Creating and Remembering Strong Passwords
May 6, 2012
You have twin, conflicting needs on the web. First, you need a password strong enough to foil anyone who might try to guess it, but you also need passwords you can remember. We all remember how in the movie “War Games” the name of the researcher's deceased son, “Joshua”, was the backdoor password that, once easily guessed, quickly led to a near disaster.
A dear friend of mine used to use his wife's name as his password. Even the dumbest hacker could easily guess a simple word like “Kathryn” given a little time. But anyone who knew anything at all about my friend's personal life would have a leg up and guess it right away. Another friend used to use his honorary military rank as his password. Again, anyone who knew much about the person at all would quickly guess the simple word “Admiral”.
You may not be protecting the world's nuclear arsenal, but you do not want anyone accessing your private emails, bank accounts, social networking and other services. Choosing a son's or wife's name as your password is about as good as an unlocked screen door for keeping out undesirables.
Ideally you want a nice, long and complex password. Further, in case one site is compromised, you want to use a different long and complex password for each secure login you use. The trick is to not only set non-trivial passwords for each access, but to actually remember them.
Creating non-trivial passwords is simple. The security of a password is directly related to its length. A 12-character password is better than an 8-character one. The longer the better. I try never to use a password of fewer than 18 characters. Passwords should not be found in any dictionary, as the bad guys have computer programs that use a dictionary and will tirelessly guess passwords from the dictionary until they get a hit.
It is a common practice to obfuscate passwords by substituting numbers for certain letters, usually but not always vowels. This technique is called obfuscation by numeric substitution. For example, “Joshua” might become “J05hua”. This helps a little, but unfortunately the bad guys are onto those tricks, and their “guessing program” will routinely plug in numbers in the obvious spots. At most all you do is expand the number of candidate guesses they have to make, and even then, not by much. Matthew Broderick in “War Games” probably would have tried “J05hua” as well as “J0shua” and “Jo5hua” right away.
However, if you follow my guidelines you can create passwords that are long and strong, and easily remembered. Further, using the technique you can change them quickly, almost without thinking, and easily remember the new one.
The technique I champion uses what I will refer to as a “Seed Word”. You will want to decide on 3 or 4 good seed words and make a point of remembering them. A good seed word should be at least 8 letters, an even number being slightly better, and should be something not directly related to your personal life. For example, “Motorcycle” might be a good seed word, save that in my case I am a motorcyclist. Since a prospective bad guy might know that, I would not use “Motorcycle” as my seed word. Perhaps something more general, such as “gasoline”, might work. We will work out the examples using “gasoline”.
Although I just disparaged obfuscation via numeric substitution, nonetheless I do suggest it has a place. A good password should be long, at least 18 characters, and should use symbols, numbers and letters, not just letters. So let's obfuscate our seed word. “Gasoline” becomes “Ga50l1n3” this way. The next step is to scramble it. Not randomly: we are going to do so in a precise way that we will remember, but that a bad guy would be unlikely to think of.
There are several ways to do this, and I will leave the final choice to you. Here are some examples by way of suggestion. One way is to simply cut the word in half (remember I said an even number of letters was good) and reverse the halves. Thus “Ga50l1n3” becomes “l1n3Ga50”. Or maybe that is “3n1l05aG”. Whatever scrambling technique you decide on, use it consistently across the board so you won't forget it.
The next step is to personalize the password to the service it is to be used with. Once you have a good, secure, scrambled password, you might be tempted to use it in multiple places. Don't! By hook or crook, your password to one site might get compromised. If someone hacks Facebook's security and steals your password, you do not want to let them into your bank account using the same password.
Personalization is simply inserting something into the password that is unique to the service. Thus your Facebook password might become “lin3.mfb.Ga50” and your bank might be “lin3.tba.Ga50”, where mfb and tba are acronyms for “my facebook” and “the bank” respectively. Do not be too obvious about the acronym. You want something that indicates the service but is not perfectly obvious, hence “mfb” instead of simply “fb”, but also something you will remember easily.
We are not done yet. Even though we are up to 13 characters and use numbers, letters and symbols in our password, it needs to be longer. Really, trust me. Longer passwords do wonders for security, as long as you can remember them.
So let's add a date to the password. Maybe it's the year you were born, although the astute reader will remember my cautions about using personal, guessable information. Maybe it's the year you opened your bank account. Whatever it is, make sure it is something you won't forget, and something a bad guy would likely not guess.
By this example, your Facebook password becomes “lin3.mfb.Ga50-1971”. At 18 characters, using symbols, numbers and letters it is pretty darn secure. Because you know exactly how it is crafted and what elements make it up, it is easily remembered. Likewise, when you log into the bank using “lin3.tba.Ga50-1971” you won't be worrying about forgetting it, or worrying about someone else guessing it. Further, if you are presented with an urgent need to change your password, substituting a new seed word gives you instant upgrades.
Security researcher Steve Gibson offers a free service to evaluate passwords on his web site. His password search space calculator reports that the fastest computer on earth, guessing with the fastest software available, would require over one trillion centuries to guess “lin3.tba.Ga50-1971”. I kinda think that counts as secure.
Use his free service to test your own passwords at https://www.grc.com/haystack.htm
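To make the recipe above and the search-space claim concrete, here is an added example (my own code, not from the original post or from grc.com) that builds a password with the seed-word steps and then estimates its brute-force search space the way a haystack-style calculator does. The substitution table, the 95-character alphabet and the guess rate of 10^14 per second are my assumptions; the figures it produces for the post's own examples match the "over one trillion centuries" result quoted above.

```python
import string

# Assumed numeric substitutions (the post's examples imply these four).
SUBSTITUTIONS = {"s": "5", "o": "0", "i": "1", "e": "3"}

# Assumed character classes: 26 + 26 + 10 + 33 (punctuation plus space) = 95.
CHARACTER_CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation + " "),
}

SECONDS_PER_CENTURY = 3600 * 24 * 365.25 * 100


def obfuscate(seed: str) -> str:
    """Capitalise the seed and apply numeric substitution: "gasoline" -> "Ga50l1n3"."""
    return "".join(SUBSTITUTIONS.get(ch, ch) for ch in seed.capitalize())


def swap_halves(word: str) -> tuple:
    """Cut the word in half and put the back half first: "Ga50l1n3" -> ("l1n3", "Ga50")."""
    mid = len(word) // 2
    return word[mid:], word[:mid]


def build_password(seed: str, service_tag: str, year: int) -> str:
    """Seed -> obfuscate -> swap halves -> insert service tag -> append year.
    Followed literally the recipe gives "l1n3..."; the post's final example
    writes "lin3...", which has the same length and character classes."""
    back, front = swap_halves(obfuscate(seed))
    return f"{back}.{service_tag}.{front}-{year}"


def alphabet_size(password: str) -> int:
    """Alphabet an exhaustive guesser must assume, given the classes present."""
    return sum(len(chars) for chars in CHARACTER_CLASSES.values()
               if any(ch in chars for ch in password))


def search_space(password: str) -> int:
    """Every candidate of length 1..len(password) over that alphabet.
    Caveat: this is the worst case for a guesser who knows nothing about the
    password's structure; it says nothing about pattern-aware guessing."""
    n = alphabet_size(password)
    return sum(n ** k for k in range(1, len(password) + 1))


def centuries_to_exhaust(password: str, guesses_per_second: int = 10**14) -> float:
    """Time to exhaust the space at an assumed offline cracking rate."""
    return search_space(password) / guesses_per_second / SECONDS_PER_CENTURY
```

Comparing `centuries_to_exhaust("Joshua")` with `centuries_to_exhaust("lin3.tba.Ga50-1971")` shows how much the extra length contributes, while `search_space("J05hua")` is only about three times `search_space("Joshua")`, which is the point the post makes about numeric substitution on its own.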
In closing, use long, complex passwords, contrived from a seed word and basic elements including an acronym for the service they are intended for. Follow my guidelines and you will not only have good, strong passwords, but you will also be able to remember them.