Create complex passwords you know & hackers won’t

Fraud & Security / August 4, 2015

I don’t know about you but it’s gotten to the point that I wonder how in the world someone else can hack my password when I have trouble remembering it myself.

When a scare like the Heartbleed Bug happens websites respond by increasing password complexity requirements, making it even more difficult to remember which password goes where – and which one is the one that has the capital letter, and the special character, or the set of numbers. How many of you have paper notes in your desks, wallets, notebooks, wherever, to keep your passwords “safe”?

PC Magazine recently published a list of the worst passwords of 2013. You can read the full article here but here’s the short list:

123456, password, 12345678, qwerty, abc123, adobe123, 111111, 1234567

Anything look familiar? The list was skewed a little bit because of the Adobe breach (and those who used adobe123 as their password), but the simplicity of the passwords above makes them easy to steal. The reason that people use simple passwords is pretty obvious – because they’re easy to remember, and I think all of us realize we should be using more complex passwords. At the end of the day, we’re still left with the same problem: how to remember multiple passwords across multiple platforms without having to resort to writing them all down.

So about six months ago, I tried to figure out what might be a better solution for me to create complex passwords. I didn’t want to use the same password at each site, because if one is compromised, they all are compromised. How could I devise a method to meet all the weird complexity requirements, make it something not easily guessed, but would work across all platforms, yet STILL be unique at each website? Here’s what I’ve come up with, and honestly it works pretty well.

First, you need a number of two, three or four digits that means something to you but can’t be traced back to you. It shouldn’t be your address, birthday, or zip code – nothing current, and really nothing in your past, since in this digital age almost every address you’ve ever lived at as an adult is searchable online. Some ideas are your grandparent’s street address, your basketball jersey number, your PO box in college, the last four digits of your phone number when you were in grade school, or even the model year of your first car. For this blog, I am going to use the example of a football jersey number, 54.

Then you need to decide what characters you’ll replace in your new passwords. If I’d headlined this post with “H0w 3@$y i$ 1t t0 gue$$ y0ur p@$$w0rd?” would you have known what I meant? “H0w 3@$y i$ 1t t0 gue$$ y0ur p@$$w0rd?” means “How easy is it to guess your password?”

Here’s how that works:

  • a=@ The “at” sign on your keyboard, above the number 2.
  • i=! The letter i, regardless of capitalization, is an exclamation mark, above the number 1.
  • o=0 The letter o is a zero.
  • e=3 The letter e is a number 3.
  • s=$ The letter s is a dollar sign.

Now you need to figure out how you want to create your passwords using the web address for the website. I usually use what’s between the www and the .com or .net as long as it’s not too long. For Facebook.com I use facebook. Wellsfargo.com – wells. Merrilllynch.com – merrill.

Once you’ve decided how you’re going to abbreviate your website, you’re ready to start putting the passwords together. You need the number you chose, the character replacement, and the website abbreviation.

Here’s how it works using this system and adding the number I chose above, 54. I added the number to the end, but you can add it to the beginning if you want.

  • My Facebook.com password becomes F@ceb00k54
  • Wellsfargo.com becomes W3ll$54
  • Merrilllynch.com becomes M3rrill54

Here’s why this works so well: The passwords have complexity requirements – a capital letter, a number, and a special character. The passwords are unique at each site – so if your Facebook password gets compromised, no data bot is going to figure out your Wells Fargo password. Best of all, once you come up with your own personal naming convention, you never have to write anything down. It’s in your head and you can pretty much remember every password you need to remember because it’s all right in front of you.
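The whole procedure above (pick a number, apply the character replacements, abbreviate the site, attach the number) as an added worked example in Python. This is not the author’s code; the post describes the method in prose only. The number 54, the site abbreviations and the three requirements named here (a capital letter, a number, a special character) come from the post. The code applies all five replacements from the list, so its results for Facebook and Merrill Lynch differ from the post’s, which left the e in Facebook and the i in Merrill unchanged. The function names, the helper that pulls the label out of a web address, and the eight-character minimum length are this example’s own assumptions, not something the post states.

```python
"""Added worked example of the password-derivation scheme described in the post.

Not the author's code. The substitution table, the personal number 54 and the
site abbreviations are the post's; the function names, the URL-label helper and
the 8-character length floor are assumptions made for this example.
"""
from urllib.parse import urlparse

# The five character replacements listed in the post. Applied case-insensitively,
# so 'A' and 'a' both become '@'; letters not in the table keep their case.
SUBSTITUTIONS = {
    "a": "@",
    "i": "!",
    "o": "0",
    "e": "3",
    "s": "$",
}


def site_label(url: str) -> str:
    """Return the part of a web address between 'www.' and the top-level domain.

    'https://www.facebook.com/login' -> 'facebook'
    'Wellsfargo.com'                 -> 'wellsfargo'
    The post shortens long labels by hand ('wells', 'merrill'); that step is
    left to the caller of derive_password().
    """
    host = (urlparse(url if "//" in url else "//" + url).hostname or "").lower()
    if host.startswith("www."):
        host = host[len("www."):]
    return host.split(".")[0]


def apply_substitutions(word: str, table: dict = SUBSTITUTIONS) -> str:
    """Replace every letter that appears in the table; leave all others as they are."""
    return "".join(table.get(ch.lower(), ch) for ch in word)


def derive_password(abbreviation: str, number: str, number_first: bool = False) -> str:
    """Build a password the way the post does.

    Capitalise the site abbreviation, apply the substitution table, then attach
    the personal number at the end (or at the beginning if number_first is True).
    """
    if not number.isdigit() or not 2 <= len(number) <= 4:
        raise ValueError("the post asks for a two-, three- or four-digit number")
    core = apply_substitutions(abbreviation.capitalize())
    return number + core if number_first else core + number


def meets_requirements(password: str, min_length: int = 8) -> dict:
    """Check the three requirements the post names plus a length floor.

    The post mentions a capital letter, a number and a special character. The
    minimum length is an assumption (8) added for this example; the post does
    not state one. Note that if the abbreviation starts with a letter in the
    table (e.g. 'adobe' -> '@d0b3'), the capital letter is substituted away and
    the 'uppercase' check fails.
    """
    return {
        "uppercase": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "special": any(not c.isalnum() for c in password),
        "length": len(password) >= min_length,
    }


if __name__ == "__main__":
    # The three sites from the post, with the abbreviations the author chose.
    examples = [
        ("facebook.com", "facebook"),
        ("wellsfargo.com", "wells"),
        ("merrilllynch.com", "merrill"),
    ]
    for url, abbrev in examples:
        pw = derive_password(abbrev, "54")
        print(f"{url:18} label={site_label(url):13} abbreviation={abbrev:9} "
              f"-> {pw:12} {meets_requirements(pw)}")
```

Running the file prints each derived password beside its check results. With the full table applied, Facebook comes out as F@c3b00k54 and Merrill Lynch as M3rr!ll54, while Wells Fargo comes out as W3ll$54 exactly as in the post; at seven characters it is the one that falls short of the assumed eight-character floor, which is worth knowing before a site rejects it.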

This may seem a little “techie” at first, but I promise you once you figure out the basics, you’ll have it down pat. Print out the character replacements if you need to – no one is going to know what they’re for, and give it a try. Would love your feedback – is it working for you?

Anne