WHETHER WE LIKE THEM OR not, passwords have become a part of our everyday lives. We need them to unlock our cell phones and computers, access cash from ATMs, and stream movies from Netflix.
The average American is going to have somewhere between ten and twenty mission-critical accounts at various points in his or her life, whether they’re email, banking websites, social media, or credit cards. You need a unique strong password for every one of them. When I make this comment during my presentations, most people in the audience give me a look that says, That’s too hard. If you think that’s difficult, just wait until I tell you what a good password is.
Before we get into how to set up a secure, strong password, let’s discuss what a bad password would be. My son Aidan was born in 2002 and his brother Quinn came along in 2005. Do you think I’ve ever used the passwords “Aidan2002” and “Quinn2005”? I have. They were easy to remember and at least I was using two passwords instead of one.
Then I came up with a third password that nobody could possibly ever guess; it included my initials, my wife’s initials, and the date of our anniversary. As someone who used three passwords for everything, I’m guessing I was probably doing better than 95 percent of the U.S. population—but it still wasn’t nearly enough to prevent cybercriminals from hacking my accounts.
Think about your passwords for a second. How many passwords do you use for multiple platforms? I’m guessing they’re all probably the same (or a slight variation of each other), and I bet they’re related to significant things in your life, such as your children, birthdays, anniversaries, pets, or hometown. I hate to tell you this, but those are absolutely terrible passwords, and I was as guilty as anyone of using them.
In my opinion, a strong password is typically at least twelve characters in length and must contain upper- and lowercase letters, numbers, and at least one special character. If you want a really great password, make it fifteen characters. And, to make it even more unique, a password shouldn’t contain any words that you can find in a dictionary.
Now, many members of the techie community might argue that twelve characters isn’t enough and that strong passwords should be fifteen, twenty, or even twenty-five characters long because of threats like brute-force attacks (trial-and-error tools used by criminals that use automated software to generate a massive number of consecutive guesses) and dictionary attacks (an automated attack that uses—you guessed it—every word in the dictionary).
There is quite a bit of debate about password length and password complexity, but I’m only trying to come up with something stronger than “Aidan2002” and “Quinn2005.”
Normally, when I tell people they need ten to twenty unique strong passwords that are at least twelve characters in length, they’ll say something like, “This guy is crazy. I can’t do that. I’m not even going to try. There’s no way I’m going to remember every one of them.” Then, in my best Tony Robbins or Joel Osteen voice, I’ll explain to them that it’s only going to take me five minutes to teach them a system that will change their passwords and help them remember them. I’ve even taught my system at retirement homes, and each of the lovely men and women was able to do it. It’s not that hard.
First, let’s define our objective. We have identified our mission-critical accounts, and now we need to devise separate passwords for each one. Each password needs to be twelve characters in length, contain upper- and lowercase letters, and should also have numbers and at least one special character. We’re also not going to use words that are included in the dictionary. It might sound difficult, but I’m positive you’ll be surprised how easy it really is.
The first thing you have to do is decide your favorite numbers and special characters, and don’t share them with anyone—not even your husband or wife, children, roommates, or best friends. Let’s call this the top-secret combination. For example, let’s say my top-secret combo is %7. Now come up with your top-secret combo and store it in your brain because you’re going to use this combination in each of your passwords.
Next, you’re going to come up with something to replace the traditional passwords, which might be your children’s names, pets’ names, high school mascot, or favorite vacation spot. It’s too easy for cybercriminals to find those things on social media and other places online. Instead, you should think of a simple passphrase that’s easy to remember.
Let’s start the process by figuring out how the passphrase is related to the specific accounts. For instance, the passphrase for my Amazon account might be, “I hate to shop at Amazon very much.” If that offends you, then use my wife’s passphrase: “I love to shop at Amazon very much.” I use this example in the majority of my presentations, and each time I usually have the room laughing. If I were a stand-up comic, it would be my go-to line.
Now it’s time to create a strong password using the sentence we just came up with. We are going to start by putting the top-secret combo in front, and then we are going to reverse the order of the characters when we put them at the end. So, it’s going to start out with %7 at the front and 7% at the end, and the rest of the password fills in between them.
Next, we’re going to put the first letter of our phrase into the password field. Remember that our phrase for Amazon is, “I love to shop at Amazon very much.” I prefer passphrases that use the letter “I” because I can substitute the number “1” (one) for “I.”
Now, we’ll use our verb in the passphrase, which in this case is the letter “l” for love.
The word “to” is also one of my favorites, because it can be substituted with the number “2” (two).
The next word in the passphrase is shop, so we use the letter “s.”
Using the word “at” is another one of my favorites because you can use the symbol “@” as a substitute.
As we finish up our password, we place the first letters of the rest of the words in our passphrase, which in this case are “a” for Amazon, “v” for very, and “m” for much. So, the password for my Amazon account would be:
%71l2s@avm7%
Now, you might be asking yourself: what about the capital letter? To make it easy, it’s going to be the first letter of the first word or last word in the passphrase. Since we substituted the number 1 for I, let’s go with the last word in this example:
%71l2s@avM7%
If you look closely at this password, the first thing that probably comes to mind is, How in the world does this guy expect me to remember such a long and ugly-looking password? Remember, I don’t need you to remember the password. I only need you to remember your special symbol, number combination, and the passphrase, “I love to shop at Amazon very much.” You will come up with your own passphrases; this is only an example.
We should come up with a couple of other passwords just to make sure you understand the concept. I want you to come up with something that’s completely original. The phrase should be at least eight words long; that plus your special symbol and number at the beginning and end of your password will get you to twelve characters. If you really want to be safe, make your phrase eleven words long, which will give you a fifteen-character password. You’ll probably find yourself using filler words, which is fine. Don’t be afraid to play around and be creative. Come up with phrases such as:
I can never ever remember my Gmail password = %71cnermgP7%
I love my First Trust Bank very much = %71lmftbvM7%
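The construction walked through above (top-secret combo in front, one character per word with the I→1, to→2 and at→@ substitutions, a capital on the first or last word’s initial, the combo reversed at the end), together with the three worked passphrases and the strong-password criteria from earlier in the chapter, as an added Python example that is not from the book. The function names, the tiny stand-in dictionary, and the rule that the capital goes on the first word’s initial when that is a letter and otherwise on the last word’s are assumptions of this example, not the author’s.

```python
from typing import Dict, List

# Word-level substitutions the text uses: "I" -> 1, "to" -> 2, "at" -> @.
WORD_SUBSTITUTIONS = {"i": "1", "to": "2", "at": "@"}

# Constructed stand-in for a real dictionary; a practitioner would load a full word list.
TOY_DICTIONARY = {"love", "hate", "shop", "bank", "aidan", "quinn", "password", "amazon"}


def passphrase_to_core(passphrase: str) -> List[str]:
    """Map each word to one character: the substitution if the text defines one, else its initial."""
    core = []
    for raw in passphrase.split():
        word = raw.strip(".,;:!?\"'").lower()  # "Amazon." and "Amazon" give the same initial
        if word:
            core.append(WORD_SUBSTITUTIONS.get(word, word[0]))
    if not core:
        raise ValueError("passphrase must contain at least one word")
    return core


def build_password(passphrase: str, combo: str) -> str:
    """Top-secret combo in front, one character per word, combo reversed at the end."""
    core = passphrase_to_core(passphrase)
    # Capital letter (assumed order): the first word's initial if it is a letter,
    # otherwise the last word's, which is what happens in the text once "I" became "1".
    for idx in (0, -1):
        if core[idx].isalpha():
            core[idx] = core[idx].upper()
            break
    return combo + "".join(core) + combo[::-1]


def words_needed(target_length: int, combo: str) -> int:
    """How many words the passphrase needs for the password to reach target_length."""
    return target_length - 2 * len(combo)


def meets_author_criteria(password: str, min_len: int = 12,
                          dictionary=TOY_DICTIONARY) -> Dict[str, bool]:
    """The chapter's definition of a strong password, broken into individual checks."""
    lowered = password.lower()
    checks = {
        "length": len(password) >= min_len,
        "upper": any(c.isupper() for c in password),
        "lower": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        "special": any(not c.isalnum() for c in password),
        "no_dictionary_word": not any(word in lowered for word in dictionary),
    }
    checks["all"] = all(checks.values())
    return checks


if __name__ == "__main__":
    combo = "%7"  # the example combo from the text
    for phrase in ("I love to shop at Amazon very much",
                   "I can never ever remember my Gmail password",
                   "I love my First Trust Bank very much"):
        pw = build_password(phrase, combo)
        strong = meets_author_criteria(pw)["all"]
        print(f"{phrase!r} -> {pw} ({len(pw)} chars, strong={strong})")
    print("Aidan2002 strong?", meets_author_criteria("Aidan2002")["all"])
    print("words needed for a 15-character password:", words_needed(15, combo))
```

`words_needed` reproduces the chapter’s arithmetic: with a two-character combo, eight words give twelve characters and eleven words give fifteen. `meets_author_criteria` only checks the rules the text states; it is not an entropy estimate.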
See how these passwords, like the Amazon example, are directly tied to a specific site? In this case, Gmail and First Trust Bank respectively. But you can also use this system to come up with generic passwords for anything else. Here are a few other phrases and the corresponding passwords:
I recently made a presentation to a group of church administrators. One of the audience members approached me afterward and wanted some ideas about creating passphrases for her QuickBooks, payroll, banking, and email accounts. I rattled off the following passphrases:
“I enjoy QuickBooks more than the ledger book.” “Paying our employees puts food on their kitchen table.” “We love to bank at our favorite bank.”
I challenge you to change every one of your passwords, and it shouldn’t require more than twenty minutes to change the passwords for your ten to twenty mission-critical accounts. After you’ve changed your passwords, you might be wondering how you’re going to remember them.
In the beginning, you need to do what you’ve been told not to do: write them down. Not your passwords, but your passphrases. Don’t do what my CPA wife did. She changed all our passwords and put them on a Microsoft Excel spreadsheet (without a password protecting the file) and then saved the file to the home screen of her computer. In the South, they’d say, “Bless her heart.” In New York, though, we say, “What the [expletive]?” What should my wife have done? She should have used the same format, but instead of writing down the passwords, she should have only saved the written passphrases without her secret combination of a special character and number.
If a cybercriminal somehow found our list of passphrases, the only thing he would have figured out is that I have deep-rooted issues, such as really loving some things and absolutely hating others.
Here’s another important note: I would find a safe place to store the passphrases. Don’t store them on a computer as my wife did. I have them written down on a yellow sticky note in one of my least favorite books in my bookcase. The day will undoubtedly come when I forget my Amazon password; when that happens, I’ll find the book with a yellow sticky note that says, “I hate to shop at Amazon very much.”
That’s all I’ll need to jog my memory. Find somewhere similar, whether it’s inside a book or CD case, behind a picture frame or clock on the wall, or even inside a shoebox in the closet. However—and this is important—you must never keep your top-secret combination near your passphrases. You have to keep that secret inside your head, where no one else can find it.
Isn’t that easy to remember? It’s not a crazy, overly nerdy approach, but I’m betting it’s better than what you’re doing, and it’s not nearly as difficult as it might have sounded in the beginning. Is this system for building passwords foolproof? No, but it’s going to be much more difficult for a bad guy to figure out your passwords. Is this scientific? No. But is it better than “Aidan2002” or “Quinn2005”? Yes, it is.