Up Your Password Game for the Security Apocalypse

Illustration: Diane Murray

Want a secure system without dealing with a third-party password manager? Give this self-generated password method a go!

“Password123.” “ilovecats.” “matthew92.” There are a lot of bad passwords out there. There are a lot of good ones, too; maybe you use one!

But with mass data leaks like Heartbleed and, more recently, Cloudbleed, it’s not just a question of whether someone will figure out your password — it’s a question of when.

If, like most folks, you use the internet for banking, private sharing, and storing sensitive information, you owe it to yourself to review your approach to password security. If you use a weak password, you’re open to hackers doing targeted password-breaking. If you have a decent password but use it for all online services, a single data breach could give a hacker the key to wreaking havoc on your online accounts.

This is where most people recommend password managers like LastPass. These services create a different, long, random password for each of your online accounts, giving you quick access to everything with a single login.

These services are great! But using them means you don’t know your own passwords; if you’re on a new or borrowed device, it’ll be a pain to log in and grab something you need.

For some, the inconveniences of password managers are worth the rewards, but for others it just doesn’t feel practical. What’s the alternative, though? There’s no way you could remember a bunch of fantastic passwords on your own… is there?

Fear not! Hands-on password security is entirely possible. Here’s how you can set up a super-secure system all your own.

First, find a short phrase, expression, song lyric, or name that’s significant to you. For this exercise, we’ll go with a line from the Red Hot Chili Peppers’ “Can’t Stop”:

addicted to the shindig

Now, find a rule-based (that is, memorable) way to pare down the letters and obscure the words. For longer expressions, you might remove all but the first letters of each word. For this one, though, removing the vowels will be enough:

ddctdtthshndg

This first step makes your password hard for others to remember and keeps it out of the reach of a dictionary-based cracker. You’ve also got a fairly long string of characters, which will foil someone using a random-combination cracker.

Finally, you’ve protected yourself against folks in your life, too. Unlike random-phrase passwords (note the differences between the bad password example and this article’s suggestion), it’s hard to figure out from watching you type — and, if you one day need to tell someone your password verbally, it’s something they’re far less likely to be able to memorize.

Great job!

Of course, we can and should improve on that. As you’ve probably been told before by an overly nosy website, “your password must contain at least one numeral, one capital letter, and one special character.”

Ugh.

No worries, though — you can absolutely come up with a memorable way to modify what you have already; in the example, we’ll use a “2” to denote repeated letters, capitalize the first letter of each word, and drop in a tilde (because tildes are awesome).

d2ctdT2Shndg~

Nice! If you’re making an account a hacker couldn’t get anything useful out of (a free flash game site, for example), you can probably stick with this. Although it looks like a pain right now, using it over and over will make it second nature to your fingers. So: easy to input, hard to hack, and no big deal if it does get compromised.

For any paid service, account with sensitive information, or social media profile you want to avoid getting taken over, though, it makes sense to up the ante. We want to have variety across services so that if (more like when) your base password gets out there, there’s another level of security in place.

You may be tempted to add the name of the service you’re logging into to the end of the password, but that’s a bad call. It’s entirely too easy to guess. Unfortunately, avoiding that makes remembering your unique passwords really difficult.

Or does it?

Cue the password notebook that gets such a bad rap. Only, we’re giving it a spin that cuts out the dangerous part.

First, figure out where your notebook (or notebooks) will be. Evernote, Google Docs, and iOS Notes are all good options — the goal is to find whatever will be easiest for you to access. For extra security, pick an extremely hard-to-guess and hard-to-crack addition to your password for this service. Make it meaningful to you, and absolutely unguessable to hackers, partners, friends, and family.

Now, start going through the services that need this extra level of security.

Ask yourself what kind of security question only you could answer — no “mother’s maiden name” here! Be sure to pick answers that are longish, non-dictionary words (phrases, strange nicknames, and so on). This will ensure that if someone has your base password and knows your system, they can’t just run a quick dictionary crack.

For example, let’s look at your bank login. Why did you choose that bank? Maybe someone in your life recommended it to you. You remember their old AIM handle from a zillion years ago, so add that to your base password.

d2ctdT2Shndg~xx_angel_xx
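As an added check (not part of the original article), the script below estimates how much each step of the method above enlarges the keyspace a brute-force cracker has to cover, using the article’s own example strings. The guess rate of 10^10 per second is an assumed figure for offline cracking of a fast hash, and the bit counts are an upper bound because the base string comes from a published lyric, which a targeted wordlist attack would find far faster.

```python
import math
import string

# Constructed sample: the article's example passwords, in the order it builds them.
ARTICLE_EXAMPLES = [
    "ilovecats",                   # a "bad" password from the opening paragraph
    "ddctdtthshndg",               # lyric with vowels removed
    "d2ctdT2Shndg~",               # plus digit, capitals and a tilde
    "d2ctdT2Shndg~xx_angel_xx",    # plus the per-service secret from the notebook
]

# Character classes a brute-force cracker must include once it sees one such
# character. Sizes are the usual printable-ASCII counts (punctuation is 32).
CHAR_CLASSES = {
    "lower": (set(string.ascii_lowercase), 26),
    "upper": (set(string.ascii_uppercase), 26),
    "digit": (set(string.digits), 10),
    "symbol": (set(string.punctuation), len(string.punctuation)),
}


def charset_size(password: str) -> int:
    """Size of the smallest class-based alphabet covering every character used."""
    size = 0
    for chars, count in CHAR_CLASSES.values():
        if any(c in chars for c in password):
            size += count
    return size


def bruteforce_bits(password: str) -> float:
    """log2 of the keyspace for an attacker who knows only length and classes.

    Upper bound: a lyric-derived base is much weaker against a wordlist attack.
    """
    n = charset_size(password)
    return len(password) * math.log2(n) if n else 0.0


def years_to_exhaust(password: str, guesses_per_second: float = 1e10) -> float:
    """Worst-case time to try the whole keyspace at an assumed offline guess rate."""
    return 2 ** bruteforce_bits(password) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    for pw in ARTICLE_EXAMPLES:
        print(f"{pw:26} len={len(pw):2} charset={charset_size(pw):3} "
              f"bits={bruteforce_bits(pw):6.1f} years@1e10/s={years_to_exhaust(pw):.3g}")
```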

Then, head over to your password notebook and make a note like this:

ABC Bank
 Username: [username]
 Who recommended the bank to me (old handle)

Now, even if someone knows your base password, they’d still need to sneak into your password notebook and figure out something that’s really only in your head, not searchable, and extremely difficult to crack. Just be sure it’s not something you’ll forget yourself!


That covers the details of this approach, but don’t let that be the end of your security measures! As some useful next steps, try out two-factor authentication, and enable notifications of logins from new devices in all services that allow them. Both of these will keep your data extra-safe, and, as a bonus, let you know if someone has worked out one of your passwords and tried to log in as you.

If all of this piques your interest, I highly recommend HACK*BLOSSOM’s resources.

Happy internetting!


Like this article and want to see more? You can check out my work at dmurring.com, or follow me on Twitter for resources and discourse of all kinds!

You can also support me by becoming a patron at Patreon, or just by leaving a little tip. The resources I produce are always free, so your financial contributions are extremely valuable.