How to make a better password, right now

Dissertations and whole books are written about making passwords secure. But if you would rather read something not boring, here are a few tips to get you started.

If you are online, your data is under a constant stream of hacking attacks. When I started this site a few days ago, the first visitors were spambots and targeted attacks, both from China, which were specifically interested in my WordPress login page.

What passwords NOT to have.

If you go with one of these most used passwords, you should change it immediately:

1. password
2. 123456
3. 12345678
4. abc123
5. qwerty
6. monkey
7. letmein
8. dragon
9. 111111
10. baseball
11. iloveyou
12. trustno1
13. 1234567
14. sunshine
15. master
16. 123123
17. welcome
18. shadow
19. ashley
20. football
21. jesus
22. michael
23. ninja
24. mustang
25. password1

If your password consists of one word you can find in the dictionary plus a number that is also a birthday, you are also very vulnerable. Examples:


These weak options already cover the majority of users, because people don’t want to remember 12 different passwords like “$3dR_9vL?d+k%?”.

Generating a secure password that is easy to remember.

The trick is to derive the password from something you already know, something that is already in your head, but to make it less obvious.

Start with a quote, song lyrics, a prayer … something that is intimate to you or influenced you and consists of at least 8 words. An example: if you like the song “Mr. Tambourine Man” by Bob Dylan, take the beginning of the lyrics:

“Hey! Mr. Tambourine Man, play a song for me”

Now take the first letter of every word and combine them into something like this:

HMTMpasfm (whatever is most obvious to you).

Now just add a number at the end (even one of the infamous “birthday numbers”), because why not? In this example, Dylan’s birth year. Now you have something like this:

H!MTM,pasfm41 or HMTMpasfm1941

Congratulations! This is it. A pretty good password – it has uppercase and lowercase letters, it’s not in the dictionary, and it exists only in your head because it means something to you, so you quickly get used to it if you use it regularly. Of course you could always crank it up a notch or two – look at what “anonymous stranger” writes in the comments section …
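To make the scheme above concrete, here is an added Python example (not the post author’s code): it builds the acronym password from the phrase, flags the weak patterns the post warns against (top-25 list, dictionary word plus birthday number, missing character classes), and estimates the naive brute-force keyspace, also for the full-phrase variant suggested by Ohmcat in the comments. The small dictionary, the 12-character threshold and the 10 billion guesses per second rate are assumptions, not figures from the post.

```python
import math
import re

# Constructed from the post's own top-25 list; a real check uses a full breach wordlist.
COMMON_PASSWORDS = {
    "password", "123456", "12345678", "abc123", "qwerty", "monkey", "letmein",
    "dragon", "111111", "baseball", "iloveyou", "trustno1", "1234567", "sunshine",
    "master", "123123", "welcome", "shadow", "ashley", "football", "jesus",
    "michael", "ninja", "mustang", "password1",
}
# Constructed stand-in for a dictionary; a real check loads a full wordlist.
DICTIONARY = {"sunshine", "monkey", "welcome", "football", "dragon", "summer"}

def mnemonic_password(phrase: str, suffix: str = "") -> str:
    """The post's scheme: first letter of every word (case kept, punctuation dropped), then a suffix."""
    words = re.findall(r"[A-Za-z0-9]+", phrase)
    return "".join(w[0] for w in words) + suffix

def weaknesses(pw: str) -> list:
    """Flags the patterns the post warns against; an empty list means none were found."""
    found = []
    if pw.lower() in COMMON_PASSWORDS:
        found.append("in the most-used password list")
    m = re.fullmatch(r"([A-Za-z]+)\d{2,4}", pw)
    if m and m.group(1).lower() in DICTIONARY:
        found.append("dictionary word followed by a birthday-like number")
    if len(pw) < 12:  # the 12-character threshold is an assumption, not from the post
        found.append("shorter than 12 characters")
    if not (re.search(r"[a-z]", pw) and re.search(r"[A-Z]", pw) and re.search(r"\d", pw)):
        found.append("missing lowercase, uppercase or digits")
    return found

def keyspace_bits(pw: str) -> float:
    """Naive brute-force keyspace in bits: alphabet size (classes present) raised to the length."""
    if not pw:
        return 0.0
    alphabet = sum(size for pat, size in ((r"[a-z]", 26), (r"[A-Z]", 26), (r"\d", 10), (r"[^A-Za-z0-9]", 33))
                   if re.search(pat, pw))
    return len(pw) * math.log2(alphabet)

def years_to_exhaust(pw: str, guesses_per_second: float = 1e10) -> float:
    """Worst-case time to try the whole keyspace; the 1e10/s rate is an assumed figure, not a measurement."""
    return 2 ** keyspace_bits(pw) / guesses_per_second / (3600 * 24 * 365)

if __name__ == "__main__":
    acronym = mnemonic_password("Hey! Mr. Tambourine Man, play a song for me", "1941")
    full = "Hey!Mr.TambourineMan,playasongforme"  # Ohmcat's full-phrase variant, spaces removed
    for pw in ("sunshine1985", acronym, full):  # "sunshine1985" is a constructed weak example
        print(pw, weaknesses(pw), round(keyspace_bits(pw), 1), "bits", f"{years_to_exhaust(pw):.3g} years")
```

The keyspace figure is only the exhaustive-search upper bound; it says nothing about how quickly a password falls to a wordlist or pattern-based guess, which is exactly why the `weaknesses` checks matter more than the bit count.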

A few more things to consider.

Unfortunately, one strong password may not be enough. Most security experts recommend changing it now and then. At the very least, try to have one password for entertainment sites (they tend to be less protected) and a separate one each for online email, social networking, and of course financial services. If you are getting serious about security, follow Walt French’s advice in the comments below.

If you really only want to remember one really good password, get a password manager: you use this “master key” to log in, and all your other credentials are securely stored inside it. If you have a smartphone, I recommend “1Password” or “mSecure”. They can both store an encrypted backup on your computer, so if you lose the phone, you are still able to recover your passwords. If you are more traditional, write the passwords down on a piece of paper and lock it away safely, or keep it in an inconspicuous place. DO NOT store them on your computer as a plain text document.

Great! You now enjoy more security than 99% of the people out there. Just remember not to get too famous – because then you had better remember bad boys like Yø7h#(&Jz/k7(§9 …

  • Walt French

    This is indeed a fine way to generate *A* password. It’s not so good if you need more than one. I must have 50. If somebody busts into LinkedIn again, and gets the same password I use on all “non-critical” sites, I’m at risk for cross-site compromise, eventually leading to email, from which ALL sites are at risk.

    There are two extensions to the scheme I’d recommend. First, put those numbers at some predictable spot WITHIN the password (say, the 2nd and 5th characters). Second, do a few non-obvious permutations of the site name, say “ae” — reversing “fb” and subtracting a letter, then putting those letters into your already indecipherable “hmtmpasfm” mess, again in predictable places such as the 3rd/6th characters, so again: you remember it easily, but the root of your password scheme won’t be breakable.

    For the truly/appropriately paranoid, I’d suggest one-offs for your email account since it’s (currently) at the heart of a thief’s ability to request resets on MOST ALL of your other accounts. And a second phrase for your financial accounts (which at least in California are required to notify you of a breach), to minimize the risk of a theft from a casual site being transferred into financial loss.

    • Mavericks Guerrilla Consulting

      Hello Walt, thanks for stopping by. I have been following your insightful commentary for a few years, especially at Jean-Louis Gassée’s Blog (Monday Note). I assume FalKirk brought you here? :D

      Indeed, this is not a solution for “power users”, this is merely a guide for normal users to get at least some basic security going. And I definitely agree that you should have strictly separate passwords if you do a lot of financial transactions. I will update the post in this regard.


  • anonymous stranger

    This, but also: the longer you make the password, the better. Why extend your “messy” password with 2-4 digits? Just put 8 or more. I create my password with an easily entered sequence followed by a special char. For example H!MTM,pasfm32156548′ (look at the numeric keypad). The longer the password the better. With today’s graphics cards, breaking a 10-letter password is easy. A 21-letter password is not that easy.

    • Mavericks Guerrilla Consulting

      Relevant. Updated my post.

    • Anon

      Graphics cards? Huh? I don’t think GPUs are the technological advancement you should be worried about.

      • anon2

        GPUs are better for this kind of calculation and are often used in decryption/brute force algorithms.

        Specifically ATI video cards are better, asking me why is too much because I don’t know.

        • anonymous stranger

          GPUs are good because they allow *massive* parallelism.

  • Ohmcat

    What about “Hey! Mr. Tambourine Man, play a song for me” for a password, or any full phrase like that? Isn’t it as secure as anything else?

    • Mavericks Guerrilla Consulting

      I think that’s actually a pretty good idea. It definitely has higher entropy, but also takes much longer to type. You always have to balance security against feasibility.
      You would have to remove the spaces and put underscores in there, though, to have higher compatibility, and I could imagine a password that long is hard to enter in small text boxes.

  • blankman

    What I usually do is use the website’s name – let’s say “facebook” – and do a one-letter shift over to the left or right, and intersperse it with my birthdate, starting with the 2nd, 4th, 6th, and 8th positions. So my facebook password might be, for example, “g1s9v7r7nppl”

    • Mavericks Guerrilla Consulting

      Indeed, this seems to be a great method to easily memorize passwords for multiple sites. It can also effortlessly be modified to match a personal algorithm.

    • Morris

      I’ve considered a system like this, but it struck me as potentially dangerous in that if that pattern is figured out all your other passwords could be compromised.