Three Steps to Creating Strong Passwords

“I never forget my passwords.” “My passwords are unique to each of my logins.” “My passwords are virtually impossible to hack.” By the end of this column, you will be able to say these things with confidence.

Passwords are the keys to your information. If you lose your key, you are locked out. If someone acquires your key, they have access to your information. Sometimes it is convenient to have a single key to all your locks, but if someone obtains a copy of your key, they have access to all your information. That’s why it is important to have unique keys to each of your locks. If one is “lost,” the other doors are safe.

Current studies indicate 55 percent of users use the same passwords for most or all of the sites they visit, and 26 percent of all users use common passwords such as birthdays, names, or familiar places. This makes things easy for thieves, and once they have your password, they essentially are you, at least digitally.

So, you need a password that is unique to each website, impossible to guess, and easy to remember. It’s not as tough as it sounds. Here’s how to build your own password from three elements.

1. A unique, reusable pass phrase

To begin, think of a “pass phrase,” something unique to you that is easy to remember, such as “Because you’re mine, I walk the line.” We will use this pass phrase as part of our scheme for all passwords, and it will be the only thing you need to memorize. A pass phrase yields the same kinds of characters as a normal password (letters, numbers, special characters), but the phrase it stands for is much longer than the password itself. From “Because you’re mine, I walk the line,” you could take the first letter of each word (substituting a digit or symbol for some of them) and make something like: B4m!wtl. You could practically say it while you type it, and it wouldn’t make sense to the person beside you.

This becomes your root element and should be committed to memory, so make the phrase something meaningful to you. You will find that it is not difficult to remember after a few uses.

2. An element unique to each login

The second element of our password comes from the site you are logging in to. Once a method is chosen, you should remain consistent about it from site to site. You might pull the letters from the URL, or from the title, or from a phrase in your head that symbolizes the site to you.

In this example, we will pull the last three letters from the host name in the URL. When logging in to Gmail, our element would be “ail.” To make it less conspicuous, you may want to shuffle those letters. However you do it, be consistent from site to site. For our example, we will reverse the letters, making our second element “lia.”

Our password for Gmail now becomes:


3. Something unique to you

Your final element should be something unique to you. You might choose to add a string that is meaningful to you, such as a date or set of symbols. You may choose to add a revision number for passwords that must be periodically changed. For this example we will add an age, “29 years old,” making our final password:


The estimated crack time for this password by a desktop PC is approximately 157 billion years!

So for YouTube, our password would become:


Using our example for Yahoo, our password would become:


You may string the elements together in whatever combination makes the most sense to you. You may choose to use the root element last, or in the middle. The example above is by no means exhaustive.
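The three steps above are a mechanical procedure, so here is an added worked example that carries them through in code. It is illustration code written for this page, not something from the column or its authors. It assumes the elements are joined in the order root + site element + personal element (the column leaves the ordering to you) and that the personal element is the digits “29” from the “29 years old” example; the site names are chosen to match the column’s Gmail, YouTube and Yahoo examples. The last function is the check a practitioner wants before adopting such a scheme: it shows what two derived passwords have in common, which is the point of the caveat raised in the comments.

```python
"""Worked example of the three-element password scheme (added illustration).

Assumptions (not stated in the column): elements are concatenated as
root + site element + personal element, and the personal element is "29".
"""
from urllib.parse import urlsplit

# Step 1: root element derived from "Because you're mine, I walk the line",
# exactly as the column gives it.
ROOT = "B4m!wtl"
# Step 3: personal element; assumed to be the digits of the "29 years old" example.
PERSONAL = "29"


def site_element(url_or_host: str) -> str:
    """Step 2 as the column describes it: last three letters of the host
    name, then reversed (gmail -> ail -> lia)."""
    text = url_or_host.lower()
    # urlsplit only finds a hostname when a scheme is present; fall back
    # to treating the whole input as a bare host name.
    host = urlsplit(text).hostname or text
    labels = [lbl for lbl in host.split(".") if lbl and lbl != "www"]
    name = labels[0]
    return name[-3:][::-1]


def build_password(site: str, root: str = ROOT, personal: str = PERSONAL) -> str:
    """Assemble the three elements in the assumed order."""
    return f"{root}{site_element(site)}{personal}"


def shared_pattern(pw_a: str, pw_b: str) -> str:
    """Longest common substring of two derived passwords.

    Because the root and personal elements are fixed, any two passwords from
    the scheme share them verbatim. If two sites ever store or expose your
    passwords in plain text, this is what a side-by-side comparison reveals,
    so the scheme's strength rests on the root never appearing in a breach.
    """
    best = ""
    for i in range(len(pw_a)):
        for j in range(i + 1, len(pw_a) + 1):
            chunk = pw_a[i:j]
            if len(chunk) > len(best) and chunk in pw_b:
                best = chunk
    return best


if __name__ == "__main__":
    for site in ("https://gmail.com", "youtube.com", "yahoo.com"):
        print(f"{site:20} -> {build_password(site)}")
    gmail, youtube = build_password("gmail.com"), build_password("youtube.com")
    print("shared across two sites:", shared_pattern(gmail, youtube))
```

Running the script prints one derived password per site and then the substring the Gmail and YouTube passwords have in common, which is the entire root. That visible overlap is why a per-site random password from a password manager is the stronger choice wherever a site lets you use one, and why, if you do use a scheme like this, the root should never be reused for accounts you share with others.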

Create different schemes for passwords that you share with your family or friends. Create different schemes for work, recreation, or critical passwords. The key is to find something unique to you.

Find a pattern that fits you and you will never forget it.

Mark Warren and Joe Anderson work in LBMC Security & Risk Services, a member of The LBMC Family of Companies, service provider for information security.

Comments (4)
has anyone considered retinal scan or fingerprinting?
Posted by aet1000 | Tuesday, April 29 2014 at 12:59PM ET
Not all web providers allow such complicated passwords.
Posted by aet1000 | Tuesday, April 29 2014 at 12:58PM ET
If passwords are not encrypted during transmission, it makes no difference how secure you might think they are, they are as open as this schema. To prevent casual snooping and sniffing, you can superencipher the data inside an encrypted pathway, such as the ubiquitous but still quite weak Virtual Privacy Network, and then encrypt within very sensitive data and passwords and it'll still only take NSA a couple nanoseconds longer to break.
Posted by EnrolledAgent | Tuesday, April 29 2014 at 12:30PM ET
One caveat to using a password system like this: although it may take computers 157 billion years to crack your password, it would not take a human that long to figure it out if your system isn't sufficiently complex. Computers are dumb and horrible at pattern recognition. Say, for example, just two websites store your passwords as plain text (they're low-security, low-value targets). If a hacker gained access to these two passwords, they may very well be able to recognize a pattern just by looking at them side by side (hackers have most certainly heard of this sort of password system). Now that the hacker is aware you use a system, they can access high-value targets like banking.

The best password is one you can't remember. There are a few different internet-based (and some that are not internet-based) password managers out there (each has its strengths and weaknesses) that can generate random passwords for you. The benefits of a password manager are that it is accessible anywhere and it will auto-log you into your websites once you are signed into the password manager service.
Posted by DFisher | Monday, April 28 2014 at 3:07PM ET