How to generate a secure, easy to remember password
Introduction
I recently created an email account for someone who wanted to keep using their existing password, 'Z3n1th25!'. I thought this was a decent password, but the password analyzer estimated that it could be cracked in 1 millisecond. The problem is that it is built from a dictionary word ('Zenith') with the usual substitutions ('3' for 'e', '1' for 'i'), a two-digit year and a trailing '!', and cracking tools try exactly those mangling rules against a wordlist before they try anything else. The software I was creating the account for required a password strong enough to take 10 years to crack, so I suggested the following process as a way to create a password that is both secure and easy to remember.
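To show what the analyzer is reacting to, here is an added example (not part of the original post): a toy model of the "undo the substitutions, strip the year and punctuation, then look the word up" rules that password-cracking rule engines apply before comparing a candidate with a wordlist. The wordlist and the substitution table are constructed for the demo, and the function names are mine; real attacks use far larger rule sets and dictionaries.

```python
# Added example: a simplified model of wordlist + mangling-rule cracking.
# The substitution table and wordlist below are constructed for the demo.
import re

# Common "leet" substitutions, mapped back to the letters they replace.
LEET_MAP = {"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
            "7": "t", "@": "a", "$": "s", "!": "i"}

# Constructed wordlist; a real attack uses lists of millions of entries.
WORDLIST = {"zenith", "nebraska", "football", "password", "summer"}


def normalize(candidate: str) -> str:
    """Reduce a password to the plain word it was probably built from.

    Strips trailing punctuation, then a trailing 2- or 4-digit year,
    then reverses the substitutions in LEET_MAP.
    """
    base = candidate.lower()
    base = re.sub(r"[!@#$%^&*.?]+$", "", base)      # 'Z3n1th25!' -> 'z3n1th25'
    base = re.sub(r"(19|20)?\d{2}$", "", base)       # 'z3n1th25'  -> 'z3n1th'
    return "".join(LEET_MAP.get(ch, ch) for ch in base)  # -> 'zenith'


def dictionary_hit(candidate: str):
    """Return the wordlist entry the candidate reduces to, or None."""
    word = normalize(candidate)
    return word if word in WORDLIST else None


if __name__ == "__main__":
    for pw in ("Z3n1th25!", "P@55w0rd2024", "Ilnfhd25!"):
        print(pw, "->", normalize(pw), "->", dictionary_hit(pw))
```

'Z3n1th25!' collapses to 'zenith' in three cheap steps, which is why a meter that knows these rules rates it as almost instantly crackable; the phrase-based password 'Ilnfhd25!' reduces to 'ilnfhd', which is in no wordlist.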
Secure and Easy to Remember
While the most important characteristic of a password is for it to be secure, if the password is not relatively easy to remember, then it is much more likely to end up written on a sticky note or scratch pad. Once the password is written down, it is much less secure. Use the following steps to create a secure password that is also fairly easy to remember.
- Think of a phrase: I love Nebraska football
- Convert the phrase to initials: Ilnf
- Add a couple of 'purpose' letters: Ilnfac (for Amazon.com), Ilnfhd (for Home Depot)
- Add two digit year and an exclamation mark: Ilnfac25! (I love Nebraska football, Amazon.com, 25!), Ilnfhd25! (I love Nebraska football, Home Depot, 25!)
- Possibly, repeat: Ilnfac25!Ihtfac25! (I love Nebraska football, I hate Texas football, Amazon.com, 25!), Ilnfhd25!Ihtfhd25! (I love Nebraska football, I hate Texas football, Home Depot, 25!)
The Process
Step 1: Think of a phrase
I love Nebraska football
Step 2: Convert the phrase to initials
Convert the phrase to letters, using the first letter of each word. 'I love Nebraska football' becomes 'Ilnf' (capital I, lowercase L). According to password analyzers, making the 'N' for Nebraska capital doesn't help much, so for simplicity, I capitalize only the first letter.
Step 3: Add a couple of 'purpose' letters
Think of the purpose of this password and come up with at least two letters related to the purpose. The purpose will likely be the name of the store, business or website the password will be used with. If the purpose name/phrase is one word, then use the first and last letters of the word. Otherwise, use the first letters of each word of the purpose name/phrase. Adding these letters will help the password be different for different uses. Different is not the same as independent, though: everything else in the password is shared, so anyone who sees one of these passwords in a breach can work out the pattern and guess the others. The purpose letters protect against automated reuse of the exact string, not against a person who studies it.
Try to be consistent in how you choose letters from your purpose phrase. For 'Amazon.com', would you use 'ac' (first letter of each 'word') or 'an' (first and last letters)? I used 'ac'. Normally I don't consider the '.com' portion of a website name when choosing the purpose letters, but with Amazon.com I do, because I always say the '.com' part as part of the name. For 'Home Depot', would you use 'hd' (first letter of each word) or 'hdc' (if you want to include '.com')? I used 'hd'; I don't include the '.com' unless I say it as part of the name.
What would you use for 'walgreens', 'ws' or 'wg'? I use 'ws' because 'wal' isn't a word, so I consider the name as one word. What would you use for 'FBI', 'fi' or 'fbi'? Since 'FBI' is initials, I would use 'fbi'.
How you answer these 'what would you use...' questions is not important. What is important, or helpful, is to be consistent. If I use 'fbi' for FBI but 'ca' for CIA, then I have to remember that. But if I make the choice to always use all of the letters from a 'name' that is already initials, then I don't have to remember the details of the choices.
Step 4: Add two digit year and an exclamation mark
To meet most password requirements, you must have at least one digit. At one point, I chose to use the two-digit year for my digits. This causes problems because the digits change as the year changes. At one time, I had to change passwords at least once a year for my job, so I really didn't have a choice. Each year I would choose a new phrase and use it for the new passwords that year. Although I would change frequently used passwords over to the new phrase, I still ended up with multiple phrase/year combinations to remember.
I am now going to pick one final phrase and redo my passwords using this phrase and an unchanging two-digit year, like my birth year. (A birth year is easy to look up, so a less personal pair of digits is a safer choice; the point is only that the digits never change.) So someday, in theory, all of my passwords will be based upon the same phrase and have the same two digits. If you think that changing your password regularly is good, then my past method works well. Current guidance (NIST SP 800-63B, for example) is that changing passwords on a schedule, rather than when there is evidence of compromise, does not make them more secure, so my new method should be fine.
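The steps above written out as code, added here as an example (it is not the author's own tool). `initials`, `purpose_letters` and `derive_password` are names I chose, and the `keep_tld` flag is my way of expressing the Amazon.com exception from step 3. The tie-break rules are the ones the text gives: a name that is already initials keeps all its letters, a single word contributes its first and last letter, and a multi-word name contributes the first letter of each word. The `repeat` argument covers the "possibly, repeat" step listed in the overview.

```python
# Added example: the phrase -> initials -> purpose letters -> digits + '!'
# procedure from the article, with its tie-break rules made explicit.
# Function names and the keep_tld flag are assumptions of this example.


def initials(phrase: str) -> str:
    """Step 2: first letter of each word, only the first one capitalised."""
    letters = "".join(word[0] for word in phrase.split())
    return letters[:1].upper() + letters[1:].lower()


def purpose_letters(purpose: str, keep_tld: bool = False) -> str:
    """Step 3: the letters that make the password site-specific."""
    name = purpose.strip()
    if not keep_tld and "." in name:
        # Drop a trailing '.com'-style suffix unless the user says it aloud.
        name = name.rsplit(".", 1)[0]
    words = name.replace(".", " ").split()
    if len(words) == 1 and words[0].isupper():
        return words[0].lower()                   # 'FBI' -> 'fbi'
    if len(words) == 1:
        word = words[0].lower()
        return word[0] + word[-1]                 # 'walgreens' -> 'ws'
    return "".join(w[0].lower() for w in words)   # 'Home Depot' -> 'hd'


def derive_password(phrase: str, purpose: str, digits: str,
                    keep_tld: bool = False, repeat: int = 1) -> str:
    """Steps 1-4 (and the optional repeat): initials + purpose + digits + '!'."""
    base = f"{initials(phrase)}{purpose_letters(purpose, keep_tld)}{digits}!"
    return base * repeat


if __name__ == "__main__":
    phrase = "I love Nebraska football"
    print(derive_password(phrase, "Home Depot", "25"))              # Ilnfhd25!
    print(derive_password(phrase, "Amazon.com", "25", keep_tld=True))  # Ilnfac25!
    print(derive_password(phrase, "Home Depot", "25", repeat=2))
```

Writing the rules down this way also shows what the scheme really is: a fixed secret (the phrase and digits) plus a short, predictable, site-derived suffix. Anything that can be generated by a twenty-line function from one leaked password can be generated by an attacker too.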
Step 5: Possibly, repeat
The bad news is that according to the password analyzer, this password would be cracked within a day. I can think of three different options that I have used.
Option 1: Double the password
Instead of generating a different password, I repeat this password (Ilnfhd25!Ilnfhd25!). This is an easy way to get a longer password, but today I found that the Bitwarden password analyzer rates this doubled password as only slightly better. The analyzer evidently recognizes the repetition and scores the password as the base string plus a small multiplier, rather than as a string twice as long. That makes sense: it is easy to double a password, and it is just as easy for an attacker to test doubled candidates. I found that with the Bitwarden analyzer, you would have to triple this password to make it sufficiently strong.
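A small model of why the doubled password gains so little, added here as an example (it is neither the author's code nor Bitwarden's). Bitwarden's strength meter is built on zxcvbn, whose "repeat" matcher scores a string that is a base repeated k times as guesses(base) × k instead of as a longer string. The brute-force keyspace used below as the base estimate is a deliberate simplification of this example, not zxcvbn's own arithmetic, and the function names are mine.

```python
# Added example: repeat detection in the style of zxcvbn's repeat matcher,
# with a plain brute-force keyspace standing in for the base estimate.
import math
import string


def repeat_unit(pw: str):
    """Return (unit, count) for the shortest unit with unit * count == pw.

    A password that is not a repetition returns (pw, 1).
    """
    n = len(pw)
    for size in range(1, n // 2 + 1):
        if n % size == 0 and pw[:size] * (n // size) == pw:
            return pw[:size], n // size
    return pw, 1


def charset_size(pw: str) -> int:
    """Size of the alphabet a brute-force search would have to cover."""
    size = 0
    for chars, weight in ((string.ascii_lowercase, 26),
                          (string.ascii_uppercase, 26),
                          (string.digits, 10),
                          (string.punctuation, 32)):
        if any(c in chars for c in pw):
            size += weight
    return size


def naive_log2_guesses(pw: str) -> float:
    """log2 keyspace of a search that ignores structure: one bit per... no,
    len(pw) * log2(alphabet)."""
    return len(pw) * math.log2(charset_size(pw))


def repeat_aware_log2_guesses(pw: str) -> float:
    """log2 keyspace when the attacker tries base, base*2, base*3, ...:
    guesses(base) * count, i.e. log2(count) extra bits, not len(base) extra."""
    unit, count = repeat_unit(pw)
    return naive_log2_guesses(unit) + math.log2(count)


if __name__ == "__main__":
    base = "Ilnfhd25!"
    for pw in (base, base * 2):
        print(f"{pw:20} naive {naive_log2_guesses(pw):6.1f} bits, "
              f"repeat-aware {repeat_aware_log2_guesses(pw):6.1f} bits")
```

Under this model the doubled password is worth about one extra bit over the base, which matches the "only slightly better" verdict. The model says nothing about how Bitwarden's meter weighs its other matchers, so it does not reproduce the meter's verdict on the tripled version; the point is only that repetition is structure, and structure is cheap to guess.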
Option 2: Create a second, related password