Revealed: Our picks for the best password strategies

Our readers offer hundreds -- literally -- of good ideas for building and managing strong passwords. Who's idea comes closest to covering all the bases?

If you’re looking for tips on how to create, recall and manage strong passwords, you would do well to listen to our readers. They don’t seem to have the bad habits that lead to the weak, easily guessed passwords that abound on systems and Web sites everywhere.

Earlier this month, we reported that data security company Imperva had analyzed 32 million passwords stolen from an application developer and listed the 10 passwords most commonly used. At the top of the list was “123456,” the network equivalent of “Joe sent me” at an old-time speakeasy. Most of the rest were equally bad, such as the Web site's name used as a password, and, of all things,  “password.” If you visit these folks and they're not home, don't worry: The key is right under the mat.

So we asked our readers for their ideas on creating and managing strong passwords, and made it into a contest. The response was impressive. We received a total of 218 comments to our stories on this issue, and every single one of them was better than “123456.” A lot better, in fact. And we don’t think people were in it for the loot – we humbly offered a T-shirt as the prize – but were more interested in spreading the word on secure authentication practices.


Related stories:

Strong password management: You got a better idea?

Strong passwords: You DO have better ideas!

Are password rules just bad magic?


As we count down to our winner, let’s looks at some of the better ideas.

Quite a few readers take an acrostic approach to building their passwords, selecting phrases familiar to them, lines of poetry, song lyrics or recent memories. JCL, an avid golfer, builds passwords based on his most recent good round, something no golfer ever forgets. Another writer bases his on slang words he used in Asia while stationed there in the Army.

Once they have their basic password down, most of our contributors then substitute capital letters and special characters here and there. Using @ for a, and 1 for I, for instance, can keep the substitutions easy to remember.

Some writers stress the importance of password length, pointing out that adding even two added letters makes a password considerably harder to crack. Both BB from Ohio and Michael from Offutt Air Force Base, Neb., recommended using short basic passwords, of three to seven characters, and then repeating them to make a longer password.

And several people, including dmiller of Washington, D.C., recommended using keyboard patterns rather than thinking about specific words or phrases. “I use spatial patterns to create my passwords,” Miller wrote. “The advantage is that all I really have to remember is the starting point, ending point and the pattern. In fact, I probably couldn’t recite the characters of my password from memory if tortured.” Another advantage of this approach is that changing a password requires changing only the starting point, so even if a user wrote down the first character, someone who found the list wouldn’t know what follows.

All solid ideas. But the real trick to password management, as many readers pointed out, is remembering and protecting the passwords for many log-ins. At least one reader mentioned having 128 passwords; several others cited 50. How do they keep them all straight and secure?

Jack Holbrook of Lacey, W.Va., recommended building passwords from a favorite book, based on a combination of page number and line numbers. “You can even keep the page and line number written down and somewhere in plain sight,” he writes. “No one knows your favorite book or where it is located.” (Note to social media mavens: If you use this approach, don’t list your favorite novel on Facebook.)

There also is the more digital approach of using password management tools, recommended by quite a few readers. Ben Walker in Washington, D.C., uses KeePass, a free, open-source tool that was among those reviewed by the GCN Lab (and compared with the old-school, Post-it note method).

Utilities such as KeePass, RoboForm, 1Password and LastPass have the distinct advantage of leaving you with just one strong password to remember – the password to get into the encrypted utility, where the other passwords you need are kept. And you can cut and paste passwords from the list to whatever system or site you’re logging onto, which is a defense against keylogging software.

Of course, no system is perfect, and these tools do create a single point of failure if they’re ever compromised. And if you use multiple computers, you have to have them loaded onto each machine. Still, they do offer a secure, efficient way to keep a long list of passwords.

Which brings us to – drumroll – our winner. Ron from northwest Indiana wrote:

“While all the suggestions above are good, none are as strong as random generated passwords. I work for a business that stores business and medical records that must be kept secure. Also, we use the cloud for document management. Since any information is only as secure as the password needed to access it, I create 16-24 character passwords, encrypt them on a flash drive that I carry with me at all times, and duplicate in a safe spot, e.g., safe or safety deposit box. I need remember only one password to access the list (and like everyone else, it's a long list) if I've forgotten something. Keeping the flash drive safe and accessible is easier than you might think. Like any other system it takes some adjustment, but I know that my information and my clients' information will remain accessible only to those who are authorized to view it. Of course, we take other precautions. Passwords are only the first step in a long line of security procedures, but one of the most important.”

Ron’s approach covers just about every step security experts recommend. The passwords are strong. He keeps them in an encrypted file, but one that is mobile, so it can travel with him and be used on multiple machines. If he loses it, the files are still encrypted – and he has a backup, so he still has his passwords. And, perhaps most important, he and his organization recognize that passwords are only one part of a secure computing environment.

Whether this system would work with a BlackBerry or other smart phone might be problematic, but, as we said, no system is perfect. However, if you have a lot of passwords and a need for security (which covers practically everyone these days), this system is a good one. Congratulations, Ron. Your T-shirt will be on the way soon.

On a final note, several readers questioned the whole idea of offering password tips. “The first rule about passwords is don’t share your rule,” wrote Larry Frank. “If rules are commonly shared, then systems to crack passwords use those rules to limit their search.”

That’s a fair point, but since our readers offered so many different methods, we figure we have safety in their variety. If you’re looking for a new password method, choose the one you like – just don’t tell anyone.

Or, as Christopher, with tongue in cheek (we think), put it: “I've devised a foolproof method for creating easy-to-remember passwords that are impossible to crack. If I describe it, though, I'd have to kill you.”

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.