I recently visited a client whose kids boasted that they know her passwords better than she does. They weren’t wrong. Like many people, she finds it difficult to make up and keep track of her passwords, and so she makes up very predictable ones and reuses them often. This was a problem, because one of the things I was called to do was restrict her children’s access to certain things on the computer, and doing so would require, among other things, the creation of some passwords that would have to be kept from the kids.
After a while, the demeanor of some of the kids began to irritate me, as their comments were increasingly disrespectful. At one point, one of them announced that the project was a waste of time because – he claimed – he could guess any password. I didn’t answer, but what I was thinking at that moment was, “Buddy, I have almost 50 years more life experience than you have, and you know almost nothing about me. If I can’t come up with a password that you can’t guess, then there’s something wrong with me.”
If you often find yourself in a similar situation to this child’s parent, or maybe you just have difficulty with passwords, then this post is for you. I am going to show you how to devise a strategy that makes it easy to come up with hard-to-crack passwords and keep track of them without maintaining a password reference notebook.
Let’s start by clarifying the problems. The first problem is password complexity. The days when you could get away with silly passwords like “123456789”, “11111111”, or, heaven forbid, “password” are long gone. Apart from the fact that these are the first three that anyone who wants to guess your password tries, most systems won’t let you use them. Nowadays, most systems impose password complexity requirements, and the most common rule is a minimum of 8 characters that must include at least one upper-case letter, at least one lower-case letter and at least one numeral. Some systems let you use a punctuation character instead of the numeral, and some require a punctuation character along with the other requirements. A lot of people find it extremely difficult to come up with passwords that satisfy all these requirements, much less remember them.
The second problem is just the sheer number of passwords we all must keep track of. Unless you’ve been living under a rock for the last few years, you know it’s a bad idea to use the same password for everything you need to log into. You don’t want one stolen password to give the thief access to your credit card accounts, e-mail and social media along with whatever system he already knew was associated with the password he stole. But a quick, informal web search indicates that the average person has 80 to 100 different passwords as of this writing, and that number will only get higher as time goes on. So, many people succumb to the temptation to reuse passwords on many sites, even though it’s a security risk.
The simple solution to both of these problems is to use a consistent system to generate your passwords. I’m not talking about using a computer system to generate passwords, although I’ll address that possibility at the end of this post. What I mean is that you can come up with a simple set of rules for making up your passwords. I will show you three such systems that are easy for you to remember, hard for anyone else to guess (including snarky kids) and satisfy most password requirements; you can either use them as they are or derive your own using these concepts.
System 1 – Romances + Purpose: Let’s start with the number of people you dated steadily before you got engaged. I’ll claim two steady dates for the purpose of this exercise. (If you had a more interesting dating career than I did, let’s limit it to four, for the sake of both modesty and brevity.) So, the first character of all my passwords will be 2. Next, we’ll include the initials of our steadies. Mine were GK and EM, so I will add those letters, capitalized, so all my passwords will begin with 2GKEM. For the Purpose – remember, the name of our system is Romances+Purpose – we will use the first syllable of each word of whatever we need a password for. If our first one is Fidelity Investments, my password will be 2GKEMfidinv. Well, now, look at that — it’s more than 8 characters long, includes at least one upper-case letter, at least one lower-case letter and at least one number, so we’re probably all set. Now let’s say I need a password for Microsoft 365; that one would be 2GKEMmicthree. A password for Shell Fuel Rewards? That would be 2GKEMshellfuelrew. See how easy this is? It’s a snap to generate the passwords, you probably won’t guess wrong more than once when you need to remember one, and unless you’ve been sharing way too much information about yourself both online and offline, nobody other than you should be able to figure out how you came up with the first part of each password.
System 2 – Old Address + Purpose: This system works just like the previous one, but we’re going to base it on an old street address. But don’t use your current street address, or even one from as much as 20 years ago, because anyone who knows a little something about you could probably Google it. Instead, use the first address you can remember, from when you were very young. If you’re too young to remember life without the Internet, then pick an address that isn’t associated with you, such as one where your grandparents lived, or maybe just an address you remember because you spent significant time there, such as a school or place of worship. I’m going to use the address of the first house (not apartment) that I lived in. I’m sure that this address is not associated with me in any databases, because I only lived there as a very young child for one year more than 40 years ago, and my parents didn’t even own it; they rented it. For privacy reasons, I’m making the address up rather than revealing what it really was, so let’s say I lived at 31 Harley Avenue, Leroy’s Point, NC. Taking the address number and the initials of the street and city, I have 31HALP. That will be the beginning of each password I generate using this system. For the rest, I’ll use the first syllables of each word of the name of whatever the password is for. So, for example, a password for Adobe Creative Cloud might be 31HALPadcrecloud, a password for the Illinois Department of Revenue might be 31HALPilldeprev, and so on.
System 3 – Tagline + Number + Purpose: OK, suppose the systems above are just not memorable enough for you. Or maybe you had a lousy romantic life before you met your spouse (or maybe you’ve never dated or been married), or you had an awful childhood and would rather forget all the addresses at which you spent significant time. No problem, here is something completely different. Let’s start with a phrase that’s memorable to you. I’m going to use the first line of a ridiculous poem that I once heard: “I gave my love a rubber peach”. We’ll take just the first letters of each word, all in caps, so I’m starting with “IGMLARP”. Next, I’m going to add the number 2. This is just to satisfy the “at least one numeral” rule that most sites require a password to include, so you could use whatever number you like, but to keep things easy to type, I would limit this to one or two digits. So, each of my passwords will start with “IGMLARP2”. Finally, we add the first syllable of each word of whatever we’re logging into, as before. So, my password for Jewel-Osco would be IGMLARP2jewosc, my password for Target would be IGMLARP2tar, and so on.
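As an added illustration (not code from the original post), here is a small Python script that assembles passwords the way all three systems do, a fixed personal prefix plus the hand-chosen first syllables of the site name, and checks the result against the complexity rule described earlier, in its three variants (numeral required, punctuation allowed instead of the numeral, punctuation required as well). The prefixes and syllables used are the post’s own examples; the short common-password list is just the three the post names.

```python
import string

# The three "silly" passwords the post mentions; a real deployment would use a much larger list.
COMMON_PASSWORDS = {"123456789", "11111111", "password"}


def check_complexity(pw, punct_mode="optional"):
    """Check a password against the typical rule described in the post:
    at least 8 characters, at least one upper-case letter, one lower-case
    letter and one numeral. punct_mode selects the site's variant:
      "none"     - numeral required, punctuation not considered
      "optional" - a punctuation character may stand in for the numeral
      "required" - punctuation required in addition to the numeral
    Returns the list of failed requirements (empty list means it passes)."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.isupper() for c in pw):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in pw):
        problems.append("no lower-case letter")
    has_digit = any(c.isdigit() for c in pw)
    has_punct = any(c in string.punctuation for c in pw)
    if punct_mode == "none" and not has_digit:
        problems.append("no numeral")
    elif punct_mode == "optional" and not (has_digit or has_punct):
        problems.append("no numeral or punctuation character")
    elif punct_mode == "required":
        if not has_digit:
            problems.append("no numeral")
        if not has_punct:
            problems.append("no punctuation character")
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password list")
    return problems


def build_password(prefix, syllables):
    """Assemble a password as the post's systems do: the personal prefix
    followed by the first syllable of each word of the site name, in lower
    case. The syllables are chosen by hand, as in the post; nothing here
    tries to split words into syllables automatically."""
    return prefix + "".join(s.lower() for s in syllables)


if __name__ == "__main__":
    for prefix, syl in [("2GKEM", ["fid", "inv"]), ("IGMLARP2", ["tar"])]:
        pw = build_password(prefix, syl)
        print(pw, check_complexity(pw, punct_mode="required") or "passes")
```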
You have now seen three different methods that can be used to generate unique passwords that are easy for you to remember and hard for anyone else to guess, even if they know you well. Could you come up with passwords that are more secure? Sure, you could, but these are good compromises of ease of generation, ease of remembering and security.
Of course, even the best passwords can be stolen, perhaps by someone looking over your shoulder as you enter one, or by you falling for a phishing scam. That’s why there are password managers that can securely store your passwords for you, make up passwords that are far more complex than anything you could type or remember, and automatically provide your logon credentials when you need to log into something. These password managers associate web site logon credentials with the web addresses of the sites they’re for and aren’t fooled by fakes, so they even help thwart phishing attempts. In addition, there are more secure methods for logging into systems, such as two-factor authentication and hardware-based authenticators that use your smartphone or a USB device to log you in. But each of these deserves its own discussion, which will happen in future blog posts.