29 July 2009
How to Create a Memorable Super Secure Password
[Update: Lot's of amazing ideas in the comments. Thanks everyone!]
The recent Twittergate Scandal really emphasizes the need to make sure you’re using secure passwords. With that in mind, here’s how to create a great password.
The problem with secure passwords is that they’re impossible to remember, so here’s a handy method that Eric Meyer taught me.
Simply combine two words that you won’t forget, with a random number in between.
For example, choose your hometown (Example: Denver) and your last name (Wonka) and combine them by picking the first letter from ‘Denver’ and the first letter from ‘Wonka’, then the second letter from ‘Denver’ and the second letter from ‘Wonka’, and so on, like this:
dweonnvkear
Then throw a random number in between, like this:
dweon89nvkear
Bam. You’ve got a totally secure, memorable password.
Forgot Your Password?
Another potential problem with using web apps for important company documents, is the ‘Forgot your password?’ functionality.
Often, web apps will ask you a question like “What is your mother’s maiden name?” which if answered correctly, will email a new password. If these answers can be easily guessed (or Googled) then you have a serious security breach waiting to happen.
Make sure your team hasn’t chosen password reminder questions that are easily discoverable and you’re on the road to being much more secure.
Please share any other security tips below in the comments. Thanks.
[Photo Credit: flickr.com/photos/cypherone]
Enjoy this article?
If you liked this article, feel free to re-tweet it to let others know. Thanks, we appreciate it :)
We love .net Magazine
We're big fans of .net so they've hooked us up with a rad deal: Save 50 percent on your subscription.
Alec Harden
# July 29, 2009 - 11:56 am
Nice, simple, useful information, hard to come by these days!
Most companies ask you to create a password but never give any guidance so you simply get an office full of people with passwords which are the same as the user name or if people are really clued up they might add the year of their birth on the end!
Martin Bean
# July 29, 2009 - 11:57 am
Even if an attacker did manage to find out your mother’s maiden name, new password’s should only be sent to the account owner’s email address. Unless that two has been compromised ; )
Kevin Davies
# July 29, 2009 - 12:00 pm
I think this was the case in the recent Twitter security hole.
Joaquin Windmuller
# July 29, 2009 - 2:57 pm
Passwords should not be sent to emails, period. Read this for more info http://www.fishnetsecurity.com/sites/com.fishnetsecurity/downloads/Forgot_Password_Best_Practices_v1.0.pdf
Kevin Davies
# July 29, 2009 - 11:58 am
Another good approach that I’ve used is to think of a song you really like, pick a good line and take the first letter of each word…
For example, if you’re a huge fan of the current UK number 1 by JLS (I’m not personally! :) ), you might like the line:
“Losing you could be the end of me”
So you’d take the password: Lycbteom
To make it even more secure you could replace ‘o’ with ‘0′, ‘e’ with ‘3′, etc
Ryan Carson
# July 29, 2009 - 12:01 pm
Great idea – like it.
Jason
# July 29, 2009 - 12:10 pm
I like the song lyric approach, good idea! I’ve also used a short & obscure movie quote that happened to have a number in it. Perfect, because it has no searchable connection to me or anyone around me, but it’s so deeply engrained in my “movie memory” that I’ll never forget it ; )
grrlfriend
# July 29, 2009 - 6:59 pm
I’ve been using the lyric approach for almost 15 years…by far the easiest method for me to remember even when replacing ‘O’ with ‘0′ (zero), etc. Most password evaluators tag them as ’strong’ passwords too.
Khürt Williams
# July 31, 2009 - 10:44 am
I use this approach as well but use phrases from a sci fi novels or movie. “The force is stong with this one” or “Nothing unreal exists”.
James Proud
# July 29, 2009 - 12:05 pm
For my passwords, I look in my MSDN list of Microsoft product keys and take half of a key, and sit there memorising it. I think I’m currently using a password based of FrontPage Professional 2003 key. Probably the weirdest method I’ve come across
Rich Adams
# July 29, 2009 - 12:05 pm
Another good method is to pick a phrase/sentence from a book you like, or a quote from your favourite film. Then use the first letters of each word (keeping the case and any punctuation) and throw a few symbols and numbers in for good measure once you’re done.
For example, suppose you really like the film Goodfellas, you could use something like,
“For as long as I can remember, I always wanted to be a gangster.”
