6 Tips For Creating An Unbreakable Password That You Can Remember

Ads by Google

You can lock every door and window of your house, but if you use a skeleton key the odds are pretty good someone is probably going to end up robbing you blind. The same is true of your passwords. If your passwords are not unique and unbreakable, you might as well open the front door and invite the robbers in for lunch.

A few years ago, Damien described a few ways to come up with strong passwords, like making sure you use special characters and that the password is at least 8 characters long. Still, creating a complex password is only half the job, the other half is actually remembering it.

And, is any password truly unbreakable? Not really, but in a recent interview with Bruce Schneider, Bruce referenced one of his blog posts about choosing a secure password. His advice was to take sentence and turn it into a password. His exact words were, “Choose your own sentence – something personal.”

This sounds like a simple concept, but even coming up with a sentence that you’ll remember can be as difficult as coming up with a password itself. About a year ago, Yaara offered some tips that could help you remember your passwords. The following are a few more tips that might help you develop passwords that are especially complex, nearly unbreakable, but also memorable.

1. Nursery Rhymes

One preferred method of coming up with complex passwords that pass every IT security policy out there – even those that require 15 character passwords – is the nursery rhyme technique.

Ads by Google

passwords2   6 Tips For Creating An Unbreakable Password That You Can Remember

The way this works is you choose one of your favorite nursery rhymes, capitalize the first letter of each sentence, replace certain letters with numbers, and follow that up with an exclamation point or some other symbol at the end. For example, take the nursery rhyme Little Boy Blue, which goes like this:

“Little boy blue, come blow your horn. The sheep’s in the meadow. The cow’s in the corn.”

Now you transform that replacing any “s” with “5” and any “L” with a 1 or a 7. Here’s the new password.

“7bbcbyhT5itmTcinc!”

That’s an 18 character password that includes numbers, letters, uppercase, lowercase and at least one special character.

2. Favorite Line of a Song or Movie

A technique similar to that above uses famous movie quotes to come up with the password rather than nursery rhymes. There are actually very popular nursery rhymes people may use, that hackers could guess. Using a favorite movie line – especially one that is particularly obscure – will make this approach much more secure. You may also consider replacing characters with numbers that are not so easy to guess.

For example, lots of people would think to replace an “s” with a “5”, but if you choose a different number, it’ll be harder to guess. Replace every “s” with a 6 or 7 instead – easy to remember because they start with the letter “s”. You might also replace every t with a 3 using the same logic.

passwords3   6 Tips For Creating An Unbreakable Password That You Can Remember

Using this new approach, you may start with the famous movie like from Al Pacino in the movie Scent of a Woman:

“If I were the same man that I was thirty years ago I’d take a flamethrower to this place!”

This quote then becomes:

“IIw36m3Iw3yaI3af33p!”

This concept is basic cryptography 101, but it’ll at least provide a compromise between coming up with a password that is very difficult to hack, but also one that a normal human brain can remember.

3. Use Industry Lingo

One alternative of this is using very specialized industry lingo to come up with the phrase. Nursery rhymes or even movie quotes could be guessed with a computer algorithm running through as many possibilities as a computer can manage. However, industry-specific lingo is much harder to guess.

passwords4   6 Tips For Creating An Unbreakable Password That You Can Remember

For example, if you’re a nurse, your phrase might be:

“The aortic coarctation led to an agonal response, BLS and finally intracerebral infarction.”

(I’ve no idea if that makes any sense, but you get the point).

Replacing “a” with 0 results in the following password:

“T0clt00rb0fii!”

This is only 14 characters rather than 18, but much harder to guess.

4. Personal Dates

An alternative technique to using sentences is using mostly numbers. Of course, random numbers aren’t exactly simple to remember either.  However, one technique that I learned from my father (he used it for choosing lottery ticket numbers) was to go with important family dates.

