How To Pick a Secure Password

Published on January 8th, 2009

As we build websites and use the web in our usual day-to-day activities, we are often plagued with having to create user accounts for anything and everything. This can create a real challenge when we attempt to memorize all of the many passwords we’ve established. Imagine how users feel when we ask them to create a user account on a site. Realistically, if we were to ask them whether they have trouble remembering their logins and passwords, many of them would laugh and think, “No, I can remember my passwords easily, because I use the same one for everything.”

This article will show you ways to pick effective, easy-to-remember passwords.

Truly, this frightens me. I’ve seen many a friend become a victim of phishing sites, websites that purport to be the authentic login page for a site you use, with the intention of stealing your username and password in order to access bank accounts and steal your identity. These come in many forms, and if you happen to be in the category of people that use a single password for everything, imagine having to go back and change them all.

Personally, I don’t use the same password twice for anything. I have a unique password for every website where I have a login. In this article, I’ll provide some tips that will help readers maintain a much more secure online lifestyle, and may even be beneficial in setting up password rules for sites designed to allow a secure login. Here’s a quick breakdown of the tips we’ll review:

  • Choose memorable yet effective passwords
  • Protect yourself from phishing
  • Keep track of all your passwords

Choose memorable yet effective passwords

To get us started, let’s take a look at the process of selecting a password. I know that a lot of people use the same password for their online banking that they use for Facebook or their email. In addition, it’s often something really simple like the current family cat’s name. Let’s take a look at why this might not be such a great idea. If a criminal were going to start guessing at passwords, they would often start with the most obvious: birthdays, family members’ names, friends’ names, pets’ names.

For starters, this makes guessing your password incredibly simple for a would-be criminal. Why not pick something very personal that no one else knows and then use that on all your websites? Simply put, this creates a single point of failure. If this one password is compromised, so is your entire life.

When creating passwords, I use mnemonics with a twist. According to Webster, a mnemonic is something that assists or is intended to assist memory. So here’s a quick breakdown of how I choose my passwords. When I get to a website for which I need a good password, I walk through these five steps:

  1. When thinking of the website, what is the first word (over 6 letters long) that comes to mind?
  2. Is it really the most memorable word for me when I think about this website?
  3. Capitalize the first letter of the word
  4. Swap out some of the letters for numbers (I’ll provide more detail on this below)
  5. If you’re required to include some type of punctuation, use an exclamation mark or a period.

When I create a password, I usually insert a few numbers just to add to the randomness. Here’s a list of some common letters that can be replaced with numbers; these swaps add a significant amount of complexity to your passwords.

A = 4
B = 3 or 8
E = 3
G = 6 or 9
I = 1
L = 7
O = 0
S = 5

Some people have other substitutions that they prefer to use, or they may only switch out certain letters every time. Even just adding a particular set of numbers at the end of a password will make it harder to crack, without making it more difficult for you personally to remember.

Here’s my example:

If I wanted to create an account on, I might follow this process:

  • First word I think of:  rainforest
  • Capitalize the first letter: Rainforest
  • Replace a few of the letters with numbers: R41nf0r35t

That’s it! I have a much more secure password.

Clearly, this password only demonstrates the process and shouldn’t actually be used for anything.
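The five steps and the letter-to-number table above, written out as a function. This is an added example, not code from the original article. It assumes three things the article leaves open: the capitalized first letter is left untouched, every later letter that appears in the table is swapped, and for B and G (where the article lists two options) the first option is used. The optional `suffix` argument covers the alternative mentioned above of simply tacking a fixed set of numbers on the end.

```python
# Added example (not from the original article): the mnemonic process as a
# function. Assumptions: the capitalized first letter is left alone, every
# later letter in the table is swapped, and for B and G (two options in the
# article) the first option is used.
SUBSTITUTIONS = {
    "a": "4",
    "b": "3",  # article lists 3 or 8
    "e": "3",
    "g": "6",  # article lists 6 or 9
    "i": "1",
    "l": "7",
    "o": "0",
    "s": "5",
}


def build_password(word, require_punctuation=False, suffix=""):
    """Return the password the article's steps produce for a memorable word.

    word                -- the first word that comes to mind (step 1; must be
                           a single word over 6 letters long)
    require_punctuation -- the site demands punctuation (step 5): append "!"
    suffix              -- optional digits added at the end, the simpler
                           variant the article mentions for people who would
                           rather not swap letters
    """
    word = word.strip()
    if len(word) <= 6 or not word.isalpha():
        raise ValueError("step 1 asks for a single word over 6 letters long")
    capitalized = word[0].upper() + word[1:].lower()           # step 3
    rest = "".join(SUBSTITUTIONS.get(ch, ch) for ch in capitalized[1:])
    password = capitalized[0] + rest + suffix                   # step 4
    if require_punctuation:
        password += "!"                                         # step 5
    return password


if __name__ == "__main__":
    # The article's own worked example: rainforest -> R41nf0r35t
    print(build_password("rainforest"))
    print(build_password("rainforest", require_punctuation=True, suffix="08"))
```

Running the block reproduces the article's `R41nf0r35t`; because every swap is fixed by the table, the same word always yields the same password, which is exactly the property that makes it memorable.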

Protect yourself from phishing

It’s critically important to pay close attention to the links that you click. Almost daily I see a spam message come from someone I know, either from their email or via a social networking site. They’ve fallen victim to a phishing site. Phishing sites mislead you into entering your username and password for a certain site, so that the people behind them can then access other secure sites such as bank accounts or credit card accounts. This happens to users across the whole internet, because so many people tend to use the same password for multiple sites.

When someone enters information into a phishing site, the people behind it can then use computers to access lots of other sites that they think the victim might do business with. They then make attempts to log in as the victim. In addition, they post messages and bulletins that appear to be coming from the victim, with links to videos or freebies that might entice friends or family members to enter their personal details. It happens entirely too often.

Recently, all of the most popular web browsers have begun to include phishing filters that alert users when they are visiting a known or suspected phishing site. In addition, using a tool like 1Password will help prevent you from entering your password on a site with the wrong web address, because the tool verifies the address to determine which site’s password is needed. If the domain name doesn’t match an entry, no passwords are available for you to choose.
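The address check described above is the part of a password manager that defeats a look-alike login page: the manager only offers a saved password when the page's host is the saved domain or a subdomain of it. The following is an added example of that decision, not code from 1Password or from the article; the vault contents are constructed and hold only labels, no credentials. It uses the standard library's `urllib.parse.urlsplit`, which also strips a `user@` prefix from the host, so an address built to look like a bank domain in front of an `@` is judged by its real host.

```python
# Added example (not from the article or from any password manager): decide
# which saved entries may be offered for a page, by host, not by substring.
from urllib.parse import urlsplit

# Constructed sample vault: saved domain -> account label. No real data.
VAULT = {
    "bank.example": "checking account",
    "mail.example": "webmail",
}


def host_matches(page_host, vault_domain):
    """True if page_host is vault_domain itself or a subdomain of it.

    A plain substring test ("bank.example" in host) would also accept
    bank.example.evil.test; requiring an exact match or a ".domain" suffix
    does not.
    """
    page_host = page_host.lower().rstrip(".")
    vault_domain = vault_domain.lower().rstrip(".")
    return page_host == vault_domain or page_host.endswith("." + vault_domain)


def entries_for_url(url):
    """Return the labels of vault entries whose domain matches the URL's host.

    An empty list means the manager has nothing to offer on this page, which
    is the signal that the address is not one the user saved a password for.
    """
    host = urlsplit(url).hostname or ""   # lowercased, userinfo removed
    return [label for domain, label in VAULT.items() if host_matches(host, domain)]


if __name__ == "__main__":
    for url in (
        "https://www.bank.example/login",
        "https://bank.example.evil.test/login",   # constructed look-alike
        "https://bank.example@evil.test/login",   # constructed look-alike
    ):
        print(url, "->", entries_for_url(url))
```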

There are a lot of ways to protect yourself from hackers and thieves:

  • Don’t click on links that seem out of character for the friends that may have sent them. It might not actually be them that sent it.
  • Remember that phishing emails ask you to click a link that takes you to a website purporting to be your bank or another site you use, and then ask you to verify information by logging in or providing other identifying details. If you get emails like this, go to your bank’s website by typing its address into the browser yourself, or ask your banker.

Keep track of all passwords

A password is no use if you lose it, but even the most secure password is negated if it’s written down on an easy-to-find notepad. Of course, traditional online “hackers” can’t see a post-it note on a desk, but there are other identity thieves around in the physical world, and here are a few tips and tricks to make sure they won’t see your passwords.

If you are going to jot them down somewhere, take advantage of a secure method. Utilize a tool that keeps them encrypted. There are a few different ways of storing them on your computer in a way that is more protected. If you use Firefox to browse the internet, you can have it remember your passwords for different websites as you access each site. This is a great tool, but it’s important that you enable the Master Password for Firefox. Otherwise, someone could get onto your computer and then just open your browser and go shopping! In addition, if you don’t use a Master Password, all of your various passwords are unencrypted and can easily be perused by anyone.

I prefer to use a tool called 1Password from a company called Agile Web Solutions. It is a tool that has a desktop version as well as an iPhone version, and all my passwords are stored under Triple Data Encryption Standard (TDES) that requires a special password to unlock. Obviously I have a very special password for this tool that is completely unrelated to any other password I use elsewhere.

Protect your Users

If you’re designing a site that requires a log in, share this information with users. It’s critical that they choose a password that is unique for each site. Encourage users to choose passwords using the steps shown here that will keep them protected no matter where they create user accounts. Explain to them the importance of choosing different passwords for different accounts, and help them come up with ways for remembering their own passwords that won’t leave them less secure.
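A site can back up that advice at sign-up with a check that mirrors the rules in this article: more than six characters, a capital letter, a number, and none of the obvious first guesses (the user's own name, pet name, birthday) embedded in the password. The function below is an added example, not code from the article; the personal details it screens against are whatever the site already knows about the user, and the values in the usage call are constructed.

```python
# Added example (not from the article): a sign-up check reflecting the
# article's password rules. personal_words is constructed sample data here;
# a real site would pass the details it holds for the account.
def site_rule_violations(password, personal_words=()):
    """Return the list of rules the password breaks; an empty list means it
    passes. Rules: over 6 characters, at least one capital letter, at least
    one number, and no personal detail (3+ characters) embedded in it."""
    violations = []
    if len(password) <= 6:
        violations.append("six characters or fewer")
    if not any(ch.isupper() for ch in password):
        violations.append("no capital letter")
    if not any(ch.isdigit() for ch in password):
        violations.append("no number")
    lowered = password.lower()
    for word in personal_words:
        if len(word) >= 3 and word.lower() in lowered:
            violations.append("contains personal detail: " + word)
    return violations


if __name__ == "__main__":
    # Constructed profile details: the cat's name and a birth year.
    profile = ("Whiskers", "1985")
    for candidate in ("whiskers", "Whiskers1985", "R41nf0r35t"):
        print(candidate, "->", site_rule_violations(candidate, profile) or "ok")
```

Returning the full list rather than a single yes/no lets the sign-up form tell the user every rule they missed at once, which is what makes the guidance in this section actionable rather than just a rejected form.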

The goal is to create an online experience that people can enjoy and find productive – without fear of identity theft! Choosing better passwords isn’t difficult, but it’s also not intuitive. So educate yourself, and educate others. Knowledge is power!