In an earlier article I described some of the problems with so-called complex passwords - passwords that consist of a mix of upper and lower case characters, numbers, and special characters.
So, here are my suggestions for creating passwords that are both strong and relatively easy to remember - passwords that should provide sufficient security for most applications while preserving ease of use:
1. Don't use strong passwords on accounts that you create solely because a website requires a login, but which does not, from your perspective, protect anything of value. Most of us have many "accounts" that we have created in order to access free resources; we never conduct online commerce with such sites nor provide them with any confidential information. The requirement to register and login is solely for the benefit of the site owner - to track users, etc. If it doesn't matter to you whether a criminal breaches your "account", use a simple password. Doing so will preserve your memory for sites at which password strength matters. Some might argue that it is even acceptable to reuse the same password among multiple such unimportant sites.
2. Understand that there are different levels of sensitivity. Your online banking password should be stronger than your password to a store at which you shop with one-time credit cards, which in turn should be stronger than the password used on a site on which you comment solely on unimportant matters. Keep in mind, however, that social media authentication may be used at multiple sites - so even if you just post cat pictures to Facebook, your Facebook account may be considered sensitive. As alluded to in the first suggestion above: unless you have a photographic memory, creating overly strong passwords for unimportant sites might make it harder to remember strong passwords when they are actually needed.
3. Whenever it is available for a site requiring security, consider using multi-factor authentication that requires you to approve logins from new devices by entering a code texted to your cellphone. I am not suggesting using weak passwords in such situations, but your use of multi-factor authentication can weigh into your decision as to how strong a password needs to be for such sites. Keep in mind, however, that other people might have access to the devices that you use to access the site.
4. For sites that need strong passwords, create a memorable, strong code by doing the following:
5. Of course, you can use a password storage tool for a smartphone - but make sure that the app itself is strongly secured and is legitimate. Imagine the damage that you can suffer if you utilize such an app and somehow it is compromised or infected with malware.
6. One more thing - do not change passwords too often. This recommendation may go against conventional wisdom - but that's because many security professionals seem to think theoretically without a good understanding of human weaknesses. The AARP itself states "Change critical passwords frequently, possibly every other week." Think about that for a moment. If you have a bank account, a mortgage, a couple of credit cards, a phone bill, a high speed Internet bill, utility bills, social media accounts, email accounts, etc., you may easily be talking about a dozen or so critical passwords. Changing them every two weeks would mean 312 new critical passwords to remember within the span of every year. How many people stand a chance of remembering that number of codes, never mind complex codes? Changing passwords often makes it far more difficult to remember them - increasing the odds of their being written down and stored insecurely, of people selecting poor passwords to begin with, and of new passwords being set the same as old passwords with just minor changes (e.g., "password2" replacing "password1"). The recommendation to change all of one's passwords regularly sounds, in theory, like good advice, but, in practice, can actually harm security.