How To Create A Strong Password And Remember It

Following the hack of Zappos.com and 6pm.com there are probably quite a few of you looking for a way to create strong passwords and also remember them. Back in December, our safety-conscious friends at Consumer Reports ran a guide to creating strong passwords that are also easy… well, easier, to remember. Here it is.

You can create strong passwords that don’t make you memorize a cryptic string of letters, numbers, and punctuation symbols. Here are three techniques:

Use a sentence. It’s easy to remember the first letters of the words in a sentence. For example, children have used this sentence to remember the names of the nine planets: My Very Excellent Mother Just Served Us Nine Pickles. You could use the first letters of those words to generate this strong 9-character password: m*Emjsu9p, where Venus (the morning or evening star) is represented by *, the letter for Earth is capitalized, and nine is a numeral. In practice, it’s best not to use such well-known sayings to generate acronyms.

Use a pass phrase. A string of several words mixed with numbers and punctuation symbols is known as a pass phrase. For example: stitch9clock^handsapplausE. The longer the pass phrase, the more secure it is, though you’ll be limited by the maximum length the site allows.

Growing the haystack. Developed by security expert Steve Gibson, president of California-based Gibson Research, growing the haystack takes advantage of the ways hackers crack passwords. “The first thing they’ll try is the well-known dictionary of most common passwords,” Gibson says. “Then, if they know something about you, they will try to guess things from your life.”

To foil that part of the process, Gibson suggests starting with a phrase that’s short but not a common word. That forces the hacker to resort to the slower brute-force approach by trying every combination in existence, which is like looking for a needle in a haystack.

Once you’ve accomplished that, “the length of the password matters more than its absolute complexity,” Gibson says. In other words, make the haystack larger by padding the password with numerous easy-to-remember symbols. For example, the password “c – @T – – 9 – – -” is 10 characters long and is probably not in any dictionary, but it’s not very hard to remember.

A caveat: Don’t use any of the above examples as actual passwords. Now that they have been widely published, hackers might add them to their dictionaries.
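To make the three-phase argument above concrete, here is an added example that is not part of the Consumer Reports article: it classifies a password by which of Gibson's phases would recover it (dictionary, guesses from the victim's life, brute force) and sizes the haystack an exhaustive search must cover for the article's own examples. COMMON_PASSWORDS, the guess rates and the personal-info check are constructed assumptions, and the padded example is written with ASCII hyphens.

```python
import string

# Character classes; once a password is known to use a class, an exhaustive
# search has to include every character of that class in its alphabet.
CLASSES = {
    "lower": string.ascii_lowercase,          # 26
    "upper": string.ascii_uppercase,          # 26
    "digit": string.digits,                   # 10
    "symbol": string.punctuation + " ",       # 32 marks plus space = 33
}

# Constructed stand-in for the "well-known dictionary of most common passwords";
# a real one holds millions of entries harvested from published breaches.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "wazoo", "cupcake42"}

# Assumed guess rates: an online form tolerating ~1000 guesses/sec versus an
# offline attack on a leaked hash database. Both figures are illustrative.
RATES = {"online (1e3/s)": 1e3, "offline (1e10/s)": 1e10}


def alphabet_size(password: str) -> int:
    """Size of the smallest union of character classes that covers the password."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def search_space(password: str) -> int:
    """Candidates an exhaustive search must cover, trying every length up to len(password)."""
    n = alphabet_size(password)
    return sum(n ** k for k in range(1, len(password) + 1))


def attack_phase(password: str, personal_info=()) -> str:
    """Which of Gibson's three phases recovers the password: dictionary lookup,
    guesses built from the victim's life, or brute force."""
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS:
        return "dictionary"
    # Simplistic model of the "things from your life" phase: any known fact
    # (pet, street, birth year) appearing verbatim inside the password.
    if any(info and info.lower() in lowered for info in personal_info):
        return "personal"
    return "brute-force"


def seconds_to_exhaust(password: str, guesses_per_second: float) -> float:
    """Worst-case time to exhaust the search space at a given guess rate."""
    return search_space(password) / guesses_per_second


def report(password: str, personal_info=()) -> str:
    """Human-readable summary: length, alphabet, haystack size, and phase."""
    phase = attack_phase(password, personal_info)
    lines = [f"{password!r}: {len(password)} chars, alphabet {alphabet_size(password)}, "
             f"space {search_space(password):.3g}, falls to phase: {phase}"]
    if phase == "brute-force":
        for label, rate in RATES.items():
            years = seconds_to_exhaust(password, rate) / (365 * 24 * 3600)
            lines.append(f"    {label}: {years:.3g} years to exhaust")
    return "\n".join(lines)


if __name__ == "__main__":
    # The article's examples, plus a plain dictionary word and the short
    # unpadded core of the padded example to show what the padding buys.
    for pw in ["wazoo", "m*Emjsu9p", "stitch9clock^handsapplausE",
               "c@T9", "c-@T--9---"]:
        print(report(pw))
    print(report("Rover2010", personal_info=["Rover"]))
```

Note how the padded form and the unpadded core use the same 95-character alphabet; the padding only changes length, yet it multiplies the haystack by more than 95^6.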

How to create a strong password and remember it [CR]

Comments

  1. Mr. Fix-It says: "Canadian Bacon is best bacon!" says:

    Or just do like xkcd does.

    • MutantMonkey says:

      I now know my new universal password. Thanks!

    • George4478 says:

      I wonder what my bank would say if someone tried to log into my bank account with 1000 guesses/sec?

      Oh, I know — “your account has been locked after 3 incorrect login attempts”. This is pretty much the same policy at every financial or important website I visit. So, good luck Mr xkcd-inspired Criminal with that 3 day window on my “easy to guess” 11-character password.

      • SpiffWilkie says:

        The problem comes when you use the same password/login for multiple sites. If they guess your password by using a brute-force attack on a low security site, they don’t need 3 attempts on your banking site.

      • jvanbrecht says:

        Most brute force attacks are against the password hashes that have already been retrieved from a compromised system, whether that be the Windows SAM file, or your Firefox/IE password store…

        No worries about locking the account at that point. Very few, if any hackers these days brute force a live system.

    • dobi says:

      Seriously, the longer the better.

      becausethispasswordistotallymoresecurethanmostotheronesoutthere

    • Fiona says:

      ETRADE, which I have to use for stock options at work, has an 8 character limit on its password. STUPID.

    • French_Toast says:

      I thought of xkcd when they first said use a sentence, instead of using first letters.

      My password security is even better still. I type using the Dvorak layout, something like “correct battery horse staple” turns into “isoodik nakkdot jso;d ;karpd”

  2. sir_eccles says:

    Step 1 – check the site’s password policy.

    It’s no good coming up with a fancy password if you suddenly find the site won’t accept special characters or has upper or lower limits on the number of characters.

    • j2.718ff says:

      This is the most annoying part… some sites require certain characters – other sites don’t allow those same characters.

      • katarzyna says:

        I HATE that! Also hate the different requirements for usernames – some require a capital letter or number, others forbid them.

    • A.Mercer says:

      I had one the other day that had a cap of 8 characters and no special characters were allowed.

    • There's room to move as a fry cook says:

      Up until a few years ago my bank would only accept passwords of 8 or less characters.

  3. pop top says:

    Pluto isn’t a planet?

    • chizu says:

      My Very Evil Mother Just Served Us Nothing?

    • Coffee says:

      First the brontosaurus, now Pluto. My childhood is a lie.

      • pop top says:

        At least we still have the triceratops buddy!

        • Coffee says:

          The Land Before Time taught me that all triceratops are dickish…I don’t even have those D:

        • Cantras says:

          Bad news on triceratops, maybe. Apparently science says they might just be a bunch of baby Torosaurus — A similar, bigger dinosaur. Cliffs notes of the argument is that they hang out in the same place in terms of geography and history, but the smallest Toro skeletons are all about the size of the biggest Triceratops skeletons, and the big Triceratops skeletons have thin spots in their frills that match the holes in the Toro frills…

    • zippy says:

      And it’s pizza dammit, Nine Pizzas! Not pickles.

  4. SpamFighterLoy says:

    And then find out that the site doesn’t accept your really, really good password because it’s too long, doesn’t have capital letters, doesn’t have something else stupid that the site wants, etc.

    • tsukiotoshi says:

      That drives me crazy! I try to make a secure password with tricks I remember only to have the site inform me it can’t be more than 10 or 12 characters. Bah.

    • jvanbrecht says:

      American Express is like that.. or at least was like that for a long time, could not use any special characters.. wtf!!

      • BurtReynolds says:

        Still is, unless they’ve changed it since PSN was hacked and I changed all my passwords. Discover Card doesn’t allow anything but numbers and letters either. Most sites won’t let you put a space in either.

    • raydee wandered off on a tangent and got lost says:

      Yes. The requirement for a letter and a capital drives me bonkers!

  5. elephant says:

    I have been meaning to redo my passwords for a while – the Zappos breach got me motivated and I spent yesterday changing 60+ passwords. Took the whole day – each site is different and has different requirements – ugh.

  6. Coffee says:

    I just write down all my passwords and tape them to the bottom of my Sega CD…I know no one will ever steal that.

    • SecretShopper: pours out a lil' liquor for the homies Wasp & Otter says:

      What if a burglar really wants that copy of Ecco the Dolphin you’ve got?

  7. dolemite says:

    This is why I like LastPass. I create one super strong password that I remember, and the software tracks a bunch of unique passwords for the 50+ sites I visit. It also makes it easy to remember all the sites you have passwords to, and manage them. Of course there is the terrifying prospect of them getting hacked… (and there was a scare last year, where they thought they may have been).

    • George4478 says:

      I don’t think I could trust my password list to a company like that. The downside is so big for me if they have a security breach.

      • jvanbrecht says:

        I would not really worry too much about sites like LastPass and such; they store your password in such a way that without the master password (part of the cryptographic process to decrypt the encrypted hashes), the hashes are essentially useless, even if they have the password encryption/decryption algorithms.

    • SpiffWilkie says:

      I forgot my LastPass password. For real.
      I decided I don’t like them, though, because I don’t remember all my passwords anymore since they are stored in LastPass, and if I’m on a PC that doesn’t have the app installed, it’s a pain to go to their site and look it up.

    • Geekybiker says:

      I use them too. I don’t keep any of my super important passwords on there though. Like banks, etc. It does help keep all my other sites straight though, which is really nice.

    • ninjustin says:

      LastPass encrypts your passwords with hashing and can’t access them themselves. It’s one of the most secure password tools that exists. You can have it think of insanely complicated passwords that are not likely to be cracked. Then you just have to remember the one semi-complicated password for LastPass.

    • Jesse says:

      If you have a LastPass premium account ($12 a year), you can buy a YubiKey and add two factor authentication.

  8. brinkman says:

    This is fun.

  9. Frankz says:

    KeePass is a very good, very easy to use, free, open source, password manager, that will easily handle all your fancy hard to remember passwords.

    • Jimmy37 says:

      If you use more than one computer, how do you move your KeePass file between them and keep everything straight?

    • skapig says:

      Use Dropbox or some kind of other similar service/mechanism to synch. The password database is encrypted, so you’ll be cool as long as your password on it is strong.

  10. Cat says:

    1. 2. 3. 4. 5.

    That’s amazing! I’ve got the same combination on my luggage!

  11. donjumpsuit says:

    I created my strong password by deciding that I wanted to do it one day and then randomly started clicking a string of letters and numbers together in rhythm according to a little finger dance on my keyboard. Once I found something that felt fun and good, I repeated it about 30 times and it was committed to memory.

    What gets me is some sites require a non-numeric/alpha character, while most prevent you from putting one in your password. In addition, some other sites require caps, while others have a max/min amount of characters that can be used. This is the frustrating part.

    I thought about using the common theme of changing a few letters somewhere in it, so that it was unique for each site, but seriously it’s a little too much.

    • bethshanin says:

      I did that back in the 90’s. Now, trying to enter those passwords on my smart phone, xbox, and playstation has reverted me back to “do a passphrase”.

    • BurtReynolds says:

      I use unique passwords for “important” sites. Banking, credit card, student loan, etc. PSN kicked me into high gear when I realized that my email and PSN password would get someone into most of my important accounts.

      I might have some overlap and weaker passwords for the login I created at some online shops I rarely visit and don’t store CC information on.

      Of course, that means I have passwords in a PW protected file (Word actually allows a strong PW) because they are not easy to remember with so much variation.

  12. Back to waiting, but I did get a cute dragon ear cuff says:

    I will ask this again. What difference if I choose wazoo as a password as opposed to kjFbTg4632$#)kjhf!! when they are hacking into the system that is STORING said password and stealing the whole database?

    These people are not trying to crack individual passwords. They are stealing an entire database of millions of passwords at a time.

    • dolemite says:

      Good point. Of all the password “thefts” in the past year, I’d say the majority seem to be Sony, Steam, etc getting hacked. Although the Microsoft one seems to be an instance of easy passwords getting cracked.

    • Aphex242 says:

      …because if the passwords are encrypted, your former example is pretty unbreakable, whereas your latter example would be broken in seconds.

      • Aphex242 says:

        Oops. Reversed it.

        …because if the passwords are encrypted, your latter example is pretty unbreakable, whereas your former example would be broken in seconds.

    • jvanbrecht says:

      Because wazoo is an actual word, nonsensical as it may be, it is still a word.

      There is a database of password hashes out there for anyone to download, called rainbow tables. Rather than brute forcing the password, which was the traditional way, they now just compare the hashes of passwords in the database to the rainbow table; it is actually quite quick.

      The other password would have to be brute forced, and the longer you make the password, the more the time taken to brute force increases exponentially. Throw in special characters, numbers and upper case, and instead of a simple 5^26, you end up with 5^88 (and that is just for a 5 char password, and does not include spaces).

      So yes, there is a huge difference.

    • Hartwig says:

      This is why this article should state you should use a different password for each site you visit. Although I am guilty of not following my own advice. The best way to keep and remember passwords is to use a randomly generated password at each site and store them in a password application.

  13. jsimpson says:

    Any web site that requires a password should only allow three incorrect attempts to enter before locking out the site. That would cut way down on dictionary or brute-force attempts. Also, every such web site should post the number of failed attempts to log in to your account since your last successful log in. If you only check your bank web site once a week and notice there were some unsuccessful log in attempts, that would be a good time to change your password.

  14. jsimpson says:

    Any web site that requires a password should only allow three incorrect attempts to enter before locking out the site. That would cut way down on dictionary or brute-force attempts. Also, every such web site should post the number of failed attempts to log in to your account since your last successful log in. If you only check your bank web site once a week and notice there were some unsuccessful log in attempts, that would be a good time to change your password.

    • dolemite says:

      I think the lock-out should be maybe 5 attempts, and the lockout should be for maybe 30 minutes, and that it should notify you if there are any failed attempts.
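The lockout-and-report policy the two comments above describe, as an added example that is not code from any commenter: per-account lockout after a configurable number of failures, a timed lockout, and a count of failed attempts since the last successful login that the site can show the account owner. The user store, the PBKDF2 parameters and the injectable clock are assumptions.

```python
import hashlib
import hmac
import os
import time


def make_record(password: str, iterations: int = 100_000) -> dict:
    """Store a salted PBKDF2 hash, never the password itself (assumed parameters)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def check_password(record: dict, candidate: str) -> bool:
    """Constant-time comparison of the candidate's hash against the stored one."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["digest"])


# Record checked for unknown usernames so a missing account costs the same
# time as a wrong password (avoids leaking which usernames exist).
_DUMMY = make_record("no-such-user")


class LoginGuard:
    """Per-account lockout plus a count of failures since the last successful login."""

    def __init__(self, users: dict, max_failures: int = 5,
                 lockout_seconds: int = 30 * 60, clock=time.time):
        self.users = users                # username -> record from make_record
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock                # injectable for tests
        self._state = {}

    def _account(self, username: str) -> dict:
        return self._state.setdefault(
            username, {"strikes": 0, "locked_until": 0.0, "failed_since_success": 0})

    def attempt(self, username: str, candidate: str) -> dict:
        now = self.clock()
        acct = self._account(username)
        if now < acct["locked_until"]:
            # Locked: refuse without verifying, so guesses during lockout learn nothing.
            return {"result": "locked", "retry_after": acct["locked_until"] - now}
        record = self.users.get(username)
        ok = check_password(record if record is not None else _DUMMY, candidate) \
            and record is not None
        if ok:
            report = acct["failed_since_success"]
            acct["strikes"] = 0
            acct["failed_since_success"] = 0
            # Surface the count so the owner can spot guessing and change the password.
            return {"result": "ok", "failed_since_last_login": report}
        acct["strikes"] += 1
        acct["failed_since_success"] += 1
        if acct["strikes"] >= self.max_failures:
            acct["strikes"] = 0
            acct["locked_until"] = now + self.lockout_seconds
            return {"result": "locked", "retry_after": float(self.lockout_seconds)}
        return {"result": "denied", "attempts_left": self.max_failures - acct["strikes"]}


if __name__ == "__main__":
    # Constructed demo: three strikes, 30-minute lockout.
    users = {"alice": make_record("stitch9clock^handsapplausE")}
    guard = LoginGuard(users, max_failures=3)
    for guess in ["password", "letmein", "qwerty", "stitch9clock^handsapplausE"]:
        print(guess, "->", guard.attempt("alice", guess))
```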

  18. jsimpson says:

    Any web site that requires a password should only allow three incorrect attempts to enter before locking out the site. That would cut way down on dictionary or brute force attempts. Also, every such web site should post the number of failed attempts to log in to your account since your last successful log in. If you only check your bank web site once a week and notice there were some unsuccessful log in attempts, that would be a good time to change your password.

    • Fubish says: I don't know anything about it, but it seems to me... says:

      Back in the olden time many sites did this – 3 unsuccessful login attempts in a row and the account was suspended for 12-24 hours or it took a phone call to the help desk to reset the password.

  20. jsimpson says:

    Any web site that requires a password should only allow three incorrect attempts to enter before locking out the site. That would cut way down on dictionary or brute force attempts. Also, every such web site should post the number of failed attempts to log in to your account since your last successful log in. If you only check your bank web site once a week and notice there were some unsuccessful log in attempts, that would be a good time to change your password.

    • Cat says:

      Could you repeat that?

      • Coffee says:

        Any web site that requires a password should only allow three incorrect attempts to enter before locking out the site. That would cut way down on dictionary or brute force attempts. Also, every such web site should post the number of failed attempts to log in to your account since your last successful log in. If you only check your bank web site once a week and notice there were some unsuccessful log in attempts, that would be a good time to change your password.

    • minjche says:

      Any website that allows comments should only allow three duplicate comments so we avoid a clusterfuck like this :-)

  21. jvanbrecht says:

    There appears to be a lot of misinformed comments in here.

    First things first, people do not brute force passwords on live hosts. Why?
    1) most sites have a lockout policy varying from 3 to 5 attempts.
    2) performing brute force on sites that do not have a lockout policy would take forever, even on simple passwords, as you would likely only be able to attempt 5 to 10 passwords at a time (assuming you're using a script and not the site's interface). That might not result in a locked account, but it would result in significant load on the servers and the back end database that stores the password, which would get the attention of network and system engineers, and also leave a crap ton of logs.

    Most brute force is performed against password databases that have been retrieved from a compromised site (hopefully they use decent encryption, and not just std non cryptographic hashing). This gives them all the time in the world, and they can run the hashes against rainbow tables prior to brute forcing, which would result in the very easy passwords being cracked almost instantly, or however fast the person's hard drive is at parsing through the approx 8G sized rainbow table db.

    Sites where passwords were compromised usually did not store them encrypted, very stupid, or worse, the site's compromised DB also included the security challenge questions and answers to reset the passwords (the few questions they ask you so you can reset the password). Also very stupid, but all too common.

    Now, as for creating good passwords, I have a different password for most sites. It comprises 3 random words that have no association, and the site's name as the 4th word. Example:
    cat mrfusion kitchenaid consumerist
    The password would be “C@t, MrFusion, Kitchen@id, C0nsumerist”. When changing the password, I rearrange the order of the words but keep the same words, and also change the punctuation.
    For a different site, say cnn.com, it would be
    cat mrfusion kitchenaid cnn
    The password would be “CNN, C@t, MrFusion, Kitchen@id”

    Again, the word order would be changed for each site, as is the punctuation.

    ps, no those are not my chosen words.

    For sites that use password size limits, cut down on the number of words, but the mechanism remains the same. And they are extremely difficult (if not impossible) to brute force.

  26. Jimmy the Spender says:

    Here’s a cool site to test passwords: http://howsecureismypassword.net/

  27. ldillon says:

    The most important thing to do is to not use the same password for every site, so when one gets compromised, all are not compromised. I recommend making up a base password that you can remember and use a variation for each site. The xkcd http://xkcd.com/936/ advice makes a good base password, then add something unique from each site.

    For example: correcthorsebattery + ist (consumerIST.com) = correcthorsebatteryist
    Again, correcthorsebattery + gle (gooGLE.com) = correcthorsebatterygle

  28. Sparkstalker says:

    My pattern for users – two or three random objects on their desk along with a number and special characters.

    For example, from my desk – trackball!super68glue

  29. marc6065 says:

    I just use my social security number. No one knows that, right???

  30. Geekybiker says:

    Most important- don’t use the same password everywhere.

  31. Outrun1986 says:

    The Microsoft hack is a beast, that is for sure, since it seems like there are a couple things going on there

    1. Users are being hacked because of FIFA 12, hackers purchase a family gold pack and whatever else they want then they buy massive amounts of digital trading cards in FIFA and transfer those to their own account.
    2. Users are being hacked so their accounts can be sold on third party websites, the accounts with payment information and large amounts of MS points on them that is.

    The ultimate way to keep yourself from having problems with the MS hack is to not store any credit card information with MS and don’t leave large amounts of MS points in your account. Some people that have been hacked had 6000 or more points in their account, unspent. Even if the hacker gets your password they won’t want your account because it has nothing to offer them. If you buy a points card and redeem it make sure you spend at least the majority of it right away.

    Moreover, don’t use your credit card with any prepaid type of service. My iTunes account was hacked, for $5 in gift cards I had on there. I had no credit card on there so no damage was done. This could have been disastrous had a hacker gotten access to my credit card. Apple also refunded the money. I did notice that after the hack, when I had to create a new password, Apple had much stricter guidelines on passwords than when I first created the account.

  32. Jerem43 says:

    You covered this in April.

  33. jayphat says:

    Good lord. Use a run-on sentence you’ll remember and be done with it.

  34. Burzmali says:

    I just use an algorithm that generates a password based on some characteristics of the particular website. It gives me a different password for every website while still only requiring me to remember one simple thing. Plus, it’s a convenient way to avoid the “we should share passwords” thing that comes up in relationships. “We should share passwords!” “Great, it will take just a few minutes to explain my algorithm. Good luck remembering it!” “Never mind.”

  35. Disgustipater says:

    I just use an easy to remember word or phrase and then shift the letters to the right one space on the keyboard, so “cupcake42” would become “vi[vslr53”

  37. legolex says:

    You could have the most elaborate password ever and not have it cracked but that does zero good when a company makes you change it when they suffer a security breach.

    • Evil_Otto would rather pay taxes than make someone else rich says:

      You’d rather they didn’t make you change it? Really?

  38. ned4spd8874 says:

    Sadly most banks don’t support passwords that are too long or complex. Out of all the sites I visit, my bank has the worst/easiest password.

    One trick that I’ve found works out really well is to take part of the site's name, say “consumerist”, and add something that you can remember to the beginning or end of it. So say your password could be “consum1234” or “0987Consumerist”…you get the idea. This is the trick I’ve found that works pretty globally.

  39. Tga123 says:

    Pluto isn’t a planet.

  40. tinyhands says:

    Use a different password at each site, but use the same algorithm to create that password so that you’ll always remember it.

    For example:
    Site = The Consumerist
    Username = Tinyhands
    Seed = Blue#3 (can be anything but it’s the same everywhere)
    Date of last p/w change = January 17 (helps you remember to change it often)
    Algorithm = Site(4)+Uname(4)+Seed+Date (your algorithm may be in a different order)

    Thus, my password = “TheCTinyBlue#3Jan17”

  41. DarkPsion says:

    Another thing, answer the wrong hint questions for password retrieval.

    If it is “What is your mother’s maiden name?”, use Sailor Moon
    “What is your favorite TV show?”, say Denton, Texas
    “Where were you born?”, go with Miss Smith.

  42. gman863 says:

    If you have trouble remembering dozens of passwords, here are a few other ideas.

    The xkcd link is a good idea; however I make my own such passwords at home without the help of a website.

    * Alternate letters and numbers. If your wife’s name is Amy and her birthday is 8/11, use “A8m1y1” – not “Amy811”.

    * Use the first letters of a web site name in front of the base password (consumerist: COMA8m1y1). If you want to get really anal retentive, use military letter verification (CharlieOmegaMaryA8m1y1) – just keep in mind many web sites limit the length of a password to as few as 14 characters.

    * Pick something personal – a fetish only you could ever guess. I assure you mine is not “300#USSRWoman”.

  43. incident_man says:

    This is how I create strong passwords.

    http://www.passwordcard.org/en

    You print it out and then put it in your wallet. All you have to remember is a colour and a symbol, and you go from there.

  44. Jimmy37 says:

    BOGUS!!
    All these articles that keep making the same suggestions over and over are useless. I have over 75 accounts, between shopping, credit, investments, blogs, etc. Am I going to come up with that many unique phrases? And then start muttering to myself over and over as I try to remember which characters were substituted for what and what the first letters are??

    I tried using KeePass and a flash drive, but I got paranoid about losing that drive. Keeping multiple data copies on multiple machines doesn’t work because of synchronization problems. Using an Internet file service like Dropbox doesn’t work because my employer blocks these services. And what do I do when I go to a strange computer?? Install Dropbox there?? The answer is to use an Internet-based service, like LastPass. One very strong password to rule them all.

  45. Kamrom says:

    I would always generate passwords by putting catnip on my extra keyboard, and picking out a random stretch of the data entered.

    I got the idea from Freakazoid!