What’s your password? A password strategy anyone can remember.

Seriously, what’s your password? If you can tell it to me off the top of your head, it’s probably not very good.

This past week, the password “happiness” led to the break-in of several high-profile Twitter users’ accounts. (Read the Wired blog on the incident for more details.) Yes, that was “just” Twitter, but what if it had been someone’s Amazon account, or maybe their bank account?

A Perfect Password

So, what’s a good password? Here’s an example:


This might seem like an extreme example, but this is a good password for several reasons.

1. I couldn’t tell you that password in a phone conversation.

2. I doubt that, if you looked over my shoulder as I typed it in, you could remember it accurately enough to reproduce it either.

3. It happens to be unique. You won’t find it in any dictionary and I doubt anyone else on the planet has this password. It’s very strong.

This example password was generated by https://www.grc.com/passwords.htm. Visit it and you’ll get a new unique one on every page load. Plus, it’s free, like beer, so go wild. Just remember to keep your passwords in a safe place.

But it’s a pain.

It would be fair for you to protest that using a password like this will make the web a real pain to use. You’ve probably used the password managers built into web browsers before, and that’s a decent way to “remember” difficult passwords, but you’ve got to start with a good password. There’s not much protection in having your browser remember “password123”. (If you’re using Firefox, be sure to set a Master Password on your browser to prevent someone casually going through them.)

If you’re a Mac user, you are luckier than you realize when it comes to password management. I can’t recommend the program 1Password highly enough. It keeps your passwords stored in your Mac’s keychain. Your keychain stores all kinds of sensitive information about your Mac, so, of course, you want to protect it with a good password as well. So, in a sense, you’re still stuck, right? You still need at least one good password. I haven’t found a password solution for Windows as elegant as 1Password.

A Password Strategy

Although it contradicts the rule I mentioned at the beginning, I want to share a way to create and remember hard-to-crack passwords. You can use a password like this to lock your Mac keychain if you use 1Password, or you can use it as a method for recreating your seemingly hard-to-remember passwords as needed.

1. Think of a phrase that only you would know. For the sake of this example, I’ll pick one many people would know. “Four score and seven years ago our fathers brought forth on this continent, a new nation…”

2. Now let’s take that phrase apart and make it into part of our password. Take the first letter of each word, and change any word that sounds “number-like” to the actual number. This gives us a password piece of 4s&7yao4b4otcann.

3. No one looking over your shoulder would remember that, right? Now let’s take it one step further. That’s your “base” password. Let’s mix in a bit of the URL of the site it’s for, so that no two passwords will ever be the same. You can make this rule up to suit you, but let’s say we’ll take the first and last letter of the main URL and make them the second and next-to-last characters of our password. For example, for facebook.com, we would use 4fs&7yao4b4otcanbn. For myspace.com, we’d use 4ms&7yao4b4otcanen.
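The three steps above, written out as a small script. This is an added example, not code from the original post; the function names, the substitution table and the domain-label handling are my own choices. The table includes “fathers” as a number-like word only because the post’s own rendering of the Gettysburg line turns it into a 4; adjust the table to fit your own phrase.

```python
# Added example (not from the original post): derive a site-specific password
# from a memorable phrase, following the post's three steps.
import re

# Words that "sound number-like" and the character each one becomes.
# "fathers" is included to reproduce the post's example string exactly.
NUMBER_LIKE = {
    "four": "4",
    "forth": "4",
    "fathers": "4",
    "seven": "7",
    "and": "&",
}


def base_password(phrase: str, table: dict = NUMBER_LIKE) -> str:
    """Step 2: one character per word. Number-like words become their digit or
    symbol; every other word contributes its first letter, lowercased."""
    out = []
    for word in re.findall(r"[A-Za-z']+", phrase):
        w = word.lower()
        out.append(table.get(w, w[0]))
    return "".join(out)


def main_label(domain: str) -> str:
    """'www.myspace.com' -> 'myspace'. Simplified: takes the label just before
    the last one, so two-part suffixes such as co.uk are not handled."""
    labels = [l for l in domain.lower().strip("/").split(".") if l and l != "www"]
    if len(labels) < 2:
        return labels[0]
    return labels[-2]


def site_password(base: str, domain: str) -> str:
    """Step 3: the label's first letter becomes the second character of the
    password and its last letter the next-to-last character."""
    label = main_label(domain)
    first, last = label[0], label[-1]
    return base[0] + first + base[1:-1] + last + base[-1]


def length_ok(password: str, minimum: int = 22) -> bool:
    """The post recommends 22 to 26 characters; flag anything shorter so you
    know to pick a longer phrase."""
    return len(password) >= minimum


if __name__ == "__main__":
    phrase = ("Four score and seven years ago our fathers brought forth "
              "on this continent, a new nation")
    base = base_password(phrase)
    for site in ("myspace.com", "www.twitter.com"):
        pw = site_password(base, site)
        print(f"{site:16} {pw}  ({len(pw)} chars, long enough: {length_ok(pw)})")
```

Two things worth noticing when you run it: the Gettysburg phrase yields only 18 characters per site, so the length check fails until you add more words, and every site password shares all but two characters with the base. Treat the base phrase as the real secret and never reuse a derived password as the base for anything else.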

Now you’ve got a method for creating virtually uncrackable passwords.

One note about the password we created here: 4fms&7yao4b4otcanebn is only an 18-character password. I’ve read that somewhere between 22 and 26 characters is what will give you a truly uncrackable password, so when you’re picking your passphrase, try adding a few more words to provide more protection. Good luck!

No doubt, your method generates nearly uncrackable passwords. I just wouldn’t want to use it for frequent logins. For every letter typed (and every unusual/awkward combination of letters) you stand a good chance of a typo. Even the fear of a typo can cause you to start over half the time lest you burn up your password retries.

I’d suggest a simpler method I came up with for rotating passwords required at work. First, I create a list of short words I like (such as “swipe”, “furl”, and “dwell”). For my password, I pick a word and type it plus a symbol (like @) and then type the word again but shifted up one row on the keyboard. Finally, I add a 4 or 5 digit number.

The result is something like “swipe@w28032579” where “w2803” are the keys above “swipe” and 2579 is the secret number. That’s a 15-character password that’s easy to remember (just one new word per password rotation) and it passes most password safety checks because it includes digits and symbols. No hacker’s dictionary tumbler will be able to find it any time soon.

Like your passwords, it is hard to “shoulder surf” because typing the word and the shifted word is done in two quick, repetitive stabs at the keyboard.

I’d like to steal one of your ideas: For website passwords, just replace the “secret” word with a memorable part of the domain: “google@t99to32579”

What do you think? It is pretty simple, easy to type, and hard to crack.
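The “shift the word up one keyboard row” transform from the comment above, as an added example that is not part of the original comment. It assumes a US QWERTY layout; the row table and function names are mine.

```python
# Added example (not from the original comment): reproduce the commenter's
# "word + symbol + word shifted up one keyboard row + number" construction.

# US QWERTY rows, top to bottom, aligned so that index i of one row sits
# directly above index i of the row beneath it.
QWERTY_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]


def build_shift_up_map() -> dict:
    """Map each letter to the key one row up in the same column."""
    mapping = {}
    for upper, lower in zip(QWERTY_ROWS, QWERTY_ROWS[1:]):
        for i, ch in enumerate(lower):
            mapping[ch] = upper[i]
    return mapping


SHIFT_UP = build_shift_up_map()


def shift_up(word: str) -> str:
    """'swipe' -> 'w2803'. Only letters are shiftable; the digit row has
    nothing above it, so anything else is rejected."""
    try:
        return "".join(SHIFT_UP[c] for c in word.lower())
    except KeyError as exc:
        raise ValueError(f"cannot shift character {exc.args[0]!r}") from None


def rotating_password(word: str, number: str, symbol: str = "@") -> str:
    """Assemble the commenter's pattern: word, symbol, shifted word, number."""
    return f"{word}{symbol}{shift_up(word)}{number}"


if __name__ == "__main__":
    for w in ("swipe", "google"):
        print(rotating_password(w, "2579"))
```

Both strings quoted in the comment come straight out of this table (swipe becomes w2803, google becomes t99to3). Note that the shifted half is a deterministic function of the word, so it adds length and mixed character classes but no secret of its own; the unpredictable parts of the result are the word choice and the number.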

That sounds like a pretty cool solution. I like how you incorporated the site name in. Sweet solution. Have you run into any problems using a non-standard keyboard, like a Blackberry or iPhone?

By John Morton on Feb 03 2009