Now, the first thing many people think is to use birthdays. Unfortunately, these days it’s far too easy for the savvy hacker to discover online. You need something a little more advanced than that. A good approach is to use dates of events only you would remember as important to you, but no one else would really know about. The day that you first took a roller coaster ride. The day that you kissed for the first time. The day your parents gave you your first bike.

passwords5   6 Tips For Creating An Unbreakable Password That You Can Remember

Take the three dates that you are sure to remember, and line them all up in a row. Replace the slashes with a lower-case L, a space between dates with a “_”, and end with a special character like “!” or “#”.  Such a password would look something like this:

“10l08l86_03l14l94_09l06l98#”

This password is 27 characters, so it can only be used in systems that can handle very long passwords. If allowed however, it’ll allows you to have one of the most secure passwords possible.

5. Use a Keyboard Pattern

Here’s a fun password approach that uses the same technique as the smartphone login pattern. In this case, what you’re going to use is your keyboard. Draw some kind of recognizable pattern on your keyboard, and then use the letters and numbers as the password. For example, let’s say you create a pattern on your keyboard as shown below.

passwords1   6 Tips For Creating An Unbreakable Password That You Can Remember

If you start this pattern at the number 3, it should be pretty easy for you to draw out the pattern each time. If it helps, you might even draw recognizable images or letters on top of the keyboard. In the case above, the password ends up as follows:

“3waxcvgy7890-=”

Using this approach, you can alter the complexity of the pattern to lengthen the password. A hacker could potentially run an algorithm through that would attempt every password possible on a keyboard by connecting every key to one another, so making the pattern as complicated as possible – such as going back and forth or making complex, diagonal lines – should make that kind of hacking much more difficult.

6. Establish a Rudimentary Hardware Key

The final technique that’s worth trying for an ultra-secure password is the hardware key approach. In most corporations, employees are provided with a hardware “token” or key, which has a digital number on it that changes at a regular interval. That number is used as one part of the login process.

passwords6   6 Tips For Creating An Unbreakable Password That You Can Remember

In much the same way, you can print out and carry a card where you’ve written down part of your password pair. The other part of the pair would be the part of the password that you need to remember.

For example, your password might be “2BeOrNot2BeThatIsThe?”  So, you would write down “ThatIsThe?” on a piece of paper, and this will remind you what your entire password is.

The value here is that even if someone finds the written portion of your password, they still won’t have the part of it that exists in your head. At the same time, it gives you a powerful tool to extract that part of the password out of your head when you’re having a bad memory day.

Ultimately – the password that you go with should be the one that works best for your situation. You can use any of the techniques above, or come up with one of your own, but the idea is to develop a password that is so unusual, with such a variety of character types, that hacking that password becomes a nearly impossible chore.

Image Credits: baby crib via ziviani at Shutterstock, s_bukley / Shutterstock.com, Nurse making call via Monkey Business at Shutterstock, Riding a bike via Brian Jackson at Shutterstock

Ads by Google

63 Comments - Write a Comment

Reply

Nick C

I use Keepass to create hard to hack passwords.

Stephen

I don’t get why people feel they have to come up with these intricate rituals to make passwords better. Use a password manager and just stop bothering with it.

Stressed Go Outside

I don’t get why we have the rituals to make passwords better. I agree with Stephen because if kid can google how do I reset a password, and also get your security question just by asking you your security question in a normal conversation why do we bother with that?

Nick C

Keepass makes it so hard for Passwords to hack. I believe Makeuseof has made numerous articles talking about how good Keepass is. Keepass is my go to for Password management and creating hard to hack passwords. Keepass can even be stored on a USB drive as well.

Reply

Barrie M

I use lastpass and make it generate passwords. The one issue with the things listed above is it will be difficult to remember one nursery rhyme password try remembering a different one for every site.

Eric J

you create a “base” password and just change a part say the beginning or the end with something familiar with the site like for example makeuseof you could have at the end “Mu)”

Ryan Dube

Like Eric – I tend to often use the Nursery rhyme approach with a different number and character per site. then I only really have to remember 3 unique characters or so (or jot them down in my journal – without the base password the 3 characters are useless).

