How to choose hundreds of good passwords. That you can remember. In your head.

I often sit with clients when they need to choose a password for their user account on their website.  The expression of pain and annoyance is universal.  But it doesn’t have to be like this!

We’re going to take a quick look at why a good password is important, and what it is that makes a password “good” or “bad.  Then I’m going to share with you an amazing method for always being able to think up new passwords at the drop of a hat – and, crucially, never forget them.

“It says my password isn’t strong enough.  Really?!”

I’m not just worried about your password because I’m a foil-hat-wearing oddball drowning in paranoia.  It’s because I know that most of my clients  regularly choose passwords that can easily be guessed.  And those that try for something a little more cryptic often aren’t aware that hackers use software that can make millions of guesses a minute.

If you’ve noticed an increase of websites nagging you to choose a stronger password, that’s because the sophistication of hacking attempts is always increasing.  It concerns me because I care about my clients, and I don’t want any of them to face a hacked website, or a leak of sensitive data.  We’ve all got enough on our plates without this kind of drama.

So what’s “bad” about some passwords

Here are some common poor password examples, and what’s wrong with them…

  • antelope” – could be cracked instantly. Hackers use software to try every word in the dictionary, plus place names and given names, in a very short time.  This is called a “brute force” attack – trying millions of password possibilities using software – specifically, a “dictionary attack”.
  • Ante1Ope” – could be cracked in 2 hours.  So we’re getting better.  Throwing in some capitalisation, punctuation, and numbers helps.  But, sadly, brute force attacks are getting more powerful, and a dictionary attack can include a few common letter to number swaps.
  • Ante10p3#241” – would take 34 thousand years to crack!  So this is good, isn’t it? We’re basing this on a somewhat memorable word, adding less common punctuation, and generally getting cryptic.  Problem is though… is this still memorable?  Really?  Could you have different passwords like this for several websites and remember them all?  And if you get asked to make up one like this under pressure, and record it somewhere, you’re going to feel a bit stressed and unhappy!
  • Antelop3 House.” – would take 34 billion years to crack!  Wow, and this is really easy to remember too, because my organisation is based in a building called “Antelope House”… So, yes, that’s the problem.  Even though we’ve capitalised a bit, done a letter-to-number swap, and ended in a full stop, while this might take a computer longer to crack than the age of our planet, a clever hacker could have a look at your contact page and guess this in about 5-10 minutes.  I’ve had an actual client have a password like this for their Gmail account, the email address shown publicly on their website, just above the postal address – a client sometimes discussing the vulnerable people they support in their emails with their volunteers.  I’m not naming names, as that would be unkind – these mistakes are very common.  And they have a good password now 🙂

It’s worth stressing that point from the third bullet above – could you have different complicated passwords for several websites and remember them all?  If you choose one really strong password and use it everywhere, you might block any imaginable “brute force” attack.

But there are other ways your passwords can become known.  Your computer or phone might get a “key-logging virus”, which records what you type in and sends that off to an naughty person.  If you use the same password everywhere, if that gets discovered, then you’re at risk of having all your online identities stolen very rapidly.

Different passwords everywhere makes this much, much less likely – again, reducing risk to the point of near impossibility.

OK.  So what are we looking for in a good password?

Here are what I think are the criteria for good passwords:

  • Must be fiendishly hard to crack, hack or guess.  Practically impossible is ideal.
  • Every website or service you use must have a different password.
  • You can instantly think one up for each new website you sign up to.
  • You can easily remember every single one, perfectly, every time.

A few years ago, I realised I could meet all these criteria, using only my brain (which, really, is nothing special!).  And now I’m going to share the secret…. with you!!!

Sorry – I never normally get to exercise my hyperbole muscles 🙂

The trick: something genuinely random, plus a pattern you’ve made up, taken from the website you’re logging into

Does that make sense?  OK, let me break that down.

The majority of us can remember a small number of genuinely random or arbitrary things.  Like phone numbers.  Remember the days before mobile phones when we’d all remember our parent’s home phone number?  I guess that dates me 🙂  Or your postcode – that’s pretty random, and most can remember that with a little practice.

Well, that’s the first step – finding your “base” password.  You can use the wonderful search engine DuckDuckGo to generate a random, medium strength 8-character password (tip: type “generate password” into, or follow that link).  I’ve just done that, and was given “4hRijJDb”.  We’re not going to need anything quite that long.  Six random characters will be fine.  So I’ll pick the first six – “4hRijJ”.  It’ll be great if we can get some punctuation in here too, so I’m going to throw in an underscore to get “4hR_ijJ”.

