Right now you’re scrambling to change all your passwords. If you’re not, you should be. In the wake of a couple of massive security breaches—one at LinkedIn that nabbed 6.5 million passwords and another at eHarmony that compromised 1.5 million accounts—security experts are advising that people change their passwords at the affected sites and at every other site where they used a similar password. By now you’ve probably heard the time-worn guidelines for creating strong passwords: Don’t use your name or other common words. Use different passwords for different sites. Change them often. Choose security questions that don’t involve information that everyone knows about you, or stuff that crooks can easily find on Facebook.
For a lot of people, myself included, these rules are too much trouble. We’ve all got too many online accounts, so keeping track of different, ever-changing strong passwords for each site seems like a gargantuan task.
Well, I’ve got a better way. In 2011, I stumbled upon a foolproof system to fix all your terrible, vulnerable passwords in just five minutes. My method, which I nicked (the irony) from a commenter at a security forum—who says Web commenters are good for nothing?—generates very strong passwords that are also very easy to remember. This means that you can create good passwords for every site you visit.
Enough preamble. Here we go.
The old, still very good way to fix your terrible passwords: Come up with a short phrase you’re likely to remember. Just like in school, it helps to make your mnemonic really bizarre—the stranger the phrase, the easier it’ll be to remember. For example, Kelly Brook is the most amazing woman in all the world, or Jeremy Clarkson decided to make 10 waffles. Notice that my phrases use a mix of capitalized and lowercase words, and I added some numbers as well.
To make a password, just take the first letter of each word in your phrase. The sentences above would turn into KBitmawiatw and JCdtm10w. Both of those passwords are extremely strong—they’re long, and they’re free of common English words that can be guessed by a computer.
You can generate different passwords for different sites by varying your phrase slightly for each one. The phrase LinkedIn is terrible at securing its passwords so it’s my 10th favorite social network will create a password for LinkedIn (LIitasipsim10fsn) as well as for Twitter (Titasipsim9fsn), Facebook, MySpace, and on and on.
You’ll want to reserve the most distinct passwords for sites where breaches would cause you a lot of trouble—your financial institutions and your webmail accounts, which hold the keys to the rest of your online life. (If a bad guy gets into your email, he can use the password reset feature to get into lots of other accounts, too.)
The new, even better way to fix your terrible passwords (which sadly doesn’t work everywhere): Start with the same method as above—choose a short, memorable phrase. And that’s it. Instead of turning the phrase into a one-word password, just use the whole phrase as your password. For instance, kelly loves when clarkson makes waffles. That’s a memorable phrase, and it’s also an extremely strong password just by itself—stronger, even, than a password made up of that phrase’s initial letters. Typing the whole thing in is easier than typing a jumble of symbols and uppercase and lowercase letters, and it’s easier to remember, too.
I didn’t come up with the idea of using a short phrase as a password. The credit should go to Thomas Baekdal, who runs the online magazine Baekdal, and who wrote about this method way back in 2007. Baekdal points out that if a crook were using a “brute force” attack to find your password—that is, a program that repeatedly tries to guess your password by using every potential combination of characters—the attacker would need about 219 years to guess a six-character password like J4fS<2. That’s not bad, but a short phrase of common words is even stronger. For instance, the phrase this is fun is 10 times stronger than J4fS<2—it would take a brute force attack 2,537 years to guess that phrase. And, obviously, this is fun is much easier to remember. The online comic strip XKCD repeated Baekdal’s point in a wonderful strip last year. The caption: “Through 20 years of effort, we’ve successfully trained everyone to use passwords that are hard for humans to remember but easy for computers to guess.”
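To make both methods concrete, here is an added example (my code, not the author's or Baekdal's) that derives the first-letter password from a phrase and estimates how long exhaustive guessing would take for it versus the whole phrase. The time model is a plain count of all strings over the character classes used, at an assumed rate of 10^9 guesses per second, so its years differ from Baekdal's figures above; the word rules (leading digits kept, later capitals kept, as in "LinkedIn" giving "LI") are my reading of the article's own examples, not a rule the author states.

```python
import re

# Character classes for the estimate; they partition the 95 printable ASCII chars.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "space": 1, "punct": 32}


def initials_password(phrase: str) -> str:
    """Turn a phrase into the first-letter password described above.
    Rules read off the article's examples (my reading, not the author's spec):
    a word starting with digits contributes those digits ("10th" -> "10");
    any other word contributes its first character plus any later capitals
    ("LinkedIn" -> "LI", "Kelly" -> "K")."""
    tokens = []
    for word in phrase.split():
        digits = re.match(r"\d+", word)
        if digits:
            tokens.append(digits.group())
        else:
            tokens.append(word[0] + "".join(c for c in word[1:] if c.isupper()))
    return "".join(tokens)


def keyspace_size(password: str) -> int:
    """Strings an attacker must try in the worst case, assuming they know the
    length and which character classes were used, and nothing else."""
    classes = set()
    for c in password:
        if c.islower():
            classes.add("lower")
        elif c.isupper():
            classes.add("upper")
        elif c.isdigit():
            classes.add("digit")
        elif c == " ":
            classes.add("space")
        else:
            classes.add("punct")
    alphabet = sum(CLASS_SIZES[k] for k in classes)
    return alphabet ** len(password)


def brute_force_years(password: str, guesses_per_second: float = 1e9) -> float:
    """Worst-case time to exhaust the keyspace at a constant guess rate."""
    return keyspace_size(password) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    for pw in ("J4fS<2", initials_password("Jeremy Clarkson decided to make 10 waffles"),
               "this is fun", "kelly loves when clarkson makes waffles"):
        print(f"{pw!r}: {brute_force_years(pw):.3g} years at 1e9 guesses/s")
```

The model ignores dictionary and phrase-based guessing, which is why a phrase should be your own rather than a famous quotation; the point it does show is that length beats character variety.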
I tried this method at several of the sites I frequent most. It works at Gmail, LinkedIn, Twitter, and Facebook, among others, and I encourage you to use short phrases as passwords there. But it doesn’t work at my bank, nor is it allowed at the many other sites that impose a maximum length on passwords and/or don’t allow spaces in passwords. Both of these requirements are pretty stupid. Limiting the number of characters in a password only makes passwords less secure, and a ban on spaces forces you to use special characters, which are harder to remember. I’m hoping that eventually, all sites come around to dropping their arcane password rules in favor of a much simpler password dictate: Pick a short, unique phrase.
But that could take a while. In the meantime, either use a password manager or the first or second of my suggested methods, depending on the site. Whatever you do, just do it—your passwords are a mess, and you should really, really fix them now.