Reply

ReadandShare

Not sure what the big hang up is against password managers that can remember very long and very complicated and very unique passwords for each and every one of your sites?!? I use Lastpass without any issue, but even those who remain squeamish about “the cloud” can use Keepass and keep the info within their own desktop (or device)!

One BIG advantage of using a password manager to “auto populate” website login’s and passwords is this: a fake site good enough to fool you and me WON’T fool a password manager.

No clever nursery rhyme can protect you from accidentally logging onto a cleverly phished webpage.

Ryan Dube

That is very true – phishing is one of the biggest dangers, regardless of how clever anyone’s password is.

Reply

likefunbutnot

As a starting point, I usually suggest that someone make a password by using the stupid thing they like to use as a seed value and shifting all the characters over one row of keys on the keyboard.

Ryan Dube

Might only work for people who know how to type though, I would think? I know a few people I couldn’t imagine being able to type the correct password in that way. :-)

Reply

Steven Kopischke

I have been using a series of Bible verses to help me come up with passwords. For example, I will start with a verse, John_3:16 (that’s nine characters already and includes four classes of characters) and add -06/13 (another six characters for today’s date) followed by three letters that mean something to me, jHk. That gives me a unique password that also tells me what I was reading on that day….which I can also find in a physical journal. I also used 1Password to keep track.

Ryan D

Clever. This is a particularly good approach because it’s unique to your interests and your knowledge. Changing it frequently like you mention is another added layer of security. Very smart!

Reply

CP03P0

A strong password is good for some things but don’t get paranoid about a password, if we can make it, we can break it. And besides some people like the harder challenge thinking there must be a bigger prize inside. It’s like a treasure hunter opening a box only to find it empty.

Ryan D

How would a hacker know the password is more difficult?

Reply

John Bennet

But this would be another reason for password hacks

Reply

?????? ?

I use http://www.passwordcard.org/en Great service! I have my card on smartphone, tablet, in wallet, near my work and home computers. Passes like 3:)-cube written in paper notebook and evernote/OneNote

Reply

Pavels O

My comment was lost due to a glitch, and I am too lazy to retype it.

This summarizes it nicely though: http://xkcd.com/936/

“Through 20 years of effort we’ve successfully trained people to use passwords that are hard for humans to remember but are easy for computers to guess.”

Reply

Peter Hood

Use the password generator at grc.com, or the one in a password oubliette such as PINs.

Reply

password

use gibberish and keep the passwords in a password protected Word document

jasdykjnr82ngn^^jjWHWJK6d..m,m

Ryan D

This is actually kind of dangerous – all one would have to do is break the protection on the one Word document, and it’s all over. Also, the fact that Microsoft Products seem to be targeted so much more than others makes it that much more dangerous I would think.

Reply

Snedzsr

What or who is Yaara? This is a reference I’m not familiar with.

Ryan D

Yaara is an MUO writer and the link to the article mentioned is right there beside her name in the intro.

Reply

Q

This is all great people, but when I find I need a variety of standard PSW “keys” or starter phrases because the 282 site where I need to use them all have such a variety of rules that it makes it very, very tough to standardize. Even the most secure financial sites don’t allow special characters which seems stupid. Further, they limit you to only 12 characters — how dumb is that? Others require it to be changed every 90 days — what a PITA. Another is use is so seldom, you have to write down the clues, and hope you still remember. Finally, sometimes a site will change lock you out after lack of use and even THAT parameter varies. I don’t trust the idea of a master PSW to unlock anything using the cloud with 282 PSW’s stored on it — that would be a catastrophic hack! HALLLLLLLLLLLP!! I need more guidance on how to cope with all this!

Davidpleach.dl

Your situation is closer to everyone’s situation that we want to admit. One good solution is to get biometrically-based single sign on software (and a scanner, of course) that let’s you use your fingerprint to get into all those sites. Passwords are virtually eliminated and your authentication is even MORE secure.

If you stick with passwords, one thing you must do…make sure your money (bank) is always secured with a totally unique password. If the bad guys find any password you use, they’ll head to your bank and assume it works there, too.

