3 Easy Tips for Creating Strong Passwords

Back when you only had to remember your email password and maybe a couple of others, it wasn’t too hard. But now, you probably have dozens or even hundreds of secure sites that need a password. If you use an easy password like your birthday or your dog’s name, hackers can guess it easily. Even if you try to remember a really random password like Q,ga3{6n]9j0[4TJ1}[x, it’s not good if you use it on more than one site because a breach at one service could expose all your others. The only solution (and it’s a good one!) is to rely on a password manager. With the help of such a tool, creating and remembering a different strong password for every website is easy. We’ll show you how.

Hard to Guess Can Mean Hard to Remember

Full-scale password managers work on all your devices, such as desktops, laptops, smartphones, or tablets. They create passwords that are hard to guess, like VjwF(wj]]SH1eeuw, remember them for you and automatically use those saved passwords to log in to your secure sites.

But there’s one problem with this plan! Almost every password manager needs a master password to lock up all those saved passwords. The master password must be strong because anyone with access to it can unlock all your secure sites. But it must also be memorable, unlike the gibberish from random password generators. If you forget the master password, nobody can help you. On the positive side, this also means a dishonest employee can’t break into your password store, and the NSA can’t force the company to turn over your data.

Let’s say you’ve taken all the right steps for security. You’ve got an antivirus or a security suite installed. A Virtual Private Network (VPN) keeps your network traffic secure with encryption. And you’re using a password manager to handle all your passwords. However, there’s one challenge left – remembering a super-secure master password to protect that password manager. Here are some tips on choosing a password that’s easy to remember but also extremely hard to guess.

1. Make Poetic Passwords

Everyone has a favorite poem or song they’ll never forget, whether it’s from Shakespeare, BTS, or the Bonzo Dog Doo Dah Band. You can actually turn it into a password. Here’s how.

Start by writing down the first letter of each syllable. Use capital letters for stressed syllables, and keep any punctuation. Let’s try this line from Romeo and Juliet: “But soft, what light through yonder window breaks?” From that, you’d get bS,wLtYdWdB? You could add A2S2 for Act 2, Scene 2 if that’s something you’ll never forget. Or 1597 for the play’s year of publication.

If the passage doesn’t have a strong meter, you can simply take the first letter of each word, using the existing punctuation and capitalization. Starting with the quote “Be yourself; everyone else is already taken. – Oscar Wilde”, you could come up with By;eeiat.-OW. Adding a memorable number rounds out the password, perhaps 1854 (his birthdate) or 1900 (his death).

Your poetic password will be completely different from these examples, of course. You’ll start with your own meaningful song or quotation and convert it to a unique password nobody else could guess.

2. Make Your Password a Passphrase

Password experts always advise including all four types of characters: uppercase letters, lowercase letters, digits, and symbols. The idea is that by expanding the pool of characters, you vastly increase the time required to crack the password. But sheer length also makes cracking harder, and one way to achieve a long, memorable password is to use a passphrase.

The snarky and smart webcomic XKCD took aim at wacky password schemes that suggest starting with a common word, replacing some of the letters with similar-looking numbers, and tacking on a few extra characters. That can leave you wondering. Was it Tr0ub4dor&3, or Tr0ub4dor3&? Or maybe Tr0m30ne&3? A passphrase like “correct horse battery staple” is significantly more difficult to crack due to its length, but also much easier to remember.

Not all password managers allow spaces in the master password. No problem! Just choose a character like the hyphen or equals sign to separate the words. Here’s a pro tip—avoid using a character that requires pressing the shift key. Select words that don’t naturally go together, then create a mnemonic story or image to link them. What would you picture for “iceland-wired-red-totally?”

If you struggle to come up with unrelated words for your passphrase, there are many online passphrase generators, including the aptly named CorrectHorseBatteryStaple.net. You may reasonably worry about using a passphrase generated by someone else’s algorithm. In that case, you could generate multiple passphrases and clip out a word from each.

3. Make Longer Passwords

PC expert Steve Gibson suggests that the secret to long, strong passwords is padding. If an attacker can’t crack your password using a dictionary attack or other simple means, the only option is a brute-force scan of all possible passwords. Every added character makes that attack much more difficult.

Gibson’s website provides a Search Space Calculator that assesses any password you enter based on the character types used and the length. The calculator estimates how long a brute-force attack would take to crack a given password. It’s not a password strength meter but rather a cracking-time meter, and it’s helpful to see how the cracking time increases when you lengthen the password.

I don’t attempt to watch people enter their passwords, but I’ve noticed many that, based on hand motions, seem to end in three exclamation points. That’s not the padding I’d recommend. First, it requires the shift key. Second, it’s too predictable. I wouldn’t be surprised if password-cracking toolkits already included “!!!” in their dictionaries.

Instead, choose two close-at-hand keys and alternate, adding something like vcvcvcvc. Or choose three characters, like lkjlkjlkjlkj. Gibson’s calculator says it would take over 45 years for a “massive cracking array” to crack bS,wLtYdWdB? (the Romeo and Juliet password from my earlier example). Adding vcvcvcvc raises that to more than a quadrillion centuries.
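
The arithmetic behind a search-space estimate like the ones quoted above, as an added example (not code from Gibson's site or from this article). It assumes a printable-ASCII alphabet split 26/26/10/33 across the four character types and a rate of 100 trillion guesses per second for the "massive cracking array"; the function names are illustrative.

```python
import string

# Assumed character-class sizes: 26 lower + 26 upper + 10 digits + 33 symbols
# (the 32 ASCII punctuation marks plus the space).
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation + " "),
}
GUESSES_PER_SECOND = 10**14          # assumed "massive cracking array" rate
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def alphabet_size(password):
    """Size of the character pool an exhaustive search must cover."""
    known = set().union(*CLASSES.values())
    unknown = sorted(set(password) - known)
    if unknown:
        raise ValueError(f"characters outside printable ASCII: {unknown!r}")
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def search_space(password):
    """Count every candidate of length 1..len(password) over that pool."""
    n = alphabet_size(password)
    return sum(n**k for k in range(1, len(password) + 1))


def years_to_exhaust(password, rate=GUESSES_PER_SECOND):
    """Worst-case brute-force time. Dictionary attacks are not modelled,
    so a common word or predictable padding can fall far sooner."""
    return search_space(password) / rate / SECONDS_PER_YEAR


if __name__ == "__main__":
    base = "bS,wLtYdWdB?"            # the Romeo and Juliet example
    for pw in (base, base + "vcvcvcvc"):
        print(f"{len(pw):2d} chars, pool {alphabet_size(pw)}: "
              f"{years_to_exhaust(pw):.3g} years")
```

The padding adds no new character types, so the pool stays at 85; the jump in cracking time comes entirely from the eight extra positions.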

Long, Strong, and Memorable

Once you’ve got a password manager and changed all your logins to strong, unique passwords, the only password you still need to remember is the one for opening the password manager itself. This master password unlocks everything else, so it’s crucial to spend time creating a master password that’s easy for you to remember but nearly impossible for others to guess or crack.

Create a password based on a poem, song, or famous quote. Alternatively, connect unrelated words with a memorable image or story by forming a passphrase. Finally, add some easy-to-type padding. This way, you’ll have a master password that’s both easy to recall and highly secure.