This then becomes,
“FalaIcr,Iawtbag.”
Now just throw in some extra symbols and numbers that you can remember and you’ve got a really secure password.
“%$Falalcr,9302Iawtbag.^”
Enrico Foschi
# July 29, 2009 - 12:07 pm
To make it even more secure (and still keeping it memorable), the second word should start with an uppercased letter. In this case, the brute-force process to find it is going to be hell of a lot longer because of using also all the uppercased alphabet.
On lockdown you find stats about how long would it take to crack it:
http://www.lockdown.co.uk/?pg=combi
Ryan Carson
# July 29, 2009 - 12:36 pm
Good idea – Cheers Enrico.
Jemima
# July 29, 2009 - 12:09 pm
Hice tips, but the problem is not so much having one, good, secure password, but what happens when that super secure password gets compromised. The ideal is, surely, to have multiple secure passwords. But how to remember them all, and which is used where?
James Proud
# July 29, 2009 - 12:10 pm
I just switch between two secure passwords. If one password doesn’t work, it’s bound to be the other one. And always have your email passwords different to the one you use on websites. Provides a good barrier if one of your web app passwords gets compromised.
Deborah Jordan
# July 30, 2009 - 1:31 am
I use a method that makes my password unique to each website, so in case your superstrong password does get compromised, it can’t be shopped to other sites easily by bots. This method is memorable as long as you keep to the same formula.
The formula: random/memorable keyword + uppercase initials of website or first three letters + random but memorable number.
Looks like: waterCAR999 (for this website – Carsonified’s first three letters).
Or, to make each section as long as you like by spelling out the entire first word of a site or making the number longer…mash up your own!
Ivan Jovanovic
# July 31, 2009 - 12:05 pm
There is something better than remembering several complicated passwords. Take one complicated password and one rule that will produce indefinite set of complicated passwords by applying the rule to the already complicated base. Then apply the rule until you password for the particular site. Of course, for sites that you use everyday, you’ll know it already without applying the rule.
Also for sites that are not so important take simpler passwords and apply less complicated rule to them. Less complications :)
Ollie Judge
# July 29, 2009 - 12:10 pm
While this is a good guide for the average password remember for particularly secure stuff to use capital letters and symbols as they are much harder to crack when it comes to brute force or rainbow table attacks.
So try to vary the case of the letters and add in an exclamation mark or an apostrophe if you can it may make it slightly harder to remember, but will act as a deterrent if you do come under attack.
Greg Newman
# July 29, 2009 - 12:10 pm
Nice idea, I’ve been revising my password usage since twittergate. One problem with this solution is you still end up with the same password on all sites so if its compromised on one then you could be compromised everywhere. To get around this, I drop some letters from the url into my passwords, so in the example above could add CA from the start of carsonified.com dweon89nvkearca. Using the url, means you don’t have to remember the password for the site.
Simon Starr
# July 29, 2009 - 12:14 pm
One of my favourite techniques is to think of a phrase or quotation, then take the first letter of each word and throw in some capital letters, punctuation and numbers for good measure.
This Winston Churchill quote for example: “However beautiful the strategy, you should occasionally look at the results”
Becomes: Hbts,ys0l4tr
You can then make a note of something that reminds you of the phrase to jog your memory without making it obvious what the password derived from it is.
KeePass (http://keepass.info/) is a great cross-platform tool for storing passwords too. It also has a handy password generator which is good for coming up with really secure (and impossible to remember) passwords for things you don’t often need, like the root account on your servers, for example.
Des Smith
# July 30, 2009 - 11:44 am
Totally agree with the password app approach (I use RoboForm as it fills in most forms for me as well). It allows me to have random 16 (or more) character passwords that are different for every site and all accessible with one random (to any one else) secure password for me. It also has a ‘virtual keyboard’ to aid stopping keystroke logging
Ross Bearman
# July 30, 2009 - 8:16 pm
Once I got over the idea of having my passwords stored in the cloud, I began to swear by LastPass. I can use it on all my devices, on any computer and everything is encrypted client side.
It generates random passwords, based on criteria you specify (length, punctuation, numbers, capitalisation.)
I use it for absolutely everything, keeping the password file backed up on an IronKey and several non-networked drives.
