I’ll be honest, I’ve been wrestling with logins and passwords since I got my first network account at Microsoft in 1988. Back then, you really could get away with a password like ‘Spot123′ because nobody was really trying that hard to get into your account anyway. Unfortunately those days are long-gone and the sheer number of accounts and passwords we need to track has expanded exponentially. I’m a software consultant, which means I’m also responsible for selecting secure passwords for my clients’ assets, and having my admin credentials with a client hacked is a one-way ticket to former-consultant status.
There’s a lot of advice out there about maintaining secure passwords. Enabling two-factor authentication anywhere that you can is a given. Not sharing passwords between resources is also a must-do. So, all we need to do is create up to a few dozen unique, memorable, and hard-to-crack passwords and remember them. Right.
A lot of people go the password-manager route, but as far as I’m concerned that’s just putting all of my most valuable information in a well-known location for the potential bad guy to find. Your password cache is only as secure as your master password and the environment around your password file. To be truly secure (until there’s cheap real-time FMRI technology, anyway) the only safe place to keep data is in your own mind.
So I’ve tried many different schemes for constructing and remembering secure passwords for all of the accounts I’m responsible for. And until I came up with the word-chain method, my efforts were… mediocre at best. I’d generally protect my most important accounts (email, banking, etc.) with unique secure passwords, and everything else would get one of a stable of three or four “throw away” passwords. Yes, I reused passwords. Don’t judge, I was weak.
Another issue was the structure of the passwords I’d use. At one time, the popular wisdom was that short passwords with a mix of letters, numbers, and symbols was the secure way to go. And this was true, up to a point. It turns out that humans are terrible at remembering arbitrary strings of characters but computers are great at guessing them. Who knew. So enter the era of the pass-phrase. String some words together and you end up with BobIsACoolDude-type passwords. These can be pretty secure, but remembering a few dozen unique, unpredictable sequences of words is a tall order. Or is it? Enter the word-chain method.
Let’s say that I was just asked to create a password for my cool-new ice cream shop account. I start with my anchor: ice cream. Then, I do a free-association of the last word of my anchor, and come up with cream cheese. Then cheese doodle, doodle bug, bug life, life buoy, etc.
So now, I have this stream of words:
ice cream cheese doodle bug life bouy
Now that I have my word list, all I have to do is decide how I want to choose a subset of those words for my password. For example, I might start with the first word after my anchor and then skip every other word:
ice cream cheese doodle bug life bouy
Put them together, and salt them with a number and symbol at the end (if required), and we have a pretty hard-to-guess password:
So when it comes time to remember this password, just start with your anchor, and you’ll find that it’s actually pretty easy to remember the steps you took the first time. And every time you do that it actually gets easier to remember until eventually you might not even need to do the full association.
That’s it! Hopefully this will let you come up with some great, secure, and most of all secret passwords. And yes, I’m now well aware that I don’t know how to spell bouy (buoy). But get this: as long as you consistently misspell the word, it really doesn’t matter and actually makes your password that much harder to guess. Enjoy!