CREATING STRONG PASSWORDS THAT YOU CAN REMEMBER
Security experts always recommend "strong passwords." But what exactly qualifies as a strong password? And how do you avoid creating a password so strong you can't remember it?
According to NIST (National Institute of Standards and Technology), a strong password should contain no fewer than 12 characters, a rule adopted by the U.S. government in 2007 and further defined in the U.S. Government Configuration Baseline.
The myth of complexity
Most security guidelines also insist on character complexity, which usually means that the password must contain multiple character sets, such as uppercase alphabetic characters, numbers, keyboard symbols, and so on. However, complexity is less important than length. A password of sufficient length can defeat a password guesser or cracker, whereas complexity adds significant value only when the complexity is random or near-random.
Typically, when users are forced into complexity, they use the same types of characters in the same places. For example, when people are required to create an 8-character password with complexity, most will choose a root word in their country's language, with an uppercase first letter (usually a consonant), followed by a lowercase vowel. If they use a number, it will usually be a "1" or a "2" and placed at the end. If they use a symbol, it will usually be one of a handful of characters placed somewhere in the middle, often replacing a letter with a similar shape: an @ or a zero to replace an "o," an exclamation mark for an "i," and so on.
Password attackers know this, and their password cracking tools are optimized to guess at passwords using these patterns. Several security experts have analyzed large dumps of captured passwords and found the password patterns outlined above to hold true again and again. For example:
Marshall1968 - Though this uses 12 characters and includes letters and numbers, names that are associated with you or your family, or uses other identifying information such as birth year, are easily hacked.
F1avoR - Though it mixes up capitols and numbers, it is too short and substituting the number 1 for the letter l is easy to guess.
Take a sentence and turn it into a password.
The sentence can be anything personal and memorable for you. Take the words from the sentence, then abbreviate and combine them in unique ways to form a password. Here are two sample sentences:
WOO!TPwontSB = Woohoo! The Packers won the Super Bowl!
PPupmoarT@O@tgs = Please pick up more Toasty O’s at the grocery store.
Use passwords with common elements, but customized to specific sites
These examples tell a story using a consistent style so if you know how you write the first sections, and you’re on the login page for a site you’ll know what to add.
ABT2_uz_AMZ! (About to use Amazon)
ABT2_uz_BoA! (About to use Bank of America)
Putting It Together
Sentence: How do I untie this rope?
Put a common element around it like PSB: PSHdIutr?B
Now add the current year at the end: PSHdIutr?B15
Now we have a 12 character password of sufficient complexity that is something you can remember. Here are a few more:
For Amazon: AmHdIutr?Z15
For eBay: eBHdIutr?y15
For OSI: OSHdIutr?I15
Remember: Change your passwords often. Don’t put them where someone else can find them. Don’t share with others.