most popular guides for changing your Amazon, Facebook, and Twitter passwords.
- Contrary to popular belief, passwords written on a yellow sticky, hidden under a keyboard do not make it secure. So, don’t do that! In almost all cases, if the worst happens and you forget your password, you can almost always reset it using your email address.
When it comes to online security, multiple layers are required. One of the most important layers is two-factor authentication. It’s a bit more complex, however, as always, we have step-by-step guides to walk you through the procedure. Do you know someone who uses really bad passwords online? Do them a favor and share these tips with them today!
Great tip. I spent half the day moving to a pass phrase and altering it a tad for each site using a technique I can’t tell you about. :)
Thanks for the tip. I’d never thought about a phrase before. Very groovy.
Thanks for the feedback @Jim!
Glad to hear you liked the Pass Phrase Tip. I’ve been using that trick for years starting about 8-10 years ago when I first discovered spaces are allowed for Windows Active Directory accounts. Our corporate IT guys made us change our password every 45 days and we couldn’t re-use old passwords. The Pass Phrase worked like a charm and several times they made me smile being… no, I won’t tell you what they were but I’ll bet you can figure it out.
Somebody recommended modifying the name of the website as the password. So on Facebook the password could be myfacebook. What do you think?
Neither your system nor the one I mentioned above works in many cases where numerals are also required.
humm, slightly modifying the website name sounds like it might make it easy to guess. But I think it is good to include a concept from the site into your pass phrase (i.e. “myRambling” instead of “myfacebook”)
Here are some tips I would recommend in addition to the ideas Steve offered.
1) Exchange strategic numbers for specific letters within your phrase. i.e. O=0, l or i = 1, E = 3, etc. So “the tall wall” could become “th3 ta11 wa11” – that gets around the required numbers problem and, if you are consistent, is just as easy to remember.
2) Exchange a punctuation mark like _ or , or . for all spaces – “th3,ta11,wa11”
3) I’m new here so I don’t want to look like I’m a plant for a password storage app, but these can be *really* helpful. I love the one that positions itself as “the last password you will ever need”.
4) If you don’t use a password manager, then Steve’s rule 1 (about each one being unique) should be tempered (IMHO) a little bit for sanity. For non-financial passwords, I would group them into categories. So, if you have two or three email accounts, you might be able to get away with using the same password for each. But here you have to evaluate risk vs. convenience.
Using password managers is a bad idea. If that database becomes corrupted (which has happened to me with the most widely used password manager), you are SOL unless you keep (or the password manager can export) a user-readable copy — they are usually encrypted so you can’t read your passwords when the inevitable happens.
BTW, the lookalike number/letter substitution is obvious and always explored as part of dictionary word password breaking.
True- However, my PW Database is backed up w/Crashplan. It watches my files and backs them up each time there is a change. With Unlimited revisions, I don’t worry about it.
So worst case, I restore a previous version of my PW Database w/Crashplan.
The same goes for Ransomware… If my box is ever owned from a Ransomware standpoint, oh well. Wipe the box and restore from Crashplan. It’s not free but, it’s cheap insurance at $60 a year. It’s the one product I tell ALL my readers to buy no matter the platform (Windows/Mac).
This is a good idea and i use it
so if i was to use this website my password would be
facebook would be
and unless you know my login name too you won’t guess it or get in.
quite usefull actually. Thanks…
Thanks for the feedback Alex!
I used a different method to select my password, I start from a sentence like, “The winter is coming but I am ready !” I just take the first letter of each word: Twicbiar!
That fix the problem of the maximum 8 characters password.
What do you think?
HI Pter – That’s also a great method. It works very well and it’s not a dictionary word so good luck on anyone guessing it. Plus since you used a pass phrase, it should be easy to remember also.
You said NOT to use dictionary words but “my laptop is black and ugly” is 6 words, all of which are found in the dictionary.
I don’t get it.
Perhaps this is more clear. Do not use a password that can be found in a dictionary. So, “laptop” is not a good password. But the phrase “my laptop is black and ugly” cannot be looked up (as a phrase) in any standard dictionary.
Still, to be safe, phrases should contain at least 4 words unless you choose to slightly mangle the words in a personally memorable way (as was suggested above). i.e. “th3,ta11,wa11”
Is it a good idea to use different passwords for different sites?