Jim Moran
# July 29, 2009 - 12:15 pm
I think one of the biggest issues (especially where I’ve worked) is that companies ask you to change your password every month, 2 months etc.
This leads to the phenomenon of people using a simple word with an incremental number at the end such as:
password1
password2
password3
The other issue is password “rules” (must be 8 characters, must contain only alphanumeric characters, etc.) – all these cause weak password choice.
Where possible, I never use password reminders – I simply have a base password that is very secure and 8 characters long. For every website or app I then append this (at a position of your choice) with some characters from domain of that website or the name of the application, for example if it was the first and last characters:
ebay : eF8thDm31b
google : gF8thDm31o
twitter : tF8thDm31w
By following a rule like this, you’ll never forget your password, and you’re not going to be using the same one everywhere.
Having said that – I always forget whaich email address or username I’ve used – usually as the one I want has been taken!
Oliver Waters
# July 29, 2009 - 3:52 pm
Also use and recommend this method – very secure to keep passwords different across services and this also keeps them memorable.
Simon Starr
# July 29, 2009 - 12:17 pm
Heh, it seems I wasn’t the only one to come up with that quotation idea. That’ll teach me to post a comment without refreshing the page first!
Aaron Bassett
# July 29, 2009 - 12:33 pm
We should be moving away from passwords and trying to get our users (and ourselves) to use pass *phrases*.
Rather than a relatively short word with some mixed in numbers/special characters just create a memorable phrase. It could even be a quote from your favourite movie or a line from your favourite song. Something like:
‘I fart in your general direction. Your mother was a hamster and your father smelt of elderberries.’
You now have a ~100 char pass-phrase which is easily memorable. Ok it takes a little bit longer to type, but not much more.
Either that or use strong randomly generated passwords like ‘2sSB&TmNF857CGo#J7R9~QpUQo*mzW’ and a password app like KeePass to store them (good luck remembering them without a password app!)
Sean McArthur
# July 29, 2009 - 5:39 pm
Agreed. Why take the first letter of each word of a phrase? Honestly, it makes it slightly harder to remember (sentences flow better), *and* you’ve made it less secure. A 30 character password takes so much longer to brute force than an 8 character password, even if you throw in symbol.
Alistair Woodward
# July 29, 2009 - 12:49 pm
This feels like something you would still have to work out rather than something you’d remember straight away, so you would actually remember 3 things the personal items you’re using (hometown and last name), random number and the way in which you’re encrypting it, in this case alternate letters and number in the middle (could be simple cesar cypher etc.).
Which is okay i would think, but for the first x number of times you use most people aren’t going to have it memorized so they’d have to work it out and probably typing each character, thinking about which is next character each time.
If it’s a sign-in where you will only rarely need to re-enter your password e.g. browser saves it/remember me then it seems sensible to have something that might take you additional time to type in/work out or in the case where you entering the password everyday then you’ll memorize it in no time.
However a lot of people undoubtedly sign in to things regularly but not often so enter the passwords every time in which case it feels like you’d be self inflicting a barrier to login due to speed. The trade for this is obviously security.
I’d be interested to know what was thought about other password security measures like having to change password every x months/password expiry and forcing password rules on people rather than letting people decide their own tradeoff between memorability and security.
-Ali
Ryan Carson
# July 29, 2009 - 12:59 pm
I found that after a couple days, I had memorized the password. I don’t have to manually put the words together anymore – super quick and easy :)
Leo White
# July 29, 2009 - 12:52 pm
Many good tips above – some of which certainly do help.
As a dyslexic who suffers from a character sequencing form of dyslexia, I’m really interested in ways of dealing with multiple secure passwords that don’t contain any substituted characters or follow convoluted rules that those of us with this issue find hard.
With everyone struggling more and more with this challenge as well as systems such as captcha isn’t it time that we thought laterally about accessibility and security? surely there is a better solution than character based passwords?
sean
# September 1, 2009 - 12:59 pm
Most of my passwords are simply patterns on the keyboard. I’d struggle to tell them to someone in words – I have to see the keyboard in order to type the password. They are still character based, but it’s all in how you look at it :-)
John Faulds
# July 29, 2009 - 1:08 pm
Mmm, I don’t find any of the methods mentioned here that easy to remember. Although it’s a couple of years old, I found this article had some very interesting things to say about password security.
