Xkcd’s “password strength”

Security Through Promiscuity

How to up your password strength while having a great time

I’ve always thought of myself as someone who’s pretty good at coming up with secure passwords. For one thing, I have a great memory, which makes retaining long strings of seemingly random letters, numbers, and symbols relatively easy. For another, the long recommended strategy of turning words into w0rd5 has always made sense to me. For years I’d take a memorable word or phrase — a nickname, say, or a song lyric — and alter it slightly to render it impervious to a search for dictionary words. If I was listening to The Cure a lot, my password might be l0v3c4tz, for instance. (Not that it ever was, mind you.)

I was pretty sure I was doing everything right.

And then I stumbled upon an XKCD comic titled “Password Strength,” and my mind was blown. In six short panels, Randall Munroe completely obliterated the strategy I deemed so smart by pointing out that my “clever” passwords were relatively easy for a computer to crack. Rather than making a convoluted — but short — password full of a random string of letters and numbers, I’d be better off making one password that was easy to remember — but really, really long.

Randall offers the classic example of “correct horse battery staple,” four random words that create a lengthy (and thus challenging to crack) passphrase, while giving the user a novel mental image that makes said passphrase easy to remember. I liked the concept, but I wasn’t quite into the idea of horses or batteries or staples. I wanted something that was just as random, but somewhat more personal. I figured if I could come up with something that was a part of a pattern that only I could decipher, I’d have the best password of all. To anyone else, it’d be meaningless and confusing; to me, it would make perfect sense.
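To make the comic's argument concrete, here is an added Python example (not part of the original post) that scores the two strategies in bits of entropy and converts them to worst-case guessing time. The dictionary size, word-list size, per-letter substitution model and the 1000-guesses-per-second rate are assumptions, and the embedded word list is constructed for the demo.

```python
import math
import secrets

# Constructed sample word list standing in for a real diceware-style list;
# a real list would have around 2048 (11 bits) or 7776 (12.9 bits) entries.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "cloud", "river",
                "pencil", "orbit", "velvet", "anchor", "maple", "ticket"]


def passphrase_bits(wordlist_size: int, n_words: int) -> float:
    """Entropy of n words chosen uniformly at random from a list."""
    return n_words * math.log2(wordlist_size)


def mangled_word_bits(dictionary_size: int, substitutable_letters: int) -> float:
    """Entropy of a dictionary word with optional leet substitutions.

    Assumed attacker model: the base word is one of dictionary_size
    candidates, and each substitutable letter (o->0, e->3, a->4, s->z ...)
    is independently swapped or not, so each adds at most one bit.
    """
    return math.log2(dictionary_size) + substitutable_letters


def crack_time_years(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to exhaust a search space of 2**bits guesses."""
    seconds = 2 ** bits / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


def generate_passphrase(words: list[str], n_words: int = 4) -> str:
    """Pick words with the OS CSPRNG, so the choice is actually random."""
    return " ".join(secrets.choice(words) for _ in range(n_words))


if __name__ == "__main__":
    rate = 1000  # assumed online guessing rate, as in the comic
    weak = mangled_word_bits(65536, 4)    # "l0v3c4tz"-style: word + 4 swaps
    strong = passphrase_bits(2048, 4)     # four words from a 2048-word list
    print(f"mangled word: {weak:.1f} bits, "
          f"{crack_time_years(weak, rate):.4f} years")
    print(f"four words:   {strong:.1f} bits, "
          f"{crack_time_years(strong, rate):.0f} years")
    print("example passphrase:", generate_passphrase(SAMPLE_WORDS))
```

The lesson carried by the numbers is that the passphrase's strength comes from the random choice of words, which is why the generator uses `secrets` rather than letting a human pick "random" words.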

It didn’t take long to figure out something that fit the bill. As it happened, my personal life contained something that was incredibly random, totally unpredictable, and known only to me: the people that I was sleeping with. As a freewheeling libertine, I was bed-hopping with some regularity, frequently switching up partners as new paramours entered the mix and old ones faded away. With my rock-solid memory, I knew all their names and the order in which they’d been introduced to me; I could recite them in order like some kind of avant-garde poem. Creating a password based on their names was the perfect solution to my problem.

Whenever I needed a new password, I’d think back four partners and make a list of their names. Instead of “correct horse battery staple,” I’d have something more like JackJulesJeanetteRoger (not an actual password of mine). Every time I slept with someone new, my password would seamlessly update — I didn’t have to rack my brain for an easy-to-remember, yet incredibly random, word; it had already come to (and, ahem, for) me, easily.

Of course, not all login systems will let you get away with a password made up solely of letters; many require you to use numbers as well. But here, I had a solution, too: rather than muck up my partners’ names by turning Jack into J4ck, I just tacked an easy-to-remember — but, again, seemingly random — number onto the end of my list of names. I’ll let you figure out the source of that number yourself.

For services that required a special character? There, I picked something random, though it was often an exclamation point. What can I say? Strong, secure passwords get me excited.