Oh yes. Very much so. You should never use the same password on multiple websites even if you come up with a really secure password.
The main reason for this is because websites get broken into all the time at no fault of you, the end users. Perhaps it’s an inside job where a system admin goes rogue or perhaps the website has a bug in it and the attacker can break in.
Either way, if they get into the website, your passwords is normally stored in a database. So if the attacker gets into that database they now have your password.
Not good…. however this could be REALLY bad if that same password is used on all your accounts over the internet. And REALLY REALLY bad if they now have your email or paypal account….
I perhaps should have elaborated a bit about how hackers go about cracking passwords. Here’s how it works:
One method hackers users for breaking into accounts is they take an application make for testing passwords and point it at a list of dictionary words in several languages. The application then crawls applications and websites trying common usernames in combination with that list of dictionary words.
Now the way it work is it tries individual dictionary words, not combinations of them IE: phrases. The reason they don’t go after pass phrases is because there are just way way too many combinations of words to put together. I would say impossible and to try them all it would take way way too long.
So that’s why if you use a Pass Phrase, you will be 99.999% safer than a person who users a single word like laptop or december or becky or any other name which you can find in a common dictionary.
Makes sense thankyou
Sorry if that’s confusing. You see — using the password “Laptop” would be bad. This is a dictionary word. However, the passphrase “my laptop is black and ugly” is NOT a dictionary word.
Sure, it’s made up of dictionary words, however, together they are not a dictionary word and neither a hacker or an automated brute force password application would be able to break it. Why? Because the number or possibilities endless when you stack dictionary words together into a phrase.
Now, there are exceptions to every rule. In other words, I would not use a passphrase like “I love my kids” or, “I love my dog”. That’s not random enough and there is a possibility… it could be guessed by a human or application given enough attempts.
My husband used the last four numbers of his army id to protect his log-in screen. And had the visible onscreen tip as “last 4”.
Why password protect from your wife of 23 years? Hmmm. I wonder why ….
I checked. And changed it to “I am a cheat and a liar”. He’ll never figure that one out, but he doesn’t live here anymore.
You say above that you think it is a good idea to use different passwords for different sites – do you have any suggestions for how to remember loads of different passwords?
My advice would be:
Use a passphrase that you can take the specific service onto.
“this is my gmail account password”
“this is my yahoo account password”
“this is my bing account password
“this is my password i use for crap i dont care about”
Are all very secure and nobody would be able to guess them unless you use the same username on every site (or somebody very close to you figures them out).
You could also change up the order though:
“this is my password for gmail austin”
“this is my password for bingo smingo”
“this is my password for wahoo yahoo”
“this is my password i use for crap i dont care about”
Just keep it simple, LONG, and easy to remember, then you should be good.
Your suggestion has (though to a lesser degree) the same issue as using the exact same password at multiple accounts.
For example, if a hacker (or rogue admin) finds out that your passphrase at, say, Bing is “this is my Bing password”, they could then try that same passphrase at other sites, replacing “Bing” with the name of each site.
Take a phrase that you will always remember
Have a standard insert of at least 1 numeric and 1 punctuation character
then you can write down the clue as to the password
start at character number ‘s’
the selecting every ‘n’th character
create a string of m characters
Put the block in after the x’th character
Now – without knowing the phrase it will very very difficult to work out the password from the 4 numbers
So – you can (with reasonably safely) write down the numbers the 4
s n m x
as the password generated is based on 2 strings of characters you will have a great deal of certainty remembering, yo should never need to write them down.
You can take that concept and modify it for your use- Maybe
Use one of the numbers to indicate which in the generated string should be a capital
Use one of the numbers to indicate which in the generated string should be a number –
count through the alphabet, move up the keyboard, whatever –
Position your block as a single set – or merge it in, or use it as part of the string from which you select characters
Once you have the basic process – then modifying it by applying whatever process you can remember to always use will make things easy
And – making easy to remember, and enter, but not easily guessed or worked out is the major consideration
The frequent recommendation from ‘Consultant’s that passwords should be random strings should (in my opinion) get that consultant, and those employing them blacklisted. add to that the frequent requirement that passwords be changed every month is one of the surest ways to get passwords written down with a clear indication as to what they give access to.
