How to create a safe, memorable password in 5 minutes – UPDATED

With all the (well-deserved) hubbub about the Heartbleed SSL security flaw which impacts 2/3 of the Internet, I thought I would share my method of generating safe, memorable, unique passwords.

There are only four steps. Don’t over-think them. This process should take less than five minutes.

How to create safe, memorable, unique passwords

Step 1. Pick a number. Any number. (Except that one.)

The year your favorite state entered into the union, numbers that spell out something funny on a phone keypad, your ideal outdoor temperature, whatever. Just make sure it isn’t easily associated with you. No phone numbers, addresses, SSN, birthdays, etc.

I’ll use the year Oregon was founded: 1859

Step 2. Pick a phrase

It could be a famous quote, song lyrics, or something funny your family always says. I’ll stick with the patriotic theme and go with “One nation under God.” Now, shorten/abbreviate the phrase:

1nuG
OnuG
onuG

I’ll go with the first one since it includes a number: 1nuG

Step 3. Identify the service

Pick a phrase that includes the name/type of service this version of the password will be used for. Then shorten it:

I heart [service] = I heart Facebook = IhF

[Service] is the best = Facebook is the best = Fitb

I always use [service] = I always use Chase Bank = IauCB

I’ll go with the first example: IhF

Step 4. Pick something that can rotate

It can be anything that’s sequential and easy for you to remember: colors of the rainbow, ages of your kids, cities along a specific route, etc. This is so you can easily create a new password when you need to without going through the whole process again.

Sticking with my Oregon theme, I’ll do cities down the 101 highway.

Example: Astoria.

Put it together

Taking my results from Steps 1-4 and adding a symbol between them, my new Facebook password would be:

1859.1nuG.IhF.Astoria

Using the same methodology, I can then use a similar (but not identical) password for my other accounts, too. Here’s an example of what my Twitter password could look like:

1859.1nuG.IhT.Astoria

Whenever you need to create a new password (every six months, after a Heartbleed-type security bug, etc.) you can just swap out the rotatable element. The next time I need to reset my password, my new Twitter password could become:

1859.1nuG.IhT.Seaside
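As an added example (not part of the original post), here is the four-part scheme above in Python: it builds the passwords from the post's own parts, checks them against a typical site policy (all four character classes, optional length cap, since some sites limit password length), and counts how many characters two service variants actually differ in. The function names and the policy rules are my own assumptions.

```python
# Added example: compose the Step 1-4 parts, check site policy, compare variants.
from string import ascii_lowercase, ascii_uppercase, digits, punctuation

SEPARATOR = "."  # the symbol placed between the four parts


def build_password(number, phrase, service, rotating, sep=SEPARATOR):
    """Join the Step 1-4 parts with a separator, e.g. 1859.1nuG.IhF.Astoria."""
    return sep.join([number, phrase, service, rotating])


def check_policy(password, max_len=None):
    """Return a list of problems against an assumed site policy: every
    character class present, and (if the site caps length) not too long."""
    problems = []
    classes = {
        "lowercase": ascii_lowercase,
        "uppercase": ascii_uppercase,
        "digit": digits,
        "symbol": punctuation,
    }
    for name, alphabet in classes.items():
        if not any(c in alphabet for c in password):
            problems.append(f"missing {name}")
    if max_len is not None and len(password) > max_len:
        problems.append(f"too long ({len(password)} > {max_len})")
    return problems


def differing_positions(a, b):
    """Indices where two same-length passwords differ. A short list means
    anyone holding one password is only a few characters from the other."""
    if len(a) != len(b):
        raise ValueError("passwords differ in length")
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


if __name__ == "__main__":
    fb = build_password("1859", "1nuG", "IhF", "Astoria")
    tw = build_password("1859", "1nuG", "IhT", "Astoria")
    print(fb, check_policy(fb))            # passes: no problems
    print(check_policy(fb, max_len=16))    # too long for a 16-character site
    print(differing_positions(fb, tw))     # the two accounts differ in one position
```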

The result

There you have it. A very long (21-character) password that uses symbols, numbers, and letters (upper- and lower-case), is unique for each of your accounts, and is easily updatable. It’s pretty easy to remember, too. By the time you go through and update all your passwords for your different services you’ll have it down pat.

Bonus: if anyone nefarious ever looks at it, it’ll seem like complete gibberish.

Adapt as needed

Take the process and make it your own: change the order of the steps, do a shorter version (some sites limit the number of characters in your password), or pick entirely new steps. Tweak what you need to make it work for you.

Need a hint?

Instead of jotting down the actual password on a sticky note next to your computer (NOT SAFE) you can write down the mental process you used to generate the password.

THIS: Oregon, patriot, service, road trip.

NOT THIS: 1859.1nuG.IhF.Astoria

That should do it. Like it? Find a flaw in the method? Let me know in the comments.

BONUS PRIZE!

Mac user? Here’s a simpler way.

Apple will generate and securely store unique passwords for all the sites you go to online using iCloud Keychain. All you have to do is remember a single master password. It syncs from your desktop to all your iDevices so…yeah. Not a bad option if you use Safari and don’t want to be bothered with tracking a bunch of passwords.

UPDATE

LastPass

Through a series of fortuitous events, yesterday I was introduced to LastPass. After listening to an hour-long podcast about it, I’m convinced it’s super secure and a good place for my passwords. I changed nearly all my passwords yesterday with the LastPass password generator, which creates crazy-long/complicated/awesome passwords and stores them in a vault that only you have the key to.

How secure is it? Why would you trust LastPass with your passwords? Because even they don’t have your password. Everything is hashed (encrypted) multiple times using 256-bit SHA security on your machine, then it’s sent to their servers. That means if one of their employees is compromised by a secret, still-in-existence underground arm of the KGB, or if some teenager in China manages to get to your information on their servers, they won’t see your username and password. They’ll see something like this:

256 SHA Hash
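As an added example (my own sketch, not LastPass’s implementation, whose exact details the post doesn’t give), here is the client-side pattern being described, in Python: the master password is stretched locally with PBKDF2-HMAC-SHA256 into a vault key that stays on your machine, and only a separately derived login hash is sent, which the server hashes again with its own salt before storing. The iteration counts, the use of the e-mail address as salt, and the function names are assumptions.

```python
# Added example: client-side key derivation so the server never sees the
# master password or the vault key. Constructed for illustration only.
import hashlib
import hmac
import os

CLIENT_ITERATIONS = 100_000  # assumption: real managers use a high, tunable count
SERVER_ITERATIONS = 100_000  # assumption


def derive_vault_key(master_password, email, iterations=CLIENT_ITERATIONS):
    """Runs on the client only; the result decrypts the vault and is never sent."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               email.strip().lower().encode("utf-8"), iterations)


def derive_login_hash(vault_key, master_password):
    """One more round so the value that travels to the server is not the vault key."""
    return hashlib.pbkdf2_hmac("sha256", vault_key,
                               master_password.encode("utf-8"), 1)


def server_enroll(login_hash):
    """Server side: keep a salted hash of the login hash, not the login hash itself."""
    salt = os.urandom(16)
    stored = hashlib.pbkdf2_hmac("sha256", login_hash, salt, SERVER_ITERATIONS)
    return salt, stored


def server_verify(salt, stored, login_hash):
    """Constant-time comparison of the recomputed record against what is stored."""
    candidate = hashlib.pbkdf2_hmac("sha256", login_hash, salt, SERVER_ITERATIONS)
    return hmac.compare_digest(candidate, stored)


def login_attempt(email, master_password, salt, stored):
    """Everything the client transmits is derived; the password itself stays local."""
    vault_key = derive_vault_key(master_password, email)
    return server_verify(salt, stored, derive_login_hash(vault_key, master_password))


if __name__ == "__main__":
    email, pw = "alice@example.com", "correct horse battery staple"  # constructed
    vk = derive_vault_key(pw, email)
    salt, stored = server_enroll(derive_login_hash(vk, pw))
    print(login_attempt(email, pw, salt, stored))        # correct password accepted
    print(login_attempt(email, pw + "x", salt, stored))  # wrong password rejected
    print(stored.hex())  # what a server-side breach would expose: not pw, not vk
```

A stolen copy of `stored` still has to be brute-forced through both the client and server stretching before it yields anything, and even then the vault key is a separate value the server never held.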

I may do a follow-up post on it later. Either way, you should check it out and give it some consideration.

Image courtesy of Pixel Fantasy.

The S is for security

Courtesy of iMore.com

Word on the street is that Apple is going to have a fingerprint scanner in the home button of the iPhone 5S. My thoughts on the subject:

Hardware security

Of course, Apple could use the first iteration just to unlock the phone and down the road turn on additional security features such as using your iPhone as a key to unlock your computer (if your iPhone is close enough to the computer, and you have it unlocked, you won’t have to type in the password on your desktop).

Apple could create an API so apps could require fingerprint verification before use. Instead of (or in addition to) typing in your username and password on your mobile banking app, the app would ask iOS for a fingerprint verification. Scan your fingerprint, the OS IDs you, and it tells the app, “Yeah, that’s him (or her).” Your biometric information never leaves the phone and is never given to a third party.

Eventually, your phone could become a key to making payments online. If you’re trying to purchase something on Amazon through Safari, it will ask you to scan your fingerprint on your phone (probably through a low-powered Bluetooth connection). Once you verify, it allows the transaction to go through.

This makes your phone more important than ever: it becomes your wallet/key to every digital thing you do. Fingerprint security is good, but if you’re prone to leaving your phone in cabs there are some software features in iOS 7 that should give you (some) peace of mind.

Software security

In iOS 7 you can remotely lock your phone and require your iCloud login credentials to re-activate it. Without said credentials, you can’t disable Find My iPhone and the phone is essentially bricked and therefore useless to would-be thieves. A very nice form of theft deterrent.

The history of S

With the iPhone 3GS the S stood for speed. With the 4S it stood for Siri. With the 5S, I think it’s going to stand for security. It might not do much at first, but this is going to be Apple dipping its toe into the water of mobile and online payments. When it does a cannonball into the market with the iPhone 6, $700 per share is going to look like a bargain.

P.S. Gold? Ugh. I hope not.

The next Call of Duty (a proposal)

How long until Call of Duty drops the single-player version altogether and has an online-only multiplayer subscription model? Modern Warfare 3 only took me about five hours to complete in single-player mode on Normal difficulty and I’m hardly a good gamer. So why even bother with the single-player version?

Within the next two releases (after Ghosts) I’m guessing you’ll be able to download whatever you need over Xbox Live then, through an additional (say, $9.99/mo) subscription, all you do is play online multiplayer. Additional maps, perks, weapons, etc. are available to those who earn points by playing a lot or fork over additional bucks.

That’s $120/year/player instead of $59 (+ additional maps some people buy). Not to mention they get to keep all that money instead of going through retail partners. Sure, Microsoft may need a cut, but they were getting that anyway.

Infinity Ward could push out releases whenever they want/need and, if they do it right, could even merge platforms so Xbox One, PS4, and PC players can all play together, à la Steam.

Plus, I’m still waiting to see true third-screen support: let one (or more) players on a team have a satellite view of the entire map, target and control strikes, pass along location information, etc. all from an iPad.

I’ll keep wishing.