How To Create A Good Password That You Will Not Forget

Passwords can be a key to many things, for example your emails, your Facebook profile, or your bank account. Did you know that some people still use passwords like “password” or “123456”? Needless to say, it’s dangerous to use one and the same simple password for all of your online accounts. Imagine a hacker cracked that one password. To be safe, you should create unique and difficult-to-crack passwords.

So do you know how to create a good password? And how can you remember more than one of them? Here are some tips and tricks to maintain individual strong passwords for all of your online accounts.

Know The Characteristics Of A Safe Password

  • it cannot be found in a dictionary.
  • it contains special characters and numbers.
  • it contains a mix of upper and lower case letters.
  • it has a minimum length of 10 characters.
  • it cannot be guessed easily based on user information (birthdate, postal code, phone number etc.)

Create An Easy To Remember Base Password

You can use several techniques to create a good password that you will not forget. Here are some suggestions.

  • Randomly replace letters with numbers, e.g. flirt becomes fl1r7.
  • Pick a sentence, i.e. your passphrase, and reduce it to first letters of each word only, e.g. “Everything I Do I Do It For You” becomes EIDIDIFY.
  • Take a word and reverse spell it, e.g. neighborhood becomes doohrobhgien.

These examples are not very safe. While none of the words can be found in a dictionary, they still fail other characteristics of a safe password. Try to find a combination that allows you to incorporate all characteristics.

The base password I’m going to use for this article is “E1d_1D!4Y:)”.

Note that my base password meets all of the above criteria. It cannot be found in a dictionary, it contains special characters, a mix of upper and lower case letters, it is 11 characters long, and cannot be guessed based on my personal information (unless you suspect that I like Bryan Adams).
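The checklist above, written out as a small checker and run on the passwords from this section. This is an added example, not part of the original article: the word list, the substitution table and the user details are constructed for illustration, and it goes one step further than the checklist by also testing the de-substituted and reversed forms of a password against the word list.

```python
import re

# Tiny constructed word list standing in for a real dictionary file.
WORDS = {"flirt", "neighborhood", "password", "everything"}

# Look-alike substitutions mapped back to letters (an assumed, partial table).
LEET = str.maketrans({"1": "i", "!": "i", "7": "t", "4": "a", "@": "a",
                      "0": "o", "3": "e", "5": "s", "$": "s"})


def dictionary_variants(password):
    """Forms a dictionary check should test: as typed, de-substituted, reversed."""
    lowered = password.lower()
    plain = lowered.translate(LEET)
    return {lowered, plain, lowered[::-1], plain[::-1]}


def check(password, user_info=()):
    """Return the characteristics from the list above that the password fails."""
    failures = []
    if dictionary_variants(password) & WORDS:
        failures.append("dictionary")
    if not (re.search(r"\d", password) and re.search(r"[^A-Za-z0-9]", password)):
        failures.append("special characters and numbers")
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        failures.append("mixed case")
    if len(password) < 10:
        failures.append("length")
    # user_info holds birthdate, postal code, phone number and so on.
    if any(item and item.lower() in password.lower() for item in user_info):
        failures.append("user information")
    return failures


if __name__ == "__main__":
    me = ("1979", "90210")  # constructed birth year and postal code
    for candidate in ("fl1r7", "EIDIDIFY", "doohrobhgien", "E1d_1D!4Y:)"):
        print(candidate, "->", check(candidate, me) or "meets all five")
```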

Be Creative & Think Out Of The Box!

A computer may calculate faster than you and recognize patterns a lot quicker than any human brain, but one thing it cannot do is be creative. That is your great advantage over hacker tools!

As you see, in my password I replaced some letters with numbers or special characters. However, I didn’t use a stiff set of rules. I replaced the “I” with a “1” or a “!”. Using rules for replacing characters, e.g. always replacing an “a” with the “@” symbol, will weaken your password.

Here are some ideas for making it even harder for a hacker to crack your password:

  • Don’t use common substitutions, e.g. @ for A/a.
  • When you have recurring letters within your password, mix your substitutions, e.g. 8 or ( for B/b.
  • Pick a word and touch type it with your fingers in the etpmh (wrong) location. Keep in mind that you may switch keyboard types.
  • Pick a pattern on your keyboard and type it with alternating use of the SHIFT key, e.g. Xdr%6tfCvgz/

Test Your Password

Do you want to make sure your password is indeed safe? [NO LONGER WORKS] The Password Meter will reveal details about the strengths and weaknesses of your password. However, if your password is too long, i.e. too safe, this test will actually fail.

Create Individual Passwords For Every Account

Once you have a strong base password, you can use it to create individual passwords for each of your online accounts. Simply add the first three letters of the service, e.g. “E1d_1D!4Y:)GMa” for your GMail account or “E1d_1D!4Y:)eBa” for eBay.

Be Super Safe

To be super safe, you should have TWO base passwords. They will be used to keep important and not so important accounts separate. You would use one password for sites which hold personal information or credit card details, such as PayPal or GMail. The second password would be used for forums and similar sites that would not be of great harm if hacked. However, the passwords should be equally strong.

Update Passwords Regularly

This is the toughest part. To maintain safety with a strong password, you have to update your password every few weeks or months. The more often, the better. You can do this in several different ways. Here are some ideas that will keep it simple.

Change your base password only:

  • Change the special character substitutions you’re using.
  • Reverse use of upper and lower case letters.
  • Type the password with SHIFT lock turned on.

Change entire password:

  • Change how you identify the account you’re using, e.g. use the last three rather than the first three letters (GMa would become ail or eBa would become Bay).
  • Change the position of the letters identifying the account, e.g. put them to the front or in the middle of your base password.
  • Add the date of when you last changed the password at the back and mark it in your calendar.

In other words, use your human advantage: be creative and think out of the box.

If you don’t feel safe with “easy to remember” passwords, you will enjoy Stefan’s article on 5 Free Password Generators For Nearly Unhackable Passwords.

Do you have any additional tips on how to create a strong password?

Image credit: railking


26 Comments -

Shree

Yes, I understand the importance of an UnHackable password.
But IMHO…

The above and many other suggestions will come at a price. The brain generally gets fuzzy around the 7th or 8th character. In order to fool the hackers and make it a tough job (if not impossible), aren’t you setting yourself up for social engineering hackers?

The more complex your password is, and the more frequently you change it, the higher the tendency to WRITE it down, under the keyboard, in the diary, and with a creative mind we come up with a number of places to hide these passwords. With a multitude of systems, on average most have about 15+ system passwords. To me that is close to 30+.

I have no answer, but am in an eternal quest of how to balance the 15 AlphaNumericSpecialcharAndSymbol password (and add changing it every 2 weeks) with not being forced to write it under the keyboard.

pevinsghost

There are plenty of articles released lately that say you’re making an error, that keeping passwords written down is not a huge security hole that many in the IT sector believe it to be. The reason being that through familiarity of doing it people are better at physical security than at info sec. Granted taking that written password and putting it under your keyboard is pretty stupid, if you were to keep it in your wallet it becomes pretty safe. Or do you get your wallet stolen and have to freeze your bank accounts and replace your credit cards every few days?

Tina

Very good point.

Also, if you prefer to write down your password, you have the choice to write it down in a way that doesn’t immediately reveal it’s a password. For example, a credit card PIN can be hidden in a contact phone number or a password list could contain a dozen random character passwords, of which only every second or third is an actual password you’re using etc.

The point is to be creative because creativity is not predictable.

tully

Not true, the human brain is very good at remembering passwords. Dictionary attacks are always the first step, and using dictionary words greatly increases the chances it will be hacked. I read that 40% of encryption can be cracked due to weak passwords.

You may have 30+ different accounts, but classify them: forums etc. with one password, and banks and other personal stuff with separate passwords.

Charlatan

My personal preference is to use KeePass, a free, open source password manager, in conjunction with a basic account at Dropbox, which gives me 2GB of free storage. KeePass generates extremely secure, unique passwords for everything I need to log into. No remembering multiple base passwords and variations for different sites, I just keep track of a single master password. Dropbox lets me store a portable installation of KeePass online, accessible from anywhere with an internet connection, and keeps my password database synchronized. So, even if I’m not at home, all of my passwords are still at my fingertips.

Tina

Thanks for sharing your approach, Charlatan.

Doesn’t it feel a little uncomfortable, that a single password gives access to all your other passwords and accounts? And then to store the information online…

I’m sure doing it your way is much, much better than an easy to remember (dictionary) password. But even if in theory it was safe, I wouldn’t feel very comfortable with doing it this way.

Using a password safe, however, is a great alternative for people worried about losing or rather forgetting their passwords.

pevinsghost

I personally use a password safe on my PDA, that way I have all my passwords on me but don’t have to remember them all and they are not being stored in a place accessible to anyone else. I happen to also have a safety deposit box too, so I keep a backup list there. Then if my device is lost or stolen I can use my backup list to get into all my accounts to change the passwords, and since it has all the sites listed it would act as a checklist to make sure I didn’t miss any too.

Charlatan

Tina, no, I don’t find it uncomfortable. As Lisa said, even if somebody got into my Dropbox account, the actual passwords are stored in a heavily encrypted database file. Not having to deal with multiple base passwords and all kinds of variations means it’s much easier to make my master password that much more secure. I can, of course, let KeePass also generate my master password with enough length and entropy that I wouldn’t have to worry about even the NSA figuring it out (might be a slight exaggeration for all practical intents and purposes, but still).

sabat

This is a fine article, but a couple of the suggestions won’t help much against password cracking programs — in particular, mixing upper and lowercase letters does practically nothing in defense of a password crack, and neither does replacing letters with numbers (“7” for “L”, etc.). The cracking software is smart these days, and knows about those tricks. The basic idea here, though, will absolutely work: create a seemingly random series of characters, the longer the better.

XabiK

Very good advice, but I’ve got another one: use 1Password (if you own a Mac and/or an iPhone/iPod Touch); it makes using passwords easier!

AndreG

One trick that I have taught is to augment the base password with the name of the site that it’s being used for, so you get the following: fl1r7Gma1l… but for added security I place a character between the fl1r7 and the gma1l, usually an ‘@’ or ‘!’ or even ‘n’; the ‘n’ works well for e99nch1p5 (egg n chips). Simple!!

mwafi

thanks very useful

Tony

These tips are very useful. Password Meter and PasswordBird are some great tools to come up with strong passwords. They can be kind of combined, that is, first you go to passwordbird.com and get a strong password. Then you can go to passwordmeter.com to check the password you got from passwordbird is safe or not.

Lisa

I use Charlatan’s approach and use Keepass and Dropbox. I can generate way better passwords than I could ever think up for the 100+ passwords I have and only have to remember one. I change my Keepass password every few months to a 15+ randomly generated one that I just make myself flat out memorize.

Tina, I get what you’re saying, but keep in mind that not only is Keepass open source (you can verify what the developers are doing), but the entire database is encrypted, meaning that without the password, the information inside is just a bunch of random stuff. The Keepass folks actually recommend that not only do you use a super strong password for your database, but you also use an encrypted keyfile, like a special file on your flash drive. This significantly ups your security, as not only do you have to know something (super strong password), but you have to actually have something (keyfile on a flashdrive) to open the database.

As far as syncing with Dropbox, I believe all of your files are encrypted before being synced. If you were super worried, you could always store your Keepass database in a TrueCrypt file.

Keepass FTW! :)

Pascal

It is risky to type the password with SHIFT lock turned on because it will not work if you have to use a different keyboard type, when travelling for example.

Dave

I’ve tried all these schemes and they don’t work for me. I have one simple password I use for all sites that do not require financial information.

For more critical sites, I have a complicated password that is impossible for anyone but me to know.

But even this system breaks down because many sites now have incompatible rules. Like “no special characters allowed but you have to mix upper/lowercase and numbers.” or case insensitive but must include a symbol.

Best idea I ever heard for dealing with systems admins who like to set up schemes forcing you to have new passwords every week is to use your existing password, then just add a number to the end of it. So that could be P@ssword1, P@ssword2, etc.

Symbols for letters drive me crazy. Was it P@ssw0rd or P@ssword? I can never remember to do it consistently.

Reverse spelling? Are you crazy? It took me 3 years to learn to type “stunodniknud” as the admin password at one clever company. My brain does not work that way but after typing it hundreds of times, I now understand that DunkinDonuts is Stu Nod Nik Nud spelled backwards.

Parand

It’s easy to create strong passwords that you can also remember:

http://parand.com/say/index.php/2006/03/09/choosing-a-good-password/

In short:

Think of a sentence you won’t forget. Here’s one:

I hate thinking of passwords, it’s such a hassle.

If you really can’t think of one, pick up the closest book to you, turn to a random page, and select a random sentence.

Now, create the password as the first letter of each word in the sentence:

Ihtop,isah

There you go. That is a password that is hard to crack, but easy to remember. Because you just remember the sentence.

Buffet

“Test” your password? – like I’m gonna fall for that! Please.

Michael

Hi Buffet
“Test” your password? – like I’m gonna fall for that! Please
Other people seem to have missed this point.
I love your comment of only 10 words.
Like love, it changes everything.

João Brito

My system for passwords works like this: I created ONE huge password with TWENTY characters, and I remember this one easily. For things that aren’t that important, I use the first six chars. For things that are somewhat important, I use the first ten chars. And for things that are really really important I use the whole 20 chars password. So far, so good.
But I liked the suggestion of using the three first letters of each service after the password, it will make my six chars password a little stronger.

David

A comment on passwordmeter.com. I am currently working on a website for a large government agency. As part of the registration process, it is necessary to choose a password. The decision was made to incorporate the password meter into the sign-on page. In the process of doing this, I discovered an enormous bug in the password strength algorithm – which is the root cause for

“However, if your password is too long, i.e. too safe, this test will actually fail.”

It has to do with the way it calculates the number of repeated characters – which is a major deduction in the algorithm. Consider a password like “EIDIDIFY” from the beginning of the article.

There are 2 Ds and 3 Is in the password, for a total of 5 repeated characters. Deduction for 5 repeated characters is n*n-1 or 5*4 or 20. However, because the algorithm bug to count this determines the number by looking through the string starting at the first character and looks at each character in turn to find matches. Then looks at the next character in the string and parses again til the end, whenever there is more than 2 of any character, you get characters counted more than once. In this case the first I matches two other Is in the string. Then when you get to the second I (in pass 4), it matches the last I also. The result is the algorithm thinks there are 3 I’s, 2 D’s, and then another 2 I’s, for a total of 7 repeated characters. 7*6=42 which is a huge deduction. If there was a third D as well, the algorithm would find 10 repeated characters for a deduction of 90. That explains why a STRONG password can turn into a WEAK password by making it longer.
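The counting behaviour described in the comment above, modelled next to a count that visits each character once. This is an added example and not passwordmeter.com's code: the function names are hypothetical, and the n*(n-1) deduction and the sample password are taken from the comment.

```python
from collections import Counter


def repeats_as_described(password):
    """Count repeats the way the comment says the meter does.

    Every position is compared with the rest of the string, so a character
    that occurs three or more times is counted again on each later pass.
    """
    total = 0
    for i, ch in enumerate(password):
        later = password[i + 1:].count(ch)
        if later:
            total += later + 1  # this character plus each later match
    return total


def repeats_once(password):
    """Count every character that occurs more than once, once per occurrence."""
    counts = Counter(password)
    return sum(n for n in counts.values() if n > 1)


def deduction(repeated):
    """The n*(n-1) deduction quoted in the comment."""
    return repeated * (repeated - 1)


def compare(password):
    """Return (described count, its deduction, single-pass count, its deduction)."""
    described = repeats_as_described(password)
    once = repeats_once(password)
    return described, deduction(described), once, deduction(once)


if __name__ == "__main__":
    # The second password adds one more D to the comment's example.
    for pw in ("EIDIDIFY", "EIDIDIFYD"):
        d, d_ded, o, o_ded = compare(pw)
        print(f"{pw}: described {d} (-{d_ded}), single pass {o} (-{o_ded})")
```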

Versatile

I currently use a great website called mashedlife.com. I use a yubikey to login for secure authentication, and all my passwords for all my online accounts are housed here.

I use the random system to generate random and complex passwords for each and every single online account I have.

When people ask me if I know my passwords, I literally say no I do not. In fact, if you asked me what my gmail password is off the top of my head, I honestly could not tell you because I have literally 0 passwords memorized except the main password I use to login to mashedlife.com with yubikey as the second form of online protection.

The mashedlife.com website is never down based on my usage, and the passwords are encrypted. Sure, lastpass.com is a similar site, but in general I think these are good solutions.

jay

i use my dob as my password, easy to remember

Montana

You know what, these banks & email hosts would be almost completely hacker-proof if they maybe did something where the password was encrypted with two layers of security — one, SSL, the other, an encryption algorithm that uses IP addresses. With so many different IP addresses, and the ability to change them every now and then, it would be hard for hackers to decipher the password.

OklyDokly

So, I’m curious as to why more companies aren’t going the route of OTP + password for authorization…game companies are doing it, some banks are, but not all…

Sure, you have the risk of losing your OTP generator, but without your password, that OTP generator is useless, and vice versa.

The fact of the matter is this: Try and try as hard as you might, you will never be able to completely prevent/thwart social engineering. Yes, you can brute force or dictionary hack passwords in some cases, but the vast majority of security compromises occur through social engineering.

RAJ KIAN

earlier i used to use pw as 123456 or even 123456789.
my frnd use qwertyuiop or zxcvbnm.
but currently i hv 2 type of pw. or 3.
for myspace its 7letters then 3 nos.
fb,twitter etc. its 7+7=14 letters thats very big. Well its combo of 2 words. n i bliv dat its next 2 impossible to crack it.
oh n the 3rd one is 7letters dats 2nd part of my earlier pw.

another thing which every1 shud keep in mind. Always make it a point to hv ur pw in CAPITAL LETTERS if u find it difficult 2 remember mix of upper n lower case.
i use caps. n dey say “hey ur caps lock is on”.