• Facebook
  • Twitter
  • Subscribe
  • RSS

Make Your Password So Hard to Guess That Even You Can’t Remember It

Computer Password Security

Rafael Lugana, CEO of something called Open-Xchange, helpfully explains “How to remember all your passwords and keep them safe.”

ne method is to base them on the first letter of each account. For example, your Facebook password would correspond to (F), which could mean “favorite film.” If your favorite film is Star Wars, you might then pick your favorite character: Han Solo. Then, your password could be Solo, plus some combination of numbers and symbols that isn’t related to any of your personal data but instead has a hidden personal meaning—for example, you first saw Star Wars on your 7th birthday, which was in 1983, at your Uncle John’s house. So the password for Facebook is now Solo7_1983@johns. Not a foolproof system, because the most dedicated hacker can crack any password, but it’s much better than using variations on the same password for all accounts.

So, all you have to do is make up unique password for each site based on randomly chosen details of an incredibly complex story associated with the first letter of the site? What could possibly go wrong?

Related Posts:

About James Joyner
James Joyner is the publisher of Outside the Beltway, an associate professor of security studies at the Marine Corps Command and Staff College, and a nonresident senior fellow at the Atlantic Council. He's a former Army officer and Desert Storm vet. He has a PhD in political science from The University of Alabama. Views expressed here are his own. Follow James on Twitter.

Comments

  1. As someone who has walked into a room forgetting why he went in there, this does not seem like an ideal solution.

    More seriously, I have recently started using LastPass, which allows you to store web passwords locally and encrypted. Thanks to it, I have been able to finally get over the rather obvious problem of using similar passwords for different websites.

    Like or Dislike: Thumb up 8 Thumb down 0

  2. C. Clavin says:

    http://xkcd.com/936/

    Like or Dislike: Thumb up 8 Thumb down 0

  3. KM says:

    @C. Clavin:

    Aww you beat me to it!! one of my favs and so useful too….

    I have this on my wall at work – ever since I put it up, there have been no password resets required in my building. IT now forwards it along with remote pw reset requests; they’re had few repeat offenders since.

    Like or Dislike: Thumb up 4 Thumb down 0

  4. Ron Beasley says:

    My bank recently forced me to change my password to something that is so complex it’s impossible to remember. Fortunately I have Norton identity safe which remembers it for me.

    Like or Dislike: Thumb up 0 Thumb down 0

  5. Liberal Capitalist says:

    I use jibberish that is done via a pattern on my keyboard.

    I have no idea what my password is… but I can duplicate that pattern when I need it.

    Need to change it? shift the pattern over one.

    Yeah… I know. who cares.

    ps… this is fun… forth of July thieves being caught red handed:

    http://gawker.com/florida-beachgoer-hilariously-confronts-two-women-steal-1600961473

    Like or Dislike: Thumb up 2 Thumb down 0

  6. Stonetools says:

    Also recommend XKCD. One commenter discussing the method said that several months after he read the comic he still remembered “correct horse battery staple “.
    If you can’t use a password manager XKCD Is the way to go.

    Like or Dislike: Thumb up 2 Thumb down 0

  7. grumpy realist says:

    Another reason to learn many languages….mush together an Japanese word and a Latin word with a number between them and you’re golden.

    Like or Dislike: Thumb up 0 Thumb down 0

  8. Pinky says:

    You’re the last person who should ever be able to figure out your password. You’re far more likely to access the sites that interest you, in detectable patterns. You have all of your own personal information. You think like you – all someone has to do is to be able to think like you, and they can harvest all your information. You’re much better off not knowing your passwords. Whenever possible, you should randomize your passwords, and never write them down or record them in any commercially-available software in any form.

    Like or Dislike: Thumb up 1 Thumb down 0

  9. Mikey says:

    @C. Clavin: I’d love to do that, but when I try…

    “Password does not meet complexity requirements. Reason: contains dictionary words.”

    grrrrrrrrr….

    Like or Dislike: Thumb up 1 Thumb down 0

  10. Tyrell says:

    I have a four page data base of all my different passwords. Some sites will take anything while others require a complicated combination of letters and numbers. If my 8 year old computer goes out, I am in trouble. I need a back up.

    Like or Dislike: Thumb up 0 Thumb down 0

  11. Ron Beasley says:

    @Tyrell: Me too, I have it on a USB thumb drive that I only plug in when I need it.

    Like or Dislike: Thumb up 1 Thumb down 0

  12. Tyrell says:

    @Ron Beasley: Thumb drive: I have thought about it, but I have left my thumb drive everywhere, but luckily have always found it.

