In the wake of the LinkedIn password theft, I would like to offer up a simple process for creating strong and memorable passwords. These would be less susceptible to cracking if a malicious group got their hands on a hashed password list, as they would likely be at least in the toughest 1% to crack, the category that requires brute force.
In general, a “strong” password should:
- never contain any words
- be at least 8 characters (the longer the better)
- contain at least 1 of each of the following:
  - lowercase letter: a-z
  - uppercase letter: A-Z
  - number: 0-9
  - special character (when the site/system allows them): such as “!” or “(” or “%” or “@” and so on
Note: The special character group is crucial to adding security and complexity to the password.
That’s all well and good, but how do you create a memorable password like that? In particular, how do you make one that would still be difficult to guess with hacking software?
Here’s a suggested method to do just that:
- Think of a not-so-popular expression, song lyric, or quotation
- Capitalize it following the rules of Title Capitalization: http://grammartips.homestead.com/caps.html
- Hopefully your phrase has a number or something that can easily be substituted with a number (e.g. won -> 1, to/too -> 2, tree/the -> 3, for/fore -> 4, …)
- Your password becomes the first letter of each word
- Finally, if special characters are allowed, add parentheses, punctuation, and others where appropriate.
Here’s an example of turning a song lyric into a strong password (albeit probably more popular than something you should choose, but this will work as an example):
- Original lyric: Don’t stop believing Hold on to that feeling!
- Capitalize: Don’t Stop Believing Hold on to that Feeling!
- Add/convert to numbers where appropriate: Don’t Stop Believing Hold on 2 that Feeling!
- Take the first letter of each: DSBHo2tF
- If special characters allowed, add them in a way you can remember: DSB(Ho2tF!)
According to http://howsecureismypassword.net/ it would take a desktop PC 71,000 years to crack “DSB(Ho2tF!)” (10 days for “DSBHo2tF”) -> you can see the importance of special characters!
There are ways to make this even more obscure/secure, of course, if you like:
- Always add certain letters/characters at the beginning and/or end of the password
- Instead of parentheses, use alternates such as: [], {}, <> — or mix+match: open with “[” but close with “}” — or even reverse them
- Use the last letter of each word instead of the first
- and so on
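Here is the method above (and the last-letter variation) written out as a small script, plus a check against the strength rules listed at the top. This is an added example, not from the original post; the stop-word list for title capitalization and the spelled-out digit words are my own assumptions.

```python
import string

# Number substitutions suggested in the post (won -> 1, to/too -> 2, tree/the -> 3,
# for/fore -> 4); the spelled-out digits (one, two, ...) are an added assumption.
NUMBER_WORDS = {
    "won": "1", "one": "1",
    "to": "2", "too": "2", "two": "2",
    "tree": "3", "the": "3", "three": "3",
    "for": "4", "fore": "4", "four": "4",
}
# Words that title capitalization leaves lowercase unless first or last (assumed list).
SMALL_WORDS = {"a", "an", "and", "as", "at", "but", "by", "for", "in", "nor",
               "of", "on", "or", "so", "that", "the", "to", "yet"}

# Constructed sample phrase, the same lyric the post walks through.
PHRASE = "Don't stop believing Hold on to that feeling!"

def title_capitalize(words):
    """Capitalize each word except small words in the middle of the phrase."""
    last = len(words) - 1
    return [w.capitalize() if i in (0, last) or w.lower() not in SMALL_WORDS else w.lower()
            for i, w in enumerate(words)]

def derive_password(phrase, use_last_letter=False):
    """Title-case the phrase, swap number words for digits, keep one letter per word."""
    chars = []
    for w in title_capitalize(phrase.split()):
        core = w.strip(string.punctuation + "\u2019\u2018\u201c\u201d")  # trim edge punctuation only
        if not core:
            continue
        if core.lower() in NUMBER_WORDS:
            chars.append(NUMBER_WORDS[core.lower()])
        else:
            chars.append(core[-1] if use_last_letter else core[0])
    return "".join(chars)

def check_password_rules(pw, specials_allowed=True, min_length=8):
    """Return the rules from the post that the password fails (empty list = all met)."""
    failures = []
    if len(pw) < min_length:
        failures.append(f"shorter than {min_length} characters")
    if not any(c.islower() for c in pw):
        failures.append("no lowercase letter")
    if not any(c.isupper() for c in pw):
        failures.append("no uppercase letter")
    if not any(c.isdigit() for c in pw):
        failures.append("no number")
    if specials_allowed and not any(c in string.punctuation for c in pw):
        failures.append("no special character")
    return failures

if __name__ == "__main__":
    base = derive_password(PHRASE)           # DSBHo2tF
    print(base, check_password_rules(base))  # flags the missing special character
    print(check_password_rules("DSB(Ho2tF!)"))
```

Note that the rule check only confirms the character classes are present; it says nothing about how guessable the underlying phrase is, which is why the post recommends an obscure one.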