How to create and remember strong passwords

Security & Privacy

Marja threw me a challenge in her Spam from Xavier comments to write about creating strong passwords. The idea comes from our Lab Blog, where Sean posted about this a while ago.

I am one of those people who have a very short attention span for technical instructions, so let me try to explain this as briefly and clearly as possible, just in case you are like me. 🙂 The idea is to use a system that lets you do 2 things:

1. Remember your passwords by writing part of each one down. The only thing you need to memorize is the part that is the same for all your passwords; a pin, if you will.

2. Create passwords that are strong, unique and hard to guess.

Here are the step-by-step instructions:

1. Think of a “pin” for your passwords. This is the part that is the same for all of them. The pin should be 3 characters or longer, it could be something like “25!”, and it must be kept secret.

2. For each web site that you need a password for, create a short code that reminds you which site or service the password is for, for example aMa for Amazon and gMa for Gmail.

3. Continue the password with a random set of 4 or more characters, for example 2299 or xy76. Use different random characters for each of your passwords.

4. Write down parts 2 & 3 (the site code and the random characters) on a note and keep it safe so you don’t forget them. The pin from step 1 never goes on the note. In this example you would end up with a note in your wallet with this written down:

  • aMa2299
  • gMaxy76

5. When using a password, add your pin to it. Remember again that the pin must not be written down anywhere! You can also decide where the pin goes. With the example pin “25!” from the first step, we end up with 2 passwords that could be:

  • aMa229925! or 25!aMa2299
  • gMaxy7625! or 25!gMaxy76

Tadaa, you now have passwords that are unique and hard to guess, and you only need to remember one part of them! Because every password is unique, someone who finds out one of them still cannot simply reuse it to get into your other accounts.
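Here is the whole procedure as a small script. It is added here as an illustration and is not code from Annika’s post or from the Lab’s post. It assumes the site code is the first three letters of the site name with the middle letter upper-cased (the pattern behind aMa and gMa), generates the random part from the operating system’s secure random source instead of by hand, builds the wallet note without the pin, and reports how much guessing work the random part alone adds.

```python
import math
import secrets
import string

# Characters allowed in the per-site random part. The post's examples
# (2299, xy76) use letters and digits, so this alphabet matches them.
TAIL_ALPHABET = string.ascii_letters + string.digits


def site_code(site_name: str) -> str:
    """Step 2: a memory aid for the site, e.g. 'Amazon' -> 'aMa', 'gmail' -> 'gMa'.
    Assumed rule (not stated in the post): first three letters, middle one upper-cased."""
    head = site_name[:3].lower()
    if len(head) < 3:
        raise ValueError("site name must have at least three characters")
    return head[0] + head[1].upper() + head[2]


def random_tail(length: int = 4) -> str:
    """Step 3: the random part, drawn with the OS CSPRNG rather than chosen by hand."""
    if length < 4:
        raise ValueError("the post asks for 4 or more random characters")
    return "".join(secrets.choice(TAIL_ALPHABET) for _ in range(length))


def tail_entropy_bits(length: int) -> float:
    """Guessing work the random part alone adds, in bits (log2 of the number of tails)."""
    return length * math.log2(len(TAIL_ALPHABET))


def note_entry(site_name: str, tail_length: int = 4) -> str:
    """Steps 2-4: one line of the wallet note, e.g. 'aMa2299' (no pin in it)."""
    return site_code(site_name) + random_tail(tail_length)


def full_password(entry: str, pin: str, pin_first: bool = False) -> str:
    """Step 5: the password you actually type, with the pin at the end or at the front."""
    if len(pin) < 3:
        raise ValueError("the pin should be 3 characters or longer")
    return pin + entry if pin_first else entry + pin


def note_leaks_pin(entries, pin: str) -> bool:
    """Sanity check before the note is written: the secret pin must not appear on it."""
    return any(pin in entry for entry in entries)


if __name__ == "__main__":
    pin = "25!"  # constructed example pin, same as the post; choose your own
    entries = [note_entry(site) for site in ("Amazon", "gmail")]
    assert not note_leaks_pin(entries, pin)
    print("Wallet note (pin is not on it):")
    for entry in entries:
        print("  " + entry)
    print("Passwords you actually type:")
    for entry in entries:
        print("  " + full_password(entry, pin))
    print(f"The 4-character random part adds about {tail_entropy_bits(4):.1f} bits of guessing work.")
```

With 4 characters drawn from letters and digits the random part alone is worth about 24 bits of guessing work, and that per-site part is the only thing that differs between your passwords. This is why step 3 asks for different random characters for every site rather than the same ones everywhere.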

As a final note, should you choose to use this system, you should come up with your own passwords and not use the ones used in this post or in our Lab’s post.

Hopefully I managed to make it sound relatively easy. If not drop me a question below.

Annika

80 Comments

Hi all!
Usually everyone is telling us to use “strong passwords”, but when it comes to ordinary people (who are not into IT security), just about all methods to create these strong passwords are simply not working for them…

So I have for years been teaching people an “ordinary people’s” way of creating stronger passwords, a method that works even for kids and people with dyslexia… and, although not the super strongest, it creates passwords that are many times stronger than the ones people used to use…

All you need to do is come up with a sentence of at least 8 words and only type the first character of each word.

For example: My cat Garfield has black and white Fur
That creates the password: McGhbawf
(Even kids remember a password like this one, and it’s FUN!)

This is far better than the average passwords of garfield, volvo or your kids’ names, etc.

And believe it or not… it is very easy to teach ordinary users of all sorts…

The point (in the end) is that it’s not about creating the strongest password, it’s about having more people move toward using SAFER passwords.

Many people in IT seem to forget that, sadly!

This is quite handy as well, I agree. To keep the passwords unique, different sentences should be used for different sites. Combining this idea with the pin would also create stronger passwords, so that numbers and special characters are included too.

I employ the same method, Thomas, with one exception. I go a step further and add some 1337-speak to it (substitute some letters with punctuation or numbers). So in your example I would have used McG#b&wf (H looks like # and the word ‘and’ is &). Even harder to crack!

Hi.
You’re all right…
I use “I like HopHop a lot, and my girlfriend”, which could be “IlHH4l,4mg”
– I have capital letters too, AND “,” and digits…

– And it’s still fun 🙂

But the first one, with the “pin code”, I like this…

Regards Chris

I am definitely in favor of ideas that help make things more fun 🙂 As mentioned in the reply to Thomas, it’s also important to keep the passwords unique.

A good tip for remembering different passwords is to use different lines from your favourite song(s)

For example…
I got my first real six-string
Bought it at the five-and-dime
Played ’til my fingers bled
It was summer of ’69

could give you these passwords:
IgMfrss25!
BiAtfad25!
PtMfb25!
IwSosn25!

Then just write down which line you need for each website you log into.

(ps. you could also choose a good song :P)

When teaching how to generate a good and memorable password, I use both Annika’s and Thomas’ ideas:
1. For example: My cat Garfield has black and white Fur
That creates the password: McGhbawf

2. For each of the web sites that you need a password for, you create a code that helps you remember what site/service the password is for. For example aMa for Amazon and gMa for gmail.

3. Add 1+2, plus some extra unique info if you want.

1+2 = McGhbawfaMa, aMaMcGhbawf, gMaMcGhbawf, McGhbawfgMa, or…

It is also easy to use dots, etc., and change the letter i to 1 and the letter o to 0 if you want to add numbers that are easy to remember (or change words like two to 2 and thirty to 30).

At least kids have liked generating passwords as strong as possible using these easy tips.

I use a longer “pin” (9 characters), so I have only two parts in my passwords. Gmail is gmail+pin, Amazon is Amazon+pin. I don’t have to write anything down to remember my very strong passwords.

This is all well and good until someone hacks your gmail account and obtains your PIN, then realizes that you preface all your passwords with the site name, thus they can now try other well known sites with variations of the site name (amazon) and brute force their way into your account.

It is important to keep the PIN hidden. I realize that sometimes some services send you emails with your password. I always delete those emails immediately so that getting to my email would not mean getting to other services as well.

It makes it a bit less obvious if you don’t use the name of the site, but instead a description, and interleave it with the pin.

Say your pin is L09ghU7, and you need passwords for Blogger.com, your mail account, your website and Twitter. You might end up with

Lm0a9iglhU7 (interleave mail)
Lb0l9ogghU7 (interleave blog)
Lw0e9bgahdUm7in (interleave webadmin)
Lt0w9egehtU7 (interleave tweet)
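The interleaving from this comment as code, added here as an illustration and not the commenter’s own code. The pin and the site word alternate character by character, and whatever is left over of the longer one goes on the end, which reproduces the four passwords above. The second function shows the other direction: anyone who holds one such password and knows the site word can read the pin back out, so interleaving hides the pin from a casual glance, as the comment says, but does not make it a secret in itself.

```python
from itertools import zip_longest


def interleave(pin: str, word: str) -> str:
    """Alternate pin and word characters; the longer one's leftover runs out at the end.
    interleave("L09ghU7", "mail") -> "Lm0a9iglhU7" (the comment's first example)."""
    return "".join(p + w for p, w in zip_longest(pin, word, fillvalue=""))


def recover_pin(password: str, word: str) -> str:
    """Undo interleave() given the finished password and the site word.
    The pin length is fixed by the password length, so the pin characters sit at
    the even positions of the paired region plus any unpaired tail."""
    pin_len = len(password) - len(word)
    if pin_len <= 0:
        raise ValueError("password is not longer than the site word")
    paired = 2 * min(pin_len, len(word))
    pin = password[0:paired:2] + (password[paired:] if pin_len > len(word) else "")
    seen_word = password[1:paired:2] + (password[paired:] if len(word) > pin_len else "")
    if seen_word != word:
        raise ValueError("site word does not match this password")
    return pin


if __name__ == "__main__":
    pin = "L09ghU7"  # the comment's example pin; constructed, choose your own
    for word in ("mail", "blog", "webadmin", "tweet"):
        pw = interleave(pin, word)
        print(f"{pw:16} (interleave {word}) -> pin recovered: {recover_pin(pw, word)}")
```

`zip_longest` with an empty fill value is what lets the unpaired characters of the longer string (the pin for a short word like mail, the word for a long one like webadmin) trail at the end exactly as in the comment’s examples.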

[…] And this fact did not escape the acquaintance who originally owned the account. Using the original account passwords, this 18-year old boy was able to take control of Hannu’s character and the virtual wealth Hannu had been building for years. And it seemed that there was nothing Hannu could do about it, except regret that he hadn’t changed the password. […]

It’s scary if one forgets the PIN. Most password reset features don’t retrieve the existing password (for security reasons, right?). The difficult part is remembering which short form is for which site and the unique 4 characters.

I prefer using passphrases to passwords. More characters and turning some of them into 1337-speak, and things get much tougher… hopefully.

It’s also scary that mailman and similar mailing list managers email you your password in plain text. No idea why, but keep a lookout for these mails, remove them and use a unique password here that you can afford to forget. They keep reminding you monthly anyway.

Wonder why KeePass or LastPass doesn’t figure in any of this. Besides creating memorable difficult passwords, keeping a backup in one of these password managers, only to be used in case of amnesia attacks, would be a practical measure.

People will never use strong passwords – even if you can remember one password what about the other 50? Then you have to remember which one relates to which service or site. The answer is either one-time passwords or a password management system…

See: http://bit.ly/9TsBRk

Yes – and no. I agree it’s impossible to remember 50 passwords. But who says you need to? It’s possible to use only one strong password and mutate it by a fixed scheme. This works particularly well with websites but also with products and services. You “(re-)create” the password on the fly each time you visit a website. See http://t.co/A5WYdBJ for more details.

[…] Most importantly, you should use different passwords for every account you have. Your passwords should be complex and not based on any public information like your kids’ or pets’ names. Keeping track of multiple passwords from multiple sites can be overwhelming. But here’s a system that makes creating and remembering strong passwords easy. […]

[…] A lesser problem is that your account is hacked and your reputation is ruined by an action supposedly performed by you. This is not as common. It is most likely to happen if you have immature friends, rebellious children or a jilted ex-partner and can be prevented by having a completely secret and impossible-to-guess password. […]

[…] 1. Use unique, strong passwords for all your most important accounts. John uses the same password for every account. That means if a hacker gets a hold of John’s Twitter password, that hacker would have access to every account John uses at work or at home. Creating and remembering unique, strong passwords is a must for your most important accounts. This system for creating and remembering strong passwords makes it easy. […]

[…] 1. Secure your PC and Password. How to do it: A. Update your system and security software. Our Health Check makes this easy. B. Choose a password that can’t be guessed. Make it a password that you only use for this account and none of your “friends” will able to guess. Don’t choose a word in the dictionary or any word mentioned on your profile. Here’s system we recommend. […]

[…] matter to you. Lousy passwords are not a sin on a site you don’t really care about.” Here’s a system we recommend to create and remember strong passwords. Also keep in mind that you want to limit information you share on public machines or over free […]

I use 1Password to generate mine, a different one for every site and I write them down as well in a safely kept notebook in case of a crash.
1Password can generate some awesome combinations.

I want to be informed when someone is trying to hack my Facebook. I had to make a new Facebook because I got hacked… please help, thank you!! :0/

I am not certain where you are getting your information, but great topic.
I need to spend some time learning more or figuring out more.

Thank you for the wonderful info. I was searching for this information for my mission.

[…] 1. I will have a strong, unique password for every account that contains private information. If you’re super concerned about protecting your privacy, you’ll use unique, unguessable passwords for all your accounts and update them 3-4 times a year. For your most important accounts, this is essential. But for your webmail, banking and Facebook accounts, if you have them, good password hygiene is a must. Here’s a system to create strong passwords you’ll remember. […]

The very core of your writing, whilst sounding agreeable in the beginning, did not really sit well with me personally after some time. Somewhere throughout the paragraphs you actually managed to make me a believer, but just for a while. I still have a problem with your leaps in logic, and one would do nicely to help fill in those gaps. In the event that you actually can accomplish that, I would certainly be fascinated.

Hi! I know this is kinda off topic, but I was wondering which blog platform you are using for this site? I’m getting tired of WordPress because I’ve had issues with hackers and I’m looking at options for another platform. It would be fantastic if you could point me in the direction of a good platform.
