How To Choose And Remember Secure Passwords


From email to online banking, passwords are an essential element of your online life. How can you make sure that they’re secure and memorable?

Australians are gradually becoming more aware that ‘password’ and ‘0000’ don’t really cut it when it comes to setting passwords (or PINs). According to the recently released 2009 Salmat VeCommerce Identity Verification Study, 51% of Australians think their passwords are at risk because they’re too easy to guess.

However, there’s a big gap between recognising that problem and doing something about it. Follow the guidelines below to create passwords that are relatively secure and not too hard to remember. Yes, a lot of this advice may seem obvious to experienced geeks — but bitter experience shows that far too many of us ignore it.

What makes for a good password?

Here are the basic guidelines that are almost universally promoted for creating passwords:

Don’t just use a single dictionary word. These are far too easy to guess, and can potentially be defeated with “automated attacks” which simply try every conceivable word. While many online services limit repeated login attempts, why take the risk?

Use a mixture of numbers, lower case and upper case letters. It’s much harder to guess a sequence that includes both letters and numbers. (You can also use punctuation marks for further variety, but some applications won’t accept these.)

Aim for at least eight characters. Longer passwords are harder to crack. Six characters is often the minimum requirement, but eight or more is better.

Many online services enforce these rules when you create a password, blocking any passwords that don’t meet those requirements. But even when there’s open choice to create whatever password you like, they make good sense.

Things not to do with passwords

Don’t use any of the many obvious choices. These include: your name, your maiden name, your home town, your birthdate, all or part of your phone number, and the words ‘password’ or ‘admin’. Anything that’s obvious information associated with you is a needless password risk, especially in an era where people openly display their favourite things on social networking sites.

Don’t use the same password for multiple, sensitive applications. It’s tempting, once you’ve come up with one strong password you can remember, to use it on multiple web sites and applications. But that multiplies the risk: if someone discovers your password, they’ve got access to all your applications, not just one. For one-off passwords (like registering for free software downloads that don’t gather much personal information), repetition may occasionally be OK, but on the whole it’s best avoided.

Don’t record passwords in obvious places. As well as the obvious physical locations (post-it notes, address books), keeping your passwords in a file called ‘passwords’ on your PC is a dumb idea, especially given the speed of search features these days.
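The three guidelines above and the “obvious choices” and reuse rules are easy to turn into an automatic check. The following is an added example, not code from the article: a small Python checker that reports which of those rules a candidate password breaks. The word list, the sample personal facts and the “already used for banking” password are constructed for the demonstration; a real deployment would load a full dictionary file.

```python
import re

# Constructed stand-in for a real word list: a few entries are enough to show
# the check (assumption: a real deployment would load a full dictionary file).
DICTIONARY = {"password", "admin", "welcome", "monkey", "dragon", "sunshine"}


def _has_character_mix(password):
    """Lower case, upper case and at least one digit, as the article asks."""
    return (any(c.islower() for c in password)
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password))


def check_password(password, personal_info=(), used_elsewhere=()):
    """Return the names of the article's rules that the candidate breaks.

    An empty list means the password passes every check. Rules:
    length of at least eight, a mix of lower/upper case and digits,
    not a single dictionary word (with or without a couple of trailing
    digits), no fragment of obvious personal information, and no reuse
    of a password already used on another sensitive site.
    """
    problems = []
    lowered = password.lower()

    if len(password) < 8:
        problems.append("too_short")

    if not _has_character_mix(password):
        problems.append("no_character_mix")

    # 'dragon12' is still a dictionary word to a wordlist attack.
    core = re.sub(r"\d{0,2}$", "", lowered)
    if lowered in DICTIONARY or core in DICTIONARY:
        problems.append("dictionary_word")

    # Name, home town, birth date, phone number: flag any four-character
    # run of a fact that appears in the password (catches partial phone
    # numbers and years as well as whole words).
    for fact in personal_info:
        fact = str(fact).lower()
        if any(fact[i:i + 4] in lowered for i in range(len(fact) - 3)):
            problems.append("personal_info")
            break

    if password in set(used_elsewhere):
        problems.append("reused")

    return problems


if __name__ == "__main__":
    # Constructed sample: a fictitious user's facts and a password already
    # used for online banking.
    facts = ["Angus", "Sydney", "1975", "0412345678"]
    banking = {"Tr4velToMars"}
    for candidate in ["password", "Dragon12", "Sydney1975", "Tr4velToMars", "Kq7mWp2xLt"]:
        print(f"{candidate:16} {check_password(candidate, facts, banking) or 'ok'}")
```

Running the demo prints one line per candidate; “Sydney1975” fails only on the personal-information rule even though it has the right length and character mix, which is the point of checking the two kinds of rule separately.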

A final pointer: make sure that you are running good security software (check out our best antivirus software and best malware removal software Hive Fives for some suggestions) and that you regularly install operating system patches. That minimises the risk of keylogger malware (which records every keystroke you type, and can potentially be used by hackers to discover your password) being surreptitiously installed on your system.

How am I supposed to remember my passwords?

Knowing the rules is one thing, but how can you apply them and have any hope of remembering all the relevant passwords? Here are a few popular techniques — see if one of them appeals.

Have a master password and a site rule. One popular technique is to have a basic secure password, and then a rule for adjusting it on different sites. For instance, if your “master password” is a34tklbbcr, you might create passwords for sites by placing the first two letters of the name in front, and the next two at the end. Hence your eBay password could be eba34tklbbcray, while your Gmail password could be gma34tklbbcril.

Use the “first line of a song” trick. A good way of creating non-dictionary words is to grab the initial letters in the first line of your favourite song. For instance, let’s suppose you’re a big fan of “You’re The One That I Want” from Grease. The opening line is “I got chills, they’re multiplying and I’m losing control”. Take the initials and you get igctmailc.

Substitute letters for numbers. Sometimes referred to as “leetspeak”, this approach allows you to meet the letters/numbers requirement and still have vaguely memorable words. Common substitutions are the number 1 for I or L, 3 for E, 5 for S and 0 for O or D. Applying them, you could change lastone to 1a5ton3.

Glue together a few words. If you really have trouble remembering words, stick a few of them together and mess around with the capitalisation. This is probably less secure than the previous approaches, but still better than plain single-word passwords.
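The site rule, the song-initials trick and the leetspeak substitutions are mechanical enough to write down as code. The following is an added example, not code from the article, implementing the three techniques as the text describes them and then chaining them. The site rule is coded as worded (letters one and two of the site name in front, letters three and four at the end), which yields eba34tklbbcray for eBay and gma34tklbbcrai for Gmail; applying every substitution in the article's leetspeak list turns lastone into 1a5t0n3, and leaving o out of the table gives the article's 1a5ton3.

```python
import re

# The substitutions the article lists: 1 for I or L, 3 for E, 5 for S, 0 for O or D.
LEET = {"i": "1", "l": "1", "e": "3", "s": "5", "o": "0", "d": "0"}


def site_rule(master, site_name):
    """Master password plus site rule: the first two letters of the site
    name go in front, the next two go at the end."""
    name = site_name.lower()
    return name[:2] + master + name[2:4]


def song_initials(line):
    """First-line-of-a-song trick: the initial letter of each word, lower
    cased, with punctuation ignored. An apostrophe keeps a contraction as
    one word, so "they're" contributes only a t."""
    words = re.findall(r"[A-Za-z][A-Za-z'\u2019]*", line)
    return "".join(word[0].lower() for word in words)


def leetspeak(word, table=LEET):
    """Swap letters for look-alike digits, using every entry in `table`."""
    return "".join(table.get(c.lower(), c) for c in word)


def combined(first_line, site_name):
    """Chain the techniques: song initials, then leetspeak, then the site rule."""
    return site_rule(leetspeak(song_initials(first_line)), site_name)


if __name__ == "__main__":
    master = "a34tklbbcr"
    grease = "I got chills, they're multiplying and I'm losing control"
    print(site_rule(master, "eBay"))        # eba34tklbbcray
    print(site_rule(master, "Gmail"))       # gma34tklbbcrai
    print(song_initials(grease))            # igctmailc
    print(leetspeak("lastone"))             # 1a5t0n3
    print(combined(grease, "eBay"))         # eb1gctma11cay
```

One thing the code makes visible: every site-rule password contains the master unchanged between two predictable letters, so if one site's password leaks, the shared core goes with it. That makes the rule a memory aid for low-value accounts rather than a substitute for distinct passwords on the sensitive ones, in line with the reuse advice above.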

Automating the process

There are plenty of ways you can ensure that your passwords are safe without having to devote huge acres of mental space to remembering them. Here are some posts we’ve featured in the past on useful products and techniques:

Lifehacker 101 is a weekly feature covering fundamental techniques that Lifehacker constantly refers to, explaining them step-by-step. Hey, we were all newbies once, right?


  • My pet hate when it comes to security is services that themselves force me to neglect the “Don’t use any of the many obvious choices” rule.

    Picture this: you’re signing up for a new online service. Because they are security conscious, they want you to pick a password at least 8 characters long, with a mix of upper and lower case letters, numbers and punctuation. All well and good so far. Oh, and in case you forget your password and need to do something with your account, please provide answers for these security questions.

    …really? So, anyone who can state my mother’s maiden name, the town I was born in, and the first car I drove (or some other obvious information) can access my account? Because that’s not accessible at all with half an hour’s work on Facebook.

    Some services offer you an option to write your own question, but many don’t. Apple’s iTunes was the most infuriating for me: very restrictive on passwords and for some reason requiring that I supply them with two email addresses (one of which became my log-in), but with a common list of 9 security questions. I tend to treat them as if they were more password boxes, and put my own non sequitur (at least to outside eyes) responses in them.
