Strategies for Creating Secure—and Memorable—Passwords

You just received a notification from Lucidoc or another resource that you need to change your password. Maybe instead it's the password you use to access your organization's corporate network. Regardless, you need to come up with a new password.

Your organization may require passwords to be at least a certain minimum length and to include a mix of uppercase letters, lowercase letters, numbers, and sometimes special characters. It may enforce these requirements by configuring the network or application to reject passwords that don't meet them. How do you create a password that satisfies the requirements but is memorable enough that you're not tempted to write it on a sticky note hidden underneath your keyboard?

This article describes a few strategies that you can employ to create passwords that are secure and memorable.

Two qualities figure into password strength: length and complexity. Let's look at each of these.

Length

Length is the more important quality you should seek when you create a password. A long password (14 characters or more) of random letters or words strung together will usually be more secure than a short password with lots of complexity.

Hackers break passwords with the aid of a computer, which can try passwords against an account far faster than a human can. In a "brute force" attack, a computer systematically tries every possible combination of the characters on your keyboard, one combination at a time, but so fast that, regardless of complexity, a short password is cracked in no time. An eight-character password is no longer enough. Twelve is better, but more than that is preferred. Every character you add to your password's length substantially increases the time required for a brute force attack to succeed.

For example, according to at least one online password-strength checker, this 11-character password would require four months to crack: Ym0d@x4la$8

But add one character to it—Ym0d@x4la$8+—and you increase the time required to crack it to three years; add yet another character, for a total of 13, and you increase the time to 31 years.


As computer speed increases over time, passwords will need to be longer, but you get the idea: longer is better.

Complexity

Complexity refers to the different kinds of character sets that you incorporate into your password. The lowercase English alphabet of 26 characters is one set; the uppercase English alphabet is another; the numerals 0 through 9 are a third; and the "special characters," the symbols shown below, compose a fourth:

~`! @#$%^&*()_-+={[}]|\:;"'<,>.?/

 

If you incorporate at least one character from each of these sets, a computerized attack must try a larger number of possible combinations before it can find your password.
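To put numbers on the Length and Complexity sections (every added character multiplies the attacker's work; every additional character class enlarges the alphabet), here is a short Python example added for this article; it is not part of the original page or of any product it names. It identifies which of the article's four character classes a password uses, computes the resulting keyspace and its size in bits, and estimates exhaustive-search time at an assumed rate of ten billion guesses per second (a constructed round figure, not the rate behind the checker estimates quoted above). The special-character set is taken to be the 32 symbols listed in the article.

```python
from __future__ import annotations

import math
import string

# The article's four character classes. The special set is the 32 symbols the
# article lists (assumption: the space between "!" and "@" is not a member).
CHARSETS = {
    "lowercase": string.ascii_lowercase,
    "uppercase": string.ascii_uppercase,
    "digits": string.digits,
    "special": "~`!@#$%^&*()_-+={[}]|\\:;\"'<,>.?/",
}


def classes_used(password: str) -> list[str]:
    """Names of the classes that occur at least once in the password."""
    return [name for name, chars in CHARSETS.items()
            if any(c in chars for c in password)]


def keyspace(password: str) -> int:
    """Candidates an exhaustive search must be prepared to try: the combined
    alphabet of the classes actually used, raised to the password's length."""
    alphabet = sum(len(CHARSETS[name]) for name in classes_used(password))
    if alphabet == 0:
        raise ValueError("no recognised character class in password")
    return alphabet ** len(password)


def entropy_bits(password: str) -> float:
    """log2 of the keyspace; one more bit doubles the attacker's work."""
    return math.log2(keyspace(password))


def seconds_to_exhaust(password: str, guesses_per_second: float = 1e10) -> float:
    """Worst-case search time at an assumed guess rate. 1e10/s is a constructed
    round figure for offline cracking of a fast hash, not the rate behind the
    article's checker estimates."""
    return keyspace(password) / guesses_per_second


def growth_factor(password: str, extra: str) -> float:
    """How many times larger the keyspace becomes when `extra` is appended."""
    return keyspace(password + extra) / keyspace(password)


def human_time(seconds: float) -> str:
    """Render a duration in the largest unit that fits."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.3g} seconds"


if __name__ == "__main__":
    short, longer = "Ym0d@x4la$8", "Ym0d@x4la$8+"   # the article's examples
    for pw in (short, longer):
        print(f"{pw:13} {len(pw):2} chars  {entropy_bits(pw):5.1f} bits  "
              f"{human_time(seconds_to_exhaust(pw))}")
    print(f"one extra character multiplies the search by {growth_factor(short, '+'):.0f}")
    # Length beats complexity: 16 lowercase letters outrank 8 characters
    # that draw on all four classes.
    print(f"16 lowercase letters : {entropy_bits('a' * 16):.1f} bits")
    print(f"8 chars, all classes : {entropy_bits('Ab1!Cd2@'):.1f} bits")
```

The model only measures exhaustive search: it credits `'a' * 16` with the full 26^16 keyspace even though a cracking tool that tries repeated characters and dictionary words first would find it far sooner. That gap between "keyspace" and "what attackers actually try" is why the sections on dictionary words and sequences below matter as much as the arithmetic here.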

 

So how can you construct a password that has the necessary length and complexity and that you can also remember? The answer is with a strategy and a little creativity. Let's start with passphrases.

Passphrases

Passphrases are the password method Microsoft recommends for its internal security training. Passwords created using this method are very long but easy to remember.

Passphrases consist of a sequence of words or other text. You may have been instructed not to use a word as a password because hacking tools compare dictionary words in multiple languages to your password looking for a match. But passphrases string multiple random words together in an unpredictable order. The words and the order in which they appear may mean something to you but not to anyone else.

For example, say you and five of your friends take a trip to ride the zip lines through the forest at Canopy Tours Northwest on Camano Island in Washington State. Later, you commemorate that event with a password: 6PeopleZipLineCamano.

If your organization requires you to include special characters, you might add a sideways smiley face: 6PeopleZipLineCamano:-) or more idiosyncratically 6PeopleZipLineCamano(-:.

A 23-character password like this one would take centuries for hackers to exploit using today's technology.
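A passphrase's strength depends on how many words the attacker has to consider, not only on its character count. The following Python example is added here and is not from the original article, from Microsoft, or from any product; the word list is a constructed 32-word sample, far smaller than the lists real generators use. It draws words with the `secrets` module, computes the bits of work an attacker who knows the list and the method faces, and contrasts that with the naive per-character view.

```python
from __future__ import annotations

import math
import secrets

# Constructed sample list for the demonstration. Real generators draw from
# several thousand words; that list size is where the strength comes from.
WORDS = [
    "anchor", "basil", "canyon", "drift", "ember", "falcon", "garnet", "harbor",
    "iris", "jigsaw", "kettle", "lantern", "meadow", "nectar", "orbit", "pebble",
    "quartz", "ripple", "saddle", "timber", "umber", "velvet", "walnut", "xenon",
    "yarrow", "zephyr", "bramble", "cobalt", "dune", "fjord", "glacier", "hollow",
]


def generate_passphrase(word_count: int = 4, words: list[str] = WORDS,
                        separator: str = "") -> str:
    """Choose words with the CSPRNG behind `secrets` (never `random`, which is
    predictable). Capitalising each word keeps the boundaries readable even
    with no separator, as in the article's 6PeopleZipLineCamano."""
    if word_count < 1:
        raise ValueError("need at least one word")
    return separator.join(secrets.choice(words).capitalize()
                          for _ in range(word_count))


def passphrase_entropy_bits(word_count: int, list_size: int) -> float:
    """Strength against an attacker who knows the list and the method and so
    has list_size ** word_count phrases to try, expressed in bits."""
    return word_count * math.log2(list_size)


def char_entropy_bits(length: int, alphabet_size: int = 52) -> float:
    """What the same phrase looks like to a per-character brute force that
    does not know it is made of words (assumed alphabet: upper + lower case)."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    phrase = generate_passphrase(4)
    print(phrase)
    print(f"word-level strength, 4 words from {len(WORDS)}: "
          f"{passphrase_entropy_bits(4, len(WORDS)):.1f} bits")
    print(f"word-level strength, 4 words from 7776: "
          f"{passphrase_entropy_bits(4, 7776):.1f} bits")
    print(f"character-level view of {len(phrase)} letters: "
          f"{char_entropy_bits(len(phrase)):.1f} bits")
```

Four words from a 32-word list give only 20 bits of work to an attacker who knows the list, even though the same phrase looks like well over 100 bits to a per-character brute force; a password is only as strong as the best attack against it, so the list size (or, for a hand-made passphrase like the article's, the unpredictability of the words and their order) is what counts.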

 

Initialism Passwords

This method is recommended by the U.S. Department of Defense and included in the cybersecurity training it gives servicemembers.

Think of a sentence of at least 12 or 13 words. It can be a famous quotation, a couple (or more) lines of a song, or something else you can remember. Take the first letter of each word and assemble the letters into a string. Capitalize the letter representing the first word in the sentence and those representing any proper nouns. If there's a number in the original sentence, use the numeral in place of the spelled-out word; if the sentence contains punctuation, add it. You can get creative and substitute a special character for one of the words; for example, the dollar sign $ for an "S" or the @ symbol instead of the word "at." You can make up substitutions based on your own associations, but choose them carefully, because you need to remember them.

For example, you decide to use the first two lines of Verse 2 of Rhiannon, by Stevie Nicks:

She is like a cat in the dark
And then she is the darkness

Converted to an initialism, these lines render as: SilacitdAtsitd.

At 14 characters, this is a strong password. If you must add a numeral or a special character, you can substitute a numeral 1 for the lowercase "L" and/or substitute the ampersand (&) for "And." In some cultures, the @ symbol reminds people of a cat's tail, so if you can remember that, you might substitute the @ symbol for the word "cat." Without using the actual words from the song or its title, you can write yourself a mnemonic that reminds you what inspired the password; for example: "Stevie 2-1&2." For anyone else to make sense of this note, they must not only recognize the reference but also know what strategy you used to construct the password and what substitutions you made.
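A small Python implementation of the initialism rules just described, added as an example (it is neither the Department of Defense's nor the article's own code). It reproduces the SilacitdAtsitd result from the Rhiannon lines and applies the optional whole-word and single-letter substitutions the article mentions. The number-word table and the substitution dictionaries are assumptions made for the example; capitalization is taken from the source words, so the first word and any capitalized proper nouns come out uppercase.

```python
from __future__ import annotations

import string

# Spelled-out numbers the article says to replace with numerals (assumed table).
NUMBER_WORDS = {
    "zero": "0", "one": "1", "two": "2", "three": "3", "four": "4",
    "five": "5", "six": "6", "seven": "7", "eight": "8", "nine": "9", "ten": "10",
}


def _split_token(token: str) -> tuple[str, str, str]:
    """Split a whitespace-delimited token into leading punctuation, the word
    itself and trailing punctuation, e.g. '"dark,' -> ('"', 'dark', ',')."""
    stripped_left = token.lstrip(string.punctuation)
    leading = token[: len(token) - len(stripped_left)]
    core = stripped_left.rstrip(string.punctuation)
    trailing = stripped_left[len(core):]
    return leading, core, trailing


def initialism(sentence: str, word_substitutions: dict | None = None,
               letter_substitutions: dict | None = None) -> str:
    """First letter of each word, keeping each source word's capitalisation,
    numerals in place of spelled-out numbers, punctuation kept where it
    appears, optional whole-word substitutions such as {"and": "&"}, and
    optional per-letter ones such as {"l": "1"} applied to the finished string."""
    word_subs = {k.lower(): v for k, v in (word_substitutions or {}).items()}
    pieces = []
    for token in sentence.split():
        leading, core, trailing = _split_token(token)
        key = core.lower()
        if not core:                      # a token that is only punctuation
            piece, leading, trailing = token, "", ""
        elif key in word_subs:
            piece = word_subs[key]
        elif key in NUMBER_WORDS:
            piece = NUMBER_WORDS[key]
        elif core.isdigit():
            piece = core
        else:
            piece = core[0]
        pieces.append(leading + piece + trailing)
    result = "".join(pieces)
    if letter_substitutions:
        result = result.translate(str.maketrans(letter_substitutions))
    return result


if __name__ == "__main__":
    lyric = "She is like a cat in the dark\nAnd then she is the darkness"
    print(initialism(lyric))                                   # SilacitdAtsitd
    print(initialism(lyric, word_substitutions={"and": "&", "cat": "@"},
                     letter_substitutions={"l": "1"}))
```

Running the substituted variant on the same lines gives a 14-character string containing an ampersand, an @ and a numeral, which satisfies a typical complexity rule while the sentence that generated it stays in your head rather than on a sticky note.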

 

Kaspersky.com suggests a related strategy it calls a "Story Algorithm." We recommend you take a look at it. See https://www.kaspersky.com/blog/false-perception-of-it-security-passwords/7036/.

Avoid

Don't use sequences of letters or numbers—or even the order in which special characters appear on the keyboard. These sequences weaken a password. A password like ABCDE54321!@#$% looks strong on length and complexity alone, but the sequences of letters, numbers, and special characters are weaknesses that a hacker might exploit.

Don't use names of family members, your Social Security Number, birthday, or anything someone could glean by knowing you or studying your Facebook page.
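A defender-side check for the two points in this section, written as an added Python example and not taken from the article: it flags runs that step along the alphabet, the digits, or a US keyboard row (forwards or backwards, ignoring case) and reports whether any of a user-supplied list of personal tokens appears in the password. The keyboard-row strings are assumptions for a US layout, and the personal tokens are constructed sample data.

```python
from __future__ import annotations

import string

# Orderings that cracking wordlists and rules routinely walk through: the
# alphabet, the digits and the rows of a US keyboard (unshifted and shifted).
ORDERINGS = [
    string.ascii_lowercase,
    string.digits,
    "`1234567890-=",
    "~!@#$%^&*()_+",
    "qwertyuiop[]\\",
    "asdfghjkl;'",
    "zxcvbnm,./",
]


def find_sequences(password: str, min_len: int = 4) -> list[str]:
    """Maximal substrings of at least min_len characters that move one position
    at a time, forwards or backwards, along any ordering, case-insensitively."""
    lowered = password.lower()
    found = []
    i = 0
    while i < len(lowered):
        end = i
        for order in ORDERINGS:
            for step in (1, -1):
                j = i
                while j + 1 < len(lowered):
                    a, b = order.find(lowered[j]), order.find(lowered[j + 1])
                    if a < 0 or b < 0 or b - a != step:
                        break
                    j += 1
                end = max(end, j)
        if end - i + 1 >= min_len:
            found.append(password[i:end + 1])
            i = end + 1
        else:
            i += 1
    return found


def contains_personal_token(password: str, personal_tokens: list[str]) -> bool:
    """True if any token the user lists about themselves (a name, birth year,
    pet, and so on) appears in the password, ignoring case."""
    lowered = password.lower()
    return any(tok.lower() in lowered for tok in personal_tokens if tok)


def check(password: str, personal_tokens: tuple[str, ...] | list[str] = ()) -> list[str]:
    """Collect the findings this section warns about for one password."""
    findings = [f"sequence: {s}" for s in find_sequences(password)]
    if contains_personal_token(password, list(personal_tokens)):
        findings.append("contains personal information")
    return findings


if __name__ == "__main__":
    # Constructed sample tokens standing in for what someone could learn about you.
    personal = ["fluffy", "1999"]
    for pw in ("ABCDE54321!@#$%", "6PeopleZipLineCamano:-)", "Fluffy1999!"):
        print(f"{pw:25} {check(pw, personal)}")
```

The article's ABCDE54321!@#$% trips all three sequence detectors, while 6PeopleZipLineCamano:-) passes clean; a check like this belongs in a password-change form or a periodic audit, where it catches the patterns a length-and-complexity rule alone would wave through.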


Conclusion

There are multiple strategies for creating secure passwords. The two qualities you need to consider are length and complexity, with length being the more important. Think about phrases, events, and stories that mean something to you and weave them into a password that you can remember. Whether you choose to create a passphrase or an initialism, remember that you should choose something that employs an association that is uniquely yours and not a popular meme. By doing so, you can create passwords that are both secure and memorable.
