Sep 23, '04 10:07:00AM • Contributed by: JKT
- It will be relatively long (the more characters the better)
- It will be relatively random (it should look like gobbledygook and it shouldn't contain sequences of letters that can be found in a dictionary or list of names -- in any language!)
- It will contain both alphanumerics (letters and numbers) and non-alphanumerics
- Most importantly of all: It should be memorable!
[robg adds: Although this isn't specifically an OS X hint, good password security is quite important, so I felt it was worth the space. We ran a very basic hint on this subject back in 2001; the following is a good update to it.]
How can the first three characteristics be reconciled with the fourth? Surely it is too hard to remember something that satisfies all, or even some, of the first three without breaking the fourth ... and this is how we end up with people using "password" as their password. Personally, I find the "I can never remember a long password because it is too hard, so I have to keep it as my pet's / dad's / mother's / etc. name" attitude a tremendous cop-out. Everyone can remember a seemingly complex password, so long as they use a method that lets them do it.
Imagine the following scenario -- you've just received a new PowerBook G4 from your workplace, and you need a password for your Mac OS X FileVault login. It is a given that this password has to be as secure as you can make it, as your new machine can easily be stolen, and it is going to have sensitive information on it such as trade secrets and your workplace's banking details. So how do you generate a difficult-to-crack yet easy-to-remember password? Try one of the following two techniques:
- Tell yourself a story.
"This is my brand spanking new PowerBook G4 - aren't I lucky!"
To generate a password from that, simply take the first letter of each word (it could have been the second, third, fourth letter ... or it could have been the last) and type it out, along with the punctuation you have in the statement:
Almost instantly, you have a pretty good password that only you are going to know ... and in this particular case, it even contains some capitalisation and some non-alphanumerics. Obviously, this requires you to be able to remember the story. Not everyone can do that, so there are variations on a theme for this technique, such as using the lyrics of your favourite song(s), poems, quotes, etc. as the basis for the password(s). Perhaps what you remember best is a smell or taste, the ingredients of your favourite meal, whatever. There is something that you as an individual can remember, and remember easily. Even if it is your pet's / dad's / mother's / etc. name, you can still generate a complex yet memorable password from those names, so long as you use all of them at once and introduce some randomness into the process -- such as using only the last two letters from each, in a combination that ends up looking like gobbledygook.
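As an added example, not code from the original hint, here is the story technique's letter-picking rule in Python. It tokenises the story into words and punctuation runs, takes one letter per word (the first by default, but any position you choose), keeps digits and capitals that follow the chosen letter so that PowerBook G4 survives as PBG4, and copies punctuation through. Applied to the hint's own story it gives TimbsnPBG4-aIl!; the hint's author lowercased the initials of the plain words by hand to get the password shown later on the page, which is simply a different rule, and the only thing that matters is that you pick one rule and stick to it.

```python
import re

# Constructed sample input: the story used in the hint above.
STORY = "This is my brand spanking new PowerBook G4 - aren't I lucky!"


def story_to_password(story: str, position: int = 1) -> str:
    """Turn a memorable sentence into a password.

    From each word take the letter at `position` (1-based; 0 means the last
    letter, and a word shorter than `position` also gives its last letter).
    Digits and capital letters that follow the chosen letter are kept, so
    'PowerBook' -> 'PB' and 'G4' -> 'G4'. Runs of punctuation, whether
    attached to a word ('lucky!') or standing alone ('-'), are copied as-is.
    """
    out = []
    # Tokenise into word runs (letters, digits, apostrophes) and punctuation runs.
    for token in re.findall(r"[\w']+|[^\w\s]+", story):
        letter_at = [i for i, c in enumerate(token) if c.isalpha()]
        if not letter_at:
            out.append(token)  # punctuation run, or a bare number: keep it whole
            continue
        idx = position - 1 if 1 <= position <= len(letter_at) else -1
        i = letter_at[idx]
        extras = "".join(c for c in token[i + 1:] if c.isdigit() or c.isupper())
        out.append(token[i] + extras)
    return "".join(out)


if __name__ == "__main__":
    for pos in (1, 2, 0):
        print(f"position {pos}: {story_to_password(STORY, pos)}")
```

Changing `position` (second letter, last letter) gives a completely different password from the same story, which is the point the hint makes in passing: the story is the secret you remember, the rule is the part you can vary.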
- Use your keyboard.
If the first technique is a non-starter for you, try using your ability to remember a spatial layout. In this instance, it is your keyboard that you will choose as your canvas (and in my case, this is a British QWERTY keyboard). This method has the advantage of generating passwords that you don't even have to remember ... all you need to be able to do is remember how you typed them.
Pick a couple of letters to form the base of your password, and then type a pattern about them. E.g. using the d and k keys as the base, I can type the following:
... simply by starting at the key to the top left of each of the base keys in the hexagon of letters that surrounds them (e in the case of the d key, and i in the case of the k key). Hey presto, an instant "random" password that takes very little to remember. Self-evidently, this technique has huge potential for variation. I could have typed anti-clockwise around one of the base keys and clockwise around the other, started at a different letter in the hexagon, added a third / fourth / fifth base key, held shift down for one of the hexagons, etc., etc.
Using a different keyboard method altogether, I could have picked the first, fifth and seventh alphanumeric key on each row of the keyboard to get:
And so on, and so on -- practically, there is no limit to the combinations of keypresses you can make based on a spatial awareness of your keyboard. You can use these combos to generate secure passwords that are easy to remember.
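An added example, not from the original hint, that models both keyboard techniques in Python. The layout is an assumption: a British QWERTY with four rows, each staggered half a key to the right of the row above, so that the key above-left of d is e and the key above-left of k is i, as the hint describes. The hexagon ring round a base key, the first / fifth / seventh picks from each row, and the shift-plus-number-row wrapping from the tips further down the page are all computed from that model; with the layout as modelled, row_picks((1, 5, 7)) gives the hint's 157qtuagjzbm.

```python
# Assumed layout: British QWERTY, four rows, each staggered so the key
# above-left of a letter is the one at the same column index in the row above.
ROWS = ["1234567890", "qwertyuiop", "asdfghjkl;", "zxcvbnm,./"]
SHIFTED_NUMBERS = '!"£$%^&*()'   # shift + number row on a UK keyboard (US differs at 2 and 3)


def locate(key: str):
    """Row and column of `key` on the modelled layout."""
    for r, row in enumerate(ROWS):
        c = row.find(key)
        if c >= 0:
            return r, c
    raise ValueError(f"{key!r} is not on the modelled layout")


def hexagon(base: str, clockwise: bool = True, start: int = 0) -> str:
    """The six keys surrounding `base`, beginning at the one above-left.

    `start` rotates the starting point round the ring (0 = above-left).
    Keys that fall off the edge of the layout are skipped.
    """
    r, c = locate(base)
    ring = [(r - 1, c), (r - 1, c + 1), (r, c + 1),   # above-left, above-right, right
            (r + 1, c), (r + 1, c - 1), (r, c - 1)]   # below-right, below-left, left
    keys = [ROWS[rr][cc] for rr, cc in ring
            if 0 <= rr < len(ROWS) and 0 <= cc < len(ROWS[rr])]
    if not clockwise:
        keys = keys[:1] + keys[1:][::-1]   # same starting key, opposite direction
    keys = keys[start:] + keys[:start]
    return "".join(keys)


def row_picks(positions=(1, 5, 7)) -> str:
    """The keys at the given 1-based positions of every row, row by row."""
    return "".join(row[p - 1] for row in ROWS for p in positions if p - 1 < len(row))


def shifted_numbers(positions=(1, 5, 7)) -> str:
    """Shift held down over the same positions of the number row."""
    return "".join(SHIFTED_NUMBERS[p - 1] for p in positions)


def add_shifted_punctuation(base: str, positions=(1, 5, 7), front=True, back=True) -> str:
    """The hint's tip: wrap a base password in shift+number-row characters."""
    punct = shifted_numbers(positions)
    return (punct if front else "") + base + (punct if back else "")


if __name__ == "__main__":
    print("hexagons round d and k:", hexagon("d") + hexagon("k"))
    print("anti-clockwise round d:", hexagon("d", clockwise=False))
    print("row picks 1, 5, 7:", row_picks())
    print("wrapped:", add_shifted_punctuation(row_picks()))
```

The model is deliberately the thing the proviso warns about: every function here depends on ROWS and SHIFTED_NUMBERS, so swapping in a different physical layout changes every password the same keystrokes produce.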
Proviso: Obviously, this technique relies on all keyboards being equal. If you need to have a "portable" password (one you can type anywhere on any machine), be aware it will fail if you have to use a radically different keyboard (e.g. a DVORAK keyboard or a keyboard designed for another language). That is, unless you are also able to remember the exact characters of the password, but in that case, you probably wouldn't be using this technique anyway!
Once you have a basic password generated by the above techniques, you can improve it further by introducing some elements of randomness:
- Include some additional punctuation -- e.g. for the last example above, hold down shift and type the first, fifth and seventh number key, and add that to the beginning and/or end of the base to get:
- Capitalise some of the letters (e.g. the most frequently occurring letter, the start and/or end letter of the hexagon, the fifth letter in the row, etc.).
- If you are only using the password on a Mac, you have the added advantage of being able to use the option key to increase the number of non-alphanumerics: hold it down for some or all of the characters as you type. For instance, 157qtuagjzbm can become:
This will hugely increase the difficulty of cracking your password. This tip alone will even improve your pathetic six-letter word, turning it from an easily cracked password into something moderately OK. However, be aware that this will limit you to using the password on Macs only, and it will only work on Macs that have exactly the same keyboard as your own. Be careful with this technique if you do use it.
- Avoid having words or names within your password by altering a letter to something memorable. E.g. timbsnPBG4-ail! has the name tim in it, so change that to t!m to give t!mbsnPBG4-ail! instead.
- Stick some numbers in there -- your age, your mother's age, the year, the date the last time your favourite team actually won something ... anything so long as it is something you can remember.
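An added example, not code from the hint, that turns the tips above into checks in Python: find_words scans a candidate for dictionary words hidden inside it, break_words applies the "alter a letter" tip (the hint's i to !) and re-scans until none remain, and characteristics reports the length and character classes from the checklist at the top of the page. The word list and the substitution table are constructed for the example; a real word list (on a Mac, the contents of /usr/share/dict/words) can be passed in instead. With the constructed list the hint's own example loses both tim and ail, giving t!mbsnPBG4-@il!, whereas the hint's author changed only tim.

```python
# Constructed stand-in for a dictionary; load a real word list into a set for real use.
WORDS = {"tim", "ail", "nail", "tail", "mail", "brand", "book", "password"}

# Constructed substitutions; the hint's example is i -> !. Choose your own and keep them.
SUBSTITUTIONS = {"i": "!", "a": "@", "o": "0", "e": "3", "s": "$"}


def find_words(password: str, words=WORDS, min_len: int = 3):
    """Dictionary words hidden in the password (case-insensitive), as (offset, word)."""
    lowered = password.lower()
    hits = []
    for word in words:
        if len(word) < min_len:   # two-letter 'words' would flag nearly everything
            continue
        start = lowered.find(word)
        while start >= 0:
            hits.append((start, word))
            start = lowered.find(word, start + 1)
    return sorted(hits)


def break_words(password: str, words=WORDS, subs=SUBSTITUTIONS, max_rounds: int = 20) -> str:
    """Swap one letter in each hidden word until no dictionary word remains.

    Each round takes the earliest remaining hit and replaces its first
    substitutable letter, then re-scans, so a substitution that happens to
    form a new word is caught on the next round.
    """
    chars = list(password)
    for _ in range(max_rounds):
        hits = find_words("".join(chars), words)
        if not hits:
            break
        for start, word in hits:
            pos = next((i for i in range(start, start + len(word))
                        if chars[i].lower() in subs), None)
            if pos is not None:
                chars[pos] = subs[chars[pos].lower()]
                break
        else:
            break   # every remaining hit lacks a substitutable letter: leave it to the user
    return "".join(chars)


def characteristics(password: str) -> dict:
    """The hint's checklist: length, character classes present, and hidden words."""
    return {
        "length": len(password),
        "lower": any(c.islower() for c in password),
        "upper": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(not c.isalnum() for c in password),
        "hidden_words": [w for _, w in find_words(password)],
    }


if __name__ == "__main__":
    candidate = "timbsnPBG4-ail!"   # the hint's story password
    print(find_words(candidate))
    hardened = break_words(candidate)
    print(hardened, characteristics(hardened))
```

The re-scan after every swap is the part worth keeping: a single pass over the original hits can leave a word that the first substitution itself created.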
Obviously, if you are using Mac OS X, you can use Keychain Utility, in /Applications -> Utilities, to create notes for all your passwords that will display them once you've entered your master Keychain password -- an added bit of memory for you for those occasions when your brain simply won't work!