Life is filled with things we know we need to do, even though they’re not exactly fun (doing dishes when you cook and pulling weeds when you garden come to mind). One of those things is coming up with secure passwords for all of our online accounts, which seems to get more difficult with the passage of time.
Faced with the need to come up with passwords for dozens of sites and apps, we tend to opt for what’s memorable rather than what’s secure (bad) or just repeat ourselves from site to site (even worse). A better approach is to find a system to help you create password ideas that yield strong but memorable passwords. We’ve rounded up several examples for you to choose (and learn) from.
First, Though: Why Passwords Are a Hot Mess
Before we start looking at how to craft a good password, let’s review why most passwords are bad. The first, and arguably biggest, reason is human nature: crafting a unique, strong password for every app or site is a pain in the butt, so we don’t do it. Instead we pick weak passwords, things that are easy to remember (but also easy for attackers to guess), and reuse our passwords indiscriminately.
IT people and administrators love to put the blame on users, but let’s be blunt: they’re the ones creating the policies that often enable poor password usage. There’s a known, long list of worst and most-used passwords, for example, but how many sites actively prevent you from using one? If you guessed “not many,” you’d be right. Most will now warn you if you choose a weak password, but few will flat-out refuse to let you use it.
Those that do enforce strict rules around passwords can be frustrating, too. The end goal — security — is one we can all get behind, but the implementation often leaves a lot to be desired. Sites vary in the length of password they require and which combinations of characters they’ll accept. Some don’t tell you their criteria, so it can take several tries (with a different error message each time) until you guess the right combination. Several years ago, researchers at Carnegie Mellon University found that when users were irritated with the password policy, about half simply gave up in exasperation and followed the path of least resistance, picking whatever weak password they could get away with.
How Your Passwords Get Broken (and Why There Are Rules)
So how do criminals and scammers go about getting, or breaking, your passwords? Phishing attacks are one common point of vulnerability: if you simply give them your username and password, they don’t have to guess. Another weakness is data breaches, which can expose thousands, millions or even hundreds of millions of passwords all at once.
Even when criminals don’t already hold username-and-password combinations they know are valid, they can use a technique called credential stuffing. Basically that means taking inexpensive lists of usernames and passwords already exposed in earlier breaches, and trying them automatically on popular sites until they find a combination that works. Once they do — because people reuse their passwords — they can try that same combination everywhere. At tens of thousands of attempts per hour, multiplied by many thousands of criminals and crime rings worldwide, that’s a big vulnerability.
Finally, there’s brute force. Criminals armed with heavy-duty computing power can simply try every possible combination of characters until they succeed. The longer and stronger your password, the more difficult that becomes. With these things in mind, it’s easy to see why there’s so much emphasis on using long, strong, unique, hard-to-guess passwords.
Password Ideas: Long, Strong and Memorable
The ideal password (the kind a password-generating app or site will make for you) looks like what happens when a cat walks across your keyboard: an endless, random mixture of upper- and lowercase letters, numbers and symbols. Unfortunately, what you gain in security you lose in memorability. Very, very few people indeed could remember one or two dozen of those.
So how can you come up with password ideas that are secure but won’t hurt your brain? There are many useful techniques; here are six we’ve chosen to highlight, each of which has its own variations.
One important caveat: when you’re gleaning password ideas from this or any other article, always tweak them slightly to personalize them (reverse the order, use the last letter instead of the first and so on), and never use the specific examples given. Criminals read security articles too…
1. The “Words Out of Context” Method
Pick a book, song or poem you know well — in a pinch, even a user manual will work — and pluck a few words from the first sentence at random. If it were Jane Eyre, for example, you might go with “was possibility walk that” as your password. You can’t always use spaces, so fill in the gaps with numbers and symbols (we’ll come back to that).
2. The “Memorable Phrase” Method
When it comes to passwords, length equals strength, so all things being equal a passphrase is better (and usually more memorable) than a password. Something along the lines of “a stitch in time saves nine” or “waste not, want not” would work, especially with added characters. Ideally you’d choose a less widely-used phrase, such as a piece of local slang or even a catchphrase or in-joke that’s only known to your family and friends.
3. The “Line of Verse” Method
This one’s a refinement of the “memorable phrase” method, and works best with songs or poetry. Take the first letter of each syllable, using lowercase for unstressed syllables and uppercase for stressed syllables, and keeping the punctuation in place.
Treated this way, Shakespeare’s “Shall I compare thee to a summer’s day?” becomes “sIcPtTaSm’d?”, which is a pretty reasonable password, and it’s even better if you add “S18” to the end (because it’s Shakespeare’s sonnet #18). Any song or poem works, as long as it’s one you’ll for sure remember.
4. The “Autobiography” Method
Your own life is another rich source of words and phrases you can use to generate strong passwords or passphrases. Using your own personal memories as the key for a password pretty much guarantees you’ll remember it, because (duh!) it’s already your memory.
“We went camping when I was 6 and I caught four fish” would become “WwCpwIw6,aIc4F” using the first-letter system, which is a pretty strong password. If you use it to make a phrase instead it would become “We camping six caught,” which is also pretty strong.
5. The “Alternate Keyboard” Method
Your OS sets itself up to recognize a specific keyboard, usually US English, unless you tell it otherwise. You do have the alternative of using other keyboards, though, and it’s a useful way to strengthen your passwords.
To use this technique, set up a second keyboard layout on your device, choosing a language with lots of special characters but relatively few users (Cherokee, for example, or Scots Gaelic). Before typing your password, switch to your alternative keyboard layout — just look up how to do that on your specific OS, if you don’t know — and while you type ordinary letters, your computer registers foreign ones. You can use this with any password and any password-selection method as a strength booster.
6. The “Pad That Password” Method
Each extra character makes your password significantly stronger, so adding characters gives you strength without (necessarily) sacrificing memorability. The secret is consistency: as long as you use a consistent formula for adding those characters, you don’t have to worry about how you’ll remember them.
One option, by way of illustration: take a pair of characters (^ and $, perhaps) plus the numbers from those same keys (6 and 4, in this case) and add them to your passwords. Combining this with our earlier Jane Eyre password would yield “was^possibility$walk6that4,” which is very strong indeed.
Test It Before You Trust It
The helpful people at your local hardware store will usually say, after cutting you a new key, to “test it before you trust it.” That’s a really good rule of thumb for passwords as well. There are a couple of useful tests you can try before committing to a password. One is to check and see if your chosen password has already been stolen in a breach.
Several services can check a password to see if it’s been compromised — Have I Been Pwned? is a good one — so pick one and enter your chosen password into the search bar. If it’s found in the database of already-cracked passwords, don’t use it: that would be like buying a broken lock.
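Under the hood, a Pwned Passwords check never has to send your actual password anywhere: only the first five characters of its SHA-1 hash go to the service, which answers with every hash suffix sharing that prefix (one `SUFFIX:COUNT` per line), and the match is made on your own device. The Python below is an added example, not code from the article or from Have I Been Pwned; the corpus and counts are constructed so it runs offline, and `constructed_range_lookup` stands in for the real range query.

```python
import hashlib
from typing import Callable


def sha1_hex_upper(password: str) -> str:
    """SHA-1 of the password as 40 upper-case hex characters, the form the
    Pwned Passwords corpus is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def pwned_count(password: str, range_lookup: Callable[[str], str]) -> int:
    """How many times the password appears in the corpus (0 = not found).

    k-anonymity: only the 5-character hash prefix leaves the device; the
    service returns every 35-character suffix sharing that prefix with its
    count, and the comparison happens locally."""
    digest = sha1_hex_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix).splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate == suffix:
            return int(count)
    return 0


# Constructed offline stand-in for the range endpoint. The suffixes are the
# real SHA-1 tails of three notoriously common passwords; the counts are
# invented for this example and are not real breach figures.
_CONSTRUCTED_CORPUS = {"password": 1_000_000, "123456": 2_000_000, "qwerty": 500_000}


def constructed_range_lookup(prefix: str) -> str:
    lines = []
    for pw, n in _CONSTRUCTED_CORPUS.items():
        h = sha1_hex_upper(pw)
        if h[:5] == prefix:
            lines.append(f"{h[5:]}:{n}")
    # a made-up neighbour so the response never consists of one tell-tale line
    lines.append("0123456789ABCDEF0123456789ABCDEF012:1")
    return "\r\n".join(lines)


if __name__ == "__main__":
    for pw in ("password", "was^possibility$walk6that4"):
        n = pwned_count(pw, constructed_range_lookup)
        verdict = f"seen {n} times, do not use" if n else "not in this corpus"
        print(f"{pw!r}: {verdict}")
```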
You can also use the interactive brute-force calculator at Gibson Research to see how long it would take attackers to break your password the hard way. It’s quite instructive to see how difficult it becomes with each character you add (hence password padding). As the company itself is quick to point out, this doesn’t necessarily mean your password is strong, just hard to crack by brute force. You still have to make sure there aren’t any easier ways for criminals to break it.
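To see exactly what such a calculator measures, and why padding helps, here is an added Python example (not from the article or from Gibson Research) that reproduces the haystack arithmetic for the article’s own sample passwords. It assumes the four character classes are counted as 26 lowercase, 26 uppercase, 10 digits and 33 symbols (ASCII punctuation plus space), that the search space is every string up to the password’s length over the classes it uses, and an assumed offline guess rate of 100 billion per second.

```python
import string

# Character classes with their sizes (33 symbols = ASCII punctuation plus
# space; assumed to match how the haystack calculator counts them).
CLASSES = (
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.digits, 10),
    (string.punctuation + " ", 33),
)


def alphabet_size(password: str) -> int:
    """Smallest alphabet an exhaustive attacker must assume: the union of
    every character class the password actually draws from."""
    return sum(size for chars, size in CLASSES if any(c in chars for c in password))


def search_space(password: str) -> int:
    """Candidate strings of length 1..len(password) over that alphabet,
    i.e. the sum of a**i for i in 1..n, written in closed form."""
    if not password:
        return 0
    a, n = alphabet_size(password), len(password)
    return (a ** (n + 1) - a) // (a - 1)


def crack_seconds(password: str, guesses_per_second: float = 1e11) -> float:
    """Worst-case time to exhaust the haystack at an assumed guess rate."""
    return search_space(password) / guesses_per_second


def humanize(seconds: float) -> str:
    """Render seconds in the largest convenient unit."""
    for unit, size in (("centuries", 3.1536e9), ("years", 3.1536e7),
                       ("days", 86400.0), ("hours", 3600.0), ("minutes", 60.0)):
        if seconds >= size:
            return f"{seconds / size:,.2f} {unit}"
    return f"{seconds:,.2f} seconds"


if __name__ == "__main__":
    # The article's examples; a straight apostrophe stands in for the curly one.
    for pw in ("sIcPtTaSm'd?", "sIcPtTaSm'd?S18",
               "was possibility walk that", "was^possibility$walk6that4"):
        print(f"{pw!r:30} alphabet={alphabet_size(pw):3d} "
              f"space={search_space(pw):.3e} -> {humanize(crack_seconds(pw))}")
```

The figure is only the cost of exhaustive search; an attacker who knows the padding pattern or the source phrase searches a far smaller space, which is the article’s own point about other, easier ways in.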
Get Some Help
Ultimately most people will still end up with a lot of passwords to remember, perhaps too many for comfort. That means you’ll need to give your memory some help, and there are two main ways to do it.
One is simply writing down the passwords somewhere. That might seem like a really bad idea, but it’s not necessarily so. Keeping them on a card in your wallet, or in a locked drawer at the office, is reasonably secure (and it’s offline, so it’s out of reach of online attackers). Also, there’s a lot to be said for keeping a record of your passwords with your will and other legal documents, so your loved ones can access your accounts if you should be unexpectedly incapacitated.
The other is to use software to manage your passwords. Your browser will do this for you, but that isn’t necessarily the most secure platform (it’s not their main business, after all). It’s better to select a free or low-cost password-management app, which keeps your passwords in an encrypted database. Many are cross-platform, so you can use them across devices running Windows, OS X, iOS, Android and even (sometimes) Linux. That way you’ll only need to remember one strong password — the one to your password manager — and you can look up the others as needed.
Applying What You’ve Learned
It’s difficult to overstate the importance of good password hygiene. It’s absolutely fundamental to your online security, and it’s one of the very few things in life that’s absolutely, unequivocally under your direct control.
So your mission — should you choose to accept it — is to try a few of these methods, find one you can live with and use it for your passwords from here on out. Using a strong, unique password for every new site (and changing them on every old site where you’ve currently got a mediocre password) might just be the best thing you can do for your online peace of mind.
- NordPass: Top 200 Most Common Passwords of the Year 2020
- The Conversation: Four Ways to Make Sure Your Passwords are Safe and Easy to Remember
- Michelle L. Mazurek et al.: Measuring Password Guessability for an Entire University (October 22, 2013)
- US Federal Bureau of Investigation: Cyber Actors Conduct Credential Stuffing Attacks Against US Financial Sector
- Have I Been Pwned?: Pwned Passwords
- Gibson Research Corporation: How Big is Your Haystack?
- McAfee: Strong Password Ideas to Keep Your Information Safe