Our friends over at Gizmodo have arbitrarily decided that February 1st is going to be "Change Your Password Day." In blog solidarity and celebration of this made up (but very constructive) holiday, we're going to show you how to turn your terrible password (admit it, it's terrible) into a great and secure password in just 3 steps.
First, let's talk about the reason "Change Your Password Day" exists. Most people have terrible passwords; passwords that are easy to guess and ridiculously quick for smart bots to hack. And most people use that same terrible password for all of their accounts, which can turn a small security breach into a big one.

But that's not even the worst part. The real issue is most of "these people" (that's you, dear reader) know their passwords are awful, and just decide not to change them. Maybe it's because secure passwords are harder for you to remember, or that you might struggle to stay organized with a different password on each site.
But there's hope! With three small changes, you can turn your bad password into a few really good ones. It's like password rehab.
You just need to start with your terrible password. We're going to use "princess," one of the most popular passwords worldwide.
1. Switch letters to numbers and symbols. Adding numbers or symbols is the easiest way to beef up the security of your password. But be aware that adding "1" to the end isn't going to cut it. It's always better to use numbers in the middle of your password than at the end. If you need some help, use this Leet Speak (L337 $P34|<) converter, which does all the work for you.
BEFORE: princess
AFTER: pr1n(3$$
2. Add the site's info. Remember how it's best to use different login information for each site you use? That doesn't mean you need to commit 8972435 different passwords to memory. Just add a memorable site-specific cue to the beginning or end of your new base password. Keep style consistent; use the same sentence case for each.
BEFORE: pr1n(3$$
AFTER: pr1n(3$$aT (for Apartment Therapy), pr1n(3$$fB (for Facebook), pr1n(3$$dOrA (for Pandora)
3. Add an expiration date. Don't you hate how some sites require you to reset your password every month? It's annoying, sure, but it's also great for your online security. If you need to change your password every month or quarter or year, include a cue in your password, like an expiration date.
BEFORE: pr1n(3$$
AFTER: pr1n(3$$02/12 (for February's password), pr1n(3$$03/12 (for March's password)
Wasn't that easy? Each of the "after" passwords is (rough calculation) a bajillion times more secure than "princess1" and not hard to remember. Try it at home with your own passwords, then tell us your new and improved password in the comments!
(Totally kidding, guys. Please don't do that.)
(Images: Tess Wilson, Mike Tyson)

it's "constructive" ;)
Just using three ordinary words in series is far more secure and far easier to recall than a jumble of letters, numbers and symbols. See here: http://www.baekdal.com/insights/password-security-usability
Ewww... clean that grody keyboard while you're at it!
ok -- not to be paranoid, but I tried the site to LeetSpeak and it made up a password for me with my birthdate in it -- how did it do that when I didn't use that info? Have I just given my password to a bad site? jeez --
I work in IT, and wanted to point out that common translations of letters to numbers/symbols are probably the most basic trick in the book and therefore provide not much additional security. Believe me, hacking tools take those into account. Many administrators recommend using digits and numbers but it's really a common fallacy to assume it provides much better security. It does not.
A much better method is to go for a long password. If you compose it of a random combination of words, to the hacking tools it's as good as random and increases the computational complexity to the point where the hacker will probably just move on to the next potential victim, but to you, it's a funny phrase you can easily remember e.g. cat10toestickle1noseatishoo
For the actual calculations for complexity and a great explanation, refer to http://xkcd.com/936/
Using a different password for each site is a great idea though =)
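The article's three steps and the objection raised in the comment above can be put to a concrete test with a small recipe-aware strength estimator. This is an added example, not code from the original post or its commenters: it strips a digit or MM/YY suffix, reverses the leet substitutions, peels off a short site cue, and counts guesses the way a cracker that knows the recipe would, for comparison with the naive character-class estimate most strength meters give. The word list, the 2048-word attacker dictionary (11 bits per word, the xkcd figure) and the "each substituted character doubles the search" model are assumptions.

```python
import math, re, string

# Constructed word list standing in for a cracker's dictionary/leaked-password list.
WORDS = {"princess", "password", "uncle", "baby", "truck", "site", "numb",
         "tickle", "ferret", "fava", "beans", "fast"}
DICT_BITS = 11  # assumed: attacker tries a 2048-word list, so one word costs 11 bits
# Reverse of the substitutions a leet converter applies.
UNLEET = [("|<", "k"), ("1", "i"), ("3", "e"), ("4", "a"), ("0", "o"),
          ("$", "s"), ("5", "s"), ("(", "c"), ("@", "a"), ("7", "t")]
SUFFIX_RE = re.compile(r"(\d{2}/\d{2}|\d{1,4})$")  # MM/YY date cue or trailing digits

def brute_force_bits(pw):
    """Log2 guesses for an attacker who knows only which character classes appear."""
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation]
    size = sum(len(c) for c in classes if any(ch in c for ch in pw))
    return round(len(pw) * math.log2(size), 1) if size else 0.0

def unleet(s):
    """Map leetspeak back to letters; also return how many characters were substituted."""
    changed = 0
    for sym, letter in UNLEET:
        changed += s.count(sym)
        s = s.replace(sym, letter)
    return s.lower(), changed

def segment(s):
    """Greedy longest-match split into dictionary words; None if any piece is unknown."""
    if not s:
        return []
    hit = next((w for w in sorted(WORDS, key=len, reverse=True) if s.startswith(w)), None)
    rest = segment(s[len(hit):]) if hit else None
    return None if rest is None else [hit] + rest

def guess_bits(pw):
    """Log2 guesses for an attacker who knows the recipe: word(s) + leet + site cue + suffix."""
    suffix = (SUFFIX_RE.search(pw) or [""])[0]
    base, leet_changed = unleet(pw[:len(pw) - len(suffix)])
    words = segment(base)
    if words:                                   # passphrase: one list lookup per word
        bits = len(words) * DICT_BITS
    else:                                       # one dictionary word plus a short site cue
        hit = next((w for w in WORDS if base.startswith(w) and base[len(w):].isalpha()
                    and len(base) - len(w) <= 4), None)
        if hit is None:
            return brute_force_bits(pw)         # no known pattern: fall back to brute force
        bits = DICT_BITS + (len(base) - len(hit)) * math.log2(26)
    bits += leet_changed                        # assume each leet'd char doubles the search
    if suffix:                                  # 12 months x 100 years, or 10 per digit
        bits += math.log2(1200) if "/" in suffix else len(suffix) * math.log2(10)
    return round(bits, 1)
```

Under this model "pr1n(3$$aT" looks like 65.5 bits to a character-class meter but only about 25 bits to an attacker who knows the recipe, while the all-lowercase "unclebabytrucksitenumbtickle" still costs 66 bits even when the attacker knows it is six dictionary words.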
I was prompted by this to document a variation on my own method, which I believe is considerably more secure and just as easy to remember and use:
http://mrsean2k.wordpress.com/2012/01/30/secure-your-passwords-on-a-post-it/
Self-correction to previous comment -
1) Using digits and numbers does not provide better security if used the way suggested in the article (l33tspeak). Think about it, if you can convert something to l33tspeak using a widely available script, don't you think hacking tools will easily be able to do the same? If it's truly random, then yes.
2) Yes, having a password for each site is a great idea, but please *don't* do it the way suggested in this article. It is too obvious. fB for Facebook? aT for Apartment Therapy? A good password hacking tool would bash that to pieces.
Apologies to the poster, but this is a badly researched article about technology on a site that does not deal with technology, so please guys, just go to the Gizmodo link in the article if you want to educate yourself about secure passwords. All the same I would have not pointed it out of politeness, save for the fact that people are likely to act on the bad advice provided.
As mentioned, just use the longest string of pseudo random words you can. If not that, use something like keepass. The fact is almost no one is going to remember a large number of passwords of any real length without them either being human readable, or using a storage system. If you don't want to use something like keepass then having 15 or so words you use in random combinations with a good length will be very secure, and easy to read.
pr1n(3$$aT
is a much worse password than
unclebabytrucksitenumbtickle
despite only using alphas, because length trumps diversity.
GTK about length, which is why sites that limit the length of passwords bug me.
I find it helps a bit to have a system to make up word combinations that make no sense, but that jiggles your memory for you.
For instance, one system might be to say all my passwords will have a mammal, a vegetable, and an adverb in it. Then connect the words in some way to the site, such as having the same first letter.
So for facebook, the password might be ferretfavabeansfast
It's not the *safest* system in the world, since if someone got their hands on multiple accounts/passwords they would eventually figure it out, but the likelihood is reaaaally small and in the meantime you are safer than using just leetspeak, which as pointed out, is already in most password tools. And it's much easier to remember than a completely random string.
@irry
i was going to paste the same xkcd. great way to teach why it works, and to create a mnemonic device about the random string of words.
i need to revise my password, although it is decent. i was making an account for a site the other day and it has to have the letters, caps, numbers, symbols and be longer than normal. so it made me revise MY normal password i use...which means i need a new normal. And no, i am not going to be making a new password for each site.
On that thought too. If you were going to use that naming system it isn't going to help you remember them much if you don't have a proper system of doing so. To use "fb" for facebook, and "at" for apartment therapy, but then to say use "dora" for pandora, that no longer follows your own system you made, and really will not help you. Easy fix, don't make your passwords with the site names in it. Most will even restrict from using anything remotely close to their name or initials.
XKCD for the win!
And we hate sites that require us to reset our passwords, not rest them.
My brother uses phrases from obscure poetry he likes. I love this idea, though I'd maybe add some random characters and caps along the way.
I just use 1password, though. Every password generated is strong, unique and impossible to remember. I just have to make sure nothing happens to the program.
One day all pc devices will be equipped with either finger print or facial recognition technology, and all this password craziness will be obsolete.
Like Dulcibella, I also use 1Password. I've switched over 90% of my passwords to much more secure, and longer, ones. It's nice to have 20 digit, random passwords for services that have my banking information (i.e. PayPal, Amazon, Ebay, etc.).
Also, it's backed up every hour over Dropbox, both for redundancy and for syncing with the iOS app.
@Irry, you beat me to it! That XKCD comic was the first thing I thought of when I read this.
I have weak passwords and strong passwords, depending on the need. I don't need to iron clad my AT password for example, (what is a hacker going to do, steal design ideas), but I do need strong passwords for financial situations.
I understand it is recommended to have a 12 digit password with upper and lower case letters and numbers. I found a chart on the web that said there are 7 levels of password breaking. In level 1, it will take over 100 years to break a password as described above. It will take a level 7 password breaker about three hours and change to break the same password.
I don't know if we can ever be really safe. How many passwords breakers at level 7 do you suppose China has?
I have a fairly weak password that I've used for things for years, as well as a matching log in ID... I don't use it on anything that I need to stay secure that I may hardly ever use, but I'm not going to create a million passwords for every website, blog, news site, etc that I might want to log in and leave a comment on.
I know I am splitting hairs.
It's characters (letters), digits (numbers), and symbols (!@#$).
Or alpha for letters.
Random combination of several simple words has been shown to be more secure, as well as easier to remember. At least, that's what I've been reading.
i'm not a techie so when i first read this article, it was truly helpful for me since my work pc requires me to change my password monthly and it's getting to be really hard coming up with (1) something unique (2) that meets the password strength requirement (3) that i'll remember and (4) can type easily every time the computer automatically locks up.
so thank you!
Thank you for the reminder!
Although my issue usually is the number of passwords I have to remember: home PC, email inboxes, online banking, work PC, work finance system, various secured spreadsheets, work stationery website, work toners ordering website, not to mention the various travel companies we use. Must be between 15-20 passwords; employers don't give us admin folks enough credit. ;)
i know IT people will be up in arms about this but... all my online accounts have one password.
i have lost permanent access to three email accounts, bebo-myspace-twitter accounts (hence FB) and two internet banking re-sets because i had different passwords each time. it is only changed when my online banking account requires me to update it. then the rest of my online accounts are gradually updated.
I learned somewhere (Lifehacker, maybe?) the trick to pick an easy to remember password, and then move my hands one set of keys to the right (or left, your choice) before typing.
Example:
milliondollarsmile = ,o;;opmfp;;std,o;r
Pretty hard to guess that. Tack a number on the end if it's required (the date tip in this article would work).
My biggest peeve about passwords is sites that won't let you use symbols.
I learned somewhere (Lifehacker, maybe?) the trick to pick an easy to remember password, and then move my hands one set of keys to the right (or left, your choice) before typing.
God, I did that for an important password, and then had to get my husband to access the account with me on the phone to him. Without a keyboard in front of me, I was completely unable to tell him what the password was. Fail.
I use car models and associate the brand with different sites. So let's, for argument's sake, say I'm associating Ford with AT. My password might be something like 2001.8RScf84 which means...
The association is with an RS200
Which has a base model with a 1.8L engine
Made by ford
it's a coupe
and the year it was first manufactured was 1984
Thirteen characters is usually a reasonable quantity for a password. So if you're good with word association and have something you're a bit geeky about this can be a fun way of saving your passwords in your head!
As a cyberpunk lover, I really hate seeing "leet speak" in the same sentence as "princess as a password". What is the world coming to?
PS: Then again, Bruce Sterling said once that if it is on Wired's cover today, it'll be on teenage girls' t-shirts in fifteen years.
I just don't use vowels so Wisteria Lane 290 becomes Wstr Ln 290 (or using the author's example: prncss1) that way it has upper and lower case letters and numbers which should make for a pretty safe password.
@qfiffle
I've had to do that. Just tell them the word, but one key to the right. Using my previous example, tell them, "My password is milliondollarsmile, all one word, all lowercase. But type each key to the right. So, instead of M, type the key next to it. Repeat for all of the letters."
Kind of a long explanation, but it works.