Imagine = having, say 20 facilities that need passwords
12 character long pass codes for each – changed monthly
That’s 2880 characters to remember throughout the year, and having to log into each facility each month – even if there is no need to
A hackers dream – every month a system will be accessing 20 secure sites – so just lay in wait with a store and forward facility
store and forward – what you type or select gets passed on to the site and then their response gets displayed on the screen for you to see and respond to.
So – your transaction with the bank happens OK, but was monitored, and how many sessions need monitoring until enough of the access key is known for a try at accessing the facility is likely to succeed.
Great tip and completly understandable. I’m going to use it from now on.
Awesome! I’m glad you enjoyed it. Feel free to spread the love by submitting to your favorite social media site.
The more security ppl out there the better we all are!
I used a variation of that scheme since about 2002:
Steeler beat Browns 27 16 yields password:
I think with a cap, an underscore and a number or or four it’s nearly impossible to crack (well maybe you can crack it — with something on the order of a liquid cooled supercomputer running for 96 hours straight!)
Awesome system. A good example of building a system that works for you! Easy to remember yet powerful.
what can you do if you forget your password? How will I be able to unlock it? Thanks
In most cases, applications and websites have a “I forgot my password” feature. The way it works is a reset password will be emailed to you. You click that link and the app will walk you through resetting your password.
Now, if you forget your password to your email account, most services like Gmail and Outlook.com will ask you additional questions to confirm your identity.
My preferred method is to use a password 2 million characters in length (with no repeating characters), use caps, numbers, special characters and super-enciphered dictionary words.
Meanwhile back on planet Earth, how on earth are people meant to remember multiple passwords? Course they can’t. You could use a password manager, but 99.9% of the sites I use don’t require a unique password, because I’m not bothered if they get hacked or not. I use the same password for all these sites. The only exceptions are online banking and web mail, where I do use different (non-dictionary) passwords.
Another similar technique to a passphrase is to use half a dozen or so random words (can be dictionary words or made-up ones, doesn’t matter), for example:
TANDOORI PUPPY UNICORN GRAPEFRUIT BROTH DREGS UNCTUOSITY
Unless the alphabet agencies have quantum computers we know nothing about, a random chain of dictionary words will keep their supercomputers busy for at least a week or two I reckon.
Like you, I have about a hundred or more accounts online. It’s such an important piece of my life that I’ve invested in an application to help me both create and store my passwords. I highly recommend 1Password for all my groovyPost readers. Buy it for your iPhone, Mac or Windows and you can use the software on all devices.
This is not all that helpful with the sites that have bad limits on passwords–e.g., no more than 8 characters, or no special characters allowed. 8-letter abbreviations for phrases is almost the only option is such cases.
Well sure. You can’t lock a door if the door has no lock on it. In that case…. What do you suggest?
Great info. As one that tries to vary passwords, but has been leery of using password managers, the suggestions posted, I will try to remember when I need to change a password. One of the most ridiculous passwords I’ve read about folks using is “password”. Duh!
Yes… Password or just as bad, P@$$W0RD….
PPL think it’s creative and secure. It’s not secure. :)
Passwords generated by password managers can be made stronger by adding another word known only by you after the password. You download your password from your password manager, then enter that extra word… even if your password manager gets breached/hacked/whatever you are protected because the passwords stored (however strong) are incomplete, need that extra word to be complete. Choose any word that you will remember that must be added to the downloaded password… it will be very difficult, if not impossible, for any person(s),group(s), computer(s), whatever to crack that password.
Excellent idea Leo. Honestly, that’s new to me and I really like it!
Thanks Steve. It’s very simple but effective. Even the password manager cannot know that last word added, neither can their rogue employee! And the word added can be different for different sites, just so long as you remember which word is for which site. You can even use foreign words!
Yeah – it’s a great tip. I’ve been doing this a long time and never thought of it (or heard anyone mention it)… Love it! I’ll have to add that to the article.
Lucky for me, I have used BlackBerry devices for the last 8 years and I have never worried about passwords because all BlackBerry devices come with a password keeper which can create and store passwords for you, it makes up impenetrable passwords. And the app is also password and encryption protected. I have been security conscious for a number of years. I use two emails the Gmail fir everything and Protonmail for important stuff because of no “IP logs policy”…[ProtonMail’s] security measures are intense: end-to-end encryption and user authentication protocols so rigorous even the creators can’t read user emails.
