At last - a strong yet memorable password method

I apologise if this is well known, but I’ve just discovered it. I’ve always been concerned about the pathetic weakness of my passwords that I use as I wander around the internet. My problem is that I’d like them to be obscure, while at the same time being memorable - something I’ve never managed to achieve.

Until now; I came across this solution in a magazine. Take a phrase or sentence that means something to you: for example, ‘my mother is 57 years old’, and take the first letter of each word or number. In this case, ‘mmi57yo’, or ‘My favourite film is The Taking Of Pelham 123’: ‘MffiTTOP123’. Brilliant.

This is the best that I have come across to date. I am now the password master. (Well, it’s a lot better than what I did before.)

That is the method I recommended years ago when I was in information security. If it is case sensitive, use a number sequence (say a PIN) to make those characters the opposite case.

Mind you, mffi followed by a film title with a number in it is probably in most hacking lists, as would be mfbi (band), mffti (football team, probably sf49), etc.


Personally I like lines from songs myself. Obscure songs.

And I thought I was doing so well. :frowning:

Yes, I see that they ought to be more obscure. How about: Omca3c:1r,2b

(On my chair are 3 cushions: 1 red, 2 blue)

This is similar to the method I recommend. I suggest finding a line from a song or poem that you like; when people give me bovine looks of incomprehension I’ll suggest a mother goose rhyme for them. Then I put in a punctuation mark, a capital or two, and I change a letter or two in it to a number. So they might get Mha11,wfwwas (Mary had a little lamb whose fleece was white as snow).

Perfect if the platform allows ASCII codes from 33 to 126, as most do, but I’m not sure that everything allows ‘:’.

But that is the principle - a phrase that you have picked. Hackers use password dictionaries that just pump through words in the dictionary plus every combination they can think of. There are a limited number of words, names, dates, etc., but an 8-digit apparently random arrangement of letters, numbers and special characters is about 20 trillion combinations. That needs a big input file and takes a long time to run.


Just think up one password that consists of a group of letters or numbers that mean something to you, but doesn’t have any meaning in any language that you know. “Meaning something to you” is an abstract concept - it could be a pattern of the position of keys on a qwerty keyboard, it could be the musical key changes to your favorite melody or it could be something else entirely. Keep this password in your head and never write it down.

Select a math formula that will transpose those numbers and letters in a predictable sequence.

Write that formula down somewhere where you will remember it. It really doesn’t matter too much if someone discovers it. The key is in your head.

You can now use the same formula to make different passwords for all your needs; you just have to remember, or write down, the order of the passwords that you make.

In the past, my favorite trick was a way to safely write PINs down in your wallet.

Have one good old favorite PIN that you always remember, say 2745.
Now, when you need a new PIN, just choose a totally random one, say 5988.

Here’s the trick: no-carry add each digit of your new PIN to the favorite old one and then write it down in your wallet.

5 9 8 8 + 2 7 4 5 = 7 6 2 3
(Remember, drop the carry. We are adding digits individually.)

Now, when you need the PIN, whip out your little slip of paper with 7623 written on it and subtract your one favorite PIN from it (subtract each digit in isolation, providing an extra 10 where needed).

7 6 2 3 - 5 9 8 8 = 2 7 4 5

It’s a simple way to safely write down a boatload of different PINs without anyone ever figuring it out.
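The no-carry trick from the post above, written out as an added example (not the poster's own code): storing a PIN is digit-wise addition modulo 10 with the favourite PIN, and recovering it is the same operation with the sign flipped. PINs are handled as strings so a leading zero survives.

```python
# Added example, not from the thread: the "no-carry" PIN trick is digit-wise
# addition modulo 10, so writing the slip and reading it back are the same
# operation with the sign flipped. PINs are kept as strings so that a leading
# zero (e.g. "0712") survives; converting them to ints would silently drop it.


def _digits(s):
    """Split a PIN string into a list of its digits, rejecting anything else."""
    if not s.isdigit():
        raise ValueError(f"PIN must be digits only, got {s!r}")
    return [int(c) for c in s]


def _digitwise(a, b, sign):
    """Combine two equal-length digit strings position by position, mod 10."""
    da, db = _digits(a), _digits(b)
    if len(da) != len(db):
        raise ValueError("PIN and favourite PIN must have the same length")
    # (x + y) % 10 drops the carry; (x - y) % 10 supplies the "extra 10"
    # whenever a single-digit subtraction would go negative.
    return "".join(str((x + sign * y) % 10) for x, y in zip(da, db))


def encode_pin(new_pin, favourite):
    """Value to write on the slip: each digit of new_pin plus the matching
    digit of favourite, carry dropped."""
    return _digitwise(new_pin, favourite, +1)


def decode_pin(stored, favourite):
    """Recover the real PIN from the slip: each stored digit minus the
    matching favourite digit, borrowing a 10 where needed."""
    return _digitwise(stored, favourite, -1)


if __name__ == "__main__":
    # Figures from the post: favourite 2745, new PIN 5988 -> the slip reads 7623.
    slip = encode_pin("5988", "2745")
    print(slip, decode_pin(slip, "2745"))
```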

NineToTheSky, when you get that smartphone you ordered, why not find a good password safe application?

I use a tool called SplashID on my iPhone and it currently has close to 200 passwords contained within, for anything from Unix machines at work to my Victoria’s Secret credit card number (for the wife!). All of these bits of info are encrypted and locked up with one key password.

Whenever I need a new hard password I hit the “Generate” button and it creates one for me of any desirable length and composition. This is one of my most important smartphone apps.

The reason I put in punctuation marks is because I read somewhere that they make the password stronger.

Quite right but if you tried to create my user name at many other sites it would be impossible because of the ', they just don’t allow it.

This may be the perfect demonstration as to why I’m not very good at passwords, but if I understand your method correctly, shouldn’t that last sum be
7623 - 2745 = 5988?

An excellent idea. But unlike your method above and my OP method, aren’t you dependent on that program? If it gets erased or corrupted - you’re stuffed, aren’t you?

This is what I use, a line or two from a song I know the words to.
Oh, say can you see
By the dawn’s early light
Becomes OscysBtdel (2 caps, random, should be fairly strong). You can write down Francis Scott Key as the password hint.
Or if you are a Glen Campbell fan
I am a lineman for the county
And I ride the main roads
becomes Iaal4tcAIrtmr (random, 3 caps, 1 number, should be very strong).
I can write down Wichita or lineman, or Glen Campbell for the hint.
Anyway this system works for my 3 watt brain.

Someone on the SDMB also advised preceding a password with a non-letter or number character, as most brute force attacks begin with the alphabet.

I also repeat a phrase 1-3 times too, including the non-letter character. And substitute numbers for letters where obvious. And capitalize where logical.

So “Mary had a little lamb” could be %Mh4ll%Mh4ll%Mh4ll

Ridiculously complex, yet very easy to remember. You could even write down “Mary had a little lamb” and even someone who knew your method would spend forever trying to crack it.

Where length is not a big issue (WPA2 passphrases, for example), the whole phrase should be plenty strong enough (i.e. ‘So bring us some Figgy Pudding’ as opposed to ‘SbusFP’) - with the advantage of being even more memorable.

Because although real, whole words are technically susceptible to dictionary attack, with AES encryption I don’t think there’s any way to crack them one word at a time - in the above example, attempting to use “So bring me some Figgy Pudding” should be just as unsuccessful as an attempt to use any other string of random characters.

The problem for me is that I have a hard time remembering a lot of different mnemonic devices, each for a different password. Instead, I’ve often used keyboard patterns. For instance: zse4$RFVvgy7&UJM. This is an “M” pattern going up from Z, going down from 4, going back up at V, going back down at 7, holding down the SHIFT key alternately.

For PINs, I’ve written them in my contact list as a phone number. If my PIN for Visa, for example, is “1234”, I might write it as “Victor 345-1234” (the three-number extension is irrelevant). I figure that if someone finds my contact list, they won’t assume that’s something fishy because I don’t have a friend named Victor.

I do combinations like the first three letters of my first pet’s name, the number of the house I lived in when I was a baby, and the last two letters of my mom’s maiden name; the only other rule is that any letter that comes after a number is upper-case. So I get stuff like:


If there must be a strange character, it goes before the number, like hun%513Re.

To refresh my password, it’s the next pet, and next house.

Further to all this, how likely is it that someone is going to attempt to crack my password? Is all this complexity actually necessary?

In my experience, hackers often don’t even find it’s necessary, they just use social engineering, such as phishing. And I’m amazed at the number of people who still put their passwords on post-it notes under their monitors, or leave their logged-in computers unattended. We have IT security people here at work who patrol for just such foolishness.

I’ve been doing this for years, since way before cell phones; I just made it a “contact” in my good old-fashioned address book or calendar, which I was still carrying in my purse as late as 2004.

When I was the system admin at a hotel, company policy required a new password each 30 days (you couldn’t repeat a password within 12 months’ time) AND, get this, you had to have at least one number, one uppercase letter, one lowercase letter and one NON-letter symbol like % or & or *.

This was always a complete mess. It resulted in everyone locking themselves out of the computer (you only had three tries before it locked you out). Of course, everyone solved this issue by writing their password on a sticky note and putting it on their computer.


At one time I had bookmarked a site that generated passwords. It allowed the user to specify a pattern of digits and letters, for example, aaaNaaaAA, where the small a’s are random lowercase letters, the big A’s are random uppercase letters and the N’s are digits. For some reason I find it easy to remember passwords with this pattern as long as each of them starts with a different letter. For instance, if I can remember that the password of my workstation starts with ‘n’, then the rest of the pattern just comes to me. I have about a dozen in my head that I rotate through.
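A pattern generator in the notation the post describes (a, A, N), as an added example rather than the site the poster bookmarked: it draws each position with the secrets module and also reports how many bits of randomness a pattern holds, including the loss when the first letter is a remembered, fixed choice. The alphabets assigned to a, A and N are the post's; the entropy helper is an addition.

```python
# Added example, not from the thread: a generator for pattern strings in the
# post's notation, "aaaNaaaAA" (a = random lowercase letter, A = random
# uppercase letter, N = random digit). It uses the secrets module, so the
# draws are unpredictable, and it reports how much randomness a pattern holds,
# which is what guessing resistance rests on once the pattern itself is known.
import math
import secrets
import string

ALPHABETS = {
    "a": string.ascii_lowercase,  # 26 choices
    "A": string.ascii_uppercase,  # 26 choices
    "N": string.digits,           # 10 choices
}


def pattern_entropy_bits(pattern, fixed_positions=0):
    """Bits of entropy in a password drawn uniformly from pattern, ignoring
    the first fixed_positions characters (e.g. a remembered first letter)."""
    return sum(math.log2(len(ALPHABETS[c])) for c in pattern[fixed_positions:])


def generate(pattern, first=None):
    """Draw a password matching pattern. If first is given it is fixed as the
    first character, the post's "starts with 'n'" memory hook."""
    unknown = set(pattern) - set(ALPHABETS)
    if unknown:
        raise ValueError(f"unknown pattern characters: {sorted(unknown)}")
    chars = [secrets.choice(ALPHABETS[c]) for c in pattern]
    if first is not None:
        if first not in ALPHABETS[pattern[0]]:
            raise ValueError(f"{first!r} does not fit position {pattern[0]!r}")
        chars[0] = first
    return "".join(chars)


def matches(password, pattern):
    """True if password has pattern's length and every character comes from
    that position's alphabet."""
    return len(password) == len(pattern) and all(
        ch in ALPHABETS[p] for ch, p in zip(password, pattern)
    )


if __name__ == "__main__":
    pat = "aaaNaaaAA"
    pw = generate(pat, first="n")
    print(pw, matches(pw, pat))
    print(f"{pattern_entropy_bits(pat):.1f} bits, "
          f"{pattern_entropy_bits(pat, fixed_positions=1):.1f} with the first letter known")
```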

Aha, here it is.