Creating a password

LOL As if, "password already in use."

I recently shared with my friends a method that I developed, for making passwords. I like it, and it works for me. It might not be for everyone, but maybe the general idea could inspire you!

For example, I start with two simple words that I can relate to. I'm rather a hippie, so let's take Tree and Leaf. Then, I combine them! Treeleaf. Now, I can choose either first letter of either word to be capital. Usually one capital is enough. Let's use treeLeaf. At this point, I want to make it stronger, instead of ridiculously simple (dictionary words are just that.) So, I use the leet language!

Leet:
A = 4
E = 3
O = 0
I = 1

Sometimes, other letters get more numeric representations, but you get the idea. We only need a couple, or so. So:
treeLeaf -> tr33L34f

Password strength? Amazing! It's still logical, which makes it not impossible to crack (hackers), but it's better than most. Most people still use 1234, their name, a name of a relative or pet, or their birthdate in different formats. All of those are worse than this.

Enjoy.

Does anyone else have good ways of creating strong passwords? My work makes me choose a new password every three months for one system and about every month for the other system, what with banks and other accounts, I'm finding it easy to get confused!

The best passwords are just a long string of words that you can remember. When a system requires numerals and special characters, I usually put in a "1!" at the end.

Hi Nancy,

Most families have a private language of select words and phrases that have meaning to members of the family but not to outsiders.  I look in that direction when I am seeking a password. For most private languages I have encounter, these are comprised of modifications of words or experiences.  To invent an example, maybe a kitten that hung around the kitchen was referred to as a Kittchin by your child in the first house you lived in after you were married.  Your young child, Debbie, had trouble pronouncing her name.


Dobbie’s1stworthingtonkittchin

You would easily remember that password.  It would not be guessed.  Of course, there is room for numerous modifications.

Nancy Reading wrote:Does anyone else have good ways of creating strong passwords? My work makes me choose a new password every three months for one system and about every month for the other system, what with banks and other accounts, I'm finding it easy to get confused!

I have a system. I feel it is not wise to tell my system.

Jeremy VanGelder wrote:The best passwords are just a long string of words that you can remember. When a system requires numerals and special characters, I usually put in a "1!" at the end.

Came here to say this: XKCD explains it well, thank you.

My trouble isn't just creating one strong password and remembering it, it is having a good one, and then having to change it each month! At the moment I'm thinking I could do something with song lyrics - pick one or two songs, take a word off each and mix them together - adding !1, ?2, or whatever is a good idea thanks Jeremy!
So I could have Seargean Pepper and Strawberry fields forever:
"It was twenty years ago today Sergeant Pepper taught the boys to play"
and
"Let me take you down, 'cause I'm going to Strawberry Fields"
could become:
"ItwasLetme!1"
then
"Twentyyearstakeyou"2"
and so on

As long as I remember the song used, I can work out a new password and remember the last one. The only downside is that if someone knows your previous passwords, they could probably crack the system too. I guess if the password field characters are limited, you'd have to truncate the words, but that would be doable.

The goal with creating a good password is to force a hacker to do a brute force hack. They will start by guessing all the common passwords and variations and lists from hacked accounts. If none of those work, then they have to do a brute force hack where they start with 1 letter and keep adding until they figure it out. Like trying every single combination on a combination lock... they will get it eventually but it will take a long time. They start with a, then b, then c, etc. Then aa, ba, ca, da, etc. This is very tedious even with powerful computers. If you can create a password that is not on any lists, then they are forced to guess it 1 character at a time, which is called brute force hacking. And if you can get to that point, then length matters more than complexity.

From a brute force hack standpoint "3&RF08gj" is easier to crack than "D0g......." and yet the second is FAR easier to remember. There is a site that talks about this and also has a free password calculator. It calculates how long it would take to brute force hack a password. Keep in mind that if the password is a common one or is on a list somewhere, it will be found out much faster because they wouldn't be brute forcing it, they would be comparing it to a list. https://www.grc.com/haystack.htm

As for creating passwords, I usually suggest people look around the room and pick three unrelated things, put them together with a number, capital, and symbol. A puppy, a water bottle, and a glove becomes Something like "3PuppyBottleGlove!"

Something that I use every day is a password manager. I like Lastpass myself. These password managers are much more secure than what is built in to the browser. They allow you to come up with 1 really good password that you can remember, and that locks up a vault of all your other passwords. All those other passwords don't even have to be remember-able because the plugin can fill it in for you, or you can copy and paste the password. That was how they came up with their name, the last password you will ever have to remember. Most have a built in password generator, so you can great things that are 25 characters long very easily without having to remember them.

Nancy Reading wrote:Does anyone else have good ways of creating strong passwords? My work makes me choose a new password every three months for one system and about every month for the other system, what with banks and other accounts, I'm finding it easy to get confused!

