I recently described some of the problems with so-called complex passwords -- passwords that consist of a mix of upper- and lower-case characters, numbers, and special characters.
So here are my suggestions for creating passwords that are both strong and relatively easy to remember -- ones that should provide sufficient security for most applications while preserving ease of use:
1. Don't use strong passwords on accounts that you create solely because a website requires a login, but which does not, from your perspective, protect anything of value. Most of us have many "accounts" that we have created in order to access free resources; we never conduct online commerce with such sites nor provide them with any confidential information. The requirement to register and login is solely for the benefit of the site owner -- to track users, etc. If it doesn't matter to you if a criminal breached your "account," use a simple password. Doing so will preserve your memory for sites where password strength matters. Some might argue that it is even acceptable to reuse the same password among multiple such unimportant sites.
2. Understand that there are different levels of sensitivity. Your online banking password should be stronger than your password to a store at which you shop with one-time credit cards, which in turn should be stronger than the password used on a site on which you comment solely on unimportant matters. Keep in mind, however, that social-media authentication may be used at multiple sites -- so even if you just post cat pictures to Facebook, your Facebook account may be considered sensitive. As alluded to in the first suggestion above, unless you have a photographic memory, creating overly strong passwords for unimportant sites might make it harder to remember strong passwords when they are actually needed.
3. Whenever it is available for a site requiring security, consider using multi-factor authentication that requires you to approve logins from new devices by entering a code texted to your cellphone. I am not suggesting using weak passwords in such situations, but your use of multi-factor authentication can weigh into your decision as to how strong a password needs to be for such sites. Keep in mind, however, that other people might have access to the devices that you use to access the site.
4. For sites that need strong passwords, create a memorable, strong code by doing the following:
- Combining three or more unrelated words and proper nouns, with numbers separating them. For example: "desktop8jonathan3goats." Such a password is far easier to remember than "w4x&Py6Q." In general, the longer the words the better.
- You can ensure compliance with systems that require the use of a special character by adding a special character before each number (e.g., "desktop!8jonathan!3goats"), and still keep things easy to remember by using the same character after each word in every strong password. Such an approach is not the best way to do things from a security standpoint, but it makes memorization much easier, and the security should be good enough for most purposes anyway.
- Ideally, use at least one non-English word or proper name with which you are familiar but which others wouldn't easily guess that you selected as part of a password (so if your significant other has a non-English name don't use it!) -- e.g., "louvre!8iyengar!3goats."
- To increase password strength even further without making memorization difficult, consider using a couple of capital letters that always appear in a particular location throughout all of your strong passwords -- just don't put them at the start of words. For example, the last two letters of the second word -- "louvre!8iyengAR!3goats." You can also vary the rules by site type -- e.g., capitalizing the second letter for banks, the third for credit card companies, and the fourth for all other sites. You could also capitalize the letter corresponding to the length of the name of the site being accessed -- e.g., the fifth letter for chase.com, etc. A password created with approaches like these is a lot easier to remember than a complex, unintelligible mix of letters, numbers, and symbols, and since the pattern is similar for all of your strong passwords, it makes memorizing many of them much easier as well. As before, the security tradeoff once a password is already relatively strong is likely worth it when compared with the improvement in usability.
- There are many adjustments that can be made to the overall three-word approach -- you can dramatically improve the strength, for example, by switching to four words -- but the primary point is that there is a way to create a significant number of strong passwords without resorting to having to memorize many passwords like "w4q6zC4g&", and that the risk created by using similarly structured passwords seems far smaller than the risk of improperly storing, or frequently forgetting, complex passwords.
5. Of course, you can use a password storage tool for a smartphone -- but make sure that the app is secured with extremely strong security and is legitimate. Imagine the damage that you can suffer if you utilize such an app and somehow it is compromised or infected with malware.
6. One more thing: Do not change passwords too often. This recommendation may go against conventional wisdom, but that's because many security professionals seem to think theoretically without a good understanding of human weaknesses. The AARP itself states "Change critical passwords frequently, possibly every other week." Think about that for a moment. If you have a bank account, a mortgage, a couple of credit cards, a phone bill, a high-speed internet bill, utility bills, social-media accounts, email accounts, etc., you may easily be talking about a dozen or so critical passwords. Changing them every two weeks would mean 312 new critical passwords to remember within the span of every year. How many people stand a chance of remembering that number of codes, never mind complex codes?
Changing passwords often makes it far more difficult to remember them -- increasing the odds of their being written down and stored insecurely, of people selecting poor passwords to begin with, and of new passwords being set the same as old passwords with just minor changes (e.g., "password2" replacing "password1"). The recommendation to change all of one's passwords regularly sounds, in theory, like good advice, but, in practice, can actually harm security.
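To make the tradeoff in suggestion 4 concrete, here is an added example (not from the original post) that scores the post's sample passwords under the pessimistic assumption that an attacker already knows the structure: N dictionary words separated by single digits. The 50,000-word dictionary and the 94-symbol printable alphabet are assumptions, and the two checker functions simply encode the word/digit and capitalization rules listed above.

```python
import math
import re

# Added example, not part of the original post. Assumptions (constructed here):
# the attacker knows the structure exactly, so strength is log2 of the number of
# candidates that structure admits; dictionary sizes are illustrative round numbers.

def complex_bits(length: int, alphabet: int = 94) -> float:
    """Search space, in bits, of a random string over printable ASCII (94 symbols)."""
    return length * math.log2(alphabet)

def word_scheme_bits(words: int, dictionary: int, separators: int = 10) -> float:
    """Search space, in bits, of N dictionary words joined by single digits,
    assuming the attacker knows the pattern. A special character and capital
    letters placed by a fixed personal rule add nothing once that rule is known,
    so they are deliberately not counted here."""
    return words * math.log2(dictionary) + (words - 1) * math.log2(separators)

# Three or more alphabetic words; between each pair, an optional special
# character followed by exactly one digit (the post's "desktop!8jonathan!3goats").
SCHEME = re.compile(r"[A-Za-z]+(?:[^A-Za-z0-9]?\d[A-Za-z]+){2,}")

def follows_scheme(pw: str) -> bool:
    """True when pw matches the word-digit-word structure described in the post."""
    return SCHEME.fullmatch(pw) is not None

def capitals_not_word_initial(pw: str) -> bool:
    """The post's capitalization rule: capitals may sit inside a word, never at its start."""
    return all(not w[0].isupper() for w in re.findall(r"[A-Za-z]+", pw))

def compare(dictionary: int = 50_000) -> dict:
    """Side-by-side bits for the post's examples under the assumptions above."""
    return {
        "8-char complex (w4x&Py6Q)": round(complex_bits(8), 1),
        "3 words + digits": round(word_scheme_bits(3, dictionary), 1),
        "4 words + digits": round(word_scheme_bits(4, dictionary), 1),
    }

if __name__ == "__main__":
    for label, bits in compare().items():
        print(f"{label:28s} {bits:5.1f} bits")
    for pw in ("desktop!8jonathan!3goats", "louvre!8iyengAR!3goats", "w4x&Py6Q"):
        print(pw, follows_scheme(pw), capitals_not_word_initial(pw))
```

With these assumptions, three words plus digits lands roughly level with an eight-character random complex password, and the fourth word adds about 19 bits, which is the "dramatic" improvement the post mentions.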