Remember that old clubhouse in the vacant lot of your childhood neighborhood that the local kids hand-built from scrap wood and castoff rusted sheet metal, with “KEEP OUT” scrawled in red paint on a sign nailed over the threshold, which you could only cross by whispering the secret phrase of the day?
OK, my childhood never really had that, either. But as this millennium's second decade blazes to a close and the tangible machinery of my life increasingly vanishes into the vapory world of binary code, it feels like several new secret forts pop up every month. Not only does each online account demand its own covert entry key, but with cybercriminals stomping on the gas for data breaches every year, it's becoming more and more important to be able to create unique, hard-to-crack passwords for each one. It's a tall order to balance security with memorability—let's explore how to do it!
I have a confession to make: as of the time of this writing, I only have about four passwords that I use for my current 150+ open online accounts. This train is on a track with only one inevitable destination: catastrophic security nuclear detonation. All it would take to hack into my bank account, say, would be for a random online account I used once within the last 4 years (Zillow, Sears, QVC, to name a few) to experience a data breach and for a hacker to plug in my name, email and password and wipe my balance clean.
But first, the thing about passwords is…
The study of cryptography is tricky for laymen like me to understand—the key is in the Greek etymology: kryptós (hidden, secret) + graphein (to write)— so as I researched for this article, I found myself deeper and darker down the rabbit hole more quickly than I had anticipated. Conflicting expert cryptologist advice on what makes a password truly secure made the road to a conclusive report woolly at best. To make things more complicated, I read the horrifying story about reporter Mat Honan, whose digital life got completely torched by hackers in 2012 just because they wanted his coveted three-letter Twitter name @mat, and his argument that passwords alone are a single point of failure and no password is truly secure. (Bear in mind that this was written in the early part of this decade, so hardware is even faster and software more sophisticated.)
Bearing that all in mind, let's assume that climbing with a single anchor—especially when there are people roaming the cliffs, actively throwing rocks at you and trying to cut your rope just for lolz—is an outdated idea. This is why newer security features are a good idea to use—Google's two-factor authentication, for example, which requires both your password and a one-time-use numerical code sent to one of your trusted devices. But it's still a good idea to tie up with the strongest rope you can find.
If you're still plugging in the kind of passwords you were likely using in the simpler tech times of the 90's and early 2000's, you're not only leaving the door unlocked for hackers, you're also giving up your own bed with fluffed pillow and leaving them a gift basket of wine and chocolates. Please don't use the following:
1. Personal information
This goes for numbers like birthdays, addresses, and social security numbers. It's also a bad idea to use names, even of your pets. Not only is this stuff easily accessible on the web, it's also easy for code cracking software to figure out.
2. Number strings and leetspeak
Permutations of number strings are also really easy for software to crack. So hopefully you're not using “1234567,” but “3902759472” would still get stomped in under a minute. Also, leave the leetspeak—mostly made up of substituting numbers and symbols for letters, like “1337” for “leet” or “haxor” for “hacker”—to cyberculture, not security, because password guessing algorithms easily account for letter substitutions. Sorry, but R3dsoxfan ain't gonna cut it anymore.
3. Generic passwords, simple phrases, and common dictionary words
“Password” and “admin”? Please, no! Hackers using the “dictionary attack” method can guess common phrases as well. If it's really easy for you to remember, a hacker at the helm of a decently fast computer can guess it.
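To see what “password guessing algorithms easily account for letter substitutions” looks like from the defending side, here is an added Python example (not from the original post) of the kind of check a sign-up form could run: it undoes leetspeak substitutions, strips leading and trailing decorations, compares the readings against a breached-password list, and flags digit-only strings and personal information. The substitution table and the ten-entry `COMMON_PASSWORDS` set are constructed stand-ins for the demo, not a real breach list.

```python
import itertools
import re

# Constructed stand-in for a breached-password list. A real check would load
# the full top-10,000 list; these entries exist only so the demo has hits.
COMMON_PASSWORDS = {
    "password", "admin", "123456", "1234567", "qwerty", "letmein",
    "redsoxfan", "iloveyou", "welcome", "monkey",
}

# Each leetspeak character and the letters it commonly stands in for (an
# assumption for the demo). The original character is always kept as one
# reading too, because "password1" really does end in the digit 1.
LEET_ALTERNATIVES = {
    "0": "o", "1": "li", "3": "e", "4": "a", "5": "s", "7": "t", "8": "b",
    "@": "a", "$": "s", "!": "i", "|": "l", "+": "t",
}


def deleet_candidates(password: str) -> set[str]:
    """Every plain-text reading of `password` once leetspeak is undone.

    Ambiguous characters branch ('1' may be 'l' or 'i'), which is exactly
    what a cracking tool's substitution rules do before a dictionary lookup.
    """
    options = [ch + LEET_ALTERNATIVES.get(ch, "") for ch in password.lower()]
    return {"".join(reading) for reading in itertools.product(*options)}


def weak_password_reasons(password: str, personal_tokens=()) -> list[str]:
    """Return the reasons a password fails the three 'don't use' rules.

    `personal_tokens` are strings the user should not build a password from
    (names, birth years, street numbers); leave it empty to skip that check.
    """
    reasons = []
    if password.isdigit():
        reasons.append("digits only: tiny search space")

    candidates = deleet_candidates(password)
    # Also try each reading with leading/trailing digits and symbols removed,
    # so "redsoxfan1!" still matches "redsoxfan".
    stripped = {re.sub(r"^[^a-z]+|[^a-z]+$", "", c) for c in candidates}
    if (candidates | stripped) & COMMON_PASSWORDS:
        reasons.append("matches a common password after undoing leetspeak")

    for token in personal_tokens:
        needle = token.lower()
        if len(needle) >= 3 and any(needle in c for c in candidates):
            reasons.append(f"contains personal information: {token}")
    return reasons


if __name__ == "__main__":
    for pw in ["R3dsoxfan", "P@ssw0rd", "3902759472", "Ltime@go-inag~faaa!"]:
        print(pw, "->", weak_password_reasons(pw) or "no obvious weakness")
    print(weak_password_reasons("Fluffy1985", personal_tokens=("Fluffy", "1985")))
```

The candidate set grows with every substitutable character, which is fine for a policy check on one password but is also the reason cracking tools treat leetspeak as a cheap rule rather than a real obstacle.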
Password Formulas That Work!
So, what password formulas should you use? These are the three best password-generating options I found in my research, listed from most secure to least.
1. Totally random
First, it has to be said that the absolute most secure password is the computer-generated string of letters, numbers, and symbols that means absolutely nothing. The more characters, the more permutations a hacking program has to generate, and the longer it takes to crack. Sign up for a reputable password manager, according to cryptographer and computer security rock star Bruce Schneier, and allow it to generate and store these passwords for you. Usually they allow you to copy and paste the password in for efficient sign-in.
2. The Schneier method
If you'd like the ability to remember your password, let's check out Mr. Schneier's method from the same post above: “Combine a personally memorable sentence with some personally memorable tricks to modify that sentence into a password to create a lengthy password.”
Here are his examples:
- WIw7,mstmsritt… = When I was seven, my sister threw my stuffed rabbit in the toilet.
- Wow…doestcst::amazon.cccooommm = Wow, does that couch smell terrible.
- Ltime@go-inag~faaa! = Long time ago in a galaxy not far away at all.
- uTVM,TPw55:utvm,tpwstillsecure = Until this very moment, these passwords were still secure.
To test this for my Amazon password, I wrote a sentence about the first thing I remember streaming when I signed up for Prime, then converted that sentence to a 12-character string using a combination of letters, numbers, and punctuation. It looks like complete gibberish, but it's intelligible to me—and what's more important, I was able to recall it 12 hours later.
Personal application: Because of my successful test, I'm going to change all of my most sensitive passwords using this method, especially my financial, email, and social media accounts.
3. Multi-word pass phrase
This webcomic on password strength describes why the multi-word pass phrase formula works better than the leetspeak-inspired letter substitution method: basically, it contains more characters for password cracking algorithms to cycle through, while being a lot easier for you to remember. However, it's not quite as secure as either of the methods above, since it's still susceptible to dictionary attacks. Using this method is a good option when you want to create an easy-to-remember password for an account that doesn't really contain sensitive information, where a breach would be more like a stubbed toe than a severed arm.
A good way to do this is to borrow the Person-Action-Object (PAO) formula from the PAO mnemonic system by creating a mental image associated with the account using a subject doing something to an object.
Example: let's say I want to check out Skillshare, so I go to create an account. I'm not planning on storing any personal information in this account, so I'm going to go nuts on making this password secure. Using the PAO formula, I create a mental image: Bob Ross climbing a happy fir tree, which I'll reduce to Bobclimbinghappy. Then to make it more secure, I'll date stamp it by adding a 2 to the front (denoting that it was the second season of the year when I created the password) and an exclamation point to the back—2Bobclimbinghappy!—to make it emphatic, since Bob was always enthusiastic.
To remember it, all I have to do is to mentally retrieve my image of Bob Ross shimmying up a giant tree and add on my prefix and suffix.
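To put numbers on “still susceptible to dictionary attacks”, here is an added Python example (not from the post or the webcomic) that generates a passphrase in the post's style and compares two attacker models against 2Bobclimbinghappy!: one who knows the scheme and guesses word combinations, and one who only knows the length and guesses characters. The 7,776-word list size, the 10 digit prefixes, the 32 symbol suffixes, the 95-character alphabet and the 10 billion guesses per second are assumptions for the demo, and `WORDS` is a constructed mini list.

```python
import math
import secrets

# Constructed mini word list for generating demo passphrases. A real list
# (Diceware-style) has thousands of entries, which is what the math assumes.
WORDS = ["bob", "ross", "climbing", "happy", "fir", "tree", "giant", "shimmy",
         "canvas", "brush", "cabin", "squirrel"]


def generate_passphrase(words, count=3, prefix="", suffix="", separator=""):
    """Pick `count` words with a CSPRNG and add the post's style of decoration."""
    chosen = [secrets.choice(words) for _ in range(count)]
    return prefix + separator.join(w.capitalize() for w in chosen) + suffix


def dictionary_attack_guesses(wordlist_size, word_count, prefix_choices=1, suffix_choices=1):
    """Search space for an attacker who knows the scheme: which word list, how
    many words, and the alphabets the prefix and suffix were drawn from."""
    return wordlist_size ** word_count * prefix_choices * suffix_choices


def brute_force_guesses(length, alphabet_size):
    """Search space for an attacker who knows only length and character set."""
    return alphabet_size ** length


def entropy_bits(guesses):
    return math.log2(guesses)


def crack_time_seconds(guesses, guesses_per_second):
    """Expected time to hit the right guess: on average half the space is tried."""
    return guesses / 2 / guesses_per_second


def compare_attacks(passphrase, wordlist_size, word_count, prefix_choices,
                    suffix_choices, alphabet_size=95, guesses_per_second=1e10):
    """Put the two attacker models side by side for one passphrase."""
    dictionary = dictionary_attack_guesses(wordlist_size, word_count,
                                           prefix_choices, suffix_choices)
    brute = brute_force_guesses(len(passphrase), alphabet_size)
    return {
        "dictionary_bits": round(entropy_bits(dictionary), 1),
        "dictionary_hours": crack_time_seconds(dictionary, guesses_per_second) / 3600,
        "brute_force_bits": round(entropy_bits(brute), 1),
        "brute_force_years": crack_time_seconds(brute, guesses_per_second) / (3600 * 24 * 365),
    }


if __name__ == "__main__":
    # The post's example: 3 words, a one-digit season prefix, a one-symbol suffix.
    print(compare_attacks("2Bobclimbinghappy!", 7776, 3, 10, 32))
    print(generate_passphrase(WORDS, 3, prefix="2", suffix="!"))
```

Under these assumptions the scheme-aware attacker faces roughly 47 bits (about two hours at the assumed rate) while the character-by-character attacker faces over 118 bits, which is the whole gap between “long” and “hard to guess”; adding a fourth word from a large list buys more than any prefix or suffix does.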
A Few Parting Security Tips
1. Check your password strength
Don't always trust individual websites' password strength meters—opt instead for more thorough third-party checkers like Password Checker, which not only calculates the time it would take computers to crack your password at various processing speeds, but also alerts you if your password is among the top 10,000 common passwords revealed in data breaches.
2. Always use two-factor authentication when possible
As I stated before, this is the first step tech companies are taking toward multiple failure points in security. It's more inconvenient if you're used to just plugging in a single password, but keeping your information safe is worth it.
3. Securely store your passwords
A document on your computer with everything listed out like I've had for the last 8 years is not secure, especially if you store it like a chump on Dropbox. Use a reputable password manager instead, like the ones in this Lifehacker review.
4. Lie on your security questions
The security question answers in the password retrieval process are like lobbing a balloon towards a hacker swinging at your account. Your public records are posted like a circus announcement in the town square of the Internet, regardless of your social media presence, so it doesn't take much research to figure out what to fill in. (If you're a blogger, forget about it—you're burned toast.)
If you can, suggests this Wired article, disable your security questions, or at least give false answers. What's your mother's maiden name? Eddie Van Halen. What was your first car? The 1961 Ferrari 250 GT California. What's the name of your childhood best friend? Doodoo head. The sillier, the better—it'll help keep your accounts more secure, and if you're like me, you may find yourself LOLing a little.