Creating Great Passwords
I mentioned that I use a different password on every website, which is how I could immediately tell that the file of leaked passwords I stumbled across came from LbNA. It was the one website on the entire Internet that I ever used it--it HAD to have come from LbNA. Nor was it a simple, easy-to-guess password like "letterbox", "letterboxing" or "password" (which 181, 167 and 106 people used respectively on LbNA--please don't use passwords like this!) My password had lowercase letters, uppercase letters, symbols and numbers. All jumbled up into--at a glance--a random bunch of characters.
And a couple of people commented that they don't have my awesome powers of memorization, which is why they use the same password across a lot of websites. But here's the trick--I don't either! I don't memorize my passwords... I memorize patterns!
I use patterns on the keyboard based on the type of website, the name of the website, and password requirements for the website. For instance, on Atlas Quest, I could have a password of "sw2Q!@t5t". (This is NOT my password--this is for sample purposes only.) While my LbNA password could be ";p0NHY^&aq1q".
The passwords look very different--and they're both great passwords. They have lower and upper case letters, numbers and symbols. They aren't words found in a dictionary or names of relatives or friends. A stranger who stumbled onto this password... would be pretty well stuck with hacking into the one website it's good for.
But they're really easy passwords to "remember" as well. No written notes necessary!
They're patterns on the keyboard. Each of them can be broken down into three segments:
- sw2 Q!@ t5t
- ;p0 NHY^& aq1q
- Atlas Quest
- Letterboxing North America
- sw2 - "s" is just to the right of "A", then "w" is immediately above the "s", then the number "2" is immediately above the "s". s-w-2... Stop.
- ;p0 - ";" is just to the right of "L", followed by "p" just above it, followed by "0" just above that. ;-p-0... Stop.
- Q!@ - "Q" for Quest, then "!" (immediately above the Q) and "@" (immediately to the right of "!").
- NHY^& "N" for North, then "H" (immediately above the N), "Y" (immediately above the "H"), "^" (immediately above the "Y"), and "&" (immediately to the right of the "^").
- t5t - "t" for Quest, followed by "5" then bounce down a row back to "t".
- aq1q - "a" for America, followed by "q" just above it, then "1" just above that, then back down a row to "q" again.
Here's another trick I've sometimes used for passwords... Pick a couple of words that are easy to remember, and instead of typing that exact word or phrase, click the key immediately to the right of the actual key. "letterbox" might be the most commonly used password on LbNA, but I can definitely tell you, nobody uses the password ";ryyrtnpc"! This is the word "letterbox"--but it's a very simple substitution code that replaces every letter with the one next to it on the keyboard. It can help if you're a touch-typist and don't need to look at the keyboard for this type of encoding. I just put my fingers on the keyboard where they usually go, shift my hands over one key, then type the word I'm thinking like normal. o vsm yu[r rmyotr drmyrmvrd ;olr yjod brtu wiovl;u@
You'll probably want to have a few different sequences that you use regularly. Some websites--annoyingly--don't allow symbols, so a sequence that includes symbols won't work on these websites. Other websites require a symbol in your password! So you might need to use two different types of sequences to fit both requirements, which might just be the same sequence except you use the numbers where the symbol you'd normally use would be.
Some websites might have passwords that require a minimum length and your sequence causes it to fall short--so have a plan for extending your sequence as needed, which might be nothing more than repeating the first sequence. In my sample above, I ran out of words in "Atlas Quest" to create three groupings, so my fallback was to use the last letter of the last word. (If the website name only had one word, my fall back might have been to use the last two letters of the name of the website. So my Facebook password might have been "gt5O()ki8i".
If you have multiple accounts on the same website, you might try incorporating your usename into the pattern so you can have a different password for each account on the same website.
A lot of corporate accounts often make you change your password every few weeks, which is annoying and probably causes a lot of people to write down passwords or increase the number at the end of it by 1, neither of which are particularly secure. But you might use the "pattern" trick by including the current month in your password pattern, so the last sequence of characters is the first three letters of the month name, shifted to the left on the keyboard. Or something to that effect....
You might also consider how you'll usually have to type in sequences. I will admit, the sequences I use are frustratingly annoying when I'm trying to type them into a smartphone without a proper keyboard. What symbol is above the 5? I wind up typing stuff like "#*#$&@!" which looks more like a bleeped out cuss word than my actual password, but by the time I get my password correct, I've been locked out and am cussing anyhow. =) So if it's a password you'll use a lot on a smartphone, you might design a pattern that fits your smartphone keyboard.
I also sometimes have trouble logging into my accounts when I travel internationally and am using a non-US keyboard so all of the keys are in different locations on the keyboard. I actually drew myself a "cheat-sheet" when I was hiking through France of a US keyboard layout to help me log into accounts!
I also have a couple of different sequences that I use depending on the "importance" of a website. I use a shorter, easier sequence for websites with nothing particularly valuable on it and more complex sequences for bank accounts and such.
The "pattern trick" works for stuff other than website passwords as well. I use a pattern for PINs on my credit and debit cards, so every card has a unique, random-looking PIN that I don't have to write down or memorize. If you ever find my wallet, I can assure you, "1111" or "1234" will not get any of my money out of an ATM. Nor will knowing my birthday, address, social security number, etc. You just have to start guessing, and if you do manage to get lucky and crack one of the PINs (out of 10,000 possibilities, it's actually quite possible to crack it with brute force given enough time), it won't get you into any other card.
That's the trick to creating solid, all-but-impossible-to-guess passwords that are unique to every website you use. Take a little effort to think of two or three different types of sequences you can use, and the security of your accounts increases enormously.