Chris
# October 9, 2009 - 11:58 am
I have also read and benefited from that article you mention, and I’m surprised no one has commented on it. I say that because unlike ALL the rest of the comments here, he has gone through the trouble of actually benchmarking his assumptions of what works and not. His findings are among others that you *should* split up words and use as a “pass phrase”, not a single “pass word”, like this article suggests.
So if we should use pass phrases with spaces for security, why not “Keep It Simple, Stupid” and write full sentences with proper punctuation. These would be hard to brute force, and are extremely easy to remember. They are long enough and contain the special characters+numbers needed at some sites, they can be adjusted over time and differ for each site/domain:
Company pass phrase:
“My 5th Company pass!”
Somebank.com account:
“Somebank: Chris the 3rd!”
@_nige
# July 29, 2009 - 1:12 pm
The key to security really is just strong passwords – and NOT TELLING them to anyone or writing them down in any sort of unencrypted fashion..
And of course a properly patched system and good quality anti-malware software just so we don’t get any of those nasty drive by web scripting nasties installing any key loggers or similar trojans.
Personally I’m a fan of PasswordSafe (http://passwordsafe.sourceforge.net/) I just remember one long 16 character password made up of random (to anyone but me) numbers and upper and lower case letters. PasswordSafe does all the rest for me, generating and remembering random strong passwords.
NigelGos
# July 29, 2009 - 1:14 pm
After reading the article about how the twitter attack was conducted (http://slnk.me/z2d) I did a search on my inbox for ‘password’. The results showed a couple of passwords I use. It’s quite scary how easily the domino effect works, even when you don’t have any passwords in your inbox. The ability to request your password from services is still a security risk.
I think one important thing is to have your bank passwords very strong and different to all other
passwords.
When I pay for something online my bank they have implemented a new system where it verifies using a password. When I can’t remember this password, which is often as when it’s reset I can’t use a previous password, all I have to know is my DOB. How weak is that!
Sebastian Steinmann
# July 29, 2009 - 1:21 pm
On the web I always use http://supergenpass.com/
That way I can use my own password, but never sending it to untrusted parties.
Hoping for browser support for this, but the bookmarklet works like a charm!
Nate
# July 29, 2009 - 1:33 pm
Personally, I hope the days of having an individual password for every web based service and application is coming to an end.
Give me a way to validate my identity through a centralized method and I’ll gladly forgo having to jump through the “Forgot your password?” hoop several times a month. Half the time I have to be reminded what my user name is on account that some other ’super_duper_cat_lover999′ has taken my usual moniker and I can’t remember what I dreamed up to replace it.
Seriously, how about someone cook up a way for me to use my cell phone to validate via BlueTooth so it doesn’t matter where in the world I am or whose machine I’m using. What’s the point of 1Password or FireFox remembering my logins if I’m not using my machine?
So here’s the method I’ll be using until someone smarter than me figures out how to do the above…
Pick a few stupid words that paint a clear picture in your mind:
Bubble Butt Monkey
Jazzy Fish Lips
Smarmy Nudist Moose
You get the idea.
If you’re like me you’ll choose three or four or five to use for different levels of security.
One for monetary transactions, which ’should’ change frequently (or when your favorite socks where out).
One for information services, that changes occasionally (at least before the boy band of your generation is replaced by the next heart throb wind-ups of the next).
And one for the lesser sites; Where user names and passwords are more about getting your demographic info than providing you with any valuable services. Which I plan to change the next time the planets poles switch or the GOP unequivocally acknowledge human influenced climate change.
Next, drop the spaces and sub some vowels for numbers (but keep the capitalization):
Bubbl3ButtM0nk3y
J4zzyF1shL1ps
Sm4rmyNud1stM00s3
I know it’s an imperfect method but it’s an imperfect practice.
Someone, get on that cell phone thingy, please!
Rich
# July 29, 2009 - 1:37 pm
I reckon that’s quite complex actually. What about just using fun made-up phrases, they’re very memorable and completely un-rainbow-tableable with todays technology.
e.g. ryanblogsatcarsonified or getyourkicksandfiddlemysticks.
I use passwords like this, which is why it really shits me when people have password rules like:
Must be 6-12 characters, at least one number, blah blah blah.
Rules like that only assume that you are smarter than the user.
Eric Martin
# July 29, 2009 - 1:45 pm
Nice article on creating a secure password.
