Secure Passwords without a Password Manager
A shocking number of people use criminally insecure passwords for their online accounts. Unfortunately, many websites (including some financial institutions…) restrict which characters may be used and cap password length. A site that stores passwords properly keeps only a salted hash, which is the same size no matter how long the password is, so there is no good reason to impose a tight length limit. A Password Manager such as LastPass, Roboform, Dashlane, or countless others can aid with the epidemic that is insecure passwords.
Some people question the legitimacy or the security of trusting a third party with their passwords, and with passwords they can’t even remember, no less. Since Password Managers create a randomly generated password for every site, such as
%_HX6rT^V+mzm:d^, it’s understandable to be a little leery of using them.
While I can personally vouch for LastPass and Roboform, I understand the concerns, risks, and benefits of using a Password Manager. The point of this article is to show you how to make your own passwords that are secure, memorable, and different for each and every website. Without revealing too much, my current passwords utilize more characters than 3 average passwords combined, are rarely duplicated, and most importantly, I remember them all. I’m here to tell you how to do this yourself.
Many people use an insecure password such as
PASSWORD2017, which makes my skin crawl. Others are a little further ahead and use a variation on a beloved pet’s name, such as
Mitt3n$2017. While more acceptable, it’s still a short and insecure password, and almost certainly reused on more than one website. For this example, we’ll build a secure, memorable, and different password from the pet name “Mittens”.
Our beloved pet Mittens has probably been a part of our lives (and passwords) for a long time, so
Mittens is a great place to start, but a terrible place to stop! We can expand Mittens a little, for instance with another name we attached to him, such as “Mister Mittens”.
MisterMittens is hardly secure though, so let’s go a bit further and add the age we were when we got him, let’s say 12.
MisterMittens12 is looking better, but we’re not there yet. If you’ll notice, the “1” and the “2” keys also carry symbols (! and @ when you hold Shift), so let’s use those too and tack them onto the end to meet the “special character” requirement, giving us MisterMittens12!@.
So this password is starting to look pretty good, but how do we make it different on every website? By using the website’s name itself! Let’s take the last four letters of the site’s name and stick them on there, perhaps even capitalized. So for Facebook we can start with
MisterMittens12!@BOOK, and for Twitter we can start with
MisterMittens12!@TTER, and so on for other websites.
Looking good! Length is one of the best strengths a password can have, so let’s add to it a bit more. We can use our birth year, say 1980, and just as we did with the age when we got Mister Mittens, add the corresponding Shift symbols, in this case
!(*), and easily remember them. (The digit-to-symbol trick assumes a US keyboard layout; other layouts put different symbols on the number keys, so pick the layout you actually type on and stick with it.)
So now our Facebook password would be
MisterMittens12!@BOOK1980!(*) and our Twitter password would be
MisterMittens12!@TTER1980!(*). These 29-character passwords are very long, entirely different on every website, and arguably most importantly, easy to remember despite being obscenely long. Internally, we’ve referred to this as a “password schema”. The flip side of a schema is that if any one password ever leaks in plaintext, whoever sees MisterMittens12!@BOOK1980!(*) can guess the Twitter one, so treat a single leak as a compromise of the whole schema. If you ever feel your schema has been compromised, you can update it by changing pieces of it: a different pet, a different year and symbols, such as your anniversary, or adding more to the end.
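The recipe above, written out as a small program so you can see every step and try other sites. This is an added example, not code from the original article: it maps digits to their US-keyboard Shift symbols, pulls the last four letters of a site’s name (assuming the name is the label just before the top-level domain, which is right for .com-style hosts and wrong for suffixes like .co.uk), assembles the pieces, and also reports sites that would end up with the identical password because their names end in the same letters. The pet, age and year are the article’s made-up values, not anyone’s real password.

```python
"""Added example (not from the article): the password schema as code.

Builds the pattern
    pet + age + shift(age) + SITE + birth year + shift(birth year)
for any site, and flags sites that would receive the same password.
The pet, age and year below are the article's made-up values.
"""
from urllib.parse import urlparse

# US keyboard layout: the symbol printed above each digit, reached with Shift.
# Other layouts put different symbols on these keys; the mnemonic assumes US.
SHIFTED_DIGITS = str.maketrans("1234567890", "!@#$%^&*()")


def shifted(digits: str) -> str:
    """Shift-key symbols for a run of digits: '12' -> '!@', '1980' -> '!(*)'."""
    if not digits.isdigit():
        raise ValueError(f"expected only digits, got {digits!r}")
    return digits.translate(SHIFTED_DIGITS)


def site_tag(site: str, length: int = 4) -> str:
    """Last `length` letters of the site's name, upper-cased.

    'https://www.facebook.com/login' -> 'BOOK', 'twitter.com' -> 'TTER'.
    Assumption: the name is the label just before the top-level domain,
    which is right for .com-style hosts and wrong for suffixes like .co.uk.
    """
    # urlparse only fills netloc when the string carries a '//'.
    netloc = urlparse(site if "//" in site else "//" + site).netloc
    # Drop any user@ prefix and :port suffix, keep just the host name.
    host = netloc.lower().split("@")[-1].split(":")[0]
    labels = [label for label in host.split(".") if label]
    if len(labels) < 2:
        raise ValueError(f"not a usable host name: {site!r}")
    return labels[-2][-length:].upper()


def schema_password(site: str, pet: str, age: str, birth_year: str) -> str:
    """Assemble one site's password from the memorable pieces."""
    return (f"{pet}{age}{shifted(age)}"
            f"{site_tag(site)}"
            f"{birth_year}{shifted(birth_year)}")


def find_collisions(sites):
    """Map each repeated site tag to the sites that share it.

    Those sites would receive the identical password under the schema.
    """
    by_tag = {}
    for site in sites:
        by_tag.setdefault(site_tag(site), []).append(site)
    return {tag: hits for tag, hits in by_tag.items() if len(hits) > 1}


if __name__ == "__main__":
    for site in ("https://www.facebook.com/login", "twitter.com"):
        pw = schema_password(site, "MisterMittens", "12", "1980")
        print(f"{site:32} {pw}  ({len(pw)} characters)")
    # facebook.com and notebook.com both end in 'book', so they collide.
    print(find_collisions(["facebook.com", "notebook.com", "twitter.com"]))
```

Running it prints the two 29-character passwords from the article and then `{'BOOK': ['facebook.com', 'notebook.com']}`, which is exactly the collision you want to know about before reusing the same four-letter tag rule everywhere.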
So let’s compare these passwords with our old one that was used everywhere. If you go to the website HowSecureIsMyPassword.net and paste our fake password
Mitt3n$2017 (note: while I trust this site, DO NOT paste your actual passwords into it), you’ll see it estimates that an average computer would need 400 years to crack it by trying every combination. Sounds pretty good, but it’s still relatively weak: real password crackers run on very powerful networks of machines, and they don’t guess blindly. A dictionary word with “3” for “e”, “$” for “s” and a year stuck on the end is exactly the shape their rule-based attacks try first, so it would fall far sooner than that figure suggests. In comparison, if we paste our new password
MisterMittens12!@BOOK1980!(*) into the site, it reports “4 Undecillion Years” (4,000,000,000,000,000,000,000,000,000,000,000,000 years) for the same blind guessing. Against brute force, I’d wager that it’s pretty darn safe; the number says nothing about an attacker who has already learned your schema from a leak, which is why one leaked password means changing the schema.
This method is not perfect. Some websites won’t allow you to use certain characters, or passwords longer than 12 or 18 characters, which is asinine in this day and age. Two sites whose names end in the same four letters, such as Facebook.com and Notebook.com, will also end up with identical passwords, so check for that before you settle on a rule. These passwords are also harder to type on a phone, but you get used to it eventually. If you don’t trust a Password Manager, follow the above lesson and create your own secure, memorable, and different passwords. And please, please, please do not use
MisterMittens12!@BOOK1980!(*) even if the cat you got when you were 12 was named Mittens and you were born in 1980. These passwords were for example purposes only. You also shouldn’t follow the exact same schema: a pattern that has been published is one a cracker can build a wordlist around. Put the age/symbols or your birth year/symbols at the front, or type them backwards, just to be safe.