Reply

OnTheRoad41

With Ryan Dube’s suggestions, how do you handle places (like my husband’s employer) who require you to change the password every 60 days and it can’t be similar to the previous 5?

Ryan D

Yeah – I know a lot of folks who have that issue. A solution that I’ve heard many friends of mine use is actually a version of the #6 solution in this article. Every time a password change is required, you update your “rudimentary hardware key”, and you’re good for another 60 days.

Reply

Þór Sigurðsson

All these require the person choosing the password to be fairly adept at on the fly encryption/encoding.

Most people are not. Most people have the patience of an agitated pitbull and the memory of a banana fly when it comes to handling passwords. And as such, they use password managers where they can and write down those pesky passwords they can’t put into their password manager – like their top secret don’t write anywhere and don’t tell anyone work password.

There is a simpler approach that still has many times over the entropy of the nursery rhyme passwords described above. Choose 4 or 5 words at random from a dictionary. Better yet if it’s not an English dictionary. Better yet if they are 4, but come from 4 different dictionaries.

As such, “quaint sauerkraut fuego hamborgari” would be totally rememberable – but still almost impossible to brute force or guess.

Short but useful reading material on password entropy: http://blog.shay.co/password-entropy/

Reply

Karl K

Your first example, “7bbcbyhT5itmTcinc!”, violates your nursery rhyme rule. That is, the
new password (based on the rhyme) should be: “7bbcbyhT5itmTcitc!” (the next-to-last letter should be a “t”, not an “n”.

Ryan D

Wow – good eye Karl! :-)

Reply

Stressed Go Outside

Lots of people forget passwords I work in IT a little code here and there and people sometimes brag that they made the password to long and difficult to remember, but it still takes the same effort and time to reset the password even if it is simple like pass321. What is easier and more effective than advice to just change your password regularly? Just something to think about google (Your LinkedIn Password Is On Display in a Museum in Germany) it was news last year.

Reply

Anonymous

About 90% of the sites I sign up for, I couldn’t care less if someone hacks into my account. What are they going to do, post a comment on a message board on my behalf? For those sites I just use the same password, and save secure passwords for things like email, banking or any site that requires credit card info. That significantly cuts down on the number of passwords I have to remember.

A41202813GMAIL

Exactly What I Do.

I Do Not Even Use Any Money Online, Whatsoever – Brick And Mortar All The Way.

Cheers.

Reply

Leopardmask

Is the “4 common words” password that xkcd talks about still difficult to hack? 4 random, common words that have nothing to do with each other, but you can still create a mnemonic to easily remember them. This is the comic, if this comment allows links: http://xkcd.com/936/
If not, the example is “correct horse battery staple”. Still really long, but does it work?

NP

No, it doesn’t work anymore. Anything that uses real words, even if long, are now easily cracked with smart, heuristic dictionary crackers. See the link to Bruce’s article

Reply

Gerald Z

Every time I change my password I have to rename my cat.

Reply

Comenclater

How Stephen said, password managers are very useful programs .
With password manager is easy to create a strong password. For example: http://blogen.stickypassword.com/creating-strong-passwords-with-sticky-password/

Reply

Robert M

This is far too overly complex. Complexity does very little to make your password secure. A brute force attack will still have to go through every possible character regardless. The length of the password is what really matters.

Make up a nonsensical sentence that is related to what you are protecting, such as:
“When I log onto my giraffe from Saturn I always include the number 7.”

And make that your password. And to make it easy to remember choose your favorite whatevers, in this case I picked an animal, planet, and number. This is your password. There is no reason to be cryptic with the complexity, it doesn’t do anything to stop a brute force attack, but the length of that requires “a very long time.” Remember, partial successes do not work. Passwords are all or nothing.

For more in depth explanation and plenty of links to explanations: http://rpmillers.blogspot.com/2014/05/puny-passwords-are-you-weakest-link.html

Reply

dpocius

Gearheads/petrolheads: For #5, overlay a picture of your favorite road circuit or portion thereof on the keyboard and proceed! The only way you’ll mis-enter your password is if you put a wheel off.

