
3 Surprisingly Simple Tricks for Strong Passwords You’ll Never Forget

Forget sticky notes and password resets. Follow these three easy tips to create passwords you can actually remember—and no one else can guess.

By Neil J. Rubenking, Principal Writer, Security


More than 20 years ago, Bill Gates declared password technology dead. It's true that lots of websites these days allow login using passkeys instead. But they still support passwords as a backup. Most of us still use passwords every day, dozens or even hundreds of them, and remembering them all is just impossible. If you use an easy password like your birthday or your dog’s name, hackers can guess it in a trice. Even if you strain your brain to memorize a painfully random password like &!pR8B>5.F$h%TCf, it’s no good if you use it on more than one site because a breach at one service could expose all your others. The only solution (and it’s a good one) is to use a password manager. With such a utility, using a different strong password for every website is a snap. We'll show you how.


Hard to Guess Can Mean Hard to Remember

Proper, full-featured password managers work across all your devices, whether desktops, laptops, smartphones, or tablets. They generate unguessable passwords like BnRB?,S3%2ZBoATD, remember them for you, and automatically use them to log in to your secure sites.

But there's one snag with this plan. Almost every password manager relies on a master password to lock up all those individual passwords. The master password must be uncrackable, because anyone who has access to it can unlock all your secure sites. But it must also be memorable, unlike the gibberish from random password generators. If you forget the master password, nobody can help you. On the plus side, this also means a dishonest employee can't break into your password store, and the NSA can't force the company to turn over your data.

Let's assume you've done everything right, security-wise. You've installed an antivirus or security suite. A Virtual Private Network, or VPN, wraps your network traffic in protective encryption. And you've enlisted a password manager to deal with your plethora of passwords. You’re still stuck with remembering one insanely secure master password to lock down that password manager. Here are some tips on selecting a password that's both memorable and unguessable.


1. Make Poetic Passwords

Everybody has a favorite poem or song they'll never forget. It might be a line from Shakespeare, a Taylor Swift tune, or something snarky by the Bonzo Dog Doo Dah Band. Whatever the stanza or verse, you can turn it into a password. Here's how.

Start by writing down the first letter of each syllable. Use capital letters for stressed syllables, and retain any punctuation. Let's try this line from Romeo and Juliet: "But soft, what light through yonder window breaks?" From that, you'd get bS,wLtYdWdB?. You could add A2S2 for Act 2, Scene 2 if that's something you'll never forget. Or 1597 for the play's year of publication.


If the passage doesn't have a strong meter, you can just take the first letter of each word, using the existing punctuation and capitalization. Starting with the quote "Be yourself; everyone else is already taken. - Oscar Wilde", you could come up with By;eeiat.-OW. Adding a memorable number rounds out the password, perhaps 1854 (his birthdate) or 1900 (his death).

Your poetic password will be completely different from these examples, of course. You'll start with your own meaningful song or quotation and turn it into a unique password that nobody else could guess.


2. Make Your Password a Passphrase

Password pundits always advise including all four character types: uppercase letters, lowercase letters, digits, and punctuation. The reasoning is that by expanding the pool of characters, you vastly expand the time required to crack the password. But sheer length also makes cracking harder, and one way to create a long, memorable password is to use a passphrase.

Snarky, smart webcomic XKCD took aim at wacky password schemes that suggest starting with a common word, replacing some of the letters with similar-looking numbers, then tacking on a few extra characters. That can leave you wondering. Was it Tr0ub4dor&3, or Tr0ub4dor3&? Or maybe Tr0m30ne&3? A passphrase like correct horse battery staple is significantly more difficult to crack due to its length, but also much easier to remember.

Not all password managers permit spaces in the master password. No problem! Just pick a character, like a hyphen or an equals sign, to separate the words. Pro tip—don’t use a separator that requires pressing the shift key. Pick words that don't naturally go together, then invent a mnemonic story or image to link them. What would you picture for nether-urgent-account-donkey?

If you have trouble coming up with unrelated words for your passphrase, there are many online passphrase generators, including the aptly named CorrectHorseBatteryStaple.net. You may quite reasonably worry about using a passphrase generated by someone else's algorithm. In that case, you could generate multiple passphrases and clip out a word from each.
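If you'd rather not trust someone else's generator, a passphrase can be produced locally. The sketch below is an added example, not code from the article or any product it mentions: it draws words with the operating system's cryptographic random source and reports the entropy an attacker faces when they know the word list and the word count. The embedded word list and the separator set (US keyboard layout) are constructed assumptions.

```python
import math
import secrets

# Constructed 32-word sample list, for illustration only. A real generator
# should load a large published list (thousands of words) from a local file.
WORDS = ("nether urgent account donkey correct horse battery staple "
         "anchor velvet pepper lantern gravel orbit mitten cactus "
         "walnut harbor pickle tundra saddle ribbon magnet fossil "
         "copper jungle napkin quiver bucket thistle ember puzzle").split()

# Assumption: separators typed without the Shift key on a US keyboard layout.
NO_SHIFT_SEPARATORS = "-=,.;/"


def make_passphrase(words=WORDS, count=4, separator="-"):
    """Join `count` independently chosen words with a no-Shift separator."""
    if separator not in NO_SHIFT_SEPARATORS:
        raise ValueError("separator requires Shift or is not in the allowed set")
    if len(set(words)) != len(words):
        raise ValueError("word list contains duplicates")
    # secrets.choice uses the OS CSPRNG; random.choice is not suitable here.
    return separator.join(secrets.choice(words) for _ in range(count))


def entropy_bits(list_size, count):
    """Bits of entropy when every word is drawn uniformly from the list."""
    return count * math.log2(list_size)


if __name__ == "__main__":
    # Demo output only: never adopt a phrase printed by a shared example.
    print(make_passphrase())
    print(f"32-word list, 4 words:   {entropy_bits(32, 4):.1f} bits")
    print(f"7776-word list, 4 words: {entropy_bits(7776, 4):.1f} bits")
    print(f"7776-word list, 6 words: {entropy_bits(7776, 6):.1f} bits")
```

The entropy figure depends only on the list size and the number of words, which is why a short sample list like this one is too small for real use.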


3. Pad Your Password to Make It Longer

Venerable PC maven Steve Gibson suggests the secret to long, strong passwords is padding. If an attacker can't crack your password using a dictionary attack or other simple means, the only recourse is a brute-force scan of all possible passwords. Every added character makes that attack massively more difficult.

Gibson's website offers a Search Space Calculator that analyzes any password you enter based on the character types used and the length. The calculator estimates how long it would take a brute-force attack to crack a given password. It's not a password-strength meter but rather a cracking-time meter, and it's instructive to see how the cracking time increases as you lengthen the password.


I don't try to watch people enter their passwords, but I've noticed quite a few who, based on hand motions, appear to enter three exclamation points. That's not the padding I'd suggest. First, it requires the shift key. Second, it's too predictable. I wouldn't be surprised if password-cracking toolkits already included "!!!" in their dictionaries.

Instead, pick two close-at-hand keys and alternate between them, adding something like vcvcvcvc. Or choose three characters, like lkjlkjlkjlkj. Gibson's calculator says it would take over 45 years for a "massive cracking array" to crack bS,wLtYdWdB? (the Romeo and Juliet password from my earlier example). Adding vcvcvcvc raises that to more than a quadrillion centuries.
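The two cracking-time figures above can be reproduced with a short search-space calculation. This is an added example, not code from the article or from Gibson's site; the per-class alphabet sizes and the rate of 10**14 guesses per second are assumptions chosen to model the kind of calculator described.

```python
import string

# Assumptions (not taken from the article): per-class alphabet sizes and a
# guess rate of 10**14 per second for the "massive cracking array".
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}
GUESSES_PER_SECOND = 10**14
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def alphabet_size(password):
    """Sum the sizes of every character class that appears in the password."""
    classes = set()
    for ch in password:
        if ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.digits:
            classes.add("digit")
        else:
            classes.add("symbol")  # anything else is counted as a symbol
    return sum(CLASS_SIZES[c] for c in classes)


def search_space(password):
    """Candidates an exhaustive search tries: every length from 1 up to len."""
    size = alphabet_size(password)
    return sum(size**k for k in range(1, len(password) + 1))


def years_to_exhaust(password, rate=GUESSES_PER_SECOND):
    """Worst-case years to try the whole search space at the given rate."""
    return search_space(password) / rate / SECONDS_PER_YEAR


if __name__ == "__main__":
    base = "bS,wLtYdWdB?"          # example password from the article
    for pw in (base, base + "vcvcvcvc"):
        print(f"{len(pw):2d} chars, alphabet {alphabet_size(pw)}: "
              f"{years_to_exhaust(pw):.3g} years")
```

The calculation counts exhaustive search only, the scenario the padding argument rests on; it does not model dictionary or pattern-based guessing.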


Bonus Tip: Use Multi-Factor Authentication

Congratulations! You’ve devised a long but totally memorable master password. There’s just one thing. A shoulder-surfer with a good memory who sees you type that password could use it to open your password vault. More likely, a hacker using a data-stealing Trojan could capture the password. Now what?

The solution is to bolster master password protection with an additional form of authentication. Multi-factor authentication typically involves at least two of these three types: something you know (like a password), something you have (like a smartphone app), and something you are (like a fingerprint).

Most password managers let you use an authenticator app for added security. Now, a password thief can’t get into your vault using the password alone. Without the code from your authenticator app, there’s no way to access those treasured account passwords.


Long, Strong, and Memorable

Once you've invested in a password manager and converted all your logins to use strong, unique passwords, the only password you’re still stuck with remembering is the one that opens the password manager itself. That master password unlocks everything else, so you really need to spend some time coming up with a master password you can remember easily, but that would be impossible for someone else to guess or crack.

Work up a password based on a poem, song, or famous quote. Or create a passphrase by linking unrelated words to a memorable image or story. Then, add some easy-to-type padding. You'll wind up with a master password that's both memorable and uncrackable.

For more password tips, read our guide to building your own uncrackable password generator.

About Our Expert

Neil J. Rubenking


Principal Writer, Security

My Experience

When the IBM PC was new, I served as the president of the San Francisco PC User Group for three years. That’s how I met PCMag’s editorial team, who brought me on board in 1986. In the years since that fateful meeting, I’ve become PCMag’s expert on security, privacy, and identity protection, putting antivirus tools, security suites, and all kinds of security software through their paces.

Before my current security gig, I supplied PCMag readers with tips and solutions on using popular applications, operating systems, and programming languages in my "User to User" and "Ask Neil" columns, which began in 1990 and ran for almost 20 years. Along the way, I wrote more than 40 utility articles, as well as Delphi Programming for Dummies and six other books covering DOS, Windows, and programming. I also reviewed thousands of products of all kinds, ranging from early Sierra Online adventure games to AOL’s precursor Q-Link.

In the early 2000s, I turned my focus to security and the growing antivirus industry. After years of working with antivirus, I’m known throughout the security industry as an expert on evaluating antivirus tools. I serve as an advisory board member for the Anti-Malware Testing Standards Organization (AMTSO), an international nonprofit group dedicated to coordinating and improving testing of anti-malware solutions.

The Technology I Use

Much of the testing I do, particularly testing with real-world ransomware, is just plain dangerous. To perform such tests safely, I sequester them inside virtual machines managed by VMWare Workstation. For cross-platform testing, I use a MacBook Air, a Google Pixel 4, and a 6th-generation iPad.

I rely on my Delphi coding skills to create and maintain small applications. These include programs to check whether an antivirus correctly handled the malware it detected, launch dangerous URLs and record the security program’s reaction, and analyze the malware that I collect for use in testing. I also wrote a tiny browser and text editor for use in testing security apps that have predefined reactions for known products.

I do my writing and research on a Dell OptiPlex desktop, relying on Microsoft Word (my fingers know all the shortcuts). Many of my articles include charts and analysis; Excel is my go-to for those. When work hours end, though, I escape the bounds of Microsoft and Windows. There’s an iPhone in my pocket, I relax with my oversized iPad, and my Kindle Oasis is always loaded with the best science fiction and fantasy.
