After seeing a recent article called “How I’d Hack Your Weak Password” I thought about my own password situation. As an IT professional, and someone who uses web resources constantly, I have to know passwords to dozens of different services, and as a precaution, I use a different password for each of them. How do I remember them all? Here’s my secret for developing strong passwords, and remembering them.
As mentioned in the article I linked to, you definitely don’t want to use the same password for everything. Crack any one of those services, and you’ve got the keys to the castle. You also need to have a strong password. This typically refers to one that has at least 8 characters and uses at least one capital letter and one non-letter (a number or a symbol). Simply adding a capital letter and a number increases the time to crack your password from two days to two centuries. It should go without saying that you should never use any word that is in the dictionary, including proper names.
So how can you create a strong password that you can remember? It’s actually pretty easy. Pick a phrase or a sentence that has at least eight words, ideally with one of those words being a number (though you could always add a number or symbol to the phrase). As an example, I’ll choose a lyric from a song you’ve probably heard:
For Those About to Rock, We Salute You
Now, take the first letter from each word: f t a t r w s y
Change the word ‘For’ to the number 4: 4 t a t r w s y
Perhaps it’s easier for you to remember a ‘U’ instead of the ‘Y’ from the word ‘You’: 4tatrwsu
Now capitalize one of the words, preferably one with extra importance: 4tatRwsu
Resulting password: 4tatRwsu
There you go, a collection of random characters that should hold up well to a brute force attack, yet you can remember it by running the lyric through your head as you type (no, this isn’t my password, mine is 123456789). You might want to test it at a site like Microsoft’s Password Checker to confirm it is at least Strong.
Of course, you can’t use that one password for everything; you now need to somehow make it unique for each site you visit or service you use. To do that, add a character to the beginning or end of the password that relates in some way to the site or service you need the password for (or, if length is an issue, replace one of the characters). Using the example password I created above, I’m going to replace the ‘W’ from the word ‘we’ with the first letter of the name of the site or service. So the phrase in my head might end up sounding like this: “For Those About to Rock, Amazon Salutes You”, which would translate to 4tatRAsu (I’ll capitalize the letter since the names will usually be proper names, and it should make the password even stronger). Here are a few more examples:
- CNN.com = 4tatRCsu
- The New York Times = 4tatRNsu (you’ll need to decide if you want to use ‘T’ for ‘The’ or ‘N’ for ‘New’)
- Target = 4tatRTsu
- AT&T = 4tatRAsu
- Google = 4tatRGsu
Notice that I end up with the same password for Amazon that I do for AT&T. This is going to happen, but the odds of someone getting your password for Amazon, and then thinking to try it on your AT&T account (even if they’ve tried it and failed on other accounts) have got to be pretty slim. Nonetheless, this points out that no scheme you develop is going to be perfect; there is always some level of risk. For me, this is an acceptable level.
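To make the scheme concrete, here is an added Python example (not code from the post) that derives the base password from the lyric exactly as the steps above do, swaps in a site initial at the ‘we’ slot, and then checks a list of site names for the kind of collision just described. The substitution table, the list of sites and the function names are assumptions chosen to match the post’s own example.

```python
import re
from collections import defaultdict

# Constructed from the post's own example lyric.
PHRASE = "For Those About to Rock, We Salute You"
# Assumed substitutions: the post turns 'For' into '4' and 'You' into 'u'.
SUBS = {"for": "4", "you": "u"}


def phrase_words(phrase):
    """Split the phrase into words, ignoring punctuation such as the comma."""
    return re.findall(r"[A-Za-z]+", phrase)


def base_password(phrase, subs, capitalize_word):
    """Step 1-4 of the post: first letter of each word, apply substitutions,
    then upper-case the initial of the one word chosen for emphasis."""
    chars = []
    for word in phrase_words(phrase):
        key = word.lower()
        char = subs.get(key, key[0])
        if key == capitalize_word.lower():
            char = char.upper()
        chars.append(char)
    return "".join(chars)


def site_password(base, site, slot):
    """Replace the character at index `slot` (the 'we' position in the post)
    with the site's first letter, upper-cased as the post suggests."""
    initial = re.search(r"[A-Za-z]", site).group(0).upper()
    return base[:slot] + initial + base[slot + 1:]


def find_collisions(base, sites, slot):
    """Group sites whose derived passwords are identical.  The post notes one
    such clash (Amazon vs AT&T); this finds every clash in the list."""
    by_password = defaultdict(list)
    for site in sites:
        by_password[site_password(base, site, slot)].append(site)
    return {pw: names for pw, names in by_password.items() if len(names) > 1}


if __name__ == "__main__":
    base = base_password(PHRASE, SUBS, "Rock")          # 4tatRwsu
    slot = [w.lower() for w in phrase_words(PHRASE)].index("we")
    sites = ["Amazon", "CNN.com", "The New York Times", "Target", "AT&T", "Google"]
    for site in sites:
        print(f"{site:20} {site_password(base, site, slot)}")
    print("collisions:", find_collisions(base, sites, slot))
```

Running it shows that the list in the post actually contains two clashes once ‘The’ is used for the Times: Amazon/AT&T and The New York Times/Target.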
So, pick a phrase that you’ll be able to remember easily, throw in a number and a capital letter, then customize one character based on the site or service you’re using and you’ve got strong passwords that can be used and remembered on all of your sites and services. On sites that ask you to put in a phrase to help you remember your password, I might even put ‘AC/DC’ to help me think of the lyric. This technique has worked for me for years now, and it can work for you as well. The hardest part is coming up with the perfect phrase that’s easy to customize, and that you won’t mind running through your head multiple times a day!