Although I write about passwords about 8 times a week, it seems, it occurs to me that I haven’t–at least not recently, that I can find–written about how to make up a halfway decent password.
So, here’s how to make a decent–I won’t say great–password.
The old advice used to be to abbreviate, make your password a mnemonic. When I got my first mainframe account as a college freshman in the early 1990s, the sample password they gave me was “gnmusic6.” The “6” was random, the “gn” was the author’s initials, and “music” was because the guy said he liked music. (Did he ever. But that’s another story.)
The problem with passwords like that is like the problem with pop music–too formulaic. Humans like formulas–they’re comfortable and catchy–but they’re also predictable, so computers are really good at guessing them.
So even though password strength-checkers will say “I’malumberjackandI’mOK” is a reasonably strong password thanks to its length, use of mixed case and apostrophes, it’s not good. It’s long, and uses lots of special characters, but it’s predictable. It’s English words strung together, but it’s also something frequently quoted.
The formula I recommend right now is to use facts. Facts that have numbers and symbols in them. Looking at the ad flyer next to me, here’s something that’ll make a decent password:
It’s long. It has numbers in it. It’s mixed case (I just capped the abbreviation) and it has a couple of symbols in it. And the symbols aren’t right at the beginning or end, where humans tend to put them.
If you get coffee in the morning, you could make up something about that–the size of the cup, the price, where you get it. If your morning get-going juice is a mixture of sodas, you could probably make a decent password out of that formula.
You get the idea, I hope.
I want to get rid of passwords altogether, but we’re a few years away from being able to do that. In the meantime, we’ve got to come up with something that strikes a balance between being possible to remember, yet hard enough for a computer and another human not to guess. I don’t like it being this formulaic, but the number of possibilities is very large, and the length will help. If the goal is being impossible to guess, this doesn’t cut it. If the goal is being better than 99% of the other passwords out there–remember, a lot of people are still using “password1”–so the bad guys hack someone else, then this is sufficient.