In my previous blog post, I discussed the updated password guidelines issued by the National Institute for Standards and Technology (NIST). The new guidelines focus on password length rather than complexity, encouraging the use of passphrases consisting of random words strung together that are difficult for computers to guess but are easy for humans to remember.
Password researcher Lorrie Cranor created a fabric that artistically displays the most common passwords, as exposed by data breaches. Photo Credit: Lorrie Faith Cranor
In this post, we’ll discuss how to actually do that, based on the guidelines in this NIST blog post. Equally important, we’ll discuss how to create different passphrases across different websites/apps that you can actually remember.
The first step in creating a good passphrase is to leverage your powers of association.
While humans aren’t necessarily very good at memorizing, they are very good at remembering by association. It’s very easy to remember lyrics to your favorite song, for instance, because you associate the words with a melody. (Thank you, Schoolhouse Rock, for helping me memorize the Preamble to the Constitution!) You wouldn’t necessarily want to use popular song lyrics as your passphrase, because those word combinations are known to other people, but the same principle applies. Don’t use words that other people can easily associate with you, however, such as your children’s names, your mother’s maiden name, or pet names.
The second step is to make the associations unique to you.
A passphrase can consist of any string of random words, as long as they are meaningful to you. For instance, if I create a list of the grocery stores near my house in a clockwise circle, I come up with HarrisTeeterTraderJoesWholeFoodsSafeway. That’s a passphrase that’s unique to me and easy for me to remember, but not easy for someone else (or a computer) to guess. And at 39 characters, it is nice and long (and has some capital letters thrown in for good measure.) Shoot for a minimum password length of 25 characters when possible (see the exception below).
The third step is to create a picture in your mind.
Make your passphrase a picture in your mind and it will be easy to remember. Other ideas:
- Line up 4 random objects on your coffee table and take a mental “picture” of your passphrase: flowers + TV remote + glasses + iphone
- Identify several landmarks you see every day on your way to or from work. Imagine yourself seeing them en route: church + stop sign + football field + fire station
- Write a list of your favorite dishes at a local restaurant. Picture them sitting on the table: pepperoni pizza + garlic bread + antipasto salad
- Your favorite Star Wars characters: darth vader + chewbacca + jabba the hutt
It probably goes without saying, but don’t use the exact passphrases listed above, now that they’ve been posted on the Internet, but you get the idea!
So now you have come up with your perfect passphrase, but you are stymied by recommendation that you not reuse your passphrase across websites. One option is to use a password manager, which will encrypt and store your passwords and even auto-generate new passwords for you when you sign up for different websites. But if you don’t want to go down that route (or even if you do), the key to creating unique passphrases across websites that are to easy to remember is decide upon your “core password” and then establish a system or nomenclature (unique to you) that allows you to tweak the core password across websites.
Let’s demonstrate how this works.
Suppose you want to create a password for Reuters.com. Decide upon a naming convention that you will use across websites to tweak your core passphrase and use it consistently across websites. For instance, you might decide to use the first 3 letters of a website domain and add them to your password. So, if your core password is yellowdogredconvertible, you might tweak it for the Reuters website to be yellowdogREUredconvertible. For Instagram, yellowdogINSredconvertible. The exact system you use doesn’t matter – you could just as easily use the first and last characters of a website domain name and append them to the end of the password with an exclamation point, making it yellowdogredconvertibleRS! Or yellowdogredconvertibleIM! Or add them at the beginning and include a number. What matters is that you are consistent in your system, so that any time you go to a new website you can rely on your system to remember your password.
The only caveat is that you may occasionally come across websites that fly in the face of best practice and impose a maximum password length, such as 16 characters, and/or don’t allow special characters (I’m looking at you, Verizon and the Wall Street Journal). You’ll want to create a shortened passphrase and naming convention for those sites. These websites should at least allow you to use at least a mix of capital/lowercase letters and numbers, so remember that when creating your shortened passphrase. But according to the new NIST guidelines, longer is always better (up to 64 characters), so take that into consideration unless a maximum password length is specifically imposted.
Finally, have some fun with this process! Taking a few minutes to decide upon a passphrase and establish a consistent naming convention across websites doesn’t have to be a drag. Invest a few minutes today, and enjoy the peace of mind that comes from knowing your private information is more secure than it was yesterday.
Susan M. Bearden is an education technology consultant for the Future of Privacy Forum and the Chief Innovation Officer for the Consortium for School Networking. She was previously the Senior Education Pioneers Fellow at the U.S. Department of Education’s Office of Educational Technology in 2015-2016, and the Director of Information Technology at Holy Trinity Episcopal Academy in Melbourne, Florida.
Header Image: “Hacker Hacking Password With Magnifying Glass and Binary” by Mike Corbett is licensed under CC BY 2.0. For more images like this, visit https://bitsfrombytes.com/.
