11 June 2012
I have a long history with passwords, but the latest LinkedIn compromise brings passwords to mind again and I’d like to share some thoughts on a simple method for creating complex, unique, memorable passwords that are hard for the bad guys to crack.
As this Gibson Research calculator makes clear, length and complexity add a lot of security to a password. But how can you get length and complexity and still remember your passwords, especially when it is essential that you give every site a different password? The best answer I’ve come up with is similar to the answer at Gibson: padding. But my padding is a bit more complex than theirs.
I devise a prefix and suffix that is complex but easy to remember. For example, the prefix “PW:” and suffix “;don3”. These provide the complexity and some length. They have upper and lower case letters, some punctuation, and a number. You should not use these (these are not even the ones I use), but come up with your own along similar lines.
Then for every site I come up with a simple but unique middle. So my Amazon password might become “PW:books;don3” where my Apple password might be “PW:steve;don3”.
The result is a unique password for every site with the length and complexity to fend off easy attacks. Some horrible sites force me to change my password every few months; for those I just add a number that I increment, like “PW:silly2;don3”.
Unfortunately, some vendors insist on coming up with rules of their own and I inevitably have a few sites that rule out my method for no good reason (one awful example: a bank that limited passwords to eight characters!). This is why I also use a piece of password “vault” software to keep track of passwords. My preferred vault is 1Password, which exists for Macs, Windows, iOS, and Android devices.
Have fun out there, and use a long, complex, memorable, and unique password at every site you value!