I am in the same boat, and my solution is to "go nuts" with the kooky passwords and write it all down in a little notebook i keep in a drawer in my desk (call me old fashioned but i am not thrilled about password keeper companies that might close and leave me in the lurch, and the physical keyfob things here cost way too much money for me, also don't work with some things like my banking apps). It lets you be really creative with what you choose without worrying you won't be able to remember.

I think all of these will result in good passwords.
The US government used recommend a lot of complex password rules, but recently scrapped all of it in favor of a simpler recommendation (NIST SP800-63b):

Go long. At least 8 characters.

I never thought of using a phrase.  I use simple words that mean something to me that no one else knows.  Usually a street, a flower or dog.

I also use numbers that have a meaning like a house address or telephone number.

My special character also have a special meaning.

I also use backwards and forwards...

My company has rolling password resets and it can get frustrating at times trying to remember a variety of different logins.

I TOTALLY wouldn't do it but I have heard of someone who just keeps adding an additional "*" character to their usual go-to password every time.

Timothy Norton wrote:My company has rolling password resets and it can get frustrating at times trying to remember a variety of different logins.

I TOTALLY wouldn't do it but I have heard of someone who just keeps adding an additional "*" character to their usual go-to password every time.

Which is actually why NIST switched their recommendations. They found that the recommendation to reset the password every 60-90 days did not increase security at all, as it was plenty of time for an attacker to do whatever they wanted, and it actually reduced security, because people did just that. They would just add a 1, and the next time switch it to 2, and so on. That is where a password manager can really help. It allows you to change them when you have to, but make good ones each time without worrying about remembering it.

I have read both that: using a phrase makes for a safer password *and* that changing them less often improves security. However, in Nancy's case, she doesn't get to choose.

So consider thinking up a series of Q&A's that few people would know the answer to?

For me, one possible question would be: Where was your favorite place as a child? Here is a made up answer: I loved our cottage on Beaver Lake. The number of people still alive who would remember the real location of our cottage that was sold 50 years ago, is small and getting smaller. Thus, this sentence  would be hard to guess. Similarly, a sentence including the name of my stuffed toy that I remember garbaging 50 years ago, would be very hard to guess.

Similarly, a note book in my desk that had the questions written in them, with some innocuous title on the page like, "stories I'd like to write," would help you remember without writing down the actual password.

And in an effort to help out your future selves, name your pets something unusual and bizarre! Spot doesn't make the cut. Venus Fly Trap is better!

I would strongly recommend a decent password manager and if you don't like having a company involved then keepass is a good option.

Personally I use bitwarden (it can be self hosted) and have used Lastpass (not really recommended as their history isn't great.).

Matt McSpadden wrote:Which is actually why NIST switched their recommendations. They found that the recommendation to reset the password every 60-90 days did not increase security at all, as it was plenty of time for an attacker to do whatever they wanted, and it actually reduced security, because people did just that. They would just add a 1, and the next time switch it to 2, and so on.

It's too tempting to do something like that. I wish the Post Office would do something sensible like that too!

Thank you all for some great suggestions!

Timothy Norton wrote:My company has rolling password resets and it can get frustrating at times trying to remember a variety of different logins.

I TOTALLY wouldn't do it but I have heard of someone who just keeps adding an additional "*" character to their usual go-to password every time.

My first employer had a rule that the password couldn't be any of the last 4 passwords, which ruled out adding the season to the end of my password. So I added the number of times I needed to change my password instead.

So I really like having different passwords for every website. I don't like writing them down or trusting password apps to save them so I made up a formula that mixes my core password phrase and the url of whatever website I'm needing to log in to. For example permies.com has 7 characters (not counting the dot com) , and permies starts with a p and ends with an s. The 7, p, and s are mixed in to my standard phrase creating a password just for permies which I can figure out just by looking at the url. So
7andPorSmakesmypswd!

Google would be
6andGorEmakesmypswd!

This way when some site gets hacked, and it turns out they weren't storing passwords encrypted the password won't work on any other site, since they are all a little different. If someone was specifically targeting me they could figure out my pattern but that's really unlikely. Not quite as secure as other methods but I can login to an account I haven't used for years without stress.

Buster Parks wrote: permies.com has 7 characters (not counting the dot com) , and permies starts with a p and ends with an s. The 7, p, and s are mixed in to my standard phrase creating a password just for permies which I can figure out just by looking at the url. So 7andPorSmakesmypswd!

Oh dear. That reminds me of the time I saw a riddle that said something like

They say there is only one thing that all girls want. And that it starts with P and ends in S.

And then I ended up in a second-hand shop in town and found these two fellas and simply HAD to bring them home!

On a related note.