August 14, 2009 11:30 AM PDT

How to make strong, easy-to-remember passwords

by Larry Magid

One of the best ways to protect your online security is to have strong passwords that you change periodically. But that's easier said than done. Coming up with hard-to-guess passwords is hard enough, but it's even harder to have separate passwords for different sites and to remember new ones after you change them.

One way to create a password that's hard to guess but easy to remember is to make up a phrase. You could type in the entire phrase (some sites let you use spaces, others don't) or you can use the initials of each word in the phrase, for instance, "IgfLESi85" for "I graduated from Lincoln Elementary School in '85." An even better one would be "MbfihswE&S" for "My best friends in high school were Eric and Steve." You get the idea: upper- and lower-case letters, numbers, and symbols that are seemingly meaningless to everyone but you. Microsoft has an excellent primer on passwords and a password strength checker.

But even if you do come up with a clever, hard-to-guess password, don't use it for every site. Since lots of people do that, there's the risk that a sleazy site operator--or a sleazy person who works for a legitimate site--could use it to break into your accounts on other sites.

Password managers
One solution is to use a password manager. There are several available programs and Web storage services, but the ones I'm most familiar with are RoboForm and Lastpass. These programs can generate passwords for you and remember them so you don't have to. Both programs are, themselves, password protected, though you have the option of running RoboForm without a password or having Lastpass remember its own password on your PC. That's OK as long as no one else has access to your machine. I recommend that you manually enter your master password on a laptop that could more easily fall into the wrong hands.

RoboForm has a free trial version that's limited to 10 passwords after the trial ends. Lastpass is free.

Joe Siegrist, Lastpass CEO

(Credit: Lastpass)

RoboForm has been around for a long time, but Lastpass is a relatively new offering. Company CEO Joe Siegrist describes the program as a hybrid because it stores your passwords and usernames both on your machine and on the Web. You can download the browser plug-in to a PC or a Mac to work directly with Firefox on either platform or Internet Explorer on Windows, but there are also ways to use it with Safari and Chrome. Because it has a Web interface, it can work with any Web-enabled device, but the plug-ins for IE and Firefox make it easier to use.

On Firefox and IE, Lastpass records your usernames and passwords when you first enter password-protected sites and then enters them for you automatically for subsequent visits. Passwords are stored in a "vault," which is actually a Web page stored on your PC, as well as the company's servers, so you can access it from any device, including a borrowed machine. The password vault on your machine is automatically synchronized with the server, so you don't have to worry about synchronizing or backing up your data.

Password data, according to Siegrist, is encrypted on the PC and on the servers. He said that no one--himself included--can decrypt them without the master password that only you know. Assuming the encryption is as good as he says it is, this should protect your security even if their servers are compromised. The company provides a lot of security information on its FAQ.
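Siegrist's description above (every key derived from the master password on your machine; the server holding only data it cannot read) is easier to reason about in code. The following is an added example built from Python's standard library; it is not LastPass's or RoboForm's implementation, and its construction (a PBKDF2 root key, HMAC-derived sub-keys, HMAC-SHA256 in counter mode with encrypt-then-MAC, and a separate hashed login key) is an assumption chosen to keep it dependency-free. The salt and vault contents are constructed sample values.

```python
"""Sketch of a vault whose server cannot decrypt it: all keys are derived on
the client from the master password, and the server stores only a login
verifier plus ciphertext. Added example (standard library only), not the
code of any real password manager."""
import hashlib
import hmac
import os

_PBKDF2_ROUNDS = 100_000  # slow derivation makes offline guessing expensive
_NONCE_LEN, _TAG_LEN = 16, 32


def client_keys(master: str, salt: bytes) -> dict[str, bytes]:
    """Derive independent sub-keys from the master password, client-side only."""
    root = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, _PBKDF2_ROUNDS)

    def expand(label: bytes) -> bytes:
        return hmac.new(root, label, hashlib.sha256).digest()

    return {
        "enc": expand(b"vault-encryption"),  # never leaves the client
        "mac": expand(b"vault-integrity"),   # never leaves the client
        "login": expand(b"server-login"),    # the only key the server ever sees
    }


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode: a deterministic stream of n bytes."""
    out = bytearray()
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(out[:n])


def encrypt_vault(keys: dict[str, bytes], plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Output layout: nonce || ciphertext || tag."""
    nonce = os.urandom(_NONCE_LEN)
    stream = _keystream(keys["enc"], nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(keys["mac"], nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_vault(keys: dict[str, bytes], blob: bytes) -> bytes:
    """Verify the tag first; a wrong master password or a tampered blob fails here."""
    if len(blob) < _NONCE_LEN + _TAG_LEN:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:_NONCE_LEN], blob[_NONCE_LEN:-_TAG_LEN], blob[-_TAG_LEN:]
    expected = hmac.new(keys["mac"], nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong master password or tampered vault")
    stream = _keystream(keys["enc"], nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, stream))


def server_record(keys: dict[str, bytes], salt: bytes, blob: bytes) -> dict:
    """Everything the server keeps. Neither 'enc' nor 'mac' appears here, so a
    server breach yields ciphertext plus a verifier to guess against offline."""
    return {
        "salt": salt,
        "login_verifier": hashlib.sha256(keys["login"]).digest(),
        "vault": blob,
    }


def server_login(record: dict, login_key: bytes) -> bool:
    """Server-side check of the login key sent by the client (over TLS)."""
    return hmac.compare_digest(record["login_verifier"], hashlib.sha256(login_key).digest())


if __name__ == "__main__":
    salt = b"constructed-salt-16b"                     # constructed sample
    keys = client_keys("correct horse battery", salt)  # constructed sample
    blob = encrypt_vault(keys, b"example.com: hunter2")
    record = server_record(keys, salt, blob)
    print("login ok:", server_login(record, keys["login"]))
    print("vault:", decrypt_vault(keys, blob))
```

Two things the model makes visible: the server's copy is only as safe as the master password, because the stored verifier lets an attacker who breaches the server test guesses offline (which is why the derivation is deliberately slow and why the master password needs to be long); and the "vault stored on your PC" is just this same blob, so a borrowed machine learns nothing without the master password.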

There are also versions for BlackBerry, iPhone, Windows Mobile, and Android, as well as a Web site for phones and browsers that aren't supported directly.

For a lot more on password management, see CNET News reporter Elinor Mills' post, "Facing the pain of passwords."

Larry Magid is a technology journalist and an Internet safety advocate. He's been writing and speaking about Internet safety since he wrote Internet safety guide "Child Safety on the Information Highway" in 1994. He is co-director of ConnectSafely.org, founder of SafeKids.com and SafeTeens.com, and a board member of the National Center for Missing & Exploited Children. Larry's technology analysis and commentary can be heard on CBS News and CBS affiliates, and read on CBSNews.com. He also writes a personal-tech column for the San Jose Mercury News. You can e-mail Larry or follow him on Twitter @larrymagid.
Comments (26 comments, page 1 of 2)
by Harlan879 August 14, 2009 11:49 AM PDT
Another possibility is PwdHash (https://www.pwdhash.com/), a Stanford project that lets you use any password you like everywhere. The software combines the password with the domain name, then hashes the result (a one-way computation), so that even if someone knows you're using PwdHash, and knows your gibberish password on their web site, they can't use that information to log into any other web sites under your name. There's a Firefox plugin, and a web site (so you can use this on any computer) that runs the computation in Javascript on the local machine, so the password never goes over a network unencrypted. Pretty clever!
Reply to this comment
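The scheme Harlan879 describes (master password plus domain through a one-way function) in working form, as an added example that is not PwdHash's own code: the construction here, PBKDF2-HMAC-SHA256 with the lower-cased domain as salt and a 64-character output alphabet, is my assumption for the sake of a dependency-free illustration, not PwdHash's actual algorithm. The master phrase and domains are constructed sample values.

```python
"""Per-site password derivation in the spirit of PwdHash (added example, not
PwdHash's code): one memorised master password plus the site's domain go
through a slow one-way function, so every site gets a different password and
a leaked site password does not hand over the master or any other site's."""
import hashlib
import string

# 64 output characters: 256 is a multiple of 64, so mapping each derived byte
# with `% 64` is unbiased. Trim the symbols for sites that forbid them.
SITE_ALPHABET = string.ascii_letters + string.digits + "!@"
assert len(SITE_ALPHABET) == 64
_ITERATIONS = 200_000  # slows offline guessing of the master from a leaked output


def normalise_domain(domain: str) -> str:
    """Canonical salt so 'Example.COM ' and 'example.com' derive the same password."""
    return domain.strip().lower()


def derive_site_password(master: str, domain: str, length: int = 16) -> str:
    """Derive a site-specific password from master + domain.

    PBKDF2-HMAC-SHA256(master, salt=domain) yields `length` bytes, each mapped
    onto SITE_ALPHABET. `length` lets you honour a site's maximum-length rule;
    for a given site the shorter output is a prefix of the longer one.
    """
    if not 4 <= length <= 64:
        raise ValueError("length must be between 4 and 64 characters")
    salt = normalise_domain(domain).encode()
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, _ITERATIONS, dklen=length)
    return "".join(SITE_ALPHABET[b % len(SITE_ALPHABET)] for b in key)


if __name__ == "__main__":
    master = "My best friends in high school were Eric and Steve."  # the post's phrase
    for site in ("example.com", "example.org"):  # constructed sample domains
        print(site, derive_site_password(master, site))
```

The one-way function is what gives the isolation the comment describes: the site operator sees only the derived output, and the slow iteration count is the defence against someone who takes that output home and tries to guess the master behind it. The usual practical caveats apply: sites that demand a specific mix of character classes may reject some outputs, and a derived password can only be rotated by changing the master or folding a counter into the salt.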
by martalli August 14, 2009 11:56 AM PDT
A similar Linux program for this purpose would be gringotts. Gringotts can store almost anything securely, and can use almost anything for a "password", including files. However, you can certainly create a simple text file of passwords with gringotts. I have been using gringotts for years.
Reply to this comment
by Linuturk August 14, 2009 12:04 PM PDT
Keepass is superior in my opinion. Totally cross platform. www.keepass.info
Reply to this comment
by Seaspray0 August 14, 2009 12:37 PM PDT
I'll give it a try. btw, it's open source and free to use.
by raekwon August 14, 2009 12:12 PM PDT
On the Mac, you can't beat 1Password for this. http://agile.ws/
Reply to this comment
by discern August 14, 2009 12:28 PM PDT
With a Mac you can create a password that would be next to impossible to crack (or remember) and store it in the Keychain, without having to install the programs mentioned above. There it is securely stored, and entered automatically on the website it is associated with.

I'm flummoxed by some sites' password policies (Delta Airlines comes to mind) which limit you to 4 (or 6) characters. Some sites won't let you use anything but alphanumeric characters (no symbols, dots or dashes).

Another problem is with sites that don't allow your Keychain (or other password management app) to deal with the password (such as many bank websites). Again, with these apps, security wouldn't be an issue, because they allow you to use strong passwords. But if you are forced to remember it, it will most likely be a weaker password. In this case, the techniques mentioned in this article would be helpful.
Reply to this comment
by aniruddh.dodiya August 14, 2009 12:42 PM PDT
Passpack is also a good choice..
Reply to this comment
by dabear1985_rule August 14, 2009 12:43 PM PDT
I use Password Safe. http://passwordsafe.sourceforge.net/
Reply to this comment
by Seaspray0 August 14, 2009 12:44 PM PDT
another way to make a decent password is to pick a pattern on the keyboard. i.e. cvfder43 (type it and you'll see the pattern). It looks like gibberish but is easy to remember. Don't pick a pattern that goes in a straight line, give it a couple of turns or jumps. For those that have to change passwords on a regular basis, all you have to remember is where to start on the keyboard.
Reply to this comment
by larrymagid August 14, 2009 2:34 PM PDT
The danger here is if you use a pattern that is easy to guess. Your advice about "a couple of turns or jumps" mitigates this to some degree, but certainly no one should use qwerty or other relatively obvious patterns like qazxsw.
by ldpldp August 14, 2009 12:55 PM PDT
I learned a much easier way of creating passwords which I call geographic patterned passwords. Instead of a password that means something, plot out a password geographically on your keyboard. For example, use a pattern where you begin with the number 1, and go down the keyboard 3 keys, and then start at 2 and go down 3 keys, e.g., 1qaz2wsx. All you need to remember is the first number or letter and go in a particular pattern. Another example, qwerfdsa. Remember to start with q and go right 3 letters, go down one letter and back to the left 3 characters. You can make passwords that are really long (real safe) or short passwords where required. You can also double click on the same numbers or letters, e.g., ssxxddccffvvggbb. Just remember what letter or number to start with.

The pattern can be easy or complicated depending on what you can handle. What is cool is that you only have to write down the first key letter or number. You can hide the number in plain sight on your desk. Just don't tell anyone why that little yellow sticky in the corner has just one number or letter on it. Remembering a pattern is much easier than learning a new phrase every time you need to create a new password.
Reply to this comment
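Larry's reply points at the weakness of the keyboard patterns in the two comments above: they look random but are a small, enumerable set. The following added example (not from the post or any commenter) is the check a site or password manager could run to flag such passwords. It models a US QWERTY layout with row offsets ignored, an assumption of mine, and counts the longest run of keys that are each the same as or next to the previous one; the sample passwords are the ones from the comments plus the article's own.

```python
"""Keyboard-walk detector: flags passwords built by walking adjacent keys on a
US QWERTY keyboard (1qaz2wsx, qwerfdsa, cvfder43). Added example for a
password-policy check; the layout model is an assumption of this example."""

# Unshifted rows plus the shifted symbols above them, so "&" maps to the same
# key as "7" and "E" to the same key as "e". Row offsets are ignored: two keys
# count as adjacent when they are within one row and one column of each other,
# and a key is adjacent to itself (covers doubled-key walks like ssxxdd).
_ROWS = ["1234567890-=", "qwertyuiop[]", "asdfghjkl;'", "zxcvbnm,./"]
_SHIFTED = ["!@#$%^&*()_+", "QWERTYUIOP{}", 'ASDFGHJKL:"', "ZXCVBNM<>?"]

_KEY_POS: dict[str, tuple[int, int]] = {}
for _r, (_plain, _shift) in enumerate(zip(_ROWS, _SHIFTED)):
    for _c, (_p, _s) in enumerate(zip(_plain, _shift)):
        _KEY_POS[_p] = (_r, _c)
        _KEY_POS[_s] = (_r, _c)


def _adjacent(a: str, b: str) -> bool:
    """True when a and b are the same key or neighbouring keys (space, accented
    letters and anything else off the map never count as adjacent)."""
    pa, pb = _KEY_POS.get(a), _KEY_POS.get(b)
    if pa is None or pb is None:
        return False
    return abs(pa[0] - pb[0]) <= 1 and abs(pa[1] - pb[1]) <= 1


def longest_walk(password: str) -> int:
    """Length of the longest run of consecutive characters in which each key is
    the same as or adjacent to the previous one."""
    if not password:
        return 0
    best = run = 1
    for prev, cur in zip(password, password[1:]):
        if _adjacent(prev, cur):
            run += 1
            best = max(best, run)
        else:
            run = 1
    return best


def is_keyboard_walk(password: str, min_run: int = 4) -> bool:
    """Policy check: reject when any keyboard walk reaches min_run keys."""
    return longest_walk(password) >= min_run


if __name__ == "__main__":
    # Samples from the comments above, plus the article's phrase-initials passwords.
    for pw in ("1qaz2wsx", "qwerfdsa", "cvfder43", "qazxsw",
               "ssxxddccffvvggbb", "MbfihswE&S", "IgfLESi85"):
        print(f"{pw:18} longest walk {longest_walk(pw):2}  flagged={is_keyboard_walk(pw)}")
```

The two phrase-initials passwords from the article score a longest walk of 2 or 3 and pass, while every pattern from the comments is flagged, including "1qaz2wsx", whose two straight-down strokes each give a run of exactly 4. The turns and jumps Seaspray0 suggests do not help against this check, because a turn still lands on an adjacent key; only a real jump breaks the run.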
by sebastien.kalonji August 14, 2009 12:56 PM PDT
I prefer 1Password. Best password manager out there!
Reply to this comment
by WRandyK August 14, 2009 12:59 PM PDT
Here are some possible password management solutions. Each has advantages and disadvantages in terms of portability, security, and convenience.

Desktop software: 1Password, Keepass, SignUpShield, Roboform

Web app: Lastpass, Mitto, Passpack

USB drive: Ironkey, ID Vault

Standalone: Atek Logio, Mandylion Labs

Whatever solution people choose is likely to be better than writing down passwords on a loose piece of paper or an insecure computer file, using the same passwords everywhere, or using easy-to-guess passwords.
Reply to this comment
by DesktopIntegration August 14, 2009 1:44 PM PDT
OpenSpan can be used to automate logging into almost any desktop application, not just browsers. Since you write (visually) the login process, you can choose to store the passwords anywhere YOU like in any format - e.g. on Amazon Cloud (SimpleDB), any database, local or server, or through any service or API (Google etc.), or even build your own encryption for your own desktop. You can automate even starting each application, login to each application and be ready to go. Say you want banking and have 5 apps (3 browser and 2 client apps). Load your banking project and let it take care of the login. Here's the clever bit - you can even have it automate the log-out, clear the cache and shut down the applications :)
Reply to this comment
by Weyrand August 14, 2009 1:55 PM PDT
I don't get how this can be hard, think about this part:

"An even better one would be "MbfihswE&S" for "My best friends in high school were Eric and Steve.""

Now, an even even better one would be to just use that sentence! I mean, why not?

"My best friends in high school were Eric and Steve."

That's a really strong password because it is very long. As a sentence you came up with, it should be easy to remember. It contains some special characters as well as at least one upper-case letter, and it's extremely fast to type for anyone used to typing on a computer - meaning it's harder to shoulder-sniff it. But the length is its big strength, together with its resistance to dictionary attacks.

My passwords are generally something like "Today will certainly rock!" or "Did I lock the door?" and are frequently changed and easy to think of. Before I went the passphrase route I had the same problems as anyone else with coming up with and recalling (and typing) passwords.

It's also very easy to add "salt" to specific websites... like "Lineage2 will always rock!" where you substitute Lineage 2 with whatever site or tool it's used for. Obviously this will only prevent reuse of hashes - as anyone could guess the pattern if it was decrypted - but it's better than nothing? ^^
Reply to this comment
by yunlin12 August 14, 2009 2:34 PM PDT
I use PasswordMaker, primarily as a Firefox plug-in, where I can generate and fill in passwords on web forms with 1 key stroke. It's also available as a standalone app, JavaScript, and hosted online.
Reply to this comment
by larrymagid August 14, 2009 2:35 PM PDT
The issue with phrases is whether the site lets you use spaces. Some do and some don't.
Reply to this comment
by blakestar August 14, 2009 3:46 PM PDT
I don't know why we can't just use public keys to authenticate and ditch passphrases all together.
Reply to this comment
by cvaldes1831 August 14, 2009 5:50 PM PDT
Public keys can be stolen.

A better solution would be two-factor authentication, something like a passphrase and a token (like an NFC cellphone such as the Osaifu-Keitai system in Japan). This would require readers/scanners in devices.
by tokyololas August 15, 2009 9:10 AM PDT
Is this a direct response to Manjoo's Slate article (http://www.slate.com/id/2223478/) or is this just an unofficial Password Awareness Month...? If the former, it should be stated directly...
Reply to this comment
by synaptik August 16, 2009 10:12 AM PDT
KeePass! Seriously, it's the best. Multi-platform too. http://keepass.info
Reply to this comment
by danathompson August 17, 2009 6:27 AM PDT
I've been using Billeo for a few months now. It's a free browser plug-in that manages passwords, saves receipts and auto fills forms. Very handy! Works for me. https://addons.mozilla.org/en-US/firefox/addon/12715
Reply to this comment
by Eludium-Q36 August 17, 2009 9:49 AM PDT
Larry, the algorithm you promote requires WAY too much effort, especially when you're talking about maintaining complex passwords for dozens of sites we all have to log into. Online password managers simply require too much effort, too. Also, many sites limit the password length, so you can't have a really long sentence-style passphrase.

What I've found that's worked for me - and my day job is as a process efficiency specialist - is to use some form of the site's name with some form of a relative's name. This means every password is different yet similar enough only to me and no one else. For those sites that require passwords to have a number in them, I've selected a number and place it in the same spot.

Due to the algorithmic beauty of this system I don't have to keep any records at all, yet I can instantly determine my password for any site, and no one else could ever guess it because even though you now know the concept of the algorithm you could never determine the specifics of it.
Reply to this comment