This is the one thing you’re going to have to remember.  (If you think you might struggle with something this random, you could use a relative’s postcode instead – keeping the space in the middle, or replacing it with punctuation like a full-stop or a dash).

Next up, you need to decide on a consistent pattern to extract three or four letters from the name of the webite you’re logging into.  So, for Facebook, I could pick the first four – “face”.  Or the last four, “book”.  Or four letters starting from the second, “aceb”.  When I did this, I used a pattern which was to take the first four letters, but in each case to type the letter 2 keys to the left of that letter on a qwerty keyboard, unless I couldn’t, in which case I’d pick the key 2 to the right.  So Facebook would be “sdzq”.  For this example, I’m going to pick four letters in a pattern 2-4-3-1, so, from Facebook, we get “aecf”.  So I’ve got to remember 2431, along with my base password.  I can manage that 🙂  You can choose an easier pattern if you like.  Just a little nudge away from being obvious will suffice.

So, finally, to choose my new Facebook password, I’m going to stick these two things together: (1) my base password, which is stored only in my brain (4hR_ijJ), and (2) my letter pattern which I can always pull from the name of the website I’m logging in to, in this case Facebook (aecf).

That gives me “4hR_ijJaecf”.  The great website, How Secure is my Password?, tells me this password would take a computer 400 years to crack.  If I had started with an eight-character base password, the end result would take about 3 million years to crack.

It’s not a bad idea to go for the longest thing you can comfortably remember.  If, using How Secure is my Password?, you can get your password into the millions-of-years-to-crack zone, then you’re keeping yourself years ahead of increasingly powerful computers.

But all my passwords would be nearly the same, or similar – isn’t that bad?

On a practical level, probably not.  Because most websites don’t store your actual password.  They encrypt your password into a long and unrecognisable “hash”. It’s a one-way mathematical process.  There’s no way to calculate the original password if you’ve only got the hash.  When you next log in, the password you type is encrypted with exactly the same process, and compared with the encrypted hash.  If they match, you’re logged in.

So, even if a hacker stole the database of your website, they would only have the encrypted hash made from your password.  No way to even begin to start working out your clever pattern.

If you were to get infected by a key-logging virus, then your passwords could be stolen.  For a virus to figure out which key strokes out of the countless characters you type each day are your passwords would be hard work, but possible. Clever analysis could reveal your base password.  But the level of analysis required to isolate that, plus the extra website-specific portion you tack on, and figure out your pattern – that gets really hard.  It buys you time.  And in any security breach, time makes all the difference.  If you discover you’ve picked up a computer virus, get it removed, and change all your most important passwords (to a new pattern, following the instructions above) within a few days, or even a few weeks, you’re greatly reducing any risk of your accounts being compromised.

Wrapping up – and looking quickly at the alternatives.

All things considered, for most people, even those working for organisations storing sensitive client data, I think my method, described under the heading, “The trick…” above, will be more than adequate.  You’ll end up having a secure password, unique for every website, which you can remember without needing any superhuman abilities.  For most people, this would strengthen your passwords way above the average.

Alternatively, there is software available to help with passwords.  Personally, I no longer use the method I describe in this article.  I use software called KeePassX, which generates and stores utterly random passwords of any length.  KeePassX is available on Windows, Mac, and Linux, with mobile versions available too.  I use KeePassX on my MacBook, which stores its database file in Dropbox, and I use the Android app DropSync (free version) to synchronise the password database with my phone.  The database file is heavily encrypted, and protected with a primary password (one of three 16-character random passwords I remember with only my brain). This was fiddly to set up, possibly not recommended for the non-technical, but I needed something like this because of the sheer number of really critical passwords I have to remember for my clients.  I wanted something that was genuinely as secure as technology currently allows.

But my less technical, human-mind-only method described above worked just fine for me for several years for my own passwords.  I warmly recommend it for anyone needing to remember passwords primarily for themselves.

If you’ve got any feedback on any of this, want to share your approach, or have any questions, please do leave a comment.  Thanks!

[ps]  I’ve written this quickly.  I’ll be editing, correcting and removing unnecessary words whenever I can.
[pps]  My actual Facebook password is not as described above 🙂