How to create a good, strong, random but memorable password

The world is moving to the cloud and so securing your accounts and personal data is more important than ever. In fact, it is essential. The first step in this process is to make sure that your passwords are “strong”.

The Wikipedia definition of a strong password is:

Password strength is a measure of the effectiveness of a password in resisting guessing and brute-force attacks. In its usual form, it estimates how many trials an attacker who does not have direct access to the password would need, on average, to guess it correctly. The strength of a password is a function of length, complexity, and unpredictability.

The problem is that most people are generally terrible at picking passwords – certainly at picking “unpredictable” passwords.

So here’s my approach for selecting passwords for people that I am sure will help you too.

We’re going to use the PCTools.com Random Password Generator for a lot of this.

1. Once we connect to the site above, let’s select the following options:

The options are:

  • Password Length – this should be at least 8 characters long – but not more than 10 characters if you want to make it easy to remember (which we do)
  • Show Phonetics – this can be useful but not essential.
  • Include Letters – we absolutely want passwords with letters in them
  • Include Mixed Case – although not essential, adding mixed case can really strengthen a password and so I would recommend that you use this option.
  • Include Numbers – this will help strengthen your password too and does not simply mean replacing “O” with “0” (oh with zero)
  • Include Punctuation – this setting will totally wreck the “easy to remember” element of this process and so I leave this setting switched OFF.  We can always add punctuation after – manually.
  • No Similar Characters – this is a useful option to have switched ON so that we don’t get 1’s and l’s which can be confused and impact its memorability.
  • Quantity – we want to have the largest number of passwords to choose from, so bump this up to the highest number – 50.

Once you have these settings correct, then press “Generate Password(s)” and see what your options are:

As you can see, this is just a quick excerpt from the list of passwords. What I do is scan the list looking for passwords that are completely random and odd, but ones that you could remember. These are usually ones that have a nice distribution of vowels to create combinations that could be words, but aren’t.

For example, here is one that I would select from this list:

So as you can see – spava6AN – is a completely random password.  It includes mixed case, a number and should be relatively easy to remember.

Let’s try it in a useful tool called “How Secure is My Password”:

As you can see – a “standard” desktop PC using “brute-force” methods to crack passwords would take 10 days to crack this one!

What’s also nice about this tool is that it points out an element that might be missing from your password – in this case it doesn’t have any symbols or punctuation, which can really help strengthen your password further.

Let’s add an exclamation mark (“!”) to the end of our password – spava6AN! – and try it in the same tool to see what we get:

And there you go – now your password would take 12 years to crack just using standard technology.
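The generator options chosen above can also be reproduced locally. This is an added example, not code from PCTools or from either strength-checking tool: the look-alike character set and the guess rate are assumptions, and the function names are made up for illustration. It builds the alphabet from the same options, draws the passwords from the operating system's secure random source, and works out the entropy and average brute-force time for each setting.

```python
import math
import secrets
import string

# Look-alike characters dropped by the "No Similar Characters" option.
# This exact set is an assumption; the page does not list the site's own.
SIMILAR = set("il1Lo0O")


def build_alphabet(mixed_case=True, numbers=True, punctuation=False, no_similar=True):
    """Return the characters allowed under the chosen generator options."""
    chars = string.ascii_lowercase
    if mixed_case:
        chars += string.ascii_uppercase
    if numbers:
        chars += string.digits
    if punctuation:
        chars += string.punctuation
    if no_similar:
        chars = "".join(c for c in chars if c not in SIMILAR)
    return chars


def generate(length=8, quantity=50, **options):
    """Generate candidates with the OS CSPRNG (secrets), not the random module."""
    alphabet = build_alphabet(**options)
    return ["".join(secrets.choice(alphabet) for _ in range(length))
            for _ in range(quantity)]


def entropy_bits(length, alphabet_size):
    """Bits of entropy when every character is drawn uniformly at random."""
    return length * math.log2(alphabet_size)


def average_crack_days(length, alphabet_size, guesses_per_second):
    """Average brute-force time: half of all candidates up to `length` characters."""
    space = sum(alphabet_size ** k for k in range(1, length + 1))
    return space / 2 / guesses_per_second / 86400


if __name__ == "__main__":
    RATE = 1e9  # guesses per second: a constructed figure, not either tool's
    for length, punct in [(8, False), (10, False), (8, True)]:
        size = len(build_alphabet(punctuation=punct))
        print(f"length={length} punctuation={punct} alphabet={size} "
              f"bits={entropy_bits(length, size):.1f} "
              f"avg_days={average_crack_days(length, size, RATE):.1f}")
    print(generate(quantity=5))
```

The bit counts assume every character is chosen uniformly at random, so they are an upper bound for a password hand-picked from the list because it is pronounceable.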

So – please change your simplistic passwords to something more secure and use the approach outlined here to help make them easy to remember too.

2 Responses to How to create a good, strong, random but memorable password

  1. Ivesomthingtosay December 19, 2011 at 2:22 pm #

    http://xkcd.com/936/ <— pretty telling
    https://www.grc.com/haystack.htm <– shows that spava6AN can be cracked in less than a day with a sustained botnet attack, and spava6AN! can be cracked in less than 3 months. As XKCD points out, it's not the complexity, it's all about the length. Complexity is just a crutch for lazy typists.

    "correct horse battery staple" would take "about 2 nonillion years" according to "How secure is my password?". I know which one would stick in *my* head more successfully. In fact, "oooooooooooooooo" would take 5 million years to crack according to "How secure…?" And you know what? "Correct horse battery staple!" is off the hook…

  2. issty December 19, 2011 at 3:50 pm #

    A secure password …
    … Is long enough (10 characters minimum would be)
    … Has minimal repetition
    … Has nothing recognizable
    … Is a combination of letters, numbers and symbols