Reply

Petey P

Of course none of this matters when people take whole groups of passwords from Target, EBay, or Yahoo!….

Reply

S. Phibber McGee

If the industry standard became biometrics instead of passwords then this entire continual problem would become a none issue. You’d never need to remember anything.

Gigi O

I have a few concerns with sole use of biometrics.

While large scale hacking sweeps would certainly be harder, would this encourage more individual physical violence like kidnapping at ATMs or even “hacking” off of finger tips, etc.?

On a less ominous note, my ThinkPad’s fingerprint scanner is hit and miss already, although I’m sure that technology will continue to improve. But what if I have “dishpan hands” one day or develop periodic eczema? In the case of retina scanners, what if I develop glaucoma or need cataract surgery?

What if I have a sudden stroke or heart attack and need my family to handle my affairs for a while? What about access to my accounts after I die?

I’m curious how these kinds of situations can be dealt with. Please advise.

NP

biometrics is even more dangerous. It’s tied to your identity and you can’t change it.

Reply

S. Phibber McGee

@ Gigi: Many scanners allow for more than one print to be used in case of accidental injury/loss of a print. Also there are (a bet currently very advanced) systems out there that combine several biometric features such as facial recognition, finger/hand print, and retinal scan. My tablet does facial recognition now.

Dishpan hands is temporary, eczema doesn’t happen over night nor to all fingers at once. Neither does glaucoma or cataracts and you do have 2 eyes.

Kidnapping for the purpose of accessing ATMs happens now regularly in some places as does thieves loitering around them not to mention of theft of RFID data and card skimming. The potential for finger removal can be thwarted by the inclusion of pulse monitor in the scanner &/or a sensor to monitor the temperature of the finger.

No system will ever be 100% secure we can only make it as hard and time consuming and risky as possible for these thieves.

@NP regular changing of passwords is to prevent theft or hacking of your security. How exactly are you suggesting your biometrics will be hacked?

Gigi O

@ S. Phibber: Thanks. Use of multiple biometric criteria seems to be key. As does being physically present with delegates to my accounts long enough to establish biometric access for them in case of emergency. But this means they have constant access vs. knowing where/how/under which circumstances to access a master password that I might change periodically, for example. Unless there is some method for triggering such alternate access?

Reply

S. Phibber McGee

@ Gigi O-

Most of the fingerprint readers I am aware of have a password option in the event of
hardware failure (or presumably unrecoverable loss of the biometric data/digit used or in the case of events such as you have discussed previously.

Controlling access to your computer &/or the print reader are certainly still of paramount importance. To that end I am aware of the existence several hardware/software arrangements that require either a specially set up USB stick or the presence of an RFID pendant to make use of the computer before they can even access the biometrics.

Finally I’m sure that one or more of the available systems might well have a multi-teired authentication protocol requiring both biometric and password input. If they were to provide the biometric data and you the password you would still feasibly retain privacy and control.

I am somewhat confused however by your last comments as these indicate you do not trust those whom you would have access your personal data ICOE. My question the becomes why
allow them to at all. At that point I would simply take the lap top to my attorney and set him up be the ICOE data access person.

Reply

me

There is still more simple way. Decide two key words form your life incidences, assets, locations, family, name, initials, dates etc. One key word shall be 4 letter OR numerals. Second shall be of three letters or numerals. Say they are K1 & K2. Select two wild characters of your choice. Say they are W1 & W2.

Now your password for any site, any office file or zip, ram files will be filename OR sitename followed by W1 followed by K1 followed by W2 followed by K2.

Example if your K1=abcd, K2 = xyz, W1= & & W2 = *

your password for facebook will be facebook&abcd*xyz
Your file name is data.xls your file password will be data&abcd*xyz

The essence is in selecting k1,k2,w1 w2 in a manner that no one can guess.
This logical password created can work for entire lifespan…!!!!