I’ve been doing a lot of thinking since the “Twittergate Scandal”, which I believe was a result of using the same password for multiple services. While creating a “good” password is very important, I think the bigger issue is how to do that uniquely for every password you need.
I believe it boils down to 2 options: 1) use information unique to each place a password is used in order to create it and/or 2) use some sort of password keeper that stores all of your unique passwords.
Neither option is all that great. 1) Since we are human and would have to remember many different unique passwords, there most likely would be a pattern – which potentially could be figured out and 2) all it takes is for someone to gain access to that list and it’s all over.
I’d be interested to hear others thoughts!
Enrico Foschi
# July 29, 2009 - 2:48 pm
A friend of my friend, told me that her friend (no…. it’s not me….) told me that has problems in remembering more than 3 passwords. So he decided to go with this method:
- a password for uninteresting sites (forums, free useless but ‘nice to have’ subscriptions, etc…)
- a password for social networks, online identity networks (Facebook, Linkedin, …)
- a very, very strong password for all the payment sites / banking (Paypal, eBay, online banking) etc….
Then, real key is to use a password that contains “Mixed upper and lower case alphabetic characters plus numbers and 8 digits”: according to http://www.lockdown.co.uk/?pg=combi it will take years to get it with a brute force attack (and more or never, if you consider connection lags, possible IP ban, etc….).
Improving Ryan’s method, think about a word you will remember:
- Coraline
Put a number in the middle (your age?):
- Cora56line
And make one letter uppercased:
- Cora56liNe
Now, decide a pattern, like:
- I will always use 56 as a number
- N will always be uppercased
- The number will be after the 4th character
and you can easily build up other two passwords and remember them.
And… no, that’s not my password (I’m not 56, yet)
Dan
# July 30, 2009 - 9:50 pm
I use a similar idea. Restrict my most secure password to things like my main gmail account. Use random passwords for my clients sites and a common “easy” password for things like random forums/webapps etc.
Frank Stallone
# July 29, 2009 - 2:54 pm
Believe it or not I read a UPC barcode once on a packaged good and thought to myself, “That would make a great password”. It is a variation of letters and numbers 11 characters long and I can easily change it every 60 days since that is the requirement here at work. Other than that replacing o’s with 0’s among other things works well I think too.
Haris
# July 29, 2009 - 2:55 pm
I think the best way is to create a pattern for your password like a fixed word (1337ified) + a sign (one of these : @$%^&) + last four letters of the site or stock exchange keyword or anything creative that comes to your mind.
That way, most of your password is fixed but the last part is variable.
Fabio Varesano
# July 29, 2009 - 3:03 pm
I would rather prefer to just remember one account/password and then just use them as OpenID credentials. That would really make things easier .. The only problem is that it is still not ubiquitous…
Dan
# July 29, 2009 - 3:10 pm
That’s pretty solid advice. My password strategy involves a central theme or word and then depending on the site or app a different variation is applied to it, similar to what Haris has suggested.
The beauty of this system is you simply remember your central word (which, of course, must be kept a secret and must be impossible to guess based on any publicly available information) and you can keep the key to the variations written down as, without your central word, it is meaningless.
So let’s say you choose the word “rockstar” as your central keyword and know that your password will involve this word. You would also memorise the way in which the variables will be applied (a wildcard character every two letters of the word, for instance). You can then set your password to something like ro$ck29st&ar and keep a note of $29& somewhere if you needed to.
So in your notes you could have:
Flickr: $29&
Facebook: @22]
…and so on. The secret part remains known only to you and is easy to remember and the complete password is very hard to crack.
Okay I’ve probably made the system sound more complicated than it is but it works fine for me and I have yet to have a password cracked or an account broken into.
Haris
# July 29, 2009 - 3:30 pm
Taking notes of password keywords can be disastrous. If you lose them, you will have to go through the complicated process (on some sites) of resetting your passwords on every site you come across.
But, each to his own. Just my 0.02 cents. :)
Dan
# July 29, 2009 - 3:41 pm
That’s true, but let’s not forget that no matter what option you choose there is always a risk that you will forget/lose your password and have to reset it.
Thankfully, I have a very good memory and don’t write anything down.
