AppellaTech: Tips on Creating Strong Passwords

As any parent of young kids knows, getting kids to eat their vegetables is a constant struggle. They're important for good health, and they're not nearly as bad as most kids make them out to be. In fact, once you give them a chance, you realize they're actually really good. (If you cook Brussels sprouts right, they can be down right amazing.) And yet, the goal of getting kids to eat vegetables is a constant struggle. If you're like me, you end up making eating vegetables a prerequisite for a desired reward (dessert).

There's an adult equivalent of this. It's getting full-grown adults to form a safe password.

You did it, didn't you? You rolled your eyes and thought, "Oh no, not THIS conversation again!" Passwords are important for your computer/financial/online-anything health! It's really not as bad as you're making it out to be. Plus, once you give it a chance, it can even be fun! Okay, maybe "fun" is overselling it. Let's go with interesting.

I'm not going to spend a great amount of time telling you why you should work on having a good password. If you don't already know that by now, I can only conclude you are completely devoted to a campaign of willful ignorance, rendering my explanations useless. Instead, I want to devote the bulk of this article to providing tips on creating strong passwords.

But maybe I can do a little bit of both by way of setting up what makes passwords good or bad. A bad password is short, has common words, and is used by the same person across a variety of accounts.

Let's start with short. As of 2012, it was possible to hack 7-character passwords within six hours. (This is for encrypted files. Online passwords on websites that limit your number of tries are different.) Each additional character multiplies the time needed to crack a password.

The hazard of common passwords should be obvious. If it was an easy idea, then a lot of other people also thought of it and use it. A common password is naturally commonly guessed by hackers. "Letmein" is not a good password. And almost everyone loves pizza. Seriously, stop putting "pizza" in your password. Because this is a Texas-based newsletter, I will warn you that "comeandtakeit" is also a really bad password.

Then there's use over multiple accounts. If you have one password, even a really complex password, that you use for every single thing requiring a password, then you only need to be hacked once before every other account you have is now compromised. So not only has your Instagram account been compromised, so has your email account, your bank account, and your credit card account. Plus, once your email account has been compromised, the hacker can quickly learn what other accounts you have, leaving only your password as your protection.

As you've by now guessed, then, a hard-to-hack password is long, uses random letters and characters, and is used for only one account. While such a password is ideal, it runs up against an inherent problem with human memory. We are terrible at remembering multiple sequences of random letters and numbers. If you try that, while you've effectively prevented anyone from accessing your accounts, you will likely end up being one of the people effectively prevented from accessing your accounts.

So the trick to coming up with a strong password is to create one that looks random to everyone else but has a hidden meaning that only you can easily remember. I'm going to spend the rest of this article recommending three different methods to try to achieve this.

Before I begin, though, I have to emphasize something. I will be using examples to illustrate the principles for creating passwords. DO NOT USE THE EXAMPLES AS YOUR PASSWORD! While this column has not yet achieved worldwide popularity, it is nevertheless publicly available. By using a password that is publicly available, you've defeated the entire goal of making a hard-to-guess password. Use the principles given, but base your password on your own unique formulation.

The Sentence-Acronym Method

What's a sentence that you can rattle off the top of your head with little thought? Let's take the first sentence of the Gettysburg Address. "Four score and seven years ago our fathers brought forth on this continent, a new nation, conceived in Liberty, and dedicated to the proposition that all men are created equal." What does that look like if we take the first letter of each word (preserving capitalization)? FsasyaofbfotcannciLadttptamace. (Yes, this is unnecessarily long. As I said, it's an example.)

What if we change the number-words into actual numbers? 4sa7yaofbfotcannciLadttptamace. Just looking at it, it looks random and it has uppercase letters, lowercase letters, and numbers. But you know it's the Gettysburg Address, which you memorized in middle school and has been rattling around in your brain ever since. Now it's your shield against hackers. Thanks, Abraham Lincoln. First emancipating slaves, now this!

Mind you, there are two critical features you need here. First, it should preferably be something you already have memorized, and that you memorized a long time ago. If you memorized it a long time ago and still remember it, you're more than likely going to continue to remember it. If you've only recently memorized something, you don't know yet that you have it stored in long-term memory. A hard-to-guess password that you can no longer remember is a real problem. If you want to go with something newer, try it out on a less-important account for a while.

Second, try to make it something you have memorized but few other people have. For that reason, the Gettysburg Address may not be the best candidate. (It's rattling around in a number of other heads.)

As you may have realized, this still suffers from the problem of being only one password. If you use the same one for every account, you still have a weakness. So how do we avoid this? Add a unique identifier at the end that is relevant to the account.

Let's say this is your bank account password and you bank with Bank of America. Add the name of the bank to the end (still going with first letter acronyms). 4sa7yaofbfotcannciLadttptamaceBoA. This offers a slight improvement, but the variation is still rather guessable. Let's add a little more. Say you have multiple bank accounts, but Bank of America is your primary account. In your head, think, "Bank of America, primary bank account." BoA1ba. Add it to your sentence, and you have 4sa7yaofbfotcannciLadttptamaceBoA1ba. Then your JP Morgan Chase account (your secondary account) becomes 4sa7yaofbfotcannciLadttptamaceJPMC2ba.

Those are some pretty darn good passwords you've got there.

How about a play on the Dos Equis advertising campaign? "I don't always use social media, but when I do, I primarily use Facebook." IdausmbwIdI1uF. Three parts of that password change for varying accounts. "Social media," "primary," and "Facebook." This increases the complexity of your password for would-be hackers.

Another possibility: "I want to rock and roll all night and use Google primarily to send emails." IwtraranauG1tse. There's at least one theme song from a TV show you watched as a child that you could still belt out at a moment's notice. Make use of it. Remember that song you used to sing over and over again as you pined for your massive crush? (You remember. "Strumming my pain with his fingers...") That song is never going away. Bet that refrain could make a great password.
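As an added example, not part of the original newsletter, here is the Sentence-Acronym Method written out in Python: the first letter of each word with capitalization preserved, number-words turned into digits, and a per-account tag appended. The article's own sentences and bank-account tags are embedded only to check the routine against the results printed above. Two details are my assumptions about how the author formed the examples: the digit mapping is extended past "four", "seven" and "primary" to the other number and ordinal words, and an all-capital token such as "JP" is kept whole so that "JP Morgan Chase" yields "JPMC".

```python
import re

# Words the article spells as digits when building the acronym: number-words
# ("Four" -> 4, "seven" -> 7) and ordinal hints ("primary" -> 1, "secondary" -> 2).
# Extending the mapping past the article's own examples is an added assumption.
DIGIT_WORDS = {
    "zero": "0", "one": "1", "two": "2", "three": "3", "four": "4",
    "five": "5", "six": "6", "seven": "7", "eight": "8", "nine": "9",
    "first": "1", "primary": "1", "primarily": "1",
    "second": "2", "secondary": "2",
    "third": "3", "tertiary": "3",
}

# The article's example sentences, embedded here only to exercise the code.
GETTYSBURG = ("Four score and seven years ago our fathers brought forth on this "
              "continent, a new nation, conceived in Liberty, and dedicated to the "
              "proposition that all men are created equal.")
DOS_EQUIS = "I don't always use social media, but when I do, I primarily use Facebook."
ROCK_AND_ROLL = "I want to rock and roll all night and use Google primarily to send emails."


def sentence_acronym(sentence):
    """First letter of each word, case preserved; number and ordinal words become
    digits. An all-capital token such as "JP" is kept whole (assumption made to
    reproduce the article's "JPMC")."""
    pieces = []
    for word in re.findall(r"[A-Za-z][A-Za-z']*", sentence):
        digit = DIGIT_WORDS.get(word.lower())
        if digit is not None:
            pieces.append(digit)
        elif word.isupper():
            pieces.append(word)
        else:
            pieces.append(word[0])
    return "".join(pieces)


def account_password(sentence, account_hint):
    """Base acronym plus a per-account tag. The tag is itself an acronym of a phrase
    such as "Bank of America, primary bank account", so one leaked password does not
    unlock the other accounts."""
    return sentence_acronym(sentence) + sentence_acronym(account_hint)


def main():
    print(sentence_acronym(GETTYSBURG))        # 4sa7yaofbfotcannciLadttptamace
    print(account_password(GETTYSBURG, "Bank of America, primary bank account"))
    print(account_password(GETTYSBURG, "JP Morgan Chase, secondary bank account"))
    print(sentence_acronym(DOS_EQUIS))         # IdausmbwIdI1uF
    print(sentence_acronym(ROCK_AND_ROLL))     # IwtraranauG1tse


if __name__ == "__main__":
    main()
```

The routine is deterministic, which is the whole point of the method: you never store the password, only the sentence and the account phrase, and regenerate it in your head.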

Play around with it and it could start being interesting or (dare I say it?) fun.

The Unique Image Method

The next idea is to take four common but unrelated words and stick them together. The example from xkcd is "correct horse battery staple." While each word by itself is common, the four together are not. The challenge, then, is how to remember this random collection. Granted, it's only four words (or more, if you wish). But remembering them can still be a challenge. The idea is to come up with an image that contains all four words and (preferably) indicates the order of the four words. Humans are better at recalling images than written words, and this method plays on that memory trick. Returning to the example in xkcd, the image is of a horse looking at a battery with a staple in it, saying, "battery staple," and someone else saying "correct." (The efficacy of this method is proven by looking at the image in the link instead of relying on my description.)

I have heard that the less G-rated an image is, the easier it is to remember. But proceed with caution on that. There will be times in your life that you will have to share your password with someone. Make sure it's something that won't make you stammer and turn red when conveying it.

This method, like the one above, suffers from the problem of only being one password. You can either try coming up with four words that you associate with the account (you'd have to be loose on the association, though; otherwise, you make it guessable), or you can add acronyms on to the end as in the example above.
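The length argument earlier (a 7-character password versus longer ones) and the four-word method both rest on the same arithmetic: how many equally likely possibilities an attacker must try. This added Python example (mine, not the author's or xkcd's) makes that explicit. The 7776-word list size (the length of the EFF long word list), the 95-character printable-ASCII alphabet and the attacker guess rate are assumptions passed in as parameters, and the tiny embedded word list is constructed only so the code runs offline.

```python
import math
import secrets

# Constructed word list so the example runs offline. It is far too small for real
# use; a real list should have thousands of entries (the EFF long list has 7776).
SAMPLE_WORDS = [
    "correct", "horse", "battery", "staple", "window", "pencil", "garden", "rocket",
    "cactus", "marble", "violin", "anchor", "pepper", "wallet", "silver", "ladder",
]


def entropy_bits(symbol_count, alphabet_size):
    """Bits of entropy in a secret made of symbol_count picks, each uniformly random
    from an alphabet of alphabet_size symbols (characters for a password, words for
    a passphrase). Only holds when the picks really are random."""
    return symbol_count * math.log2(alphabet_size)


def seconds_to_exhaust(bits, guesses_per_second):
    """Worst-case time for an offline attacker to try every possibility. The guess
    rate is an input assumption, not a measurement."""
    return 2.0 ** bits / guesses_per_second


def generate_passphrase(word_list, word_count=4):
    """Words picked with the OS random source. Picking the words yourself because
    they fit a story makes them guessable; pick first, then build the image that
    ties them together."""
    return [secrets.choice(word_list) for _ in range(word_count)]


def compare_schemes(word_list_size=7776, word_count=4,
                    password_length=7, charset_size=95):
    """Four random words from a large list versus a fully random character password
    of the length the article's 2012 cracking figure refers to. 7776 = EFF long
    word list, 95 = printable ASCII; both are assumptions."""
    return {
        "single_word_bits": entropy_bits(1, word_list_size),
        "passphrase_bits": entropy_bits(word_count, word_list_size),
        "password_bits": entropy_bits(password_length, charset_size),
    }


if __name__ == "__main__":
    words = generate_passphrase(SAMPLE_WORDS)
    print(" ".join(words), f"({entropy_bits(len(words), len(SAMPLE_WORDS)):.1f} bits "
          f"from this toy list of {len(SAMPLE_WORDS)})")
    for name, bits in compare_schemes().items():
        print(f"{name}: {bits:.1f} bits")
    # Each extra word (or character) multiplies the search space, not adds to it.
    rate = 1e9  # assumed guesses per second; change to match your threat model
    for n in (3, 4, 5):
        hours = seconds_to_exhaust(entropy_bits(n, 7776), rate) / 3600
        print(f"{n} words from 7776: {hours:,.1f} hours at {rate:.0e} guesses/s")
```

Two things the numbers show that the prose only asserts: a single common word is worth under 13 bits, so "common" is fine as long as the combination is random, and four random words from a large list already carry more entropy than a fully random 7-character password.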

The Nonsense Rhyme Method

Like visual images, we are better at remembering rhyming phrases than a non-rhyming random string of words. This is why ballads were a popular form of entertainment for centuries. The storyteller could better remember long stories by memorizing a series of rhyming words that told the story. If it was good enough for Chaucer, then it's good enough for your passwords!

One of the examples that I enjoyed from the paper proposing this method was "And British fiction engineer; Travolta captured bombardier." Like the Unique Image Method, it helps to memorize this phrase by coming up with a mental image that you can recall to help you enter the password. The hard part is coming up with a random phrase that rhymes. Worry not, the authors of the paper that proposes this idea have offered to do it for you! Just email the authors, and they will send you your very own personalized rhyming password! (The link is to the Washington Post article, which explains how to contact the authors.)

Just like all the others, you can still improve on this method by adding a short identifier unique to each account (described in the Sentence-Acronym Method) at the end. This way, if someone is able to access your password for one account, they aren't automatically granted access to all other accounts you hold.

Email Variation

One last idea. This has less to do with passwords, but is related to the strength of having different passwords for different accounts.

Many email service providers allow you to create what I call "sub-accounts." They're not really different accounts. You can just designate different suffixes to your account name and that modified email address will still result in your receiving the email. For example, let's say your account is standardemail@gmail.com. Going back to the examples of having a Bank of America account and a JP Morgan Chase account, let's say you tell Bank of America that your email address is standardemail+BnkAm@gmail.com. That email works and shows up on your regular email account. Then you can tell JP Morgan Chase that your email is standardemail+JPMorg@gmail.com. Just like the Bank of America account, emails will show up in your regular account. But both of your bank accounts store differing email addresses.

The reason this is beneficial is that, if you use a standard password across accounts (or one with the modifiers at the end that I suggested), someone who learns your email address for Bank of America will not automatically know your email for JP Morgan Chase or any other account you have. Sure, they'll know your standard email address. But they won't automatically know what you told JP Morgan Chase was your email. And they need to know that PLUS your password in order to gain access to your online account. It's an added layer of complexity (for hackers) that is relatively easy for you to remember.

If the hacker gains access to your email, all of your extensions will also be revealed. (Are you seeing why your passwords for your email addresses are perhaps your most important ones to protect?) But if a hacker gains access to anything else, they still have to guess how to access the other accounts.

Many email providers have a method for doing this. There are instructions for Google, Yahoo, and Hotmail. There's a good chance that other email providers offer the same. It's worth using if it's available to you.
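The plus-addressing described above is easy to check mechanically. The following added example, which is not from the article or from any email provider, splits an address such as standardemail+BnkAm@gmail.com into the real mailbox and its tag, builds the tagged address to hand to a given service, and confirms that two differently tagged addresses land in the same inbox, which is exactly why the email account itself is the one most worth protecting. It assumes the Gmail convention: everything after the first '+' in the local part is a tag. The mailbox and tags are the article's own constructed examples.

```python
from typing import Optional, Tuple


def split_subaddress(address: str) -> Tuple[str, Optional[str]]:
    """Split "user+tag@example.com" into the mailbox it actually delivers to and
    the tag. Follows the Gmail convention assumed here: everything after the first
    '+' in the local part is the tag (so "a+b+c" carries the tag "b+c"). Domains
    are case-insensitive and are lowercased; local-part case is left alone because
    providers differ on it."""
    local, at, domain = address.strip().rpartition("@")
    if not at or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    base, plus, tag = local.partition("+")
    if not base:
        raise ValueError(f"empty local part before '+': {address!r}")
    return f"{base}@{domain.lower()}", (tag if plus else None)


def tagged_address(mailbox: str, tag: str) -> str:
    """Build the address to hand to one service, e.g.
    ("standardemail@gmail.com", "BnkAm") -> "standardemail+BnkAm@gmail.com"."""
    if not tag or any(ch in tag for ch in "@ \t\r\n"):
        raise ValueError(f"unsuitable tag: {tag!r}")
    base, existing = split_subaddress(mailbox)
    if existing is not None:
        raise ValueError(f"mailbox already carries a tag: {mailbox!r}")
    local, _, domain = base.rpartition("@")
    return f"{local}+{tag}@{domain}"


def same_mailbox(a: str, b: str) -> bool:
    """True when two addresses, tagged or not, deliver to the same inbox. This is
    what makes the trick convenient, and also why a compromised inbox exposes
    every tag at once."""
    return split_subaddress(a)[0] == split_subaddress(b)[0]


if __name__ == "__main__":
    inbox = "standardemail@gmail.com"  # the article's example mailbox
    for service, tag in (("Bank of America", "BnkAm"), ("JP Morgan Chase", "JPMorg")):
        addr = tagged_address(inbox, tag)
        print(f"{service}: {addr} -> delivers to {split_subaddress(addr)[0]}")
    print(same_mailbox("standardemail+BnkAm@gmail.com",
                       "standardemail+JPMorg@GMAIL.COM"))
```

Some sign-up forms reject a '+' in an email address, so try a tagged address on a low-stakes service before relying on it, and remember that the tag appears in every message the service sends to your inbox: it separates accounts from one another, not from anyone who can read your mail.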

See, that wasn't so bad, now was it? As a reward, here's a recipe for a delicious way to cook Brussels sprouts.