Reply

Jo-anne P

OMG after reading all this my brain hurts lol.

Reply

Allan Harmsworth

I agree with Q, the article does not say how to deal with sites that make up arbitrary password rules. Some require a special password, some forbid it. Some require inclusion of a capital letter, some require inclusion of a number, or both. Then they limit it to 8 or 12 characters. What I need is a long nonsense phrase as *my99#dogRoverhas99fleas* then be able to add a unique differentiator like the name of the site like Facebook, Google or such in an arbitrary position. I do a lot of contests, so accumulate hundreds of new login passwords and username combinations. I used to use Roboform, but find LastPass works well for what I want.

Reply

Allan Harmsworth

I meant to say some require a special character.

Reply

Neville Scollop

2 factor authentication, application specific passwords, google authenticator, Bad IP Blocker, and KeePass Pro. That’s how I do it and it’s worked so far.

Reply

suherman

Thanks makeuseof for your tricks.

Reply

Sreeraj R

Nice article, in fact a much needed one. I always use passwords with numbers,Small and capital letters and at least two symbols.

Reply

Nick

No, no, no, no. Sorry, Makeuseof, you’re usually pretty good, but this is dangerous advice. Don’t use known phrases (nursery rhymes, movie quotes), or keyboard patterns. Both tactics are known to password crackers and they use them to easily crack long passwords.

Here’s the background you need on how passwords are actually cracked now:
http://arstechnica.com/security/2013/10/how-the-bible-and-youtube-are-fueling-the-next-frontier-of-password-cracking/

Ryan Dube

The article doesn’t describe using plain words – did you read it? It describes using number,,letter and symbol variations to form complex passwords based on tge firdt letter of each word. Furthermore this wss a best practice described by security expert Bruce Schneier.

Reply

Squatch

I had the chance to sign up with the CIA but ultimately declined but I you have to make an account with them. Their password requirements were as follows:
20 characters long
Uppercase Letters
Lowercase Letters
Numbers
Symbols
All of this is required. If you can’t do this, your password is probably not secure.

Reply

Ron

I use the Yubico Yubikey to add 16 characters to my easy to remember password of 10 characters a total of 26 characters mus do the job.
And this way I use something I know and Something I have and only miss the something I am part.

Reply

Guy M

I type my new password in a word processor program and change the font to something with icons like wing dings. Then I copy that and past it into the password field on the site I’m signing up for. Hack that!

(This has been a troll comment. This won’t really work. Don’t waste your time responding either.)

Reply

android underground

Passwords in the cloud don’t work if the cloud service is offline. Passwords on your device don’t work if you have to log in on a device that is not yours.

Passwords in your head always work, no matter where you are, no matter if your password cloud service is online or not.

One password for things that are not important, and a handful of unique password for those email accounts and financial services that really matter.

Reply

John W

Nursery rhymes are quite common to many hundreds of thousands of people. I’d rather call on the vast store of song lyrics in my head. Even better if you have misheard the lyrics in your yoof and have been singing the wrong words for 20 years. Even when you’ve been told the right words many times!

If a site limits you to 8 or 12 characters or won’t take symbols don’t forget to complain loudly.

Also, many of us use acronyms, jargon and part numbers in our workplace that are meaningless to others. I use obsolete transistor and chip part numbers.

Reply

Moazzam Shahid

There’s also another site called http://www.mystrongpassword.com/
Its simple and fast for generating random, secure passwords.

Reply

Roch

Can someone point me to information on why a sentence with multiple words separated with spaces is easier to break than nonsense patterns without spaces (something I have heard in multiple articles like this one)? I know a dictionary-based brute force attack can solve for single words, but when there is a multi-word string, how does the password cracker know that they got one word correct in the sentence? Doesn’t the cracker have to get all the words correct, in the correct order, to successfully match the encrypted password string they have stolen? So, if I use a sentence with real dictionary words and spaces that becomes a 40+ character password, how is this easier for the password cracker program to break than any other 40+ character string?

Your comment