How To Pick Passwords That Protect Your Online Experience

With the recent Twitter phishing scams in the news, it should be abundantly clear why a good password is essential for both you and your users.

This article will show you ways to pick effective, easy-to-remember passwords.

As we build websites and use the web in our usual day-to-day activities, we are often plagued with having to create user accounts for anything and everything.

This can create a real challenge when we attempt to memorize all of the many passwords we’ve established. Imagine how your users feel as you ask them to create a user account on your site. Realistically, if we were to ask them whether they have trouble remembering their logins and passwords, many of them would laugh and think, “No, I can remember my passwords easily, because I use the same one for everything.”

Truly, this frightens me. I’ve seen many a friend become a victim of phishing sites (a website that purports to be the authentic login page for a site you use, with the intention of stealing your username and password). These come in many forms, and if you happen to be in the category of people who use a single password for everything, imagine having to go back and change them all once that one password leaks.

Personally, I don’t use the same password twice for anything. I have a unique password for every website where I have a login. In this article, I’ll give you some tips that will help you maintain a much more secure online lifestyle, and perhaps these are tips you can share with your users. Here’s a quick breakdown of what I’ll be discussing:

  • Choosing memorable yet effective passwords
  • Keeping track of all your passwords
  • Protecting yourself from phishing

Choosing memorable yet effective passwords

To get us started, let’s take a look at the process of selecting a password. I know that a lot of people use the same password for their online banking that they use for Facebook or their email. In addition, it’s often something really simple like the current family cat’s name. Let’s take a look at why this might not be such a great idea. If a criminal were going to start guessing passwords, they would start with the most obvious: birthdays, family members’ names, friends’ names, pets’ names.

For starters, a pet’s name makes guessing your password incredibly simple for a would-be criminal. So why not pick something very personal that no one else knows and then use that on all your websites? Simply put, this creates a single point of failure. If this one password is compromised, whether by a phishing page, a breached website, or someone reading it over your shoulder, so is your entire life.

When creating passwords, I use mnemonics with a twist. According to Webster, a mnemonic is something that assists or is intended to assist memory. So here’s a quick breakdown of how I choose my passwords. When I get to a website for which I need a good password, I do the following:

1. When thinking of the website, what is the first word (over 6 letters long) that comes to mind?
2. Is it really the most memorable word for me when I think about this website?
3. Capitalize the first letter of the word
4. Swap out some of the letters for numbers (I’ll provide more detail on this below)
5. If you’re required to include some type of punctuation, use an exclamation mark or a period.

Swapping out letters for numbers

When I create a password, I usually insert a few numbers to make it less predictable. Here’s a list of common letter-to-digit replacements that you can use in your passwords.

A = 4
B = 3 or 8
E = 3
G = 6 or 9
I = 1
L = 7
O = 0
S = 5

You may have others that you use, or you may only switch out certain letters every time. You may even just place a particular set of numbers at the end of the keyword that you pick. Whatever method you employ, adding numbers makes a password harder for a person to guess. Be aware, though, that password-cracking tools apply exactly these letter-for-digit swaps automatically, as “mangling rules” run over every word in a dictionary, so a substituted dictionary word is only a small constant factor harder to crack offline than the bare word. Length and unpredictability matter far more than substitutions.

Here’s my example:

If I wanted to create an account on a website, I might follow this process:

  1. First word I think of:  rainforest
  2. Capitalize the first letter: Rainforest
  3. Replace a few of the letters with numbers: R41nf0r35t
  4. That’s it. I have a much more secure password.

Obviously, this password is only a demonstration of the process; now that it has been published, it shouldn’t actually be used for anything.
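
To see concretely what the recipe above buys you, and what it does not, here is an added Python example (not code from the original article): it applies the article’s steps to a word, then enumerates the spellings that a cracking tool’s mangling rule would try for that same dictionary word, and runs that attack against the article’s own example. The three-word dictionary is constructed for the demo; a real wordlist has hundreds of thousands of entries.

```python
import itertools

# The article's letter-to-digit table; letters with two options list both.
SUBSTITUTIONS = {
    "a": "4", "b": "38", "e": "3", "g": "69",
    "i": "1", "l": "7", "o": "0", "s": "5",
}


def mnemonic_password(word, punctuation=""):
    """Apply the article's steps: capitalise the first letter, swap every
    substitutable letter for the first digit in its table row, and append
    the optional punctuation mark."""
    capitalised = word[0].upper() + word[1:].lower()
    swapped = "".join(SUBSTITUTIONS.get(ch.lower(), ch)[0] for ch in capitalised)
    return swapped + punctuation


def substitution_variants(word):
    """Every spelling the table can produce from `word`: each substitutable
    letter is either kept or replaced by one of its digits. This is the
    cracker's view of the same table, a mangling rule applied to one
    dictionary word."""
    per_position = [[ch] + list(SUBSTITUTIONS.get(ch.lower(), "")) for ch in word]
    return ["".join(combo) for combo in itertools.product(*per_position)]


def variant_count(word):
    """Size of substitution_variants(word) without building the list."""
    count = 1
    for ch in word:
        count *= 1 + len(SUBSTITUTIONS.get(ch.lower(), ""))
    return count


def candidates_per_word(word):
    """Guesses the full recipe costs an attacker per dictionary word:
    substitution variants x {lowercase, Capitalised} x {no mark, '!', '.'}."""
    return variant_count(word) * 2 * 3


def crack(target, dictionary):
    """Offline dictionary attack that uses the article's own recipe as its
    mangling rule. Returns the base word that produced `target`, or None."""
    for base in dictionary:
        for cased in (base, base.capitalize()):
            for variant in substitution_variants(cased):
                for mark in ("", "!", "."):
                    if variant + mark == target:
                        return base
    return None


# Constructed three-word "dictionary" for the demo only.
DEMO_DICTIONARY = ["password", "rainforest", "sunshine"]

if __name__ == "__main__":
    pw = mnemonic_password("rainforest")
    print("article's password:", pw)
    print("spellings per word:", variant_count("rainforest"))
    print("guesses per word:  ", candidates_per_word("rainforest"))
    print("recovered from:    ", crack(pw + "!", DEMO_DICTIONARY))
```

The point is the count. For “rainforest” the table yields 32 spellings, the capital letter doubles that and the two permitted punctuation marks triple it, so the whole recipe costs an attacker 192 guesses per dictionary word. Cracking tools ship with rules of exactly this shape, and `crack` recovers the article’s example from a real-sized wordlist in seconds against a fast, unsalted hash. What the recipe does defeat is the by-hand guessing of pets’ and children’s names described above; for offline cracking, a long phrase or a password manager’s random string is what actually raises the cost.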

Keeping track of all your passwords

Now that you’ve seen how easy it can be to create more secure passwords for the various websites out there, it’s important that you actually use this technique. Once you have a lot of different passwords, though, we certainly wouldn’t want you to negate your newfound security by writing them all down on a notepad.

It’s also important that you not store them somewhere that someone else could too easily get to. If you are going to record them somewhere, use a tool that keeps them encrypted. There are a few different ways of storing them on your computer in a way that is more protected. If you use Firefox to browse the internet, you can have it remember your passwords for different websites as you access each site. This is a convenient tool, but it’s important that you enable the Master Password for Firefox. Otherwise, someone could get onto your computer, open your browser and go shopping as you. In addition, without a Master Password the saved passwords are stored with their decryption key sitting unprotected alongside them in your profile, so anyone who can copy your profile files can read them all.

I prefer to use a tool called 1Password from a company called Agile Web Solutions. It is a tool that has a desktop version as well as an iPhone version, and all my passwords are stored under Triple Data Encryption Standard (TDES) that requires a special password to unlock. Obviously I have a very special password for this tool that is completely unrelated to any other password I use elsewhere.

Protecting yourself from phishing

It’s critically important that you pay close attention to the links that you click. Almost daily I see a spam message arrive from someone I know, either by email or via a social networking site. They’ve fallen victim to a phishing site. This is a site or page that pretends to be the login page for a site you are familiar with, but is in fact there to mislead you into entering your username and password so that the attackers can take over your accounts. This has happened across the entire spectrum of websites, because the attackers know that people tend to reuse the same password on other sites.

Once you enter your real credentials into the bogus page, the attackers use automated tools to try those same credentials on lots of other sites they think you might do business with, attempting to log in as you. In addition, they post messages and bulletins that appear to come from you, with links to videos or freebies, but in order to gain access, your friends have to enter their own username and password. Now they’ve been compromised as well. It happens entirely too often.

More recently, all of the most popular web browsers have included phishing filters that alert you when you are visiting a known or suspected phishing site. In addition, using a tool like 1Password will help prevent you from entering your password on a site with the wrong web address because the tool verifies the address to determine which site’s password is needed. If the domain name doesn’t match an entry, no passwords are available for you to choose.
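
The domain check described above is the property worth understanding, so here is an added Python example (not 1Password’s code, nor code from the original article) of how an autofill decision should be made: it parses the hostname out of the page URL and offers a saved login only when that host is the saved host or one of its subdomains. The vault contents are constructed for the demo, the example’s HTTPS-only rule is its own assumption, and the careless substring lookup is included only to show what goes wrong.

```python
from urllib.parse import urlsplit

# Constructed vault for the demo: the hostname each login was saved under ->
# (username, password). Hypothetical values, not anyone's real credentials.
VAULT = {
    "twitter.com": ("brian", "demo-secret-1"),
    "bank.example": ("brian", "demo-secret-2"),
}


def page_host(url):
    """Hostname of the page asking for a login: lowercased, port and any
    trailing dot removed. Only the authority part of the URL is used, so
    nothing in the path or query string can influence the match."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def host_matches(saved_host, host):
    """True when `host` is the saved host itself or one of its subdomains.
    The test is on whole labels: 'twitter.com.evil.example' contains
    'twitter.com' as a substring but does not end with '.twitter.com'."""
    return host == saved_host or host.endswith("." + saved_host)


def credentials_for(url):
    """Entries a manager may offer on `url`: HTTPS only (an assumption of this
    example), and only entries whose saved host matches the page host."""
    if urlsplit(url).scheme != "https":
        return []
    host = page_host(url)
    return [(h, creds) for h, creds in VAULT.items() if host_matches(h, host)]


def naive_credentials_for(url):
    """The lookup a careless autofill might do: a substring test on the whole
    URL. Shown only for contrast; it hands the phishing page its secrets."""
    return [(h, creds) for h, creds in VAULT.items() if h in url]


if __name__ == "__main__":
    for url in (
        "https://twitter.com/login",
        "https://www.twitter.com/login",
        "https://twitter.com.login-verify.example/session",  # look-alike host
        "https://tvvitter.com/login",                         # typo-squat
        "https://evil.example/?next=https://twitter.com/",    # real host in query
        "http://twitter.com/login",                           # no TLS
    ):
        strict = len(credentials_for(url))
        naive = len(naive_credentials_for(url))
        print(f"{url:52} strict={strict} naive={naive}")
```

Two properties do the work: the decision is made on the parsed hostname rather than the URL string, so a look-alike host or a genuine hostname tucked into a query string cannot trigger a fill, and the suffix test runs on a label boundary. Real managers go further and compare registrable domains using the Public Suffix List, which this example omits; without it, an entry saved for a shared hosting domain would also match every other customer’s subdomain.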

There are a lot of ways to protect yourself from hackers and thieves out there. Be sure to not click on links that seem out of character for the friends that may have sent them. It might not actually be them that sent it. In addition, remember that phishing emails are emails that ask you to click a link that takes you to a website purporting to be from your bank or other site, but is asking you to verify your information by logging in and inputting other verifying details. If you get emails like this, check out your bank’s website by typing that address into the browser, or ask your banker.

Now That You’re Protected, Protect Your Users

Share this information with your users. It’s critical that they choose a password that is unique for each site. Encourage your users to choose passwords using the steps shown here that will keep them protected no matter where they create user accounts. Explain to them the importance of choosing different passwords for different accounts, and help them come up with ways for remembering their own passwords that won’t leave them less secure.

Ultimately, my goal here is to help you protect your clients, and to reduce the chances of you or them having an identity stolen. It’s no fun when it happens, but by giving them these tips, they’ll choose better passwords… and if you happen to spawn the latest and greatest social networking site out there, you’ll know that your users are armed with good password management tips!

About the Author

Brian Rayner

I'm a partner development manager for a technology company near San Francisco, but in a previous life I was an interactive designer at a prominent design firm. I lived and breathed usability. Now I use my experience in usability for beta testing and product development of my products, as well as those of other people.

Comments


  • Lee Munroe Reply

    Nice writeup Brian, very clear and concise. I make use of ‘mnemonics with a twist’ myself, but could probably do with pointing a few family members & clients to this article.

  • Raymond Selda Reply

    Very nice article Brian! I will definitely try this method and thank you for suggesting 1Password. I will promote your article on my blog. Thank you.

  • David Leggett Reply

    Great post Brian! Thanks so much for guest posting at the booth :) Couldn’t have been better timed with the recent phishing scams over at Twitter.

  • r4z0r Reply

    l33t speak!!!! w3lc0me 1994!!!

  • Brian Rayner Reply

    Thanks for the great feedback! I hope that these tips help people avoid having to use “password generators” that result in passwords that no one can remember and thus write down on a pad of paper next to their computer… or they jot them in other non-secure locations. Lately I’ve been getting more and more junk email and IMs from people who have been victims of phishing, and it’s a bit annoying. Spread the word! And if you know of a great Password Management tool for Windows or Linux, please share! Not everyone is using a Mac, although it might help avoid those password stealing viruses and spyware!

  • Matthew Kammerer Reply

    @Brian Rayner: I just started using 1password yesterday and am in love with it so far! It’s a great application and the iPhone app to sync with is also a great add on. Thanks for your guest post!

  • Kris Hunt Reply

    Sorry, but this is just dumb advice. Any formulaic process for coming up with a password is a formulaic process for guessing the password. And unless I’m mistaken, using 1Password means never being able to log into any web site unless you’re on your home computer.

  • David Leggett Reply

    @Kris Hunt: As someone who obviously has an opinion on this subject, would you like to share any tips for more secure passwords? Sorry you didn’t find any of this advice useful.

    As for 1Password, it lets you take your information everywhere with an iPhone/Palm app. Of course that will only work for a select crowd.

  • Matthew Kammerer Reply

    @Kris Hunt: With the 1password iPhone app you are able to sync your passwords to your iPhone then enter two forms of security before seeing all passwords.

  • kovshenin Reply

    Correct. But I prefer using just four – a Windows Live ID, OpenID, a Google Account and a Yahoo account. That’s why I always forget my Facebook, Twitter and others LOL :)

  • Oliver Kirschner Reply

    Sorry, but swapping letters for numbers of a word that is in a dictionary just isn’t secure enough.
    I would take the advice of security guru Bruce Schneier. He has a very interesting article on picking secure passwords:
    I also found the guide at ncsu useful:
    So I would advise using the first letters of a sentence as a Password and then changing letters for numbers and special characters. Then store it in 1Password (or Keepass / KeePassX)

  • Brian Rayner Reply

    I definitely agree that adding special characters is critical to having a much more secure password, however (and maybe I should have addressed this in the article) lately I’ve been running across new sites that won’t accept special characters in passwords… which is the main reason I didn’t include it in my steps. I apologize for leaving that detail out.

  • Thad Reply

    I also use symbols wherever they are allowed

  • Rob Reply

    A good trick is to use sentences, for example, Mary Had A Little Lamb It’s Fleece Was White As Snow… now just type the first letter of each word…mhallifwwas and their’s your password.

    I also prefer to use LEVELS of passwords. Specific accounts like PayPal or online banking are LEVEL 1 and I give them each a unique, very complicated letters-and-numbers password, but one that I can easily remember. I change these every few months.

    LEVEL 2 passwords are things like my email account. All my LEVEL 2 accounts use this one password. Again, it is fairly complicated but not too bad.

    LEVEL 3 are all the stupid websites that want me to log in. This is a DIFFERENT password than my email and quite frankly it’s not that great a password and I almost never change it. If you get into my “joe’s tobacco emporium” account (or whatever) then I don’t really give a crap. If I need to reset the password then usually it will email the password to me, if not then I don’t care about losing the account anyway!

  • Rob Reply

    @Rob: Oops.. can’t spell there’s, not their’s.

  • Brian Reply

    Great article.

    But once you have gone to all that trouble how about saving the hard to crack password in a “picture password manager”

    Check out

    never have to remember a password again and gain access to them via a picture that is meaningful to you alone :-)

  • Loren Baxter Reply

    Password usability is an understudied problem, thank you for writing a great method of handling the barrage of passwords we deal with!

    In a hundred years, I wonder if we will be using passwords any more?

    I’ve written an article in the past that you might be interested in – it’s a mental method of remembering unique, strong passwords for every site without the aid of extra tools. Unfortunately it’s not really something that can be passed on to the user (more of a personal method).

  • Quit Stalking Me Reply

    This post was excellent. I would like to link it to a small post that I created. Please visit my new website/resource for preventing online cyberstalking and cyber crimes.
