How to Choose & Remember Strong Passwords

We are encouraged to use strong passwords to avoid our online accounts being hacked.  We are also told that it is best not to use the same password for different online accounts.  If your Sony account got hacked, then it is bad enough if the same password gives them access to your Amazon account … but it is worse if it lets them into your online bank account.

Whilst, as an IT consultant, I regularly have 30+ passwords in my head (OK I admit, I’m a bit weird like that LOL), the truth is that most people struggle to remember more than one.  In this post I hope to give you a few ideas about how to have different, strong passwords for each account and still know which one you used.

What is a Strong Password?

A strong password is one that is difficult for anyone to guess (even someone who knows you well).  It should involve the following:

  • At least 8 characters in total.
  • At least 1 uppercase character.
  • At least 1 lowercase character.
  • At least 1 number.
  • At least one symbol, e.g. @, #, _, $, (, ), *.

But you should avoid the following:

  • Single words from the dictionary such as catnip, but 2 random words combined are better, e.g. catpickle (N.B. I am not recommending pickling cats).
  • Any reference to your date of birth, wedding anniversary or those belonging to your family.
  • Names of relatives or pets.
  • Anything else that would be obvious from your social media posts (Twitter, Facebook, etc.)

How to Choose a Strong Password?

First choose a base word.  This could be something random such as the catpickle example above – but that’s a bit difficult to remember.  Try to find something that is meaningful to you but won’t be too obvious to anyone else:

  • A dog lover could use Great Dane … unless it is the breed of your own dog, as that would be too easily guessed.
  • A Star Wars fan could choose Jek Porkins … but not Han Solo (too obvious).
  • A gardener could choose leatherjacket … memorable if they’re damaging your lawn.
  • If you met your wife by the Trevi Fountain, you could use that … unless you have announced that to the world on Facebook.

Next adjust it so that it becomes more secure.  Here are some suggestions on how to adjust it:

  • Substitute vowels with numbers:
    • a becomes 4
    • e becomes 3
    • i becomes 1
    • o becomes 0
  • Or substitute letters with symbols:
    • a becomes @
    • o becomes *
    • s becomes $
  • Remove spaces or replace them with underscores (_).
  • Add symbols such as #, *, $ or numbers to the start or end of your base word.

Here are some examples of how to convert a base word using the 4 samples above:

  • Example 1: Replace vowels with numbers and add a hash (#) at the end – this may look unfamiliar at first but it’s amazing how quickly you get used to it:
    • Great Dane becomes Gr34tD4n3#.
    • Jek Porkins becomes J3kP0rk1ns#.
    • Leatherjacket becomes L34th3rJ4ck3t#.
    • Trevi Fountain becomes Tr3v1F0unt41n#.
  • Example 2: Add an underscore between words & add a number at the end.  Hint: choose a meaningful number but not your birthday or anniversary.  How about the year you won a trophy at school or got a promotion at work, e.g. (19)92:
    • Great Dane becomes Great_Dane92.
    • Jek Porkins becomes Jek_Porkins92.
    • Leatherjacket becomes Leather_Jacket92.
    • Trevi Fountain becomes Trevi_Fountain92.

There are plenty of variations of the above adjustments. The main thing is to choose a pattern that you will remember and use it consistently.

How To Have a Different Strong Password for Each Website

Add part of the company or website name into the password.  Using the Great Dane examples above, here is how to adjust Gr34tD4n3# or Great_Dane92 to a different password for each site.

Pattern A: Add the first 3 letters of the company/website name to the end of the password:

  • For Amazon use Gr34tD4n3#ama or Great_Dane92ama.
  • For Facebook use Gr34tD4n3#fac or Great_Dane92fac.
  • For Sony use Gr34tD4n3#son or Great_Dane92son.

Pattern B: Add the first 2 letters of the company/website name to the start of the password in brackets:

  • For Amazon use (am)Gr34tD4n3# or (am)Great_Dane92.
  • For Facebook use (fa)Gr34tD4n3# or (fa)Great_Dane92.
  • For Sony use (so)Gr34tD4n3# or (so)Great_Dane92.

The main thing is to be consistent with the pattern you choose, otherwise you will never remember your password.  Don’t use pattern A for some passwords and pattern B for others – you will struggle to recall which one you used for which site.

For online banking it is best to use a separate base word you have not used on any other site.
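
The steps above as an added Python example (not part of the original post): it applies Example 1 or Example 2 to a base phrase, adds the site letters with Pattern A or Pattern B, and checks the result against the strength checklist.  The function names are illustrative, and "symbol" is assumed to mean any ASCII punctuation character.

```python
import string

# Substitution table from the page's "substitute vowels with numbers" list.
VOWEL_TO_DIGIT = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0"})
SYMBOLS = set(string.punctuation)  # assumption: any ASCII punctuation counts


def example1(base_phrase: str, suffix: str = "#") -> str:
    """Page's Example 1: drop spaces, swap a/e/i/o for 4/3/1/0, append '#'.

    Only lowercase vowels are swapped, so initial capitals survive.
    """
    return base_phrase.replace(" ", "").translate(VOWEL_TO_DIGIT) + suffix


def example2(base_phrase: str, number: str = "92") -> str:
    """Page's Example 2: underscores between words, memorable number at end."""
    return "_".join(base_phrase.split()) + number


def pattern_a(password: str, site: str) -> str:
    """Pattern A: first 3 letters of the site name appended."""
    return password + site[:3].lower()


def pattern_b(password: str, site: str) -> str:
    """Pattern B: first 2 letters of the site name, in brackets, prepended."""
    return f"({site[:2].lower()}){password}"


def unmet_rules(password: str) -> list[str]:
    """Return the items of the page's strength checklist the password fails."""
    checks = {
        "at least 8 characters": len(password) >= 8,
        "an uppercase character": any(c.isupper() for c in password),
        "a lowercase character": any(c.islower() for c in password),
        "a number": any(c.isdigit() for c in password),
        "a symbol": any(c in SYMBOLS for c in password),
    }
    return [rule for rule, ok in checks.items() if not ok]


if __name__ == "__main__":
    for site in ("Amazon", "Facebook", "Sony"):
        for pw in (pattern_a(example1("Great Dane"), site),
                   pattern_b(example2("Great Dane"), site)):
            print(f"{site:9} {pw:18} unmet: {unmet_rules(pw) or 'none'}")
```

A plain base word such as catpickle fails three of the five checklist items, while every adjusted password in the post's examples passes all five.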

Using an Aide Mémoire

It is a good idea to write down a hint to help you remember what pattern you used for your password.  This is best done on paper and stored somewhere safe:

  • You could remind yourself that you used Great Dane with the initials GD, or Leatherjacket with LJ, or Trevi Fountain with Proposal.
  • Trophy or promotion could remind you that you used 92 as the number.
  • Vowels could remind you that you swapped vowels for numbers.

Get Safe Online has published some helpful advice on passwords.