On creating memorable passwords

![XKCD: Random, easy to remember, terrible idea](http://imgs.xkcd.com/comics/password_strength.png)

The above XKCD Comic describes a common problem: choosing a secure online password. There have been numerous methods of password selection given to users over the years. None of them are perfect, most are good, but some are less good. Below, I’ve outlined some major problems with passwords and my advice on the best solution for choosing and remembering passwords. It should be noted that ATM pins, security questions, and other secure strings follow these rules as well.

# General Guidelines

1. **Do not** use “password”. It doesn’t matter if you capitalize some of the letters, or make some of the letters into numbers or symbols. Anyone with any skill will guess it.
2. **Do not** use your birthday, nor the birthday of anyone who means anything to you. Additionally out are anniversaries and the last four digits of your social security number. – Also, if anyone ever asks for JUST the last four digits of your social, and you’ve never given them your full social, treat it as a pin and give them a fake number. I’ve had banks and cable companies ask for my full social at sign up for a credit check, so they get my last 4 when they ask. Everyone else gets a random 4 digit number.
3. Do not use identifying information. Family, friends, and pet names are all out.
4. If a website has a “Security Question” that’s also a password. Don’t put in real information, [because it’s easy to guess](http://www.huffingtonpost.com/2014/09/02/hackers-celebrities_n_5753270.html).

# Who wants my password/pin/etc?

Generally, people who want to access things. They fall into three categories:

1. Online attackers/identity thieves who do not personally know you (Bad).
2. People who know you and want to snoop/steal.
3. People who have physical access to your equipment (Worst).

The bad news is that if someone has your computer/cell phone/etc. then odds are that given time, they can get whatever they want from it, regardless of your password. Apple/Google are getting better at protecting devices, but unfortunately lots of people don’t put locks on their phones. Microsoft has Bitlocker, but it’s a Windows Pro feature not everyone has access to (and probably has [NSA backdoors](https://www.schneier.com/blog/archives/2015/03/can_the_nsa_bre_1.html))

Luckily, if someone breaks into your house or steals your purse, they are more likely interested in the quick sale than in recovering any data. However, there are [constant](http://www.computerworld.com/s/article/9233701/NASA_breach_update_Stolen_laptop_had_data_on_10_000_users) [stories](http://www.knoxnews.com/news/2012/oct/18/blount-hospital-laptop-stolen-with-27k-patients/) of how [laptops](http://www.knoxnews.com/news/2012/oct/18/blount-hospital-laptop-stolen-with-27k-patients/) and hard drives with business/financial/customer data are [stolen](http://www.faronics.com/2013/hipaa-doles-out-50000-penalty-to-hospice-center-in-wake-of-data-theft/) or lost. Odds are that even if ***your***equipment is secure, someone else who isn’t has your information and it will be stolen.

Not *if*, but *when* it’s stolen, it will likely be put into a database and sold to people who make their living off of fraud and identity theft.

# What should my password be?

Ideally, in a perfect, utopian world, your password would be a million character long string of letters, numbers, and symbols in varying caps with no repeating patterns. This is impossible to implement. Therefore, your password should follow the following criteria:

1. You should be able to remember it.
2. You should not chose an easy to guess password
3. Your password should be for only one website/account/etc.

# Why is the XKCD comic above wrong?

The method above is a good way of choosing a password, but it fails in two regards: It is both easy to guess and hard to remember. Or rather, hard to remember more than one. If your password is correcthorsebatterystaple, you may very well remember that, but you WILL forget to which website it belongs. If you choose a password like that for your GMail, your bank, your Amazon account, and your PayPal, you will have no identifying information as to WHICH password goes where.

The “bits of entropy” calculation is also completely false/nonsense as we’re talking about things people type with keyboards, not encrypted data represented as text. Additionally, if you choose four (or ten, or one hundred) easy to guess words, any password cracker could be modified to compensate for multiple words.

Given that most websites allow passwords between 7 and 15 characters, here is your algorithm: 1. Pick a word with less than 15 letters. 2. Try it. 3. If there is still space, add another word. 4. Try it. 5. Continue 3-4 until there is no more space. 6. Remove the last word and add a new one. 7. Continue 3-6 until there are no more words. 8. Go back to 1.

If you want to see a list of common English words used by password crackers, try [here](http://wordlist.sourceforge.net/).

# So how should I store passwords?

This depends. If you are in a business, you need to check with supervisors/IT about password requirements, how often (if ever) you need to change them, and their policies about storing them.

I personally use [https://lastpass.com/](https://lastpass.com/ “https://lastpass.com/”). They have plugins for Firefox, Chrome, etc which can automatically fill in passwords for you.

If you pay $12/year, you can even get the mobile version for Firefox for Android or Safari on iPhone. It’s a case where they perfectly priced it and if you log into things on your phone a lot, it’s worth the money.

Additionally, I would not trust your browser’s “Remember this password” feature. Most are better then they once were, and many encrypt passwords, but they are still vulnerable to viruses and malware.

You can sign up for an account at [PBworks](http://pbworks.com) to make a personal wiki. There you can privately store personal information. If you are at home, it is very easy. Write them down in a notebook. Do not label the notebook as anything to indicate it’s an obvious collection of your accounts. Keep it near the computer, but again, not obvious.

# So how should I make passwords?

As for choosing a secure password, this is how I do it.

1. Create a random base of 4-8 characters. Go [here](http://www.random.org/strings/?num=10&len=8&digits=on&upperalpha=on&loweralpha=on&unique=on&format=html&rnd=new) to do so. You will memorize this, and use it for multiple sites.
2. For a given website, choose a word you will not forget (shopping for Amazon, email for GMail, etc.)
3. Combine them. For example: 1. I choose jUGBLwJn as my random string.
2. I am making a password for Amazon, and I choose shopping. 1. jUGBLwJnshopping
3. I am making a password for GMail, and choose mail. 1. jUGBLwJnmail
4. Additionally, you could use 1. shoppingjUGBLwJn, mailjUGBLwJn
2. jUGBshoppingLwJnjUGBmailLwJn

In doing this, you make your password thousands of times more secure than most people currently out there because you are choosing secure passwords that are not duplicated across sites. Additionally, you are making passwords that are easy for you to remember, as you only need to memorize one random password. If you write down jUGBLwJn, nobody knows that it’s only part of a password.

# One important note about the above method:

I created classes of passwords based on how important the website was. For my banks, I use one password base, for my shopping another, and a third for websites that I don’t care if I lose my password. In this instance, if a random website gets hacked, and the hackers are clever enough to see that I use a formula password, I only have to worry about changing a few passwords, and they won’t be able to access my bank account.