How to Create Strong, Safe Passwords

Movies like to show hackers breaking passwords with fancy software and ludicrous gadgets. The reality of busting passwords open is much more mundane. Simple as it may sound, most passwords are broken by guessing: usually automated guessing, run at high speed against a stolen list of password hashes, and the guesses start with the passwords people choose most often. Check out this infographic from ZoneAlarm, as well as this list from the Wall Street Journal of the fifty most common passwords gleaned from the 2010 Gawker hack. If your password is on one of those lists, change it. Right now.

Even if you're savvy enough to be using something other than "password," you need to scrap any passwords based on personal info. Lots of people like to use the names of kids, significant others or pets. Birthdays and anniversaries are commonly used as well. That might not seem like such a big deal. You might be thinking, "That's not an issue. How would a stranger know any of that about me?"

I invite you now to hearken back to the 2008 US presidential election. Do you recall when Sarah Palin's email was hacked? It wasn't a hack, really. The whole to-do was caused by somebody who looked up a few details about her personal life and used them to answer the security questions in Yahoo!'s password recovery steps. No password was guessed at all; the recovery questions were the weak link. I imagine the entire process didn't take more than ten minutes, tops.

Now, granted, most of our lives are much more private than that of the average politician. But are you on Facebook? Twitter? Do you have a blog? Chances are that your personal info isn't too hard to find, either, and the same goes for the answers to your own security questions.

When it comes to keeping your accounts secure, what matters is how many guesses an attacker would need to find your password, which comes down to length and unpredictability. The safest way to go is a long, entirely random string of letters, numbers and symbols, but unless you're some kind of android, remembering a meaningless string of characters is going to be tough. My recommendation is to choose a memorable, non-obvious word, get creative with your spelling, and then make the result long; a short word with a couple of swapped letters is still a short password.

What do I mean by a non-obvious word? Well, take the common variation "passw0rd." Replacing one letter in the most easily-guessed password ever is hardly going to do the trick; password-cracking tools try exactly that kind of swap automatically. When choosing a new password, I like to start with a word that describes something that I can see from my desk. Let's put one together right now.


First things first, we'll throw some capitals in there. I'll use P and C, because they sound most like my initials.


Next, let's swap out a few letters.


And for the icing, we'll toss in some special characters. Now, not all sites will accept special characters, but it's always worth a shot.


Not bad, huh?

Random objects are just the tip of the iceberg. Acronyms are pretty solid, too. For example, "I Love Super Secure Computer Passwords" becomes "ILSSCP" (or "iLsSCp," or "1ls$cP"). If you want something easier to remember, think outside the box. Instead of your spouse's name, create a password based on your first date or an old inside joke. As long as the end result can't be found in a dictionary, isn't a name or a date somebody could look up, and is reasonably long, you're good to go.
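To show how much the "creative spelling" step actually buys, here is an added example (not code from the original article) that mimics the mangling rules of a password cracker: it takes a tiny constructed wordlist and expands every word with leetspeak swaps, every capitalisation pattern and a few common suffixes, then counts how many guesses it takes to reach passwords built the way this article describes. The wordlist, the substitution table and the suffix list are assumptions chosen for the demo; real cracking wordlists and rule sets are far larger, which only makes the point stronger.

```python
import itertools
import math

# Constructed wordlist for the demo. Real cracking wordlists hold millions of entries.
WORDLIST = ["password", "coffee", "pencil", "monkey", "letmein", "dragon"]

# Leetspeak swaps and suffixes modelled on common cracking rule sets
# (assumption: a small subset of what tools like John the Ripper or hashcat ship with).
LEET = {"a": "4@", "e": "3", "i": "1!", "o": "0*", "s": "5$", "l": "1"}
SUFFIXES = ["", "1", "12", "123", "!", "2010"]


def leet_variants(word):
    """Every spelling obtained by swapping any subset of the substitutable letters."""
    per_char = [[c] + list(LEET.get(c, "")) for c in word]
    for combo in itertools.product(*per_char):
        yield "".join(combo)


def case_variants(word):
    """Every capitalisation pattern over the alphabetic characters."""
    per_char = [[c.lower(), c.upper()] if c.isalpha() else [c] for c in word]
    for combo in itertools.product(*per_char):
        yield "".join(combo)


def mangle(word):
    """Yield the candidate passwords derived from one base word, as a rule engine would."""
    for leet in leet_variants(word.lower()):
        for cased in case_variants(leet):
            for suffix in SUFFIXES:
                yield cased + suffix


def guesses_to_crack(target, wordlist=WORDLIST):
    """Number of candidates tried before `target` is produced, or None if it is never produced."""
    count = 0
    for word in wordlist:
        for candidate in mangle(word):
            count += 1
            if candidate == target:
                return count
    return None


def total_candidates(wordlist=WORDLIST):
    """Size of the whole mangled search space for this wordlist and rule set."""
    return sum(1 for w in wordlist for _ in mangle(w))


def bits(space_size):
    """log2 of a search-space size: the strength measure that matters."""
    return math.log2(space_size)


if __name__ == "__main__":
    total = total_candidates()
    print(f"mangled search space for {len(WORDLIST)} words: {total} candidates ({bits(total):.1f} bits)")
    for pw in ["passw0rd", "c*FF3e123", "p3Nc1L!", "Xq7$kLm2p"]:
        n = guesses_to_crack(pw)
        print(f"{pw!r}: {'guess #%d' % n if n else 'not reached by this wordlist'}")
    # A random 9-character string over the 94 printable ASCII characters, for comparison.
    print(f"random 9-char printable-ASCII password: {bits(94 ** 9):.1f} bits")
```

With six base words the whole mangled space is about 36,000 candidates, roughly 15 bits, so "passw0rd", "c*FF3e123" and a pencil-based password like "p3Nc1L!" all fall within seconds of guessing, while a random 9-character string sits in a space of about 59 bits. The lesson is that swaps and capitals help only when the base word itself is not in any list an attacker would try, and that length is the bigger lever.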

...that is, you're good to go for your first password. Having one password for everything is risky business. Imagine if somebody gained access to something fairly inconsequential, like your reader account on a popular blog. If you use the same password for everything, they'd try it on your email, your bank and your credit cards next, and it would work. Using a different password for each account keeps the rest of your accounts safe in the event of an isolated security breach. I've got one password for my email, one for my bank, one for my web host, and a handful that I swap around for my other online accounts. I change them all every six months or so.

Some folks understandably have a tough time remembering multiple alphanumeric passwords. Writing yourself notes is okay, but be smart about where you store them. Don't leave them lying around on your desk, especially in a shared office. Tearing them up after you've memorized your passwords is always a good idea. Whatever you do, don't keep an unencrypted master list of your passwords in your email, on your computer, or on an online storage service.

One of the best methods I've seen for keeping safe records of passwords comes from a former co-worker of mine. Every time she changed passwords, she printed out a spreadsheet of them. The spreadsheet file was immediately deleted from her computer, and the physical copy was locked in a safe. It may sound like overkill, but I honestly can't think of a safer method.

If remembering passwords really isn't your strong suit, you might be interested in a program called 1Password. 1Password generates random passwords, stores them in an encrypted vault protected by a single master password, and fills in login pages on your behalf. I haven't used 1Password myself, but all the users I know have nothing but good things to say. Feel free to chat about it in the comments if you've got any feedback.
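The thing a password manager does for you is generate passwords that are random in the strict sense, and do it without the mistakes people make when they roll their own. The added example below (not 1Password's code, and not from the original article) shows the pattern in Python: draw from the operating system's randomness source via the `secrets` module rather than `random`, satisfy a site's "one of each class" rule by rejection sampling instead of by forcing characters into fixed positions (which would skew the distribution), and report the resulting strength in bits. The character classes and the 16-character default are assumptions standing in for a typical site policy.

```python
import math
import secrets
import string

# Character classes a typical site policy asks for (assumed policy for the demo).
CLASSES = [
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    "!@#$%^&*()-_=+[]{}:,.?",
]


def meets_policy(password, classes=CLASSES):
    """True if the password contains at least one character from every class."""
    return all(any(c in cls for c in password) for cls in classes)


def generate_password(length=16, classes=CLASSES):
    """Return a uniformly random password over the union of `classes` that satisfies
    the policy. `secrets.choice` is unbiased and backed by the OS CSPRNG; retrying until
    the policy holds keeps every accepted password equally likely."""
    if length < len(classes):
        raise ValueError("length too short to include every character class")
    alphabet = "".join(classes)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_policy(candidate, classes):
            return candidate


def entropy_bits(length, alphabet_size):
    """Upper bound on strength: log2 of the number of equally likely passwords."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    alphabet_size = sum(len(cls) for cls in CLASSES)
    for length in (8, 12, 16, 24):
        pw = generate_password(length)
        print(f"{length:2d} chars, {entropy_bits(length, alphabet_size):5.1f} bits: {pw}")
```

A 16-character password over these 84 characters has about 102 bits of entropy, far beyond anything a guessing attack can cover, which is why a manager can afford a different password for every site and you only have to remember the one that unlocks the vault.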

Photo by Nino Barberi


Great tips, thanks Becky. I like how you manipulated the word pencil. I will have to try something like that next time. I would be curious to hear from someone who has used 1Password. I think I would be hesitant to have any third party store my passwords, what if they get hacked?

Great tutorial, I'm somewhat surprised by the top 50 passwords used. I was expecting admin and Motorola to show up somewhere on there. I'd like to point out Pencil is a great example for this tutorial, but shouldn't we be staying away from dictionary words as a basis for our passwords @becky? "3" for e's, "$" for s's, I guess it's more secure than letters, but given the password's length... I feel some additional info needs to be added to your tutorial. I highly recommend 1Password, just be careful using it via your mobile device. Standalone devices emphasizing mobility are infamous for being stolen/compromised.

Thanks, David. As far as dictionary words go, so long as the password no longer has anything that a dictionary can recognize, you're a whole lot safer. For example, "coffee123" is bad, because it's still got a full dictionary word in there. "c*FF3e123," on the other hand, isn't going to cause any issues. As long as your password doesn't look like a word when you're done with it, it's okay to use a real word as your starting point. But you are correct about the length of the sample I used. Eight, nine or ten characters is a better password length.

Even that's not as far as it should have gone, I think. I have many '1337 speak' dictionaries that ultimately make this 'protection' worthless. There are programs to 'mutate' words into millions of variations and guess them.
A strong password has many more angles than one would think.
All of my personal passwords are the maximum site-allowed length, with full ASCII characters. That way, even if a hacker gets my password hash, they could never see my real password. Random jumbles are the only safe way to go.

What I do is have a TrueCrypt container with a .txt file in it, containing all of my passwords. So one master password is all I need to remember (this is still a single full ASCII password).