Bruce
# July 29, 2009 - 3:19 pm
I have to generate passwords for other users, and I want them to be memorable but not easily attacked. I find Chris Pound’s language confluxer to be very useful:
http://www.ruf.rice.edu/~pound/
It has changed a bit since I downloaded it, but I think the easiest way to start is with the ‘lc’ program and the English words list to prime it. It will generate a bunch of almost-words like ‘chapwitorn’ or ‘gloodkasis’ which my users generally find easy to remember because they are pronounceable words in the style of the language your brain is used to. Of course you can add in numbers, punctuation or upper case where you wish, but at least you have the start of a good password.
Comment choisir un mot de passe à la fois sécurisé, et mémorisable ? | Geekly News Astuces
# July 29, 2009 - 3:24 pm
[...] pour trouver un mot de passe à la fois blindé et facile à retenir. Suite à la lecture de ce billet sur Carsonified aujourd’hui, j’ai eu envie de vous faire part de mon propre langage de mots de passe. [...]
Martin Wright
# July 29, 2009 - 3:25 pm
You can try https://passpub.com for strong, unique passwords. They are provided in a variety of formats such as mnemonic, keyboard combinations and vehicle reg numbers so there should be a format that is easy for you to remember.
ArleyM
# July 29, 2009 - 3:28 pm
I recently compiled all of my login credentials into a Google Docs spreadsheet – I have over 180 sites / accounts / client projects that have passwords; and I’m sure I’m not the only one here who has trouble. It would be any of my 8 passwords / variations I use!
The sortable spreadsheet password-manager has the URL, the email, the user, the category (eg. emails, social networking, shopping etc.) and a password column.
Rather than actually putting the password in like a rube, I give codenames. So like Ryan’s example “dweon89nvkear” might be D1 and “dweonnvkear” might be D2 etc.
It’s one less layer of confusion… or maybe one more.
Duncan
# July 29, 2009 - 3:46 pm
What I have been doing for many years is using addresses that I am very familiar with. For example 123 Fake Street, I would use all lower case for the name “fake” and for the street I would capitalize the first letter like so “Street” and then the number “123″ so it would look like “fakeSt123″.
007 Bond Drive = 007bondDrive and so on.
It may not be as secure as combining two words at the letter level but it is a great trade off for easily remembering your passwords. Just make sure you don’t use a current address.
Great post by the way Ryan, I discuss this with my clients all the time and it is a topic that is not very often discussed.
navin parray
# July 29, 2009 - 3:50 pm
The method I use is to have a common prefix (maybe something like this1is) then append a suffix related to the website (maybe every second letters). So for carsonified.com it would be this1isasnfe. I don’t have to remember passwords, I can compute the relevant password for a site easily. I’ve had cases where I hadn’t visited a site for maybe over a year but was able to login successfully on the first try. The benefit is each site has a different password so if it is compromised, only one site is affected. My email password has a totally different naming scheme so there’s a second level security there. I basically have only two passwords to remember for all the sites I frequent. Of course there are some unique cases but I can make up a rule that is a variation on my rules so it would be easy for me to remember .
Tim
# July 29, 2009 - 8:53 pm
I like the idea of combining two phrases that are easy to remember and alternating the lettering. Throw in a random number and you have magic. Think I may have to change my passwords. Its sad that this post is so valuable but in this day and age preventing cybertheft or fraud is a lifesaver.
Ryan Carson
# July 29, 2009 - 10:21 pm
Thanks for all the awesome comments guys :)
Shiju Alex
# July 30, 2009 - 6:12 am
Good article and very good discussions.
All the points mentioned here have their own merits and demerits (Eric Martin has evaluated his suggestions with pros and cons).
Some of my suggestions are:
1. Find a strong phrase as outlined in this article.
2. Use title case for the words, so that it becomes more difficult
3. Add a special character like * or # in the beginning, middle or end to make it stronger
4. Use it as a password key for all sites, for easy memorising
5. Alter this key for every site, with something specific to the site – Decide on a pattern
Some suggestions for step 5 would include
- Use the first 2 characters of the domain name (avoid www. :] ) in the beginning or end etc
- Use an abbreviation about the company (eg: Goo for Gmail or MS for hotmail)
This means there will be a pattern that can be memorised (and of course decipherable by someone else ;] ). But we can choose our per site customization strong enough based on our memory skills and ability.
