It's impossible to expect people to be able to use a password like j8^bEr3$k7 without writing it down or worse. But does that mean that if you don't make your passwords long, complex, and mostly meaningless, you're at risk? Not necessarily. There is a middle ground.
The Phrase Trick
While short phrases and exceedingly famous ones are likely in hacker dictionaries, the vast majority of phrases in the world won't be. "Four score and 7 years ago" would likely be no good because it's so well known, but "The needs of the many7of9" would.
Phrases are great because they're very long, but at the same time very easy to remember. No matter what you pick, be sure to make it abnormal in some way. To simplify this, I recommend you come up with personal password rules that you'll do for all your phrase passwords. For example:
- Always capitalize each word (Capitalize Each Separate Word)
- All numbers either spelled out or written as digits (forty four vs. 44)
- Use * instead of spaces (this*is*a*sentence)
- Replace the word "the" with "bat" (It was bat worst of times)
It doesn't really matter what you choose, just be consistent. It won't do you any good to remember the phrase, but not the changes that you made to it.
The Suffix Trick
The suffix trick is a method of quickly taking weak passwords and adding length and complexity to them in a simple way. For example, say you have three passwords at three different sites: cat, money and camero.
These are all strikingly weak passwords, but you may have used them for a long time and not want to get rid of them. Fair enough. But take my advice and you can secure them all without changing them too much.
To use the suffix trick, first pick your suffix. Here are some suggestions:
- @site.com – Where "site" is any word you want and ".com" is any domain (like ".gov", ".org", ".co.uk" etc.). Here you are making your password into something that looks like an e-mail address. The beauty of this one is that it adds special characters and good length while being super easy to remember. For example, you could use "@hubris.jp" or "@gonzo.uk". Note that using country codes works well because they're less predictable than ".com".
- 2^3=8 – Math is great because it's all numbers and symbols, but it's easy to remember and understand. Another example: 2+5=7.
- 3141592 – Pure numbers. This is good for sites that don't let you use special characters in your password. You can go completely random, but in this case, it's pi. Another really great trick here is to use a number that means something to you, but no one else. For example, a friend used his 6-digit employee number from a company he used to work for.
- three3 – Numbers and letters. Again, useful for sites that don't let you use special characters.
- &7sh3 – This is truly random. Pick something as complicated as you can think of (so long as it's only 4 to 6 characters). This is better than some of the other picks because even if a web site admin looks at your password, they probably won't figure out the trick (where some of the other suffixes are pretty obvious).
Again, good length and now your passwords have numbers AND special characters.
Now that you have a suffix, you're going to go to every website and web service that you can and add the suffix to your passwords. No matter how long or hard the suffix is, since you're using the same one everywhere, it becomes easy to remember.
For example: cat2^3=8, money2^3=8, and camero2^3=8
Even if someone were to figure out the trick you're using (which is unlikely unless they can already see several of your passwords), they still have to guess the rest of your password (which will be at least as strong as your password was without the suffix).
In other words, there's a chance that someone might be able to figure out your trick and your passwords lose the extra security, but in all other cases, your entire online web presence has become more secure with very little effort. This is the least you should do right now until you have time to pick better passwords for your more important accounts.
For a quick and easy proof of this theory, go check your current password at the online Password Meter and then try it again with your chosen suffix.
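The following is an added example, not code from the original post, that does offline what the Password Meter check above does online: it appends the suffix to the three weak passwords from the text and reports length and character classes before and after. It also models the caveat in the paragraph about someone figuring out the trick: once the suffix is known, the part an attacker still has to guess is just the original base password. The policy thresholds (8 characters, 3 character classes) are an assumption chosen for illustration.

```python
import string

# Constructed sample: the three weak base passwords named in the post and one
# of the suggested suffixes.
BASE_PASSWORDS = ["cat", "money", "camero"]
SUFFIX = "2^3=8"


def apply_suffix(base: str, suffix: str) -> str:
    """The suffix trick: append the same memorable suffix to a weak password."""
    return base + suffix


def character_classes(password: str) -> set:
    """Report which of lower/upper/digit/special the password contains."""
    classes = set()
    for ch in password:
        if ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.digits:
            classes.add("digit")
        else:
            classes.add("special")
    return classes


def strength_report(password: str, min_length: int = 8, min_classes: int = 3) -> dict:
    """A simple meter: length plus number of distinct character classes.
    Thresholds are illustrative assumptions, not a standard."""
    classes = character_classes(password)
    return {
        "length": len(password),
        "classes": sorted(classes),
        "meets_policy": len(password) >= min_length and len(classes) >= min_classes,
    }


def remaining_secret(password: str, known_suffix: str) -> str:
    """If an attacker has learned the suffix, this is what they still have to
    guess: the password with the known suffix stripped off."""
    if password.endswith(known_suffix):
        return password[: -len(known_suffix)]
    return password


def suffix_everywhere(bases, suffix: str) -> dict:
    """Apply the suffix to every base password and report before/after."""
    return {
        base: {
            "before": strength_report(base),
            "after": strength_report(apply_suffix(base, suffix)),
        }
        for base in bases
    }


if __name__ == "__main__":
    for base, report in suffix_everywhere(BASE_PASSWORDS, SUFFIX).items():
        print(f"{base!r}: {report['before']} -> {report['after']}")
    print("unknown part if suffix leaks:", remaining_secret("cat2^3=8", SUFFIX))
```

Running this shows each base going from one character class and 3 to 6 characters to three classes and 8 to 11 characters, while `remaining_secret` makes the "at least as strong as before" statement concrete: with the suffix known, "cat2^3=8" is exactly as hard to guess as "cat".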
The Levels Trick
You don't really have to have a completely unique password for absolutely every online account. The question to ask is, "what level of password is needed?"
For example, I have a special account name and password combination I use for any site I don't like, don't trust, don't care about or think I'll never come back to (but that has something I want and requires registration).
For those sites, I use my "throwaway" information which might look like this:
- Username: Hotdog
- Password: relish808
Even if a site requires an e-mail address as the login, I still use the throwaway password if I just don't care about the site or about what happens if that account gets hacked.
Now, if I ever come to a site that requires login and I think I might have been there before, I can try my throwaway information first and see what happens.
For sites that would be inconvenient, but not drastically bad to lose control of, I use what is probably the easiest possible way to make secure passwords that anyone can remember. Here's how it works:
- Pick a rule that you'll apply to a website's name. It doesn't matter what it is so long as you are consistent and use it the same way from now until you die. For example, let's say I choose 5 characters, proper case (meaning the first letter is uppercase and the rest lowercase).
- Next, choose a suffix from above. Math is pretty easy, but anything is fine so long as you pick a good one.
So now you have two pieces. Put them together like this:
| If the site is… | Then the password is… |
| --- | --- |
Note that because bofa.com (Bank of America) is less than 5 characters, I stop when I run out. Your rule could be to fill the fifth slot with the '&' sign or whatever you want.
Now you have good length, upper, lower, numbers and special characters, but the second you see the website, you instantly know the password, since the suffix is the same EVERYWHERE and the rest of the password is based on your rule.
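As an added example (not the post's own code), here is the levels trick as a function: the site-name rule from the steps above (first 5 characters of the site's main label, proper case) plus the math suffix. It handles the bofa.com case from the paragraph above both ways the text allows, stopping when the name runs out or filling the fifth slot with '&', and it strips a pasted URL or a leading "www." so the same site always yields the same key. The hostname example.com is a constructed input.

```python
import re
from typing import Optional

SUFFIX = "2^3=8"   # the math suffix picked in step two
SITE_CHARS = 5     # the rule: first 5 characters of the site name


def site_key(hostname: str, length: int = SITE_CHARS,
             filler: Optional[str] = None) -> str:
    """Apply the site-name rule to a hostname or URL.

    The main label is the first label after an optional "www.", so
    "https://www.example.com/login" and "example.com" give the same key.
    If the name is shorter than `length`, stop there (the post's default)
    or, when `filler` is given, pad with that character.
    """
    host = hostname.strip().lower()
    host = re.sub(r"^[a-z]+://", "", host).split("/")[0]   # drop scheme and path
    labels = [label for label in host.split(".") if label]
    if labels and labels[0] == "www" and len(labels) > 1:
        labels = labels[1:]
    name = labels[0] if labels else ""
    key = name[:length]
    if filler is not None and len(key) < length:
        key = key + filler * (length - len(key))
    return key[:1].upper() + key[1:]   # proper case


def level_password(hostname: str, suffix: str = SUFFIX,
                   filler: Optional[str] = None) -> str:
    """Site key followed by the suffix that is the same EVERYWHERE."""
    return site_key(hostname, filler=filler) + suffix


if __name__ == "__main__":
    for site in ["bofa.com", "https://www.example.com/login"]:
        print(f"{site:34} -> {level_password(site)}  "
              f"(padded: {level_password(site, filler='&')})")
```

Note that a site that changes its domain, or one you reach through several different domains, yields different keys under this rule; the rule must be applied to the name you will actually remember the site by.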
All accounts that protect your money, your reputation, or privacy should use your strongest, most important, most secure password of all. For example, take your most important online account of all… your e-mail. "E-mail? Are you kidding!?", you say? Actually, I'm not.
What you see here is a password reset form. Using it, I can enter your e-mail address and a quick verification number that's shown on the screen and they'll either send the password back to me or reset it to some random value (which they'll send to me). Either way, if I'm in your e-mail, I can unlock your account.
Because of password reset forms, access to your e-mail account is access to your world. Keep your e-mail account secure!
For these websites, I most recommend using the phrase trick or anything that's both long and complicated. If you have to write it down, go ahead, just don't keep the password in an easy-to-access place like your wallet or laptop bag.