If you do anything with computers, you deal with passwords and you probably have a handful of different passwords for different sites and systems. The best password is something that you will never forget, but even your family or closest friend would never guess.
In my experience people either have extremely secure passwords like J!*xurQ1# that are so difficult to remember that they have to write them down (which defeats the security of a password) or extremely unsecure to start with, like Jonny (the name of their spouse). The goal of this post is to give you some ideas on how to generate secure passwords. The tips start out with some simple ways to come up with terms and end with ideas of how to combine these terms into secure passwords.
It should be obvious that you shouldn’t directly use any of the examples shown here. However, some of these ideas should be useful in generating your own secure passwords.
Here are a collection of tips for creating useful passwords.
Use Different Character Classes – Many systems require that your password be from a variety of character classes. The letters a to z are one character class, A to Z is another, 0 to 9 is another, and the symbols are a fourth. In general the more character classes you use in your password, the more secure it is. So “guitar” is less secure than GuiTar which is less secure than Gu1T&r. One simple way to add different character classes is to capitalize all vowels or consonants.
Use Letters from a Phrase – Use the first letter from each word in a phrase, line from a song, etc. “There’s a hole in the bottom of the sea.” could become Tahitbots.
Numbers From Word – Use your phone keypad to convert a word to its numerical equivalent to use as part of your password.
Keyboard Patterns – Creating terms from rows of adjacent keys. 12345 is not very good, but \][po combined in the ways specified below can make for a secure password that would be very difficult to guess and is fast to type.
Use More Than One Word – Single word passwords are easy to break. If a hacker runs a program to try a bunch of words from the dictionary they shouldn’t be able to figure out your password. Choose words that you will remember, but that someone else won’t be able to guess. So a password like shinynail or flyingrock or tallwater are more secure than single word passwords.
Ideas for Passwords – Sometimes coming up with a password can be pretty difficult. Keep in mind you need to choose terms that you won’t often talk about. Here are a list of ideas to help come up with words:
Choose two objects from a picture that you’ll always remember. For example: a drawing at your grandparents house, the illustration from a children’s book, a painting at an art museum, etc.
Choose two terms from a memorable purchase. For example: bluev6 (first car), thinibm (first computer), gold3crt (engagement ring), 7ftgrand (piano), pinedoor (first house), sunshore (honeymoon destination).
Look through a catalog and choose terms based on something you see.
Look up a random article on Wikipedia and choose a word found or related to a word you find in the article.
Separate Your Two Words With Symbols and Numbers – For example: pine&1&door, kit!2!cat, etc.
Modify the Password For Each Site – In theory, the most secure password strategy is to use a completely different password for each system. In practice, this means you’ll have to write them down. By choosing a secure password and modifying it based on where it will be used, you can keep from having to write passwords down, but still have a slightly higher level of security. Here are some examples showing how they were created
blue.Mv6 for Amazon.com – blue and v6 from first car. M from the second letter in site name.
blue.Av6 for SAP logon – same as above.
thin!5!ibm for Amazon.com – thin and ibm from first computer. 5 from the number of letters in the site name.
Multiple Passwords for Different Types of Sites – Another option to keep from using the same password on every site is to use two or three passwords based on how secure the site is. For example, your banking sites might all use derivations of the bluev6 password. Ecommerce sites might all use a derivation of a different password and community type sites might use a third. The goal is to make sure that a rogue administrator at a forum you frequent isn’t able to get to your 401k.
Date Based Component – Some systems require you to change your password every 180, 90, or 60 days. (One client had set up their system to require a password change every 30 days!) If you are familiar with the cycle, you can add a date based component to your password and change it each time it is required. For example J10 could be added when you need to change your password in June of 2010.