How to choose a Secure Password in the Real World

Italian version

You can find a lot of advice about how to choose your passwords around the internet. But most of it seems to me to be bad advice.

First, let’s define what we want. We want to have:

  • Secure passwords;
  • Passwords that we can remember.

The most common advice you will find is: «Always use mixed-case letters AND numbers AND underscores in your passwords». Not bad advice, but it only improves your passwords a little. If they are insecure, they will stay insecure even if you add numbers. Example: Ab12 is too short. ilikemarypoppins is much more secure. blacksabbathisthebestheavymetalbandintheworld is even better. And I’m sure that you will never forget it.

Then we can apply the other advice. BlackSabbath_isthebestheavymetalbandintheworld01 is more secure. It’s also impossible for a human to guess.

But we have a problem: humans are hardly able to remember more than one password of this kind. And the other advice we find everywhere is: «Use a separate password for each service you are subscribed to». Which is important advice… really! A lot of small sites collect users’ passwords, and a lot of social network apps try to guess them. But human memory is not perfect, and you need to remember all of your passwords. How can we do it?

Keep only one base password, and use the name of the service to modify it. You have to decide your own rule. You can’t use mine – that wouldn’t be secure for either of us. But it’s easy. Some possible rules:

  • Add the first two letters at the beginning of your password, and the last letter at the end.
  • Add the first letter at the beginning of your password, and the two last letters at the end.
  • Add the last letter at the beginning of your password, and the last one at the end.

For example, let’s apply the first rule:

  • Base password: BlackSabbath_isthebestheavymetalbandintheworld01
  • Service name: Facebook
  • Specific password: faBlackSabbath_isthebestheavymetalbandintheworld01k
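The derivation rules above, together with the length comparison from the earlier paragraph (Ab12 versus ilikemarypoppins versus the Black Sabbath sentence), as an added example that is not part of the original post. The function names, the lowercasing of the service name (which is what the post's own Facebook example implies) and the search-space estimate are my assumptions; the estimate is only the size of an exhaustive character-by-character search and says nothing about dictionary or phrase guessing.

```python
import math
import string

# Character classes used to estimate the brute-force alphabet of a password.
_CLASSES = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    string.punctuation,
)


def search_space_bits(password: str) -> float:
    """Return log2 of the exhaustive search space for `password`.

    The alphabet size is the sum of the sizes of the character classes the
    password actually uses. This is an upper bound: it measures what a blind
    character-by-character search faces, not a dictionary or phrase guess.
    """
    alphabet = sum(len(cls) for cls in _CLASSES if any(ch in cls for ch in password))
    if alphabet == 0:
        return 0.0
    return len(password) * math.log2(alphabet)


def derive_password(base: str, service: str, rule: int) -> str:
    """Apply one of the post's three rules to `base` using `service`.

    rule 1: first two letters of the service in front, last letter at the end
    rule 2: first letter in front, last two letters at the end
    rule 3: last letter in front, last letter at the end (as the post words it)

    Letters are taken from the lowercased service name (an assumption that
    reproduces the post's example: Facebook -> "fa" ... "k").
    """
    name = service.lower()
    if len(name) < 2:
        raise ValueError("service name needs at least two letters")
    if rule == 1:
        return name[:2] + base + name[-1]
    if rule == 2:
        return name[0] + base + name[-2:]
    if rule == 3:
        return name[-1] + base + name[-1]
    raise ValueError(f"unknown rule {rule}")


if __name__ == "__main__":
    # The post's own examples, in increasing order of length.
    for pw in ("Ab12", "ilikemarypoppins",
               "blacksabbathisthebestheavymetalbandintheworld"):
        print(f"{pw!r}: ~{search_space_bits(pw):.1f} bits of search space")

    base = "BlackSabbath_isthebestheavymetalbandintheworld01"
    for rule in (1, 2, 3):
        print(f"rule {rule}: {derive_password(base, 'Facebook', rule)}")
```

Running it shows the point of the post: four mixed-class characters give roughly 24 bits of search space, sixteen lowercase letters give about 75, and the 45-letter sentence about 211, so length dominates the character mix. It also makes the caveat visible: the rule is a fixed transform, so anyone who sees one derived password and knows the rule can strip the added letters and read the base password, which is exactly why the post tells you to pick your own rule rather than reuse a published one.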

Too difficult? Ok, you can drop the ’01’ part, and even the underscore. All the geeks who will try to explain to you how unsafe your password is have a password that is much less secure than yours.


See this strip by XKCD!

