In this post I’ll give you a method to create a really strong and flexible password.
I’ve personally only gone through 5-6 passwords in the last 8 years. The first 2 passwords were insanely weak (6 digit numbers!). I then started picking stronger passwords, but unfortunately I’ve had to change my password multiple times due to database leaks on websites I’ve joined.
However, my current password fixes all of these problems!
Desirable requirements for passwords
- No dictionary words or simple phrases (so no QWERTY or password!)
- No obvious patterns (e.g. 12345679, abcdef)
- No obvious substitutions (e.g. hello -> he11o)
- Length greater than 8
- Length less than 16 (unfortunately password length limits exist on many services, so this is needed)
- Starts with capital letter
- Contains 1+ capital letter
- Contains 1+ number
- Contains 1+ special characters
- Easy to remember
- Unique for every website
- Can be used with systems that make your password expire (without need for a new password)
The password we will make will meet all of the criteria above!
Step by Step Guide
- First, pick an easy-to-remember dictionary word or a phrase that means something to you. Make sure it is around 5-6 characters long. As an example, I will use secure.
- Choose a position to split the phrase on. Don’t just split the phrase at its syllables! I’ll decide to split at secu, so I have secu and re.
- Now capitalize the first letter in the first string, so secu becomes Secu. (This is so we meet the "starts with a capital" requirement on many websites.)
- Now pick two 2-3 digit numbers. I’ll pick 101 and 42. Insert one between your two strings and append the other. Thus far we have Secu101re42 (length 11).
- Now pick a few other lowercase letters and capitalise them. I go with: SecU101Re42
- At this stage, all we need is 1-2 special characters. I decide to go with # and add it in somewhere: SecU101#Re42.
The password is already a very strong password at this stage but still fails to meet the unique requirement.
- For the unique requirement, you have to come up with a system for creating unique passwords for each service you use. I came up with the following: look at the domain of the website you are using and take the first 2 letters from the domain. So on facebook.com you would take fa. Capitalize the first or last letter of this. Then add this to the start or end of your password, or put 1 character at the start and 1 at the end. I decide to capitalize the last letter and put the 2 characters at the end of my password. So our password for Facebook is: SecU101#Re42fA (length 14). The benefit of this is that even if someone manages to get your plaintext password on a service, they are unlikely to notice your system and will be unable to access your other services.
Note: You can also use a 2 letter prefix that works with many websites so Facebook becomes fb. Furthermore, you can vary the length of the tag for each service as this will also make your password vary in length from service to service which is another bonus!
- If your password expires on a service and you are not allowed to reuse the password again, simply add the year, semester, term, quarter or something similar to the start or end of the password. I usually add the year to the end, e.g. 15 for 2015.
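As an added example (not code from the original post), the following Python script implements the scheme above and checks a candidate against the requirements list. The mini word list and the substitution map are constructed stand-ins for a real dictionary, and the domain handling assumes a bare domain such as facebook.com.

```python
import string

# Constructed mini word list standing in for a real dictionary (assumption for this example).
COMMON_WORDS = {"password", "qwerty", "hello", "letmein", "welcome", "secure"}
# Undo the obvious substitutions the post warns about (he11o -> hello) before the dictionary check.
UNLEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


def has_sequence(pw: str, run: int = 4) -> bool:
    """True if pw contains `run` consecutive ascending characters (1234..., abcd...)."""
    codes = [ord(c) for c in pw.lower()]
    return any(
        all(b - a == 1 for a, b in zip(codes[i:i + run], codes[i + 1:i + run]))
        for i in range(len(codes) - run + 1)
    )


def check_requirements(pw: str) -> list:
    """Return the requirements from the post's list that pw fails; an empty list means it passes."""
    failures = []
    lowered = pw.lower()
    if any(w in lowered or w in lowered.translate(UNLEET) for w in COMMON_WORDS):
        failures.append("contains a dictionary word (possibly with obvious substitutions)")
    if has_sequence(pw):
        failures.append("contains an obvious sequence")
    if not 8 < len(pw) < 16:
        failures.append("length must be 9 to 15 characters")
    if not pw[:1].isupper():
        failures.append("must start with a capital letter")
    if not any(c.isdigit() for c in pw):
        failures.append("needs at least one number")
    if not any(c in string.punctuation for c in pw):
        failures.append("needs at least one special character")
    return failures


def service_tag(domain: str, length: int = 2, capitalize_last: bool = True) -> str:
    """First `length` letters of the domain label (facebook.com -> fa), one end capitalised."""
    tag = domain.lower().split(".")[0][:length]
    return tag[:-1] + tag[-1:].upper() if capitalize_last else tag[:1].upper() + tag[1:]


def site_password(base: str, domain: str, expiry_suffix: str = "") -> str:
    """Post's scheme: base password, then the service tag, then an optional expiry suffix (e.g. '15')."""
    return base + service_tag(domain) + expiry_suffix


if __name__ == "__main__":
    pw = site_password("SecU101#Re42", "facebook.com")
    print(pw, check_requirements(pw) or "meets every requirement")
```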
Remembering your password…is easy!
I came up with this system in such a way that remembering the password is no issue at all. Most people fail to remember passwords because they have so many different ones across various services. In our case, the domain gives you a tiny bit of the password. All that is left to remember is your phrase (in our case secure), the selected split position, the few letters that are uppercase and the two 2-3 digit numbers. It turns out that this system is very easy to remember. Simply typing your password over and over again for 2 minutes will get it stuck in your head, and then you can begin using it on all of your services.
I put the above password through various online password strength checkers, and it does very well in those tests.
Again, these passwords are great because they are unique for every service you use (a few may clash, but that is generally not an issue; however, keep the number of clashes to a minimum and ensure important websites DO NOT clash). If your password gets compromised on a service, you can rest easy knowing all your other passwords are secure.
Just for fun, here are the SHA1 sums for the password we created together below. If one hash gets compromised, the risk is almost nothing. If one plaintext password gets compromised, the risk is low if automated tools are used (often the case with large database leaks for major services). If someone is targeting you specifically, then it will take them a while to figure out your system, but chances are they won’t.
Oh and my password isn’t the password above so don’t try to hack me 😀
SHA1 sums for our password on various services