In tech security circles, experts always refrain from saying any system is 100% secure—because nothing is. If your data exists in digital form somewhere out there, then it can potentially be compromised. The chances may be slim, but as we’ve seen from the last few episodes, even highly respected stewards of personal data are vulnerable (perhaps because of their prominence, rather than in spite of it; they are bigger targets). There is one last place where your passwords can be secure, however: in your noodle. While a determined brute force attack can crack a simple password in a matter of minutes and a rogue employee can compromise gigabytes of sensitive information within seconds, the only way to get the secrets from inside your head is through waterboarding or mind reading. But how do you create a password that is easy for you to remember, but impossible for a hacker to guess? In spite of what the websites of financial institutions think, it’s not a matter of basing your security questions on obscure personal facts from your childhood. Anyone who grew up in my small town of 6,000 is going to be able to guess my high school mascot, the name of my childhood best friend and my mother’s maiden name with ease. Steve wrote a simple How-To for coming up with a secure password however if you still need a method to generate memorable, unique password — here it is:
Personal Rule-based Passwords
When a computer program encrypts data, it does so using an encryption key. Without this encryption key, you can’t unscramble the data into something meaningful. Creating a password that’s easy for you to remember but hard for others to guess uses a similar concept. What you need to do is create your own personal “encryption key.” That is, a set of rules that only you know that will help you figure out what your password is.
Step 1
Create one or two nonsense words. This will be the core of your password. Think like Dr. Suess here, and come up with a nonsense word that you never utter in real life. For example:
zyppyPopPacheenenockhalPenpulpumRiggerRonut
Go ahead and Google your nonsense word in an Incognito Window (so it doesn’t get saved in your search history) to confirm that it’s not actually a foreign word or something. For the rest of this example, let’s use “zyppypop” as our nonsense word.
Step 2
Create a capitalization rule. Most sites now require you to have one or two capital letters anyway. Making the first letter capital is too obvious, so make a site-specific rule instead. For example, you could simply count the number of letters in the URL and then make that letter in your nonsense word capital. For instance, Mint.com has four letters in it. So you’d capitalize the fourth letter in our nonsense word and get zypPypop. Now, what makes this password more secure is that the capitalization will be different for each site since it’s based on a personal rule. The nonsense word for Gmail.com would be the fifth letter: zyppYpop. See how that works? Of course, you might not want to use the rule I just described here. Maybe add or subtract an arbitrary number for your rule to change things up.
Step 3
Add a special character. Acceptable characters typically include: ! ” # $ % & ‘ ( ) * + , – . / : < = > ? @ [ \ ] ^ _ `{ |} ~ You can use whatever rule you want here. To change it up, you might want to have one special character for one situation and another for another situation. Where you place it is up to you, just make sure it’s not predictable (e.g., an exclamation point at the end of the password) and it’s memorable. For example, you might want to place it in the middle of your nonsense word by your capital letter: zyppYp!op
Step 4
Add a numeral. Make it at least two numbers, since some sites require two. You can base this off a rule or pick something arbitrary. Just don’t make it 69 or 420 or the year you were born or graduated. Example: zyppYp!op03 Or better yet, shove it somewhere in the middle: zyppYp!03op
Step 5
Add additional rules you can think of. I think anyone would be hard-pressed to figure out your nonsense word, your capitalization rule, and your special character rule. But even so, you should invent one more rule that has nothing to do with anything I’ve talked about here. Be creative, but make sure you can remember how to rebuild your password when you get to a site.
Results: A Memorable, Unique Password for Each Website
I won’t say that this is 100% secure, but the benefits of this password creation method are fourfold:
You can remember it. No need to write down your passwords or save them on a local or server-based hard drive. If you need help remembering your rules for the first few days, write them down on an index card and stuff it in your wallet. Shred it once you have it figured out.You’ll have a unique password for every website. Well, it’s only unique to a piece of hacking software—it’ll all be the same to you. This stops people from guessing your Gmail password and then using it to log in to your bank account, your online poker account, and your Etsy store. E.g.:Gmail.com: zyppYp!03opFacebook.com: zyppypoP!03Aol.com: zyP!03pypopTwitter.com: zyppypO!03pYour passwords will have uppercase and lowercase letters, numerals and special characters in it. This is a minimum requirement for most secure websites.The password is easy to change. Say, you could keep the nonsense word but change the numeral or special character. Or you could keep all your other personal rules and change the nonsense word.
If you have any other ideas for creating secure, memorable passwords, please share them in the comments below. [Key Flickr image used under Creative Commons license. Credit: jakeliefer] A) Change all my passwords at once B) Lengthen my passwords incrementally and then, for my password hint, have it something like “Short password” or “Long password” Occasionally, yes, I do end up locking myself out. But then I just change it to the latest “version” of my password after that. …and I also seem to have a pretty good memory, I guess. I have some sites that have completely off the wall and unrelated passwords and I always seem to keep them straight… In any event, I can’t imagine that a site would what – REQUIRE that you change your password? – frequently. So at best you might have to try 2-3 different versions of that site’s pw to get in. e.g. as gJ says – simply “lengthen the passwords incrementally” (perhaps maintain a personal “rule” that you’ll add an extra numeral or some such if required), and thus you only need try 2 or 3 versions to get in, no? In any case, it happens, and while the idea is great for a few sites, it doesn’t hold up when there are tens, much less hundreds of sites, and you begin having to change a few here or there. A few examples: “my Dog is named Spot” “iH34rtR0cknR011” “b04n2b3WILD” You can also use site-specific phrases so that it is different for every site. But still incredibly easy to remember: “this 1$ my gMAIL PW” “this1$my$kypePW” “this1$myTWTRpw” Remember, a pass phrase like “gmail my phone is black” is good enough. It’s not a dictionary word so brute-force is out and it’s site specific so it’s easy to remember. Each year or so I come up with a new phrase and change things around the net on my accounts using Excel with a LONG pass phrase as my book of record just in case I hit my head and forget where I am. ;) Comment Name * Email *
Δ Save my name and email and send me emails as new comments are made to this post.
