How to generate a secure, easy to remember password

Introduction

I recently created an email account for someone with the intent to use their existing password, which was 'Z3n1th25!'. I thought this was a decent password, but the password analyzer estimated that it could be cracked in 1 millisecond. I imagine the problem was that the password was based upon a dictionary word. The software I was creating the password for required that the password be strong enough to take 10 years to crack. So I decided to write about the process I follow to create a password that is both secure and easy to remember.

Secure and Easy to Remember

While the most important characteristic of a password is for it to be secure, if the password is not relatively easy to remember, then it is much more likely to end up written on a sticky note or scratch pad. Once the password is written down, it is much less secure. Use the following steps to create a secure password that is also fairly easy to remember.

  1. Think of a phrase: I love Nebraska football, live from Memorial stadium
  2. Convert the phrase to initials: Ilnflfms
  3. Add a couple of 'purpose' letters: Ilnflfmshd (append 'hd' for HomeDepot.com)
  4. Add two digit year and an exclamation mark: Ilnflfmshd25!
     (I love Nebraska football, live from Memorial stadium, Home Depot 25!)

The Process

Step 1: Think of a phrase

I love Nebraska football, live from Memorial stadium.

I used three different password analyzers to estimate the strength of the passwords, and https://bitwarden.com/password-strength was easily the toughest. To generate a password that would take at least 10 years to crack, I found I needed an eight-word phrase.

Step 2: Convert the phrase to initials

Convert the phrase to letters, using the first letter of each word. 'I love Nebraska football, live from Memorial stadium' becomes 'Ilnflfms' (capital I, lowercase L). According to the password analyzers, making the 'N' for Nebraska capital doesn't help much, so for simplicity I capitalize only the first letter.

Step 3: Add a couple of 'purpose' letters

Think of the purpose of this password and come up with at least two letters related to the purpose. The purpose will likely be the name of the store, business or website the password will be used with. If the purpose name/phrase is one word, then use the first and last letters of the word. Otherwise, use the first letter of each word of the purpose name/phrase. Adding these letters makes the password different for different uses.

Try to be consistent in how you choose letters from your purpose phrase. For 'Home Depot', would you use 'hd' (first letter of each 'word') or 'hdc' (if you want to include '.com')? I used 'hd'. Normally I don't consider the '.com' portion of a website name when choosing the purpose letters, unless I consider '.com' part of the name.

What would you use for 'walgreens', 'ws' or 'wg'? I use 'ws' because 'wal' isn't a word, so I consider the name one word. What would you use for 'FBI', 'fi' or 'fbi'? Since 'FBI' is initials, I would use 'fbi'.

How you answer these 'what would you use...' questions is not important. What is important, or helpful, is to be consistent. If I use 'fbi' for FBI but 'ca' for CIA, then I have to remember that. But if I make the choice to always use all of the letters from a 'name' that is already initials, then I don't have to remember the details of the choices.

Step 4: Add two digit year and an exclamation mark

To meet most password requirements, you must have at least one digit. At one point, I chose to use the two-digit year for my digit(s). This causes problems because the digits change as the year changes. At one time, I had to change passwords at least once a year for my job, so I really didn't have a choice. Each year I would choose a new phrase and use it for new passwords that year. Although I would change frequently used passwords to use the new phrase, I still ended up with multiple phrase/year combinations to remember.

Starting this year, I am going to pick a new phrase and redo my passwords using this new phrase and an unchanging two-digit year, like my birth year. So someday, in theory, all of my passwords will be based upon the same phrase and two digits. If you think that changing your password regularly is good, then my past method works well. The 'experts' now suggest that changing passwords for the sake of changing passwords is not more secure, so my new method should be fine.
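The four steps above as a small script, an added example that is not part of the original post. It encodes the author's rules as assumptions: the eight-word minimum from Step 1, one consistent way of picking purpose letters from Step 3 (a name that is already initials keeps all of them, several words give their first letters, a single word gives its first and last letter, a trailing '.com' is ignored), and a fixed two-digit suffix with an exclamation mark from Step 4.

```python
import re

# Assumption from Step 1: the author found an eight-word phrase was needed
# to reach the 10-year estimate on the toughest analyzer.
MIN_PHRASE_WORDS = 8

# Splits "HomeDepot" into ["Home", "Depot"] but keeps "FBI" and "walgreens" whole.
_WORD = re.compile(r"[A-Z]+[a-z]*|[a-z]+")


def phrase_initials(phrase: str) -> str:
    """Step 2: first letter of each word, with only the first letter capitalised."""
    words = _WORD.findall(phrase)
    if len(words) < MIN_PHRASE_WORDS:
        raise ValueError(f"phrase has {len(words)} words; use at least {MIN_PHRASE_WORDS}")
    letters = "".join(w[0] for w in words).lower()
    return letters[:1].upper() + letters[1:]


def purpose_letters(name: str) -> str:
    """Step 3: derive the 'purpose' letters under one fixed rule set, so the
    choice never has to be remembered per site:
      - a name that is already initials (FBI)   -> all of them       -> 'fbi'
      - several words (Home Depot, HomeDepot)   -> first of each     -> 'hd'
      - a single word (walgreens)               -> first and last    -> 'ws'
    A trailing '.com' is dropped first, as the author does."""
    name = re.sub(r"\.com$", "", name.strip(), flags=re.IGNORECASE)
    words = _WORD.findall(name)
    if not words:
        raise ValueError("purpose name contains no letters")
    if len(words) == 1 and words[0].isupper():
        return words[0].lower()
    if len(words) > 1:
        return "".join(w[0] for w in words).lower()
    return (words[0][0] + words[0][-1]).lower()


def build_password(phrase: str, purpose: str, two_digits: str, mark: str = "!") -> str:
    """Steps 1-4 combined: initials + purpose letters + fixed two digits + mark."""
    if not (len(two_digits) == 2 and two_digits.isdigit()):
        raise ValueError("two_digits must be exactly two digits")
    return phrase_initials(phrase) + purpose_letters(purpose) + two_digits + mark


if __name__ == "__main__":
    phrase = "I love Nebraska football, live from Memorial stadium"
    print(build_password(phrase, "HomeDepot.com", "25"))  # Ilnflfmshd25!
```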

Final thoughts

According to the BitWarden analyzer, my final password, 'Ilnflfmshd25!' will take an estimated 31 years to crack.