Strong passwords: You DO have better ideas!

Our contest runs through May 24

Wow! We asked you for ideas on how to create and remember strong passwords, and the initial response has been strong. Dozens of ideas flooded in during the first few hours. Apparently, a lot of people still use really bad passwords, such as "password" or "1234567."

We'll keep the window open until next Monday, May 24, so keep the ideas coming. Remember, a key aspect of smart passwords is how to remember them without writing them down, while maintaining a different one for each site where you need one.

Don't give us any actual passwords you use, of course. We want everyone to come out more secure, not less.

Some of the suggestions we've received so far:

Joe Brosky uses a combination of sequential numbers, partial words and symbols, but maintains a consistent format to keep them easy to remember. For example, he wrote, he might use the numbers 910 and 1112, separated by words and symbols. "When I need to create new passwords, my next numbers will be 1314 and 1516. This makes it easy to remember them without writing them down," he wrote. For the words, "First, I come up with two words, such as, Pittsburgh and Cleveland. I shorten them as follows: Pitts and Land. Thus, my easy-to-do system creates a password as follows: 1112@PittsLand@1314. When it expires, I just change it as follows: 1516@LandPitts@1718."

Martin from Fairfield, Calif., describe using variations on memorable words. "I start with a proper name or two-word phrase that meant something special to me in a certain year. For example, I went to Disney World in 1996, so I start with '96DIsneyworld' (using upper-case for the first two letters). I precede that with two special characters that I always keep the same. Then I precede that with the first letter again in lower-case. That gives me d,,96DIsneyworld.' To avoid using the very same password on all my various accounts, for each one I add a lower-case letter just after the digits that represents the system to me (e.g. 't' for the Timesheet system, 'e' for e-mail). This would give me 'd,,96tDIsneyworld' for my Timesheet password. When I need to change my passwords, I try to change them on all my accounts at the same time, thinking of a new special word (for example, a crazy kid I remember from 6th grade named Bruce Roble). Since that was in 1989, my Timesheet password would become 'b,,89tBRuceroble.'"

Martin was one of several readers who suggested writing down mnemonic keys to the passwords, meaningless to anyone else but enough of a trigger for the password's creator to recall the significance.

Jack Holbrook of Lacey, Wash., suggested a literary fix. "Keep a favorite book around the office, in a drawer or on a bookshelf. Pick a page and a line number. Use a phrase from that line on that page number," he advised. "Now you have as strong as a password as you like and you don't have to write it down. You can even keep the page and line number written down somewhere in plain sight. No one knows your favorite book or where it is located."

Bill Branning from Clay County, Fla., suggested using meaningless but pronounceable combinations of letters. "I recommended using random combinations of consonants and vowels in non-word strings that could be pronounced," he wrote. "I found that if a user could pronounce a non-word combination of syllables, it could be remembered without having to make a written note. Since then I have also recommended using added or inserted punctuation and caps."

Branning added that in his opinion, organizations should not require password changes unless there's evidence that a password has been compromised. "When I run into a system that forces frequent changes I alternate between only two strong passwords," he added.

John, from Chantilly, Va., suggested using the initial letters of a meaningful phrase, spiced up with symbols and upper-case letters. "For example, 'Now is the time for all good men to come to the aid of their country' becomes 'Nittfagmtcttaot,'" he wrote. "While this not bad for starters, it lacks the complexity of having special characters and numbers. This can be solved by substituting digits for vowels and holding the shift key every other time a letter or number would appear. For example, if you chose to substitute 1,2,3,4,5 for a,e,i,o,u your password would actually be: N3tTfagmtcTt!4TC. The nice part of this is that you can choose phrases that have meaning to you. I have friends who like to [use] song lyrics, which is fine as long as they don’t hum too loudly."

Another reader suggested a method that could leave your passwords unknown even to you ... at least by sight. "With one hand, type a random key sequence using letters within reach of your fingers. With the other hand, press the shift key as often as you'd like to capitalize letters," wrote the reader, identified only as C.H. "Memorize the finger movements instead of the characters. When a password change is required, move the thumb of the character-typing hand to another key and repeat the typing movement sequence."

E. Miller of Portland, Ore., recommended making passwords out of stories. "'I walked down Bourbon Street with Sarah in 1992' can be 'bourbon1992Sarah' or many other variations," Miller wrote. "Getting individuals to understand security policy, weaknesses and responsibilities; that's another issue entirely."

Keep the ideas coming, and by next week all of our systems may be a little more secure!

About the Author

Technology journalist Michael Hardy is a former FCW editor.

Who's Fed 100-worthy?

Nominations are now open for the 2015 Federal 100 awards. Get the details and submit your picks!

Featured

Reader comments

Mon, Sep 9, 2013 Jessica

i want a new password

Fri, May 21, 2010 Jean Willow Grove

One of my favorite passwords comes from a fantasy I had when I was much younger. I remember the fantasy name well, and it was never shared with another human being. As a result, there isn't any way for anyone to guess it, since it never existed anywhere but in my mind. Now, of course, it is part of a more complex passphrase or password that incorporates numbers and other characters. Also, it should be noted that some systems will only check the first 4 or 6 characters when looking for recently used passwords. So, at least in those cases, you would want to have the first 4 or 6 characters change and maintain the last 6 or so. Also, one of the simplest password managers I know of (though I use KeePass), is an Excel spreadsheet or Word document, password-protected. If you must write them down, then put them in your purse or wallet - something you really value and will protect.

Fri, May 21, 2010

The easiest way to recall a password is by relating it to something that only you would associate and is silly. (Silly phrases are easier to recall) If you see the entry R@lphntyour$ would you know that Ralph was my childhood dog and not yours? What is the need to write that down? You will remember it when you try to get into the dog-gone system!!

Thu, May 20, 2010

Systems that require frequent password changes to the point where the password has to be written defeat the purpose of having passwords. Unless the password is shared, such as with system recovery passwords locked in a vault, passwords should never be written down.

Thu, May 20, 2010 John Hellville

This is virtually a mute point, if i am trying to break into your account/network i am going to try the typical u-name/password combination's such as admin/admin, admin/password....blah,blah, blah. if that doesn't succeed in finding at least one access point to your network then i am going to move on, there are way to many other vuln's available for me to use to waste time on your measly little 8 or 12 character password. if all else fails i will just ask for someones password (social engineer) then just grab the hash for your "admin" and sit at home in my easy chair and decipher it. And then wallah i have your password. My point is that we put way to much emphasis on passwords and not enough on overall security.

Show All Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above