Creating Strong and Easy to Remember Passwords
October 2023: This text has been edited to clarify a few things and to fix something that was wrong.
Presented here is a simple technique for passwords that are both strong and easy to remember. Seriously.
The technique itself is easy to remember, too.
Think in terms of tokens. Start with short character sequences of a particular format, and build your passwords from several of these tokens. Each token is different, short and memorable. Concatenate a few tokens and you have your strong, unique, rememberable password.
For my examples I'll use four disparate tokens. These are guidelines. People should make up their own token system, but this system is as good as any and better than most.
The first token is a non-word word: a sequence of letters that is pronounceable like a word but is not one [NWW]. The second token is a number [NUM]. The third is a punctuation character [PUN].
From those you make a password root. Once that is chosen, a fourth token of your choosing is added to make a different password for each account you want a password for.
Here is a notation for the tokens:
[NWW] [NUM] [PUN]
Here are some example tokens (the category of each should be obvious):
Foobey Bletch 411 187 ! ?
(The fourth token comes later.)
To make this work you make up tokens that are unique to you. The non-words can come from any milieu in your head, the numbers from your surroundings or from any set of related numbers (or at random), and the punctuation from your favourite characters. (Some of you might like to use hexadecimal or octal numbers.)
Once you have some tokens, order them any way you like. The result is a long, easily remembered, unique sequence of characters that no brute-force search will exhaust in our lifetimes. The strength comes from the length and from the tokens being yours rather than dictionary words; tokens an attacker could look up about you (your birth year, your street number) give some of that strength back.
Just two examples will demonstrate:
[NWW][NUM][NWW][PUN] [PUN][NWW][NUM][NWW]
Just pick the quantity and order you like and can remember. Those examples show the minimum number of tokens for anyone to come up with something fairly strong. Larger brain capacity? Then use more tokens. But those minimums really are sufficient. (And not yet complete.)
Here are a couple of these types of passwords:
Foobey9Bletch$ 42Bletch!Foobey
Pretty Good Passwords (as this technique can be called). The result should be "pronounceable" as well (e.g., "Foobey Nine Bletch Dollar").
Now for the last step.
Once you have your password root, one more token is needed: one per account, and unique to you. Perhaps one or two capital letters, related in some way to the account, prepended or appended:
Foobey9Bletch$A Foobey9Bletch$P
And there you have it. An easily remembered, strong password that is hard to guess and out of reach of brute force. One caveat: the per-account token is the only part that differs, so if one site leaks your password in the clear (or from a fast, unsalted hash), whoever has it also has your root and needs to guess only the short tag for your other accounts. Make the tag something that is not obvious from the site's name alone.
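The token procedure above, worked through in code. This is an added example, not code from the original page: the token pools are constructed and deliberately tiny, and the guess rate is an assumption. It shows the two strength estimates that matter: the one a password meter makes (brute force over the character set, knowing nothing about structure) and the one an attacker who knows your pattern and can enumerate your exact token pools would face. The gap between them is why the tokens have to be yours and plentiful.

```python
import math
import secrets
import string

# Constructed token pools, standing in for the ones you would invent yourself.
# They are deliberately small so the two strength estimates below differ visibly.
POOLS = {
    "NWW": ["Foobey", "Bletch", "Quindle", "Zorpet", "Mibble", "Tranzik", "Vokk", "Plurm"],
    "NUM": ["9", "42", "411", "187", "2048"],
    "PUN": list("!?$#%&*@"),
}


def build_root(pattern, choices):
    """Assemble a password root from a pattern such as ["NWW", "NUM", "NWW", "PUN"]
    and one chosen token per slot, checking each token against its category."""
    if len(pattern) != len(choices):
        raise ValueError("one token per pattern slot")
    for cat, tok in zip(pattern, choices):
        if tok not in POOLS[cat]:
            raise ValueError(f"{tok!r} is not a {cat} token")
    return "".join(choices)


def random_root(pattern):
    """Same thing with the tokens drawn by a CSPRNG instead of by hand."""
    return build_root(pattern, [secrets.choice(POOLS[cat]) for cat in pattern])


def account_password(root, tag, prepend=False):
    """Fourth token: a short per-account tag prepended or appended to the root."""
    return tag + root if prepend else root + tag


def charset_bits(password):
    """The estimate password-meter sites make: brute force over the union of the
    character classes present, with no knowledge of how the password was built."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 printable ASCII punctuation characters
    return len(password) * math.log2(size)


def structural_bits(pattern, pool_sizes):
    """The estimate against an attacker who knows the pattern and how many
    candidates each category really has. pool_sizes maps category -> count."""
    return sum(math.log2(pool_sizes[cat]) for cat in pattern)


def years_to_crack(bits, guesses_per_second):
    """Time to exhaust 2**bits guesses at the given offline rate."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    pattern = ["NWW", "NUM", "NWW", "PUN"]
    root = build_root(pattern, ["Foobey", "9", "Bletch", "$"])
    print(root, account_password(root, "A"), account_password(root, "P"))
    print("random root with the same pattern:", random_root(pattern))
    # Assumed rate: unsalted MD5 on a handful of GPUs, order of 1e11 guesses/s.
    rate = 1e11
    print(f"charset model: {charset_bits(root):.1f} bits, "
          f"{years_to_crack(charset_bits(root), rate):.3g} years")
    known = {cat: len(pool) for cat, pool in POOLS.items()}
    print(f"attacker knows your exact pools: {structural_bits(pattern, known):.1f} bits, "
          f"{years_to_crack(structural_bits(pattern, known), rate):.3g} years")
```

With the constructed pools the same fourteen-character root scores about 92 bits under the charset model and about 11 bits against someone who can list your tokens. Real pools are private and much larger than eight entries, which is the whole point of making them up yourself, but the second number is the one to keep in mind when choosing them.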
One last thing. One can use the password root (Foobey9Bletch$, for example) by itself for all accounts that do not have a website login, such as FTP accounts or mail accounts (that are not Yahoo, Gmail, etc.). Reusing it there is less risky than reusing it across websites, but only because such servers rarely keep your hash in a database that gets dumped. The listeners themselves are public and are brute-forced around the clock, so this is reasonable only where the daemon locks or bans after a few failures (the ATM rule below) and the connection is encrypted; plain FTP and POP send the password in the clear.
But surely Yahoo and Google watch their mail login forms for automated attacks, right? Surely. (They'd be negligent if not; they ain't WordPress...)
The Other Shit
The following is the previous introduction to this page:
Safe and secure Internet use requires due diligence, careful configuration and attention to detail of the programs you use to connect to it.
But that is putting "Security" on you, the User. And that is totally wrong. What I should have written was:
A Safe and secure Internet requires due diligence, careful configuration and attention to detail for and of ALL the programs used to connect to it.
And of all the programs used to connect to the Internet, a website's server code is the sole break point.
A "strong password" is important, sure, but a "weak password" ain't the only way "yer shit's gonna get hacked"...
Passwords?
"Data breaches and identity theft are on the rise, and the cause is often compromised passwords."
According to Security Professionals, the reason data breaches and identity thefts occur is "weak passwords". And the consequences are dire, they assure us! You'll lose money, your reputation and even your job... The entire economy suffers!
But if "weak passwords" were truly the cause of such suffering, why is your debit card "password" just a 4 digit PIN?
Because an ATM will lock the account after a few failures.
When reading about password security on, um, the Internet, everyone means HTML forms. (While there are other network services that use "credentials" for device interoperability, mostly websites are the subject.)
And Now A Word From Our Experts
"The most obvious advantage [to a strong password] is that cybercriminals cannot easily hack your online accounts."
"Identity theft and online fraud on the rise, [a strong password is] a benefit you wouldn’t want to miss out on."
"[C]ybercriminals can use passwords to start disinformation campaigns against companies, use people’s payment information for purchases, and spy on users through WiFi-connected security cameras."
There is more, of course. Looking closer, there are always these words behind the fear mongering: "hack", "data breach", "bad actor", "cybercriminal"...
Security?
It's your password, dude!
There is a most favoured website for testing password strength ("How secure is my password?"). It will, for example, say that a password of password can be "instantly cracked". Looking closer at their algorithm you will see that for the password password1234 it will take three years!
If you read about their algorithm (they love to explain it!) there's this:
"MD5 hashed passwords..."
Therein lies the lie.
Their estimate also depends on your password hash being stolen first. If you do not know what an MD5 hash is, you will believe their shit, but it's a false narrative.
Who the fuck am I to say that? Well, how about from this "fucker":
"Warning It is not recommended to use this function [MD5] to secure passwords, due to the fast nature of this hashing algorithm."
(I will let you figure out who says that. More than one.)
This "someone steals the database" thing is the other half of their FUD. It means that the website that stored your password hash was "hacked" in the first place!
There is an industry behind this FUD, and the pivot upon which all these fears are based is: "after stolen credentials".
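An added example, not from the original page, for the two points made above: the meter's "three years" rests on an offline brute-force search of an unsalted MD5, which is not how stolen hashes are attacked, and the ATM keeps a 4-digit PIN safe with a lockout counter rather than with entropy. The word list and suffix rules are constructed and tiny; real cracking lists run to millions of words.

```python
import hashlib


def md5_hex(text):
    """Unsalted MD5, the hash the meter's 'three years' figure assumes."""
    return hashlib.md5(text.encode()).hexdigest()


# Constructed five-word list and suffix rules, enough to make the point.
WORDLIST = ["secret", "letmein", "password", "qwerty", "monkey"]
SUFFIXES = ["", "1", "12", "123", "1234", "!", "2023"]


def candidates():
    """Dictionary words, optionally capitalised, with common suffixes appended."""
    for word in WORDLIST:
        for variant in (word, word.capitalize()):
            for suffix in SUFFIXES:
                yield variant + suffix


def crack_md5(target_hex):
    """Offline dictionary attack on a stolen unsalted MD5.
    Returns (plaintext, guesses) or (None, guesses) if the list is exhausted."""
    guesses = 0
    for guess in candidates():
        guesses += 1
        if md5_hex(guess) == target_hex:
            return guess, guesses
    return None, guesses


def brute_force_pin(target_hex, digits=4):
    """Offline: a hashed 4-digit PIN is at most 10**4 MD5s, milliseconds on any CPU."""
    for n in range(10 ** digits):
        pin = f"{n:0{digits}d}"
        if md5_hex(pin) == target_hex:
            return pin
    return None


class LockoutGuard:
    """Online: the failure counter an ATM keeps. After max_failures wrong guesses
    the account locks and even the right answer is refused."""

    def __init__(self, secret, max_failures=3):
        self.secret = secret
        self.max_failures = max_failures
        self.failures = 0
        self.locked = False

    def attempt(self, guess):
        if self.locked:
            return "locked"
        if guess == self.secret:
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= self.max_failures:
            self.locked = True
        return "fail"


def online_pin_attack(guard, digits=4):
    """Try every PIN in order against the live service.
    Returns (found_pin, attempts_made); the attack stops at lockout."""
    for n in range(10 ** digits):
        pin = f"{n:0{digits}d}"
        if guard.attempt(pin) == "ok":
            return pin, n + 1
        if guard.locked:
            return None, n + 1
    return None, 10 ** digits


if __name__ == "__main__":
    stolen = md5_hex("password1234")
    print("stolen hash:", stolen, "->", crack_md5(stolen))
    print("offline PIN:", brute_force_pin(md5_hex("7391")))
    print("online PIN with lockout:", online_pin_attack(LockoutGuard("7391")))
```

The dictionary run recovers password1234 in 33 guesses, not three years, because the attacker has the hash and a fast algorithm and never brute-forces a twelve-character keyspace. The offline PIN search finishes in all 10,000 tries; the same PIN behind a lockout counter gets three attempts and then nothing, which is the whole difference between an online form and a stolen database.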
- PIN: Personal Identification Number number.
- ATM: Automatic Teller Machine machine.
- That latter password is in a dictionary, of course, but this ain't about that yet.
- FUD: Fear, Uncertainty and Doubt as an advertising campaign.