A Guide to Secure and Easy to Remember Passwords

Note: the following advice is applicable for a general context where someone only casually cares about their security. If you have more cause to care about security than the average person (i.e., you deal with confidential information, you're a journalist in an authoritarian country, or the Mossad are after you), you will need to be more rigorous. I am posting this because some of my friends wonder how I keep my passwords.

Some things to keep in mind for passwords:
1. Long passwords are good (7 characters minimum, 10-15 is decent) because a computer can try every short password in a reasonable amount of time.
2. Using different types of characters in your password (lowercase, uppercase, numbers, symbols) is good because most people don't use these, so it's harder for a computer to guess a password with special characters.
3. Common passwords (e.g., using "password" in the password) are bad because computers will guess these very quickly.
4. Something that other people could guess is bad because a human could guess it easily (e.g., something related to your personal life or something that could be found out about you online; Sarah Palin famously got her account "hacked" because her security questions were all things that could be found on her Wikipedia page).
5. Using the same password in a bunch of different places is bad because then one website with bad security could compromise the security of ALL of your passwords.
6. Something that you can remember is good because if you write it down, physically or on your computer, someone could get access to it (though this is unlikely unless someone has it in for you).

The way that I choose my passwords to satisfy those requirements is as follows:
1. Choose one part that will be the same in all of your passwords. This part might have a lot of special characters and stuff since you only need to remember it once. For instance, 9Tables%. The point of this part is to make your passwords long, have lots of different characters, not be common, and not be guessable.
2. Have one part that will be different for each website. This should be easy to remember. It's okay if it's predictable -- this part is just so that your passwords for different websites will be different.

Then, my password for gmail might be gmail9Tables%.
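To make rules 1-3 above and the two-part scheme concrete, here is a small checker I have added to this post; it is not the author's code. It scores a password by the size of the space a computer would have to search (length and the kinds of characters used) and flags common words. The three-character-class threshold and the tiny list of common passwords are my own constructed choices for illustration, and the `build_password` function simply joins the per-site part and the fixed part as the scheme describes:

```python
import math
import string

# Constructed sample of common passwords; a real check would use a much
# larger breach-derived list.
COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein", "iloveyou"]

# How many characters an attacker has to try per position for each class.
CLASS_SIZES = {
    "lower": 26,
    "upper": 26,
    "digit": 10,
    "symbol": len(string.punctuation),  # 32 printable ASCII symbols
}


def character_classes(password):
    """Return the set of character classes present in the password."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        elif ch in string.punctuation:
            classes.add("symbol")
    return classes


def search_space_bits(password):
    """Bits an attacker must search if they know only the length and the
    character classes used: log2(pool ** length)."""
    pool = sum(CLASS_SIZES[c] for c in character_classes(password))
    if pool == 0:
        return 0.0
    return len(password) * math.log2(pool)


def contains_common_password(password):
    """Rule 3: a common password embedded anywhere is guessed quickly."""
    low = password.lower()
    return any(common in low for common in COMMON_PASSWORDS)


def check_password(password):
    """Apply rules 1-3; returns a list of problems (empty means it passes).
    The 'at least three classes' threshold is an assumption of this example."""
    problems = []
    if len(password) < 7:
        problems.append("too short (7 characters minimum)")
    elif len(password) < 10:
        problems.append("short (10-15 characters is decent)")
    if len(character_classes(password)) < 3:
        problems.append("use at least three kinds of characters")
    if contains_common_password(password):
        problems.append("contains a common password")
    return problems


def build_password(site, fixed_part):
    """The post's scheme: an easy per-site part plus one fixed strong part."""
    return site + fixed_part


if __name__ == "__main__":
    for site in ("gmail", "facebook"):
        pw = build_password(site, "9Tables%")
        print(pw, round(search_space_bits(pw), 1), "bits", check_password(pw))
    print("password1", check_password("password1"))
```

Running it shows gmail9Tables% at roughly 85 bits of search space with no problems, while password1 is flagged three times (short, only two character classes, contains "password"). The bit count assumes the attacker knows nothing about the structure; as the post notes below, a human who has seen one of these passwords knows the structure, which is the scheme's weak point.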

What will this do?

  • It helps you remember your own passwords
  • It ensures that your password will be long, have special characters, and not just have common words. This means that it will be hard for a computer to guess your password.
  • It ensures that your password isn't easily guessable by a human because they aren't just common things related to you.
  • All of your passwords are different, so if one of your passwords is compromised, a machine won't be able to guess your other passwords.
  • However, if one of your passwords is compromised and a human is actively trying to guess your other passwords, that human would probably be able to guess your other passwords (because they're fairly obviously modular). I don't worry about this because anyone who really has it in for me can find my passwords (e.g., using a video camera while I type my password in). I haven't found a way to solve this problem in a way that keeps your passwords memorable to you (aside from using a tool like a password manager on your computer).

In other words, the strategy that I outlined above is not completely secure, but it's better than using the same password for every website, and I don't know any human that remembers a strong, unique password for every website.

Using software to manage all of your passwords is more secure because it can create a very long very random password for every site, but it is also a little risky (ie, if that software fails, then you lose all of your passwords) and a little annoying (it's harder to login to websites on a different computer).

However, a strong password is only one part of the equation.
Avoid phishing: Most of the time, people get "hacked" socially, not by computers. "Phishing" refers to tricking someone into giving away their personal information, such as a password or a social security number. A reputable website will never ask you for your password over email or over the phone. You should never enter your password except in a login page for the actual website.

Only enter your password in https sites (not http sites), and don't enter your password on funky URLs: You can tell what website you're at by looking at the URL bar (the thing at the top of your web browser). Make sure that your URL is for the actual website. There are three parts of a URL. As an example, let's look at https://login.facebook.com/samking as a URL. The three parts are:
1. The protocol is the part before the ://. In this case, the protocol is https. You should never type your password into a website unless it's https. The "s" stands for "secure," and if a website doesn't have the "s" (i.e., it's just "http"), that means that no matter how secure your password is, someone else can eavesdrop on your internet traffic as if you had typed your password in on their computer.
2. The website's server is everything after the :// and up to the next /. In this case, the server is login.facebook.com (not an actual facebook website). The thing to keep in mind is that the part on the right "owns" everything to its left. In this example, facebook.com owns login.facebook.com, so that's okay. If, however, the website was something like facebook.com.evil.ly, then the website evil.ly owns the website facebook.com.evil.ly, which means that someone who isn't facebook.com can see all of your data. A lot of phishing attacks will have a funky server like facebook.com.usefacebooknow.com, so don't enter your password on funky websites.
3. The stuff after the server (/samking) is the particular page on the website. A server owns all of the pages on its website, so don't worry too much about this.
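The three-part breakdown above can be turned into a check. The following is an example I have added, not code from the post: it splits a URL into protocol, server and page with Python's standard library, then applies the two rules (https only, and the server must be "owned" by a site you trust, reading the name from the right). The `TRUSTED_DOMAINS` set is a constructed assumption standing in for the sites you actually log into, and the "rightmost two labels" owner rule is a simplification (real tooling consults the Public Suffix List so that names like co.uk are handled):

```python
from urllib.parse import urlsplit

# Constructed: the registered domains whose login pages the user trusts.
TRUSTED_DOMAINS = {"facebook.com", "google.com"}


def split_url(url):
    """Return (protocol, server, page) as the three parts described above.
    urlsplit handles tricks like https://facebook.com@evil.ly/ correctly:
    the text before @ is user info, and the real server is evil.ly."""
    parts = urlsplit(url)
    return parts.scheme, parts.hostname or "", parts.path


def server_owned_by(server, domain):
    """True when `domain` is the server itself or a parent of it.
    login.facebook.com is owned by facebook.com; facebook.com.evil.ly is not,
    because only a trailing '.facebook.com' counts, not an embedded one."""
    server = server.lower().rstrip(".")
    domain = domain.lower()
    return server == domain or server.endswith("." + domain)


def owning_domain(server):
    """Who owns the server name: its rightmost two labels (simplified rule)."""
    labels = server.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def password_entry_problems(url):
    """Return the reasons (if any) not to type a password into this URL."""
    problems = []
    scheme, server, _page = split_url(url)
    if scheme != "https":
        problems.append(
            f"protocol is {scheme!r}, not https: traffic can be eavesdropped")
    if not any(server_owned_by(server, d) for d in TRUSTED_DOMAINS):
        problems.append(
            f"server {server!r} is owned by {owning_domain(server)!r}, "
            "which is not a site you trust")
    return problems


if __name__ == "__main__":
    for url in (
        "https://login.facebook.com/samking",
        "http://login.facebook.com/samking",
        "https://facebook.com.evil.ly/login",
        "http://facebook.com.usefacebooknow.com/",
        "https://facebook.com@evil.ly/",
    ):
        print(url, "->", password_entry_problems(url) or "ok")
```

The page part (/samking) is deliberately ignored, as the post says: whoever owns the server owns every page on it, so it tells you nothing extra about where your password is going.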

Don't use other people's computers: if you use someone else's computer or a public computer, it could have software that eavesdrops on your keystrokes (a keylogger), either intentionally (they're malicious) or unintentionally (they have a virus), so if you're extremely security conscious, you would only log in on your own computer.

You should also make sure to scan for viruses on your own computer with software like AVG antivirus.

Use two-factor authentication if you care: If you really want to be secure, you can use two-factor authentication for some services like gmail. The way this works is that if you sign in to gmail on a new computer, it will either text you a code to type in or you can use an app on a smartphone. This way, even if a hacker gets access to your password, they still won't be able to log in because they don't physically have your phone, so they can't enter the extra code. Two-factor is kind of annoying, but I personally find it to be worthwhile since I have so much of my data on my Google account.