Very useful article, thank you for sharing these great tips with us! I have to admit that I never thought of using a passphrase, but I will definitely do it now.
My kids figure out my passwords same mind set I also figure out their passwords we live in the same system ha ha
Two-factor authentication is no longer considered secure.
A search on google.co.uk for
“two-factor authentication” insecure
produces 82,600 results.
Just one hit:
Or rather I should specify: two-factor authentication by *SMS* is (potentially) insecure.
Other two-factor authentication methods may still be secure.
Of course, keystroke logging, phishing and social engineering will undermine any password, however complex.
Pasted below is section A3 from https://pages.nist.gov/800-63-3/sp800-63b.html#appA
As noted above, composition rules are commonly used in an attempt to decrease the guessability of user-chosen passwords. Research has shown, however, that users respond in very predictable ways to the requirements imposed by composition rules. For example, a user that might have chosen “password” as their password would be relatively likely to choose “Password1” if required to include an uppercase letter and a number, or “Password1!” if a symbol is also required.
Users also express frustration when attempts to create complex passwords are rejected by online services. Many services reject passwords with spaces and various special characters. In some cases the special characters that are not accepted might be an effort to avoid attacks like SQL Injection that depend on those characters. But a properly hashed password would not be sent intact to a database in any case, so such precautions are unnecessary. Users should also be able to include space characters to allow the use of phrases. Spaces themselves, however, add little to the complexity of passwords and may introduce usability issues (e.g., the undetected use of two spaces rather than one), so it may be beneficial to remove spaces in typed passwords prior to verification.
Users’ password choices are very predictable, so attackers are likely to guess passwords that have been successful in the past. These include dictionary words and passwords from previous breaches, such as the “Password1!” example above. For this reason, it is recommended that passwords chosen by users be compared against a “black list” of unacceptable passwords. This list should include passwords from previous breach corpuses, dictionary words, and specific words (such as the name of the service itself) that users are likely to choose. Since user choice of passwords will also be governed by a minimum length requirement, this dictionary need only include entries meeting that requirement.”
Wow, Something very useful. I got my gmail account twice hacked because of low strength password. I will use your tips now.
Hi John – Thnx for the note. I’m glad you liked the article.
You should take a look at Two Factor Auth (2FA) – https://www.groovypost.com/unplugged/two-factor-authentication-guide-secure-online-accounts/. In 2017, if you don’t have 2FA setup on all your accounts… it’s only a matter of time before your accounts will get hacked again.
Granted 2FA is not perfect but, it does add a VERY strong layer of security between your data and the internet.
If a password contains dictionary words, then brute force can be used to guess it eventually correctly. I could write a program easy enough to try millions of passes until I finally get in. But I thought the stop to that is to only allow only up to 3 tries of password guesses. Do all password entries enable you to try millions of combinations of tries? I’ve seen examples that if you enter a wrong password three times in a row, your account is closed for a certain amount of time like 12 or 24 hours. Allowing only a fixed amount of tries I thought was the greatest defense against using brute force, yet even after scanning the article I never came across this feature.
I mean for the average user the strongest password is something around 6 characters and about quite a good percentage of the time it will have a 123 or 456 in there. These are common in wordlist you can find with a simple Google search and cracking them by plugging it into something like John the Ripper or Hashcat!
Just take that word or saying and use the key to the left, ( e.g. B + V, any vowel becomes a number. Suprising how easy you can come up with your own system to produce a “gobblydook” password.
e.g., “thisismypassword” becomes “rguauanto1aaqies”.
If a password is alphanumeric it is easy to crack by a hacking team, Upper/lower case/numbers/symbols/periods/commas used for passwords are difficult to crack for a maximum of ten.
None are easy to remember so put them in a small note book at home, plus, put them in an iWallet on a ‘smart telephone’.
A password checker may advise that a password would take a million years to crack, but hacker groups could have a million members, all connected around the world chops that idea to pieces.
Two step authentication is a quicker and more simple method that long, alphanumeric passwords, and forget password managers if the computer fails to start, also with passwords on the ‘phone one’s favourite sites can be accessed from another computer, in a Library or Internet Cafe for instance.
I had a password manager but I forgot the main password to get into it !!!!
Which password manager? Depending on the one you used, you should have a way to unlock it and get back in.