How to create secure passwords with JavaScript

And most importantly, remember them!

Online security is an issue that gets discussed more and more on different platforms.
Ever since the infamous iCloud leaks in 2014, protecting your online data has become a bigger and bigger concern.

“How do we do that?” is the stupid question, and “with a good password” is the obvious answer.

The problem with passwords

The common requirements for stronger online security are quite simple; let’s list them:

  • You should ideally have a different password for every website/app.
  • Passwords should be complex, not easy to guess.
  • They should be long.
  • You should not write down your passwords.
  • You should employ Two-Factor Authentication (2FA).

Let’s leave aside the 2FA provided by services (though you should always enable it, no matter how tedious it may seem).

A lot of people still have really basic passwords, and most of the time it’s just one password reused everywhere. Remembering passwords is hard, so why try to come up with multiple complex ones if you are going to forget them five minutes after writing them?

A good solution is to use a vault to store all your passwords: you have your tool and a master password that protects a vault containing all your passwords. That vault is online, protected by just another password.

So, since I’m dumb as a rock when it comes to memory, I don’t trust online tools that much, and offline ones even less: if I lose my wallet or something like that, I would lose all my secure passwords too.

There are no more solutions, you dummy.

Don’t remember and don’t write down anything

The idea is to not memorise any passwords.
I’m not going to remember more than two or three at best, and I need far more than that, so let’s just not do that in the first place.
“How can you use a password if you don’t store it and don’t remember it?”

The key here is not remembering the passwords, but a single method, shared by all your passwords, for creating them that is useless to everyone but you. Let’s see how easy this can be.

Let’s create a list of 10 words. They don’t have to be difficult or abstruse; you can pick a song lyric or whatever.

  • never
  • gonna
  • give
  • you
  • up
  • never
  • gonna
  • let
  • you
  • down

Now let’s create a password for our GitHub account.

GitHub starts with g; open up your browser console and check its UTF-16 value:

'g'.charCodeAt() // 103

The digits of 103 give us positions #1, #0 and #3. Counting like a programmer (from zero), at those positions we find

  • gonna
  • never
  • you

And voilà, our new password: gonnaneveryou.

It’s still too easy, so let’s raise the complexity. The last letter of GitHub is b:

'b'.charCodeAt() // 98

And now we have gonnaneveryou98. We can improve it a bit more without too much effort: let’s uppercase the words at an even position. In this case #0 is the only even one, so we end up with gonnaNEVERyou98.

Let’s add some special characters: pick the symbol for your favourite currency and use it to separate the words, like this: gonna€NEVER€you€98.

Do you need to remember this password? No.

We just have to use JavaScript to get the UTF-16 value for a letter (we don’t have to remember the value either!) and then follow a personal pattern to mutate the password until we reach the desired result.
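The whole recipe above, written out as one function. This is an added example and not part of the original post: the function name derivePassword and the separator argument are my own, while the word list and the steps (digits of the first letter’s code as word positions, even positions uppercased, last letter’s code as suffix, currency symbol as separator) are the ones the post describes.

```javascript
// Added example: the post's recipe as a function (not code from the original post).
// Word list from the post; each decimal digit of a UTF-16 code unit indexes into it.
const WORDS = ["never", "gonna", "give", "you", "up",
               "never", "gonna", "let", "you", "down"];

// derivePassword and the separator parameter are names assumed for this example.
function derivePassword(service, words = WORDS, separator = "€") {
  const name = service.toLowerCase();
  // Step 1: UTF-16 code unit of the first letter, e.g. 'g' -> 103.
  const firstCode = name.charCodeAt(0);
  // Step 2: UTF-16 code unit of the last letter, e.g. 'b' -> 98, used as a suffix.
  const lastCode = name.charCodeAt(name.length - 1);
  // Step 3: each digit of the first code is a zero-based position in the word list
  // (103 -> positions #1, #0 and #3 -> "gonna", "never", "you").
  const parts = String(firstCode).split("").map(Number).map((position) => {
    const word = words[position];
    // Step 4: words at an even position are uppercased (#0 here -> "NEVER").
    return position % 2 === 0 ? word.toUpperCase() : word;
  });
  // Step 5: append the last letter's code and join everything with the separator.
  parts.push(String(lastCode));
  return parts.join(separator);
}

// derivePassword("GitHub") -> "gonna€NEVER€you€98"
```

Because the recipe only reads the first and last letter of the service name, any two service names that share those two letters get the same password from this function.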

The only exposed data (if you decide to write it down) would be a dumb song or something like that; in time you should memorise it too, but there is close to no risk in keeping it written down.

Other words that can be used are grocery items or whatever you happen to have memorised already, and the transmutations on the values can be personalised too. In time I continued to add complexity to my passwords, and I don’t have anything written down anymore.

To get even a small chance at guessing one password, you would have to already have collected a huge amount of passwords created with the same method; in practice, if your passwords are not stored, that’s literally impossible.

The only thing you are required to remember is the method (it can be something as easy as the example above or something more complex, but even a simple one can create really awesome passwords).

The method is always the same, yet every password will be unique and equally hard to crack.