10 Tips for Creating Secure Passwords

If you do anything with computers, you deal with passwords and you probably have a handful of different passwords for different sites and systems. The best password is something that you will never forget, but even your family or closest friend would never guess.

passkey-main

In my experience people either have extremely secure passwords like J!*xurQ1# that are so difficult to remember that they have to write them down (which defeats the security of a password) or extremely unsecure to start with, like Jonny (the name of their spouse). The goal of this post is to give you some ideas on how to generate secure passwords. The tips start out with some simple ways to come up with terms and end with ideas of how to combine these terms into secure passwords.

It should be obvious that you shouldn’t directly use any of the examples shown here. However, some of these ideas should be useful in generating your own secure passwords.

Here are a collection of tips for creating useful passwords.

  1. Use Different Character Classes - Many systems require that your password be from a variety of character classes. The letters a to z are one character class, A to Z is another, 0 to 9 is another, and the symbols are a fourth. In general the more character classes you use in your password, the more secure it is. So “guitar” is less secure than GuiTar which is less secure than Gu1T&r. One simple way to add different character classes is to capitalize all vowels or consonants.
  2. Use Letters from a Phrase – Use the first letter from each word in a phrase, line from a song, etc. “There’s a hole in the bottom of the sea.” could become Tahitbots.
  3. Numbers From Word - Use your phone keypad to convert a word to its numerical equivalent to use as part of your password.
  4. Keyboard Patterns – Creating terms from rows of adjacent keys. 12345 is not very good, but \][po combined in the ways specified below can make for a secure password that would be very difficult to guess and is fast to type.
  5. Use More Than One Word - Single word passwords are easy to break. If a hacker runs a program to try a bunch of words from the dictionary they shouldn’t be able to figure out your password. Choose words that you will remember, but that someone else won’t be able to guess. So a password like shinynail or flyingrock or tallwater are more secure than single word passwords.
  6. Ideas for Passwords – Sometimes coming up with a password can be pretty difficult. Keep in mind you need to choose terms that you won’t often talk about. Here are a list of ideas to help come up with words:
    • Choose two objects from a picture that you’ll always remember. For example: a drawing at your grandparents house, the illustration from a children’s book, a painting at an art museum, etc.
    • Choose two terms from a memorable purchase. For example: bluev6 (first car), thinibm (first computer), gold3crt (engagement ring), 7ftgrand (piano), pinedoor (first house), sunshore (honeymoon destination).
    • Look through a catalog and choose terms based on something you see.
    • Look up a random article on Wikipedia and choose a word found or related to a word you find in the article.
  7. Separate Your Two Words With Symbols and Numbers- For example: pine&1&door, kit!2!cat, etc.
  8. Modify the Password For Each Site- In theory, the most secure password strategy is to use a completely different password for each system. In practice, this means you’ll have to write them down. By choosing a secure password and modifying it based on where it will be used, you can keep from having to write passwords down, but still have a slightly higher level of security. Here are some examples showing how they were created
    • blue.Mv6 for Amazon.com – blue and v6 from first car. M from the second letter in site name.
    • blue.Av6 for SAP logon – same as above.
    • thin!5!ibm for Amazon.com – thin and ibm from first computer. 5 from the number of letters in the site name.
  9. Multiple Passwords for Different Types of Sites – Another option to keep from using the same password on every site is to use two or three passwords based on how secure the site is. For example, your banking sites might all use derivations of the bluev6 password. Ecommerce sites might all use a derivation of a different password and community type sites might use a third. The goal is to make sure that a rogue administrator at a forum you frequent isn’t able to get to your 401k.
  10. Date Based Component – Some systems require you to change your password every 180, 90, or 60 days. (One client had set up their system to require a password change every 30 days!) If you are familiar with the cycle, you can add a date based component to your password and change it each time it is required. For example J10 could be added when you need to change your password in June of 2010.

Originally published June 18, 2007.

Comments

  1. says

    Thanks for these super useful tips! I **really** need to overhall my passwords– I’ve used basically the same one word/number password for every site for years. I think I’ll come up with some kind of system I can remember based on site and security. Thanks tons!

  2. says

    Great tips! I will definitely refer clients to this post… as most of them are reknown for having passwords like their child’s name or their own middle name. yikes!

  3. Nicola says

    The simple solution is to just use passwordmaker (www.passwordmaker.org) as it fullfills all of these requirements and means you only need to remember one master password, but without the risk of a single site being compromised resulting in all your accounts being compromised.

  4. Mark Shead says

    @Nicola – I like the idea behind passwordmaker. I think that could be a pretty smart approach although it make it difficult to use your password from a computer other than your own. Still, I like it and I’ll have to try it out.

  5. says

    Personally, I have 10 events memorable events in my life that I have converted to a short, 4 character code with 2 letters and 2 numbers (ex. if your birthday was Jan 1, 1970, you could use mb11, bd70, or your initials and the date). To get the proper mix of character classes, I pick 2 of my 10 events and hold the SHIFT key while entering either the first or the last code set. If I need to record a reminder for the password in the open, I then write down a question that leads to my two digit key. For instance, “1) Car 54, where are you?” -> 1)54 -> fifth and fourth events, first set SHIFTed.

  6. Amy says

    I was taught to take example #9 just a step farther

    For a low security site, “LoWblueV6″
    For a med security site, “blueMedV6″
    For a high security site, “blueV6Hi”

    For banking you could also BANKblueV6bank

    Thanks for all the great suggestions – definitely an article to pass onto my children!

  7. says

    When you think about it, password security is really like the first line of defense, if your password is weak it really does not matter what other security precautions are in place. Thank you for some very practical guidance.

    Chris

  8. says

    It is about time that the industry..i.e. Yahoo-Google developed an internet crawler that catches those password crackers, even before they actually break a password. The act itself is illegal.
    If you walk around a neighborhood, and find someone with a crow bar and some nails fiddling around a back basement window..that should be a hint that he’s trying to break into the house, unless he live there or ha been hired to fix the window.
    There maybe automatic webcracking sites running, and Internet providers should try to eliminate them. It is no longer a cute college kid prank, it is a crime.
    In the mean time, until then we’ll heed your wonderful advise.
    Thanks
    I love living in the 21rst Century.

Trackbacks

  1. […] Password Chart is an interesting method to generate secure passwords. You give it a “master” password which is used to generate a chart that maps single letters to one or more letters.  You then just type in the name of the service you need a password for, and it will turn that into a password. Be sure to checkout our 10 Tips for Creating Secure Passwords. […]

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>