    Like or Dislike: Thumb up 0 Thumb down 0

  13. beth says:

    @Ron Beasley: my husband and I realized we needed a list of passwords since we each access different important websites in our life – I pay the bills and regularly use the bank and credit card websites: he does the retirement plan and investments for example. We wrote them all down and stuck them in one of the hundreds of books in our office. Sure enough we forgot which book we put them in! We’re working on a better system.

    Like or Dislike: Thumb up 2 Thumb down 0

  14. Matt Bernius says:

    @C. Clavin & @KM:
    Agreed. Ever since that XKCD post I’ve been using pass phrases. It’s still a pain when you are expected to add numbers to it, but they work much better and are much more secure.

    That said, Mobile increasingly creates a problem as pass phrases (not to mention passwords) continue to be designed for physical keyboards.

    Biometrics provide a better option, but still have yet to be fully embraced.

    Like or Dislike: Thumb up 1 Thumb down 0

  15. Ebenezer_Arvigenius says:

    Seems to be a very specialist kind of idiocy. At a company I worked once the IT department decided that everyone has to set a password on the computer triggering on inactivity > 180 sec. The password should be at least 8 chars, Cap/No-Cap and contain symbols and numbers. I’m pretty sure it cut output in the department by at least 20% for the few poor fools who actually complied. The rest removed any passwords apart from login.

    Moral: Obtuse security increases risk.

    Like or Dislike: Thumb up 4 Thumb down 0

  16. Matt says:

    @Ron Beasley: I keep my passwords encrypted on an USB stick. The password for the stick is easy for me to remember and I keep the stick in a fire resistant safe that’s hidden when I’m gone.

    Yeah it makes life harder if I need to access some stuff outside of my house but those are usually low security passwords anyway.

    Like or Dislike: Thumb up 0 Thumb down 0

  17. Pinky says:

    I have an address book. Paper.

    Like or Dislike: Thumb up 0 Thumb down 0

  18. rudderpedals says:

    Your puny sheets of paper are no match for those of us chipped with implants, and carrying scissors.

    Like or Dislike: Thumb up 2 Thumb down 0

  19. DrDaveT says:

    @Liberal Capitalist:

    I use jibberish that is done via a pattern on my keyboard.

    I had good luck with that until I ran into a keyboard with a different layout. Ouch. Tablets and smartphones just make things worse, for that.

    Like or Dislike: Thumb up 0 Thumb down 0

  20. Boyd says:

    1) Like Doug, I recommend using a password manager, such as LastPass or RoboForm (which has served me well for many years on desktop, phone and tablet).

    2) Pass phrases have the highest level of entropy when constructed correctly. See Diceware.

    3) As many of you know, I’m retired from the Navy. Since then, I’ve worked as a software engineer, and now as a software development manager, I can find my way around a computer pretty well. But even I was stunned when the Defense Finance and Accounting Service applied DoD rules to their passwords last year. Imagine a 75-year-old computer-phobe trying to follow these requirements for access to the web site for his pension (the only way you can get most of the information you need about your pension, including your 1099R for filing your income taxes):

    – Passwords must be at least 15 characters long.

    – Passwords must contain a mix of upper case letters, lower case letters, numbers, and special characters (minimum of two characters from each of the four categories).

    – When a password is changed, users cannot use personal information such as names, telephone numbers, account names, or dictionary words.

    – Passwords must expire after 60 days. (!)

    – Users must not be able to reuse any of their previous 10 passwords.

    – Passwords must differ from the previous password by at least four characters when a password is changed.

    Wonder of wonders, DFAS lowered the requirements to be more in line with banking industry standards this year.

    Like or Dislike: Thumb up 3 Thumb down 0

  21. Luke says:

    What could go possibly wrong? Maybe that fact that I will forget it or when I would like to change it every half a year it will not be possible. No technique of creating strong passwords is safe when you have more accounts. I have about 180 of them and it is impossible to manage passwords without a decent password manager. I use Sticky Password and there are also others like mentioned before. Without it, I can not imagine the password life.

    Like or Dislike: Thumb up 0 Thumb down 0

  22. I use a system not unlike the one described in this post. I forget my exact passwords all the time.

    Like or Dislike: Thumb up 0 Thumb down 0

  23. Matt Bernius says:

    @Steven L. Taylor:
    Like XKCD suggests, pass-phrases — all the cool kids are using them.

    Like or Dislike: Thumb up 0 Thumb down 0

  24. James Joyner says:

    @Steven L. Taylor: @Matt Bernius: I posted the xkcd password strength cartoon three years back when it first came out. Very few sites actually allow you to use “correcthorsebatterystaple.” First, it’s too long for many sites. Second, almost all of them require a capital letter, a number, and a symbol. Third, many require you to constantly change passwords.

    Like or Dislike: Thumb up 0 Thumb down 0