Creating (and Remembering) Secure Passwords

A guide to creating and remembering secure passwords

Over the last few articles in this section of the site, we’ve taken a look at the various ways in which we get password selection wrong. Whilst that’s all very well, we’ve not yet looked at the best ways to create strong, hard-to-crack passwords.

This article is going to take a look at strategies we can employ to improve our password selections and, therefore, their strength.

Part One – Before We Begin

This section lists the things you need to consider before you create or use a password:

  • Accept that you’re as likely a target as any other online computer/device user.

Due to the myriad ways that hackers are able to make use of personal information for their own gain, everyone (and I mean everyone) has information within their online accounts that’s potentially of great value to them.  Most attacks aren’t even targeted: lists of leaked usernames and passwords are tried against every popular site automatically, so a weak or reused password gets found without anyone ever singling you out.  Just because you haven’t been targeted up to now doesn’t mean that you won’t be.

  • Keep the whole password affair as impersonal as possible.

Think ‘outside the box’ and don’t choose words or phrases that hold a particular significance for you, such as birthdays or relatives’ names.  Anyone looking to hack into your online life will do their homework first. They’ll scan social media accounts, posts we’ve made on forums or within other online services and build a picture of who/what is important to us.  This information can then be used to build a list of potential passwords.

  • Don’t share your passwords with anyone.

Really, this little gem should go without saying.  And yet, there are a surprising number among us who do share our passwords at some time or another.  Consider it the equivalent of permanently handing someone a set of keys to your house.  They’re then free to come and go as they please until you change the locks.

Part Two – Choosing Your Password

When it comes to choosing a password, the world really is your oyster and the options limitless. This section contains a few tips for choosing passwords that are both strong and not too hard to remember:

    1. Use a sentence or phrase as the basis for your password –  Rather than choosing a single word or two as a basis for your password, think bigger.  Think of an entire phrase as your starting point for what you’ll use to secure something.  (More on this below)
    2. Make It Long – As we looked at in a previous article, password length has the biggest effect on how long a password takes to crack; every extra character multiplies the attacker’s work. Treat 8 characters as the bare minimum and aim for 12 or more; longer is better, not ‘too long’.  (Some websites and applications cap password length, so in those cases we might be forced to choose shorter ones; a site that caps you below 12 is telling you something about how seriously it takes security.)
    3. Mix It Up – use a variation of CapItAl and lOwErcASe letters in your password, as well as a couple of numbers.  At least one of each within your password makes a difference, but jumbling a handful up is even better. Try to avoid grouping them together too much if you can, and in particular avoid the patterns cracking tools try first: a capital only at the start and the numbers only at the end.
    4. Give It Some Space – Ok, so many password systems won’t allow you to add physical spaces (although there are a few that will). However, the _underscore_ makes a fairly nice alternative to a physical press of the spacebar and is just as efficient.
    5. It’s All A Bit Symbolic – in addition to CAPITAL letters, lowercase letters and numb3rs, make sure that there’s at least one symbol in there too (@#!*&).  This adds another frustrating curveball for any would-be hacker.  (In some places, I’ve read suggestions to use the computer’s character map/palette to insert special characters.  However, I’d advise against this as entering the password across different platforms might become difficult or impossible.  It also adds more hassle for us to enter them at all and, ultimately, won’t increase our password security that much)
    6. Change Is As Good As Rest – Change a password whenever there is a reason to: a breach notice from the service, a device you’ve shared, a suspicion that someone has seen it.  Changing every three to six months used to be standard advice, but current guidance (NIST SP 800-63B, for example) no longer recommends forced periodic changes, because people respond with predictable tweaks such as bumping a trailing digit, and those tweaks are the first thing cracking tools try.
      NOTE: If you have any concerns that any of your accounts might have been compromised, change its password IMMEDIATELY


Part 3 – A Working Example

In this section, I’m going to go through the process of creating a secure and fairly easy to remember password, together with explanations behind the choices.

1. Choose My Sentence or Phrase
For this, I’d suggest using a mnemonic device to come up with something.  One such example is the Person-Action-Object (PAO) method.  Just go onto the internet and find an image of a person performing an action to or with an object, something that has an appeal or sticks in your mind.

And here’s mine:

And my PAO phrase from this is “cute squirrel dances in the woodland”.

2. Use My Sentence to Create a Password
The easiest way to do this is to take certain letters from our phrase to assemble a password that’s not too hard to remember. In this example, I’m going to choose the first two letters from each word, giving me:


Already, we can see that the above password looks like little more than a random set of twelve letters to anyone who doesn’t know the phrase, and is on its way to being tough to crack. But we’re not quite there yet.

3. Spaces/Uppercase/Lowercase/Numbers/Symbols
Now we’re going to mix things up a little more with the addition of some random characters. These characters will still hold some meaning though.

a. First of all, let’s add a space after what the squirrel is doing, but before we know where he’s doing it:


b. Now, let’s throw a couple of numbers in. A useful way to do this is in place of certain vowels (bear in mind that vowel-for-digit swaps such as e to 3 are among the first substitutions cracking tools try, so this helps memorability more than it adds strength). This will give us:


c. Now, capital letter(s):


d. And lastly, another symbol:


And there we go, we’ve just created a password that’s based on a dancing squirrel. Not bad for ten minutes’ work, huh? Not only that, it’s a password that’s got all the ingredients of being strong, hard to guess and apparently nonsense.

However, the above example might not be the best in terms of being able to memorise it. It’s a random squirrel in a random picture and holds no significance for us. We can, though, translate the same approach into our personal lives.

Say I’ve got 3 children; Larry, Barry and Cornelius (poor bugger) and that their favourite hobby is soccer, which they all play together every Saturday from 11am.

This can give us: “Larry, Barry and Cornelius play Soccer every Saturday at 11am”.

And my password is: “La,Ba&CoplSoevSat@1100”

I’ve stated a series of facts that I’ll remember, I’ve mentioned no full names or other details, the password includes all the right ingredients (upper/lowercase letters, numbers, symbols) and it’s 22 characters long!

If a site insists on something shorter, the same sentence can be cut down: “L,B&CpseS@11”

That’s 12 characters, still with every ingredient, and still fine for a site that caps length. But don’t shorten for its own sake: the 22-character version is no harder to remember, since what you’re recalling is the sentence rather than the string, and it is far harder to crack.

Part Four – Memorising Passwords

Now that we’ve chosen our password, the next thing we need to do is ensure that we remember it. In some cases, this might not be too much of a problem but what if we have several accounts and we need to remember which one goes with which?

The first thing I’d suggest here is to use a similar “cipher” for all of your passwords: a fixed set of rules that you always apply when creating them. For example, in every password you create:

  • only use the first two letters of each phrase word
  • every ‘e’ in the password is replaced with a 3
  • any number is prefixed with # (not including our letter changes)

and so on.

This provides a structure to our password creation and assists in remembering them. The rules can stay the same everywhere, but the phrase must be different for every account: if one password leaks, anyone who sees it can infer the rules, and a sibling password that differs only by the site name or a digit is the first thing they will try next.
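As an added illustration (example code, not from the article), here are the three rules above written as a function, alongside a check for the ingredients Part Two asks for. The phrase is the one from Part 3. The assumptions are mine: words are split on anything that is not a letter or digit, punctuation between words is dropped, and the ‘#’ rule is applied before the ‘e’ rule so that the 3s it produces are not treated as numbers.

```python
import re
import string

# Added example: the article's three derivation rules as code, plus a check
# for the Part Two ingredients. Tokenising and rule order are assumptions.


def derive_password(phrase: str) -> str:
    """Apply the article's rules to a memorable phrase.

    1. keep only the first two characters of each word,
    2. replace every 'e' with '3',
    3. prefix any number with '#'; digits produced by rule 2 are exempt,
       which is why rule 3 runs before rule 2 here.
    Punctuation between words is dropped (assumption).
    """
    parts = []
    for word in re.findall(r"[A-Za-z0-9]+", phrase):
        chunk = word[:2]                 # rule 1
        if chunk.isdigit():              # rule 3: a number gets a '#' in front
            chunk = "#" + chunk
        parts.append(chunk.replace("e", "3"))  # rule 2
    return "".join(parts)


def check_ingredients(password: str, minimum_length: int = 12) -> dict:
    """Each entry is True when the corresponding Part Two requirement is met.

    minimum_length defaults to 12, the 'ideal' floor rather than the bare
    minimum of 8. This is a policy check only: it says nothing about how
    guessable the underlying phrase is.
    """
    return {
        "long_enough": len(password) >= minimum_length,
        "has_upper": any(c.isupper() for c in password),
        "has_lower": any(c.islower() for c in password),
        "has_digit": any(c.isdigit() for c in password),
        "has_symbol": any(c in string.punctuation for c in password),
    }


if __name__ == "__main__":
    phrase = "Larry, Barry and Cornelius play Soccer every Saturday at 11am"
    pw = derive_password(phrase)
    print(pw)                    # LaBaanCoplSo3vSaat#11
    for name, ok in check_ingredients(pw).items():
        print(f"  {name}: {'ok' if ok else 'MISSING'}")
```

Run against the Part 3 sentence this gives LaBaanCoplSo3vSaat#11, 21 characters with every ingredient present; the squirrel phrase gives cusqdainthwo, which the check correctly flags as lacking capitals, digits and symbols. Keep in mind what the rules do and do not buy you: they make the string memorable, but an attacker who learns the rules only has to guess the sentence, so the strength comes from how unguessable the phrase is, not from the substitutions.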

It’s also ok to write them down (in hardcopy) and keep them in a safe place, away from your computer and from any prying eyes. Remember, we’re mostly defending against people trying to remotely access our accounts via a network connection, not from someone rooting through the bottom of your underwear drawer (if you share a home or office with people you don’t trust, that changes the picture). If you do happen to forget a password for a particular account, it’s easily sorted out.

It’s also possible to ‘code’ your written down passwords so that if anyone should happen to see the list, it’s still of very little use. The easiest way to do this is to add an offset pattern, where each coded character is a number of alphabetical letters or numbers higher than the actual character used.

For Example:
with a +2 offset pattern would become:
where the first character (in this case ‘2’) is the offset number. Notice that I also changed the symbol ‘&’ into ‘(‘, because that’s two keys further along the number row. Bear in mind that this only defeats a casual glance: anyone who walks off with the list can try all nine offsets in a minute, so the list still has to be kept somewhere physically safe.
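The offset coding described above, as an added example (my code, not the article’s), together with the decoder and a brute force that recovers the password when the offset digit is unknown. Assumptions: letters shift within their own case and wrap around (y plus 2 becomes a), digits wrap within 0 to 9, symbols on the shifted number row shift along that row (“!@#$%^&*()”, so & plus 2 becomes ( exactly as in the article), anything else is written unchanged, and the offset (1 to 9) is written as the first character. The sample password is the 12-character one from Part 3.

```python
import string

# Added example: the "+N offset" coding for a written-down password list,
# with a decoder and a brute force that shows how little it resists.
# Row handling, wrap-around and the 1-9 offset range are assumptions.

_ROWS = (
    string.ascii_lowercase,   # a-z
    string.ascii_uppercase,   # A-Z
    string.digits,            # 0-9
    "!@#$%^&*()",             # shifted number row on a US keyboard
)


def _shift_char(c: str, offset: int) -> str:
    """Move c along whichever row it belongs to, wrapping at the end."""
    for row in _ROWS:
        i = row.find(c)
        if i != -1:
            return row[(i + offset) % len(row)]
    return c  # not in any row (e.g. ','): written as-is


def encode(password: str, offset: int) -> str:
    """Code a password for the written list; the offset digit goes first."""
    if not 1 <= offset <= 9:
        raise ValueError("offset must be a single digit 1-9")
    return str(offset) + "".join(_shift_char(c, offset) for c in password)


def decode(coded: str) -> str:
    """Reverse encode(): read the offset digit, then shift everything back."""
    offset = int(coded[0])
    return "".join(_shift_char(c, -offset) for c in coded[1:])


def brute_force(coded_body: str) -> list:
    """All nine candidates for a coded entry whose offset digit is missing.

    The real password is always one of them, which is the point: this
    coding stops a glance, not someone who has taken the list.
    """
    return [(o, "".join(_shift_char(c, -o) for c in coded_body))
            for o in range(1, 10)]


if __name__ == "__main__":
    coded = encode("L,B&CpseS@11", 2)
    print(coded)                         # 2N,D(ErugU$33
    print(decode(coded))                 # L,B&CpseS@11
    for offset, candidate in brute_force(coded[1:]):
        print(f"+{offset}: {candidate}")
```

Encoding the Part 3 password with +2 gives 2N,D(ErugU$33, and the brute force lists it as the +2 candidate among nine. If you use the scheme at all, drop the leading offset digit from the written copy; it costs the attacker nothing to try nine offsets, but keeping the digit makes the coding self-describing.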

In any case, be creative. Don’t just use the examples I’ve provided here. As I said at the beginning, think bigger!

Part Five – Password Managers

An alternative to a fair amount of what I’ve described here is to use a Password Manager.

“A password manager is a software application or hardware to assist in creating, storing, and retrieving complex passwords from a database. Password managers usually store passwords encrypted, requiring the user to create a master password: a single, ideally very strong password which grants the user access to their entire password database. Some password managers store passwords on the user’s computer (called offline password managers), whereas others store data in the provider’s cloud (often called online password managers). However offline password managers also offer data storage in the user’s own cloud accounts rather than the provider’s cloud. While the core functionality of a password manager is to securely store large collections of passwords, many provide additional features such as form filling and password generation.”

Source: Wikipedia

I’m not going to go into any further detail on Password Managers here, but if it’s something you’d like to consider PC Magazine have reviewed both free and paid versions. I’ve linked both articles below.
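The ‘password generation’ that a manager performs, as an added example (not from the article or any product it mentions): a generator built on Python’s secrets module, with the arithmetic behind ‘Make It Long’ in Part Two. The guess rate is an assumed figure for illustration only; real rates depend on how the site hashes its passwords.

```python
import math
import secrets
import string

# Added example: what a password manager's generator does, plus the
# arithmetic behind "Make It Long". The guess rate is an assumption.

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def has_all_classes(pw: str) -> bool:
    """True when pw contains a lower, an upper, a digit and a symbol."""
    return (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


def generate(length: int = 16, alphabet: str = ALPHABET) -> str:
    """Uniformly random password that satisfies the four-class rule.

    secrets, not random: random is seeded predictably and is not meant for
    secrets. Rejection sampling keeps every accepted string equally likely;
    forcing one character of each class into fixed positions would not.
    """
    if length < 4:
        raise ValueError("need at least 4 characters to cover all four classes")
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if has_all_classes(pw):
            return pw


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Bits of entropy for a uniformly random password of this length."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(length: int, alphabet_size: int = len(ALPHABET),
                     guesses_per_second: float = 1e11) -> float:
    """Worst-case time to try every candidate at an assumed offline rate.

    1e11 guesses/s is a round figure for a GPU rig against a fast hash;
    against a slow hash it is orders of magnitude lower. Assumption only.
    """
    seconds = alphabet_size ** length / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    print(generate(16))
    for n in (8, 12, 16, 22):
        print(f"{n:2d} chars: {entropy_bits(n):6.1f} bits, "
              f"{years_to_exhaust(n):.3g} years to exhaust")
```

The numbers make the Part Two point concrete: 8 random characters from the 94-symbol set is about 53 bits and falls to an offline attacker in well under a year at the assumed rate, 12 characters is about 79 bits and takes over a hundred thousand years, and each extra character multiplies the time by 94. A generated password has none of the structure a phrase-derived one carries, so those figures are its real strength rather than a ceiling; the price is that nobody remembers it, which is the job the manager takes on.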

Password Psychology

A little explanation of the reasons behind our password choices

We’re sitting there, in front of the computer and in the middle of signing up for a shiny new account on some website or another and the usual sorts of questions are there:

What’s Your Name?

“Yup, I know that one.  No problem.”

What’s Your E-mail address? 

“Damn, was it dot-com or dot-net?  Ahh, here we are; dot-net.  Sorted.”

What Password Are You Going To Choose? 

“Ummm..  Errr.. Hmmmm.. What the hell can I use for a password?”

And here’s our first problem.  Unless we’ve given it some thought before we’ve gone to whatever site it is and started filling everything in, we’re under pressure.  We need to come up with an answer to that fateful question and most of us feel the need to do it fairly quickly.  Anxiety starts to set in (for the average computer user, it really does), or we’ve got to go and feed the cat, pick the kids up from school or simply want to get the order done because ‘it’s just so shiny’.

So our thought process leads us to think of things based on two different but related themes.

  • Familiarity:  We’ll think of things that are familiar to and have meaning for us, normally something that has lasted the test of time.  Alternatively, it could be something that’s still in our short term memory.  Perhaps that film we saw last night or the brand new Ford Mustang we saw this morning while filling up with fuel. All these sorts of things will pass through as we’re considering the options.
  • Memorisation:  The majority of us, whilst considering such things as the new Mustang this morning, will disregard those as options relatively quickly.   This is because we’re less likely to remember them over time than things that have a lasting meaning for us. Obviously, our being able to remember the passwords we choose is vital, otherwise we’re soon going to find ourselves unable to access whatever we’re signing up for.

Generally speaking, a very high percentage of our passwords are chosen through impromptu generation, based on that familiarity and memorisation. Looking a little deeper though, we’re able to break things down some more.

Based on a study carried out in 2002 by a British Psychologist, Dr. Helen Petrie, Ph. D, our familiarity/memorisation choices are centered in one of four genre subsets:

  • Family-orientated (almost half of those surveyed)
  • Fan-based (approximately one-third of those surveyed)
  • Fantasists (approximately eleven percent of those surveyed)
  • Cryptics (approximately ten percent of those surveyed)

Family-orientated password creators will generally choose names, nicknames, birthdates, places or other things that they have strong emotional or family ties with.  This subset of people tend to fit into the bracket of ‘occasional computer users’, often having fewer online accounts than the average.

Fan-based password creators will generally focus their attentions on things that they really like, such as films, TV, music, games and so on.  Two of the top choices in this genre from those surveyed were Homer Simpson and Madonna.  In 2016, one of the most common passwords was ‘StarWars’, following the release of Episode VII in 2015.  For this reason, this subset of people may have some of the easiest passwords to crack: their commonality and general public presence put these words on most hackers’ lists.

Fantasists tend to be slightly narcissistic in their choice of passwords and will often focus their choices around terms of self admiration, whether knowingly or not.  Whilst the majority of those surveyed who fell into this genre were male, a surprising thirty seven percent were female.  Fantasists often have a sexual focus in their passwords, choosing words such as ‘sexy’ or ‘goddess’.  If you’ve taken a look at the 100 of The Most Common Passwords, you’ll maybe have seen that there are a number of similarly related words in there.

Cryptics are the most cyber-security conscious of us all.  Their passwords are often made up of meaningless and unintelligible strings of numbers and letters (e.g. jft922+x).  Whilst they certainly have the most secure passwords, they are also the least interesting.

Type ‘A’ or Type ‘B’ Personality?

One of the other things that affects the choices that we make in regards to passwords is our general personality type.  This is somewhat more vague than the findings of the above study, but does still hold considerable relevance in defining the words or phrases that we use.

Type ‘A’

Those of us that fall under the Type ‘A’ personality type tend to derive our passwords from a desire to be ‘in control’.  We have a tendency to believe that our accounts are not at risk and will often reuse passwords across different logins.  Some of this tendency is based around us wanting to ensure that we don’t forget the passwords we use.

Additionally, those of us who fall into this personality trait are often quite focused on details and will have a methodology around how we remember the passwords we use.  60-70% of us Type ‘A’s are normally quite proactive about trying to keep our online selves secure, even if our efforts might be a little misguided at times.

Type ‘B’

On the other hand, those of us who lean more towards the Type ‘B’ personality are more inclined to believe that our accounts are not at risk, mainly because they aren’t worthy of a hackers time.  This has a tendency to reinforce any bad habits we’ve got into around our password choices and, eventually, to make us believe that those bad habits are acceptable.

In fact, 40-50% of us Type ‘B’s are under the impression that we have nothing of enough value to a hacker to be targeted, and will primarily choose a password based on how easy it is to remember.

Whilst password psychology does give us some indications as to why we choose the passwords we do, it’s not enough to be accepting of those reasons.  In order to keep ourselves, and those connected to us, safe from the attempts of hackers, we need to rethink and improve how we approach our password choices.

We Still Don’t Protect Ourselves – Some Password Statistics

A look at some facts and figures about password security

It’s absolutely everywhere.  Every account we have, every time we sign up for something online; “Choose a strong password”.  The vast majority of us know that strong passwords are one of the most important aspects to keeping our lives in cyberspace secure, and yet, it seems we’re hell bent on continuing to do the virtual equivalent of ‘leaving the key in the lock’. Continue reading “We Still Don’t Protect Ourselves – Some Password Statistics”

Improving Your Router’s Security

How to greatly improve the security of your home network.

That wireless router which sits, silent and unobtrusive, in the main room of your house or on a shelf somewhere near a telephone socket, providing that all important connection to the (virtual) outside world is locked up and safe, right?

Well, actually. No. Continue reading “Improving Your Routers’ Security”