Strong Password Methodology

Key Stats

  • It can be hard to remember good, secure passwords
  • This article shows you an easy way to create memorable, impossible to crack passwords
  • Go from using MyFirstPet1981 for every site you use to the seemingly complex an7q8fjo71d
  • Create a memorable phrase of 8-20 words known only to you
  • Use the acronym and text slang (CUL8R) and/or leet to get some non-alphanumeric characters in there
  • Append a consistent variant per site to have a different password for each site that’s memorable or at least derivable… by you

Like most people these days I struggle to come up with enough passwords that are both strong enough and memorable enough. Nearly every website I interact with requires some sort of login credentials. I could, like many people, just use the same password over and over again. I could even change it from time to time but the thought of doing so and then having to recall which sites I’ve changed it for is daunting.

Password Matrix
Tough passwords to crack are hard to remember. Easy to remember passwords are a cinch to crack. This method offers the best of both worlds. Memorable and strong passwords that can vary site to site.

A lot of the methods proposed to create a strong password are pretty easily cracked by brute force and/or dictionary attacks. Anything that is done in a predictable way can easily be cracked. Some people suggest compound passwords like BobHasFleas. This is obviously crackable in seconds, as all the words are standard and just mashing them together doesn’t achieve anything.
Of course a user can play tricks with this and try b0bhazFleaz, but swapping an o for a 0 and an s for a z is common and easily handled algorithmically. Even putting the whole thing into ‘leet’, which might make it look strong (b()|3Ha5fLE@5), is again predictable and easily cracked. Here’s a link to a leet generator, if you’re a n00b.
The reason for this is that the password, at its root, is made up of words from the dictionary and simply has layers of ‘shifting’ applied to it. This shifting, however, is predictable and quickly unpeeled by a few lines of code. Even a really long password built with tricks like keyboard shifting, BobHasFleas ——> VivG\aDkw\a (in this case each letter goes one key to the left), and then leet on top of that, ——> v!vg4dkwa, gives what looks like a totally random, tough-to-crack password. A longer phrase such as MyFriendBobHasFleas becomes nydeuwb5viv6adkw@ and looks even tougher, but it is, again, very easy to programmatically disassemble.
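To show concretely what “unpeeled by a few lines of code” means, here is an added example (not from the original article) of the check a password-strength estimator performs: undo the common single-character leet substitutions and test whether the result is just dictionary words glued together. The substitution table and the tiny wordlist are constructed for the example; a real check would load a full dictionary, and multi-character leet such as b() for b is not handled here.

```python
"""Undo common leet substitutions and check whether a password decomposes
into dictionary words (the kind of check a strength estimator performs)."""
from functools import lru_cache

# Single-character substitutions the article calls "common and easily
# handled algorithmically": each leet character maps back to the letter
# it usually stands for. Constructed table, not exhaustive.
DELEET = {
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "8": "b",
    "@": "a", "$": "s", "!": "i", "z": "s",
}

# Constructed toy wordlist; a real check would use a full dictionary.
WORDLIST = frozenset({"bob", "has", "fleas", "my", "friend", "the", "quick",
                      "brown", "fox", "jumped", "over", "lazy", "dog"})


def candidates(ch):
    """Letters a character could stand for: itself and its de-leeted form."""
    low = ch.lower()
    out = {low}
    if low in DELEET:
        out.add(DELEET[low])
    return out


def dictionary_words(password, wordlist=WORDLIST, max_word=12):
    """Return the dictionary words the password decomposes into, or None.

    Case is ignored and every leet character may be read either literally
    or as the letter it substitutes, so b0bhazFleaz -> bob / has / fleas.
    """
    n = len(password)

    @lru_cache(maxsize=None)
    def solve(i):
        if i == n:
            return ()
        for j in range(i + 1, min(n, i + max_word) + 1):
            # Enumerate every de-leeted spelling of password[i:j].
            spellings = [""]
            for ch in password[i:j]:
                spellings = [s + c for s in spellings for c in candidates(ch)]
            for word in spellings:
                if word in wordlist:
                    rest = solve(j)
                    if rest is not None:
                        return (word,) + rest
        return None

    return solve(0)


if __name__ == "__main__":
    for pw in ("BobHasFleas", "b0bhazFleaz", "7q8fjo71d"):
        print(pw, "->", dictionary_words(pw))
```

The first two inputs peel back to the same three words in milliseconds; the acronym-based root from later in the article returns None because no layering of substitutions turns it back into dictionary words.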
So where does that leave the user? How do you create a password that is both memorable and secure without falling into the trap of using dictionary words or easily torn down tricks like Leet or keyboard shifting?
One solution that I’ve started using is coming up with a personal phrase that only you know and converting it to either an acronym or a mix of acronym and words. For example, let’s say the personal phrase you decided on was “The quick brown fox jumped over the lazy dog” (we wouldn’t actually use this one, as it’s a common phrase; better to pick something you come up with yourself that is memorable). Here’s the process:

  1. Source Phrase: The quick brown fox jumped over the lazy dog
  2. Make it an ‘acronym’: Tqbfjotld
  3. (optional): stick it in leet: 7q8fjo71d

What you’ve got now is a strong base password that doesn’t have its root in any dictionary source, is memorable, and is known only to you (unlike the example, you’d choose a phrase of 6 – 12 words that you can remember and that is known only to you … e.g. “When I was 17 my pet dog died” ——> WIw17mpdd). No algorithm can break this down, and the longer the phrase and resulting acronym, the longer it will take to crack.
To further secure your online activity it’s a good idea to have a different password for each site you use. In practice this is a huge pain. However, with our very strong root password created, we can now use a common method of prefixing or suffixing that root for each site. For example, using the above root password, 7q8fjo71d, you can alter it by sticking some memorable combination for each site on the front, say the first and last letter of the site’s name. Your password for Amazon might become [an] + [7q8fjo71d] = an7q8fjo71d. Ebay would become [ey] + [7q8fjo71d] = ey7q8fjo71d. Facebook would become [fb] + [7q8fjo71d] = fb7q8fjo71d. And so on.
You can layer on whatever you want at this point: put it in leet; use full words like Alpha or Echo, or further obfuscate the characters. I think that just the letters are good enough. It hits a nice balance between ease of recall and toughness of cracking.
Of course, the chances of someone singling you out to crack your passwords are very slim. However, if you can use a simple method that scales across the dozens of sites you need to generate logins for, why not start to use it? It can’t hurt and it could help protect you one day.