But alas! None of these can beat a keylogger :)
Sambert
# July 30, 2009 - 10:40 am
Shiju,
Some banks now have on-screen keyboard on the login page so you can type your password without using the mouse – this beats the keyloggers.
Some also have a ‘hover’ mode, so you don’t even have to click.
Of course, this method makes shoulder-surfing very easy, since it would take you longer to select characters on-screen v/s typing on the keyboard. (I wonder if eye tracking can be used to beat that!)
It makes sense for banks though, since you would/should not be banking when you have people around you.
Sam
Shiju Alex
# August 4, 2009 - 10:04 am
Hi Sam,
Yeah, I have seen those virtual keyboards.
But some of the keyloggers even take screenshots and screen captures. [To hell with the keyloggers]
BTW, I liked the idea of eye tracking :) and your blog is interesting too.
charlie
# July 30, 2009 - 6:30 am
this is such a great article. thanks for this one. now i know how to make a secure password. i can be sure that my accounts are safe especially the paypal.. ;)
Loopion
# July 30, 2009 - 1:58 pm
I personally use statistics to create/remember my passwords
o45%ufftbo
that’s give you:
“only 45 % user feel free to buy online”
Everybody have statistics in head! Don’t you?
Sparkling Ideas
# July 30, 2009 - 3:59 pm
Try http://www.lastpass.com, save yourself all this trouble!
Alex Jones (@BaldMan)
# July 30, 2009 - 4:10 pm
Nice write-up. A while back I wrote up my process for creating a complex, yet memorable site-specific password, which a lot of people have found useful. It follows the same path as this article, but it takes it a bit further. I did my best to include examples of each step to make it as easy as possible.
Creating and Remembering Complex Passwords
http://www.silverspider.com/2009/creating-and-remembering-complex-passwords/
I’d love feedback on the process from any and all!
shekatz
# July 31, 2009 - 1:51 am
That’s a very good topic to be discuss everyone. Security matters, especially for a private computer.
Bill
# August 3, 2009 - 1:17 pm
Nice Blog.
For home users there are thousands of solutions available to sort this password problems. But Imagine an enterprise where you have about 100-1000’s of workers employed, who use passwords for doing almost everything.
Especially with all those high tech computers, appliances, network devices and even Databases and critical info files, it is going to be an impossible task to manage all these passwords manually. The Password Manager Pro which a user friendly tool that can be used to manage 1000’s of passwords. It has all the features that are required to manage enterprise passwords.
Employees dont have to remember even a single password and this tool allows them to have their passwords changed automatically with a random password so that you can have your password in compliance with the organizational policies. Out of all, the tool is damn cheap and so it is not going to occupy a big palace inn your budget. More info about the tool is here…www.passwordmanagerpro.com
For more info about the security aspects and ideas, mail me at forever_shree@hotmail.com
Cheers,
Bill
Christophe Deliens
# August 3, 2009 - 1:34 pm
(nearly off topic)
If you use the “forgot password” feature on a website and it sends you your current password, it means the password in not encrypted on their side -> if that website gets hacked, so will your password! Not good :)
To website developers: store your visitors passwords in MD5 (http://en.wikipedia.org/wiki/MD5).
To log your visitors in, simply compare a the stored MD5 with the MD5 version of the password they submit in the login form.
Christophe Deliens
# August 3, 2009 - 1:34 pm
Hmmm, seems the blog broke my link.
Here it is: http://en.wikipedia.org/wiki/MD5
anansi
# August 3, 2009 - 2:33 pm
this is a great idea indeed. but the only problem could be the memorizing part. in my case, it always happens where i will forget the “super” password i created, despite the security questions. maybe a sign of old age? heheh.
links for 2009-08-04 « Giri’s Blogmarks
# August 4, 2009 - 6:02 pm
[...] How to Create a Memorable Super Secure Password (tags: tips howto) [...]
Oliver Lorton
# August 4, 2009 - 8:44 pm
There are some really interesting comments here. I’ve been recently thinking about this problem myself, and have found that Steve Gibson of the Security Now Podcast (www.grc.com/securitynow) has a really good run down of the different options in my opinion. See episodes #4 & #5.
On thing that he does point out is that contrary to popular opinion, writing down highly randomized passwords is a good solution. This is because the main vector of attack is over the internet, rather than in person, after all we are used to looking after and protecting things like our wallets, phones, car keys, etc.
