With all the (well-deserved) hubbub about the Heartbleed SSL security flaw, which impacts 2/3 of the Internet, I thought I would share my method of generating safe, memorable, unique passwords.
There are only four steps. Don’t over-think them. This process should take less than five minutes.
How to create safe, memorable, unique passwords
Step 1. Pick a number. Any number. (Except that one.)
The year your favorite state entered into the union, numbers that spell out something funny on a phone keypad, your ideal outdoor temperature, whatever. Just make sure it isn’t easily associated with you. No phone numbers, addresses, SSN, birthdays, etc.
I’ll use the year Oregon was founded: 1859
Step 2. Pick a phrase
It could be a famous quote, song lyrics, or something funny your family always says. I’ll stick with the patriotic theme and go with “One nation under God.” Now, shorten/abbreviate the phrase:
I’ll go with the first one since it includes a number: 1nuG
Step 3. Identify the service
Pick a phrase that includes the name/type of service this version of the password will be used for. Then shorten it:
I heart [service] = I heart Facebook = IhF
[Service] is the best = Facebook is the best = Fitb
I always use [service] = I always use Chase Bank = IauCB
I’ll go with the first example: IhF
Step 4. Pick something that can rotate
It can be anything that’s sequential and easy for you to remember: colors of the rainbow, ages of your kids, cities along a specific route, etc. This is so you can easily create a new password when you need to without going through the whole process again.
Sticking with my Oregon theme, I’ll do cities down the 101 highway.
Put it together
Taking my results from Steps 1-4 and adding a symbol between them, my new Facebook password would be:
Using the same methodology, I can then use a similar (but not identical) password for my other accounts, too. Here’s an example of what my Twitter password could look like:
Whenever you need to create a new password (every six months, a Heartbleed-type security bug, etc.) you can just swap out the rotatable element. The next time I need to reset my password, my new Twitter password could become:
There you have it. A very long (21-character) password that uses symbols, numbers, and letters (upper- and lower-case), is unique for each of your accounts, and is easily updatable. It’s pretty easy to remember, too. By the time you go through and update all your passwords for your different services you’ll have it down pat.
Bonus: if anyone nefarious ever looks at it, it’ll seem like complete gibberish.
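As an added example (not code from the original post), the script below assembles a password from the four components exactly as the "Put it together" step describes and checks the claims made above: the Facebook example is 21 characters and contains upper-case, lower-case, digits and a symbol. It also rotates the Step 4 element and measures how much two services' passwords share. The Highway 101 cities beyond Astoria, the "IhT" abbreviation for Twitter, and all function names are assumptions made for this example.

```python
"""Build, rotate and check passwords made with the four-step method.

Added example, not part of the original post. The values 1859, 1nuG, IhF
and Astoria come from the post; everything else here is constructed.
"""
import string

# Step 4 rotation: cities down Highway 101. Only Astoria is in the post;
# the rest of the list is constructed for illustration.
ROTATION = ["Astoria", "Seaside", "Tillamook", "Newport"]


def build_password(number, phrase, service, rotating, sep="."):
    """Join the four components with a symbol between them."""
    return sep.join([number, phrase, service, rotating])


def next_rotation(current, rotation=ROTATION):
    """Return the element after `current`, wrapping back to the start."""
    idx = rotation.index(current)
    return rotation[(idx + 1) % len(rotation)]


def character_classes(password):
    """Report which character classes the post claims are present."""
    return {
        "upper": any(c in string.ascii_uppercase for c in password),
        "lower": any(c in string.ascii_lowercase for c in password),
        "digit": any(c in string.digits for c in password),
        "symbol": any(c in string.punctuation for c in password),
    }


def shared_prefix(a, b):
    """Longest common prefix of two passwords: the part that is not unique."""
    n = 0
    while n < min(len(a), len(b)) and a[n] == b[n]:
        n += 1
    return a[:n]


if __name__ == "__main__":
    facebook = build_password("1859", "1nuG", "IhF", "Astoria")
    twitter = build_password("1859", "1nuG", "IhT", "Astoria")  # IhT is assumed
    print(facebook, len(facebook), character_classes(facebook))
    print("after rotation:", build_password("1859", "1nuG", "IhT",
                                            next_rotation("Astoria")))
    print("shared between services:", shared_prefix(facebook, twitter))
```

Running it confirms the 21-character length and all four character classes; `shared_prefix` makes visible that, with this layout, only the service abbreviation differs between two accounts until the rotatable element changes.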
Adapt as needed
Take the process and make it your own: change the order of the steps, do a shorter version (some sites limit the number of characters in your password), or pick entirely new steps. Tweak what you need to make it work for you.
Need a hint?
Instead of jotting down the actual password on a sticky note next to your computer (NOT SAFE), you can write down the mental process you used to generate the password.
THIS: Oregon, patriot, service, road trip.
NOT THIS: 1859.1nuG.IhF.Astoria
That should do it. Like it? Find a flaw in the method? Let me know in the comments.
Mac user? Here’s a simpler way.
Apple will generate and securely store unique passwords for all the sites you go to online using iCloud Keychain. All you have to do is remember a single master password. It syncs from your desktop to all your iDevices so…yeah. Not a bad option if you use Safari and don’t want to be bothered with tracking a bunch of passwords.
Through a series of fortuitous events, yesterday I was introduced to LastPass. After listening to an hour-long podcast about it, I’m convinced it’s super secure and a good place for my passwords. I changed nearly all my passwords yesterday with the LastPass password generator, which creates crazy-long/complicated/awesome passwords and stores them in a vault that only you have the key to.
How secure is it? Why would you trust LastPass with your passwords? Because even they don’t have your password. Everything is hashed (encrypted) multiple times using 256-bit SHA security on your machine, then it’s sent to their servers. That means if one of their employees is compromised by a secret, still-in-existence underground arm of the KGB, or if some teenager in China manages to get to your information on their servers, they won’t see your username and password. They’ll see something like this:
I may do a follow-up post on it later. Either way, you should check it out and give it some consideration.
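To show what "hashed multiple times on your machine, then sent to their servers" means in practice, here is a small added model, written for this post and not LastPass's actual code: the client runs SHA-256 repeatedly over the master password before anything leaves the machine, and the server stores and compares only that result. The iteration count, the use of the username as salt, and the `Server` class are assumptions chosen for illustration.

```python
"""Model of client-side iterated hashing of a master password.

Added example, not LastPass's implementation. Iteration count, salt choice
and the server-side record format are assumptions for illustration.
"""
import hashlib
import hmac

ITERATIONS = 5000  # assumed count; a real product chooses its own


def client_hash(username, master_password, iterations=ITERATIONS):
    """Hash username+password with SHA-256 `iterations` times, client side.

    Only the hex digest returned here is ever sent over the network.
    """
    salt = username.encode()
    digest = master_password.encode()
    for _ in range(iterations):
        digest = hashlib.sha256(salt + digest).digest()
    return digest.hex()


class Server:
    """Holds the client-side hash per user; never sees the master password."""

    def __init__(self):
        self._records = {}

    def register(self, username, client_side_hash):
        self._records[username] = client_side_hash

    def authenticate(self, username, client_side_hash):
        """Constant-time comparison of the presented hash with the stored one."""
        stored = self._records.get(username)
        return stored is not None and hmac.compare_digest(stored, client_side_hash)

    def what_an_intruder_sees(self, username):
        """The record an attacker with server access would obtain."""
        return self._records[username]


if __name__ == "__main__":
    # Constructed sample user; the password is illustrative only.
    user, password = "alice@example.com", "correct horse battery"
    server = Server()
    server.register(user, client_hash(user, password))
    print("login ok:", server.authenticate(user, client_hash(user, password)))
    print("wrong pw:", server.authenticate(user, client_hash(user, "guess")))
    print("stored record:", server.what_an_intruder_sees(user))
```

The stored record is 64 hex characters that cannot be turned back into the master password; an attacker who copies the server's records gets only that value, which is the point the paragraph above makes.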
Image courtesy of Pixel Fantasy.