What’s the best way to create long passwords one can actually remember?
Write a complete sentence that you can reproduce effortlessly, like the opening phrase to a favorite song. Start it with a capital letter, punctuate it at the end with exclamation or question mark. In one of the main words, replace some letters with numbers or additional special symbols, but you don’t need to do this throughout. e.g.
“Is this the real life? Is this just f@nt4sy?”
The best advice I’ve seen is to use word phrases and add numbers and symbols to comply.
TheStraightDopeMessageBoard22@@ is a ridiculous 31 characters but very straightforward.
#‘TheHungerGames:BalladOfSongbirds&Snakes’69 is even longer
Use your own life, things that, put together, are relevant to only you. Names of schools you went to. Cars you owned. People you knew. Places you’ve visited. If you can remember your own life, you can remember your password.
!Volvo240DodgeNeonFordCrownVicMazda3#
Usually, I’ll change one or more of the letter Os to zeroes, or change the letter S to a two, or a the letter I to a one.
You don’t create a password, you create a phrase you can easily recall then use mixed-case and sub-out a few letters for special characters. @ for a, ! for i, etc.
You can also take an easily remembered phrase and just use the initials.
Tbontbtitqwtnitmtstsaaoofottaaasotaboet = To be or not to be, whether tis nobler in the mind etc.
Then just swap in some numbers and special characters, and done.
This avoids dictionary type attacks that put real words together into phrases.
The absolute best way is to use a password manager and let IT worry. You just need to remember one long password/passphrase or use a hardware key like a YubiKey and a PIN.
I use RoboForm for work and Bitwarden for my family and both will generate secure long passwords or pass phrases on the fly. Both also test saved passwords against known breached passwords and notify you if they are vulnerable.
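The breach check mentioned above can be done without the manager ever sending the password anywhere. This is an added example, not RoboForm's or Bitwarden's code: it follows the k-anonymity scheme used by the Pwned Passwords range API (SHA-1 the password, send only the first five hex characters, then match the remaining 35 locally against the returned list of "SUFFIX:COUNT" lines). The range bodies and counts below are constructed so it runs offline; a real client would fetch the body for the prefix from https://api.pwnedpasswords.com/range/ instead.

```python
import hashlib

# Constructed stand-in for the range API: prefix -> response body of "SUFFIX:COUNT" lines.
# Real responses carry hundreds of suffixes per prefix; the counts here are made up,
# except that the middle suffix really is the tail of sha1("password").
SAMPLE_RANGES = {
    "5BAA6": (
        "1D2DA4053E34E76F6576ED1DA63134B5E2A:3\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824\n"
        "2AD5BE5DCCAC9DC7B35BEE2A9BA5B4C3D1A:1\n"
    ),
}


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the form the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def range_query_parts(password: str):
    """Split the digest into the 5-char prefix that is sent and the 35-char suffix kept local."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict:
    """Turn 'SUFFIX:COUNT' lines into a dict; tolerate blank lines and odd casing."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range=lambda prefix: SAMPLE_RANGES.get(prefix, "")) -> int:
    """How many times the password appears in the breach corpus (0 if unseen).

    fetch_range is injected so the same logic works against the constructed data here
    or a real HTTP GET of the prefix; only the prefix ever leaves the machine.
    """
    prefix, suffix = range_query_parts(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


if __name__ == "__main__":
    for candidate in ("password", "Is this the real life? Is this just f@nt4sy?"):
        print(repr(candidate), "seen", breach_count(candidate), "times")
```

Because only five hex characters go over the wire, the service learns that the password hashes into a bucket of several hundred candidates and nothing more; the comparison of the remaining 35 characters happens on the client.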
This^. Trying to create long memorable passwords is a mug’s game. And especially when you have over 300 of them as I do. And I doubt I’m atypical in that number.
Let your password manager handle all that stuff; that’s what they’re good at. Unlike a human mind which sucks at that skill.
When I misbehaved as a child, instead of a Time Out my parents would make me memorize famous poems, length depending on my age and how bad I’d been. Start with the second line, capitalize every word, add a standard symbol number finale … I’m well set for unique passwords for as long as my mind lasts.
Or more simply, choose two words and link them with an ampersand.
Straight&Dope
You can add numbers for additional security (or if you need more characters).
Wow - >300?!
I wonder if I have >20.
At work we had to change our passwords to a 16-character minimum for security purposes after someone had theirs phished. If you notice an incongruity there, congratulations, you are better than our IT personnel.
“K8ht_N_@_1@nds1!de,_No_ESC_frum_re@1!ty”
That is a completely insecure password. But of course, most bypasses aren’t direct, brute force attacks on passwords; they are “social engineering”, finding passwords in the trash, and back doors into the system to get access to a password hash table that can be broken at leisure. Multi-factor authentication, token or symmetric-key authentication, digital identity authentication, or biometric authentication are really necessary for secure authentication.
Stranger
Some fraction are obsolete. e.g. E-commerce vendors I’ll probably never buy from again. Although in the last week I’ve used two of those that hadn’t been touched in over two years.
Since retirement I culled all the truly work-related ones, but there are still outfits like the mass transit agency, the company-branded tchotchke vendor, etc., that originated from work but are not 100% useless. Yet.
OTOH, I have over 20 that are just the banks, brokerages, credit card issuers, insurance companies, and similar I’m actively dealing with. I don’t use every one every month, but so long as e.g. that credit card is live, so will be the need to be able to login to their site.
This is nearly the exact same thing I do. But I take a line out of a song I like, and use the first letter of each word in that line in the song. It's sometimes hard to find a song with one line in it that is 12 words long. Add a cap, number and special character as you see fit.
Sometimes compound words, like, I dunno, "Anyone", will make you flub it. Avoid compound words if you can.
Works for me, and as far as I can tell unbreakable except with brute strength.
And you can remember it. We change ours every 6 weeks.
Who are you to say I will never again buy anything from BlackBerryCasesAndMore.com?
Frequent password changes like this are not recommended by NIST; in fact they don't recommend routine password changes at all, as it leads to writing the password down or just incrementing in an obvious pattern. Long secure passwords coupled with MFA are the best protection.
Couldn’t agree more.
This causes people to throw up their hands and write it on a sticky note.
I think this is that TPTB think someone will get fired and then get in with their password. THIS kind of stuff is handled at a much higher IS level. And if someone is fired their account should be killed before they even know.
On the other hand, people do share pwd’s once in a while with a co-worker. Very, very bad practice of course. It happens when someone is away from work and asks a co-worker for info using their credentials.
A complete sentence is likely to be too long for many password prompts to accept. The suggestion in Cervaise’s post (use the initials of a long phrase) is more likely to generate a usable password. Preserve the capitalization(s) in the phrase for password prompts that insist on mixed case, and add something like “+1” at the end for password prompts that insist on a digit and a special character.
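The initials method from the "To be or not to be" post above, with the case-preserving and "+1" suffix tricks from this post, as an added example (not code from any poster): it takes the first letter of each word, swaps only the first occurrence of a few letters for the symbols suggested earlier in the thread, and checks the result against a typical length-plus-four-classes complexity rule. The substitution table and the 12-character policy are assumptions for the example; the Hamlet text is constructed sample input.

```python
import re

# Substitutions the thread suggests (@ for a, ! for i, 0 for o, 2 for s, 3 for e).
# This particular table is an assumption for the example.
SUBSTITUTIONS = {"a": "@", "i": "!", "o": "0", "s": "2", "e": "3"}

WORD = re.compile(r"[A-Za-z0-9]+")

# Constructed sample phrase (the soliloquy the thread's 39-letter example was built from).
HAMLET = (
    "To be or not to be, that is the question, whether tis nobler in the mind "
    "to suffer the slings and arrows of outrageous fortune, or to take arms "
    "against a sea of troubles, and by opposing end them"
)


def initials(phrase: str) -> str:
    """First character of each word, keeping its case so 'To' contributes 'T'."""
    return "".join(m.group(0)[0] for m in WORD.finditer(phrase))


def substitute_first(password: str, table: dict = SUBSTITUTIONS) -> str:
    """Swap only the first occurrence of each mapped letter, not every one."""
    chars = list(password)
    done = set()
    for idx, ch in enumerate(chars):
        low = ch.lower()
        if low in table and low not in done:
            chars[idx] = table[low]
            done.add(low)
    return "".join(chars)


def meets_policy(password: str, min_len: int = 12) -> bool:
    """Typical prompt rule: minimum length plus upper, lower, digit and symbol."""
    return (
        len(password) >= min_len
        and any(c.isupper() for c in password)
        and any(c.islower() for c in password)
        and any(c.isdigit() for c in password)
        and any(not c.isalnum() for c in password)
    )


def initials_password(phrase: str, suffix: str = "") -> str:
    """Initials, then first-occurrence substitutions, then an optional suffix like '+1'."""
    return substitute_first(initials(phrase)) + suffix


if __name__ == "__main__":
    short = "To be or not to be, whether tis nobler in the mind"
    for candidate in (initials(short), initials(short) + "+1", initials_password(short)):
        print(candidate, "passes policy:", meets_policy(candidate))
```

Running it shows the bare initials fail the usual prompt (no digit, no symbol), while either the "+1" suffix or a single pair of substitutions is enough to pass; the 12-word line the song post mentions is exactly what a 12-character minimum needs.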
Password manager for things you never have to type, and, as said many times, a long phrase for things you do have to type.
For the long phrase, leave in the spaces. Most places that use long passwords will accept a space. It makes the password that much longer, and makes it easier for your language brain to type. “kickingaroundonapiece” is harder to type than “kicking around on a piece”. Add numbers and special characters as necessary.
If it is a password you type very frequently, then random, mostly letters. After typing it a few times per day you’ll remember it.
It is much, much more secure to have different passwords everywhere than one long password for lots of things: password manager.