I personally write all my passwords down on paper (stored in my wallet) with a slight modification (same for each password), such as swapping the 1st and 5th characters, adding the number 4 to the 4th position, and ignoring the last character. So an attacker needs access to my paper hard copy and needs to know the exact process required to decrypt it.
Sandra
# August 4, 2009 - 11:43 pm
I use this simple method which has never failed. I simply use the word “password” but replace the “o” with a zzero (0), and make the “d” letter uppercase. Then I add a number to the end, which I increment every so often. So my last password was passw0rD31, and now it is passw0rd32 and so forth. Whilst I like your method using two words I think it is a little complicated and one could easily forget which words they had picked!
Media » Blog Archive » 5 Social Media Tips for Marketers
# August 7, 2009 - 12:44 am
[...] from a third-party site (e.g. Youtube, Slideshare etc) onto a corporate or branded website. Create super-strong passwords and limit then number of people who have access to them. Often if content from third-party links [...]
5 Social Media Tips for Marketers « digital CONSORTIUM
# August 7, 2009 - 12:46 am
[...] from a third-party site (e.g. Youtube, Slideshare etc) onto a corporate or branded website. Create super-strong passwords and limit then number of people who have access to them. Often if content from third-party links [...]
John F Croston III
# August 9, 2009 - 2:37 pm
At my current job we are required to have 10 to 16 character passwords, depending on system, that include capital letters, numbers, and even special characters. One of my old co-workers that had to help set up temp passwords for people used to ask them to give him the first three letters of the of the make of there car, then the year, model of the car, and some other random special characters. All you have to do is capitalize the first letter of each set of words and your done.
Here is an example – For89Fie#^ which would be for a 1989 Ford Fiesta (not my car). You could also add more numbers, the color of the car, lengthen the words, and/or add more special characters to make password as long as needed. In the end of year and a half of me listening to him ask hundreds of people this question only one time he had to do something else, because the person did not own a car and never had.
An old boss used to work at a grocery store as the manager so he had to change passwords a lot so he would put parts of random items from the store together with numbers and special characters in his passwords like – Ban39Card#^ for banana 39 card #^.
Hope these ideas are helpful.
MacDaddy Links of the Week: Aug. 2-8 | bkmacdaddy designs
# August 9, 2009 - 2:47 pm
[...] hodge podge of stuff that doesn’t fit in the above categories How to Create a Memorable Super Secure Password 20 Simple Productivity Tools for Bloggers Death To Creatives!!! IE6 MUST DIE: 70+ Sites Unite to [...]
dan
# August 24, 2009 - 10:57 am
What do people think about password managers on client side. Like firefox has a password manager built in. Just remember the one password, and it has lists of the others and the websites they correspond too, even fills them out automatically. You only have to create and remember one strong password.
Andres
# August 28, 2009 - 1:29 am
Have you seen http://www.passwordbird.com/ ?
Unique Jewelry - Body Jewelry - Diamond Jewelry - Peacock Ring
# August 28, 2009 - 10:57 pm
nice infomation
Kenali Dan Kunjungi Objek Wisata Di Pandeglang
# August 28, 2009 - 10:58 pm
so informatif
Kenali Dan Kunjungi Objek Wisata Di Pandeglang
# August 28, 2009 - 10:58 pm
so very good
Marian
# August 31, 2009 - 2:41 pm
What a great ideas. The things what I am pretty sure about even thought I’m not doing that anymore (however used to) is that people tend to use very same password for everything.
So if done that it is really very important to have kind of password which is untraceable.
Thank for all those great ideas.
Monthly Mother Lode of MacDaddy Links: August 2009 | bkmacdaddy designs
# September 1, 2009 - 12:46 pm
[...] hodge podge of stuff that doesn’t fit in the above categories How to Create a Memorable Super Secure Password 20 Simple Productivity Tools for Bloggers Death To Creatives!!! IE6 MUST DIE: 70+ Sites Unite to [...]
Comment choisir un mot de passe à la fois sécurisé et mémorisable ? | Geekly News
# November 23, 2009 - 5:25 pm
[...] pour trouver un mot de passe à la fois blindé et facile à retenir. Suite à la lecture de ce billet sur Carsonified aujourd’hui, j’ai eu envie de vous faire part de mon propre langage de [...]