Generating Easy To Remember Yet Secure Passwords

I've had some Twitter conversations about passwords lately, and some long and boring discussions with friends and co-workers. It turns out that no matter how many security articles and books are published about passwords, people tend to follow a very, very insecure method of picking and memorizing them. In this post I'll try to demonstrate a brand new theory (or maybe not so new) for creating and memorizing secure passwords.

There are so many websites out on the web asking you to provide a password. Some of them follow security conventions, others don't. If you're subscribed to at least 30 or 40 resources, social networks and desktop applications, there's literally no way you could remember all those passwords unless you make one of these mistakes (the top 5 mistakes when choosing a new password):

  • You’re using a dictionary word
  • You’re using the same password over and over
  • You’re using a sequence of characters (12345, qwerty, abcdef, abc123, etc.)
  • You’re using your own name, your dog’s name or your girlfriend’s name
  • You’re using a password that matches your login

There are many articles out there that help you pick a strong password, but as I said, there's literally no way of memorizing them all, unless you're some genius of course. This is why people tend to use good passwords and store them in special applications called password managers, designed to store your passwords, like 1Password, KeePass or LastPass, or in Google Docs, a text file on your computer, or a sheet of paper on your desk ;)

There are several problems with this approach: you’re storing all your passwords in one place, your passwords are not portable, your passwords are written down! My number one rule is never write down your password, never! No notepads, no software and especially no sheet on your desk — that’s the worst thing you could do.

So how do you keep all those 30, 40 or maybe a hundred passwords in your mind? The simple answer is — you don’t.

The Password Theory

Right. What I’ll be trying to teach you here is how to create a password theory of your own. One that lives in your brain, and one that only you know. Then that theory will become the only thing you have to memorize, and it will create strong, secure and uncrackable passwords.

This may sound a little difficult, but relax. Remembering 40 different passwords is way more difficult than remembering and applying one theory.

I’ll show you how to create a very simple theory in this post, but you shouldn’t use it (obviously) — create your own and stick to it. Besides, a theory created by yourself will be much easier to memorize. So let’s begin, and our brand new theory will be called K3. Try guessing where the name came from.

Example: The K3 Theory

I'll first give you the theory itself, then explain the details of what each step does, and finally give you implementation examples with Twitter, Facebook and Last.fm:

  1. Lowercase the name of the service and remove any punctuation (e.g. the dot in Last.fm)
  2. Grab the first two letters and uppercase the second one
  3. Attach a lowercase k and the number of characters in the service name to the left of the result
  4. Attach an uppercase J and the number of characters divided by two (remainder dropped) to the end
  5. Grab the last two letters of the service name, increase the second one by one and uppercase it, put the number 3 between them, and attach the result to the end
  6. Add 3, 6, 9, 12, ... to the end if the password is too short

Suppose we're creating a password for MyService. After the first step we're left with myservice, the second step gives us mY, and the third step is quite straightforward too: k9mY (there are 9 characters in the name MyService). During step four you're adding a J together with a 4 (9 divided by 2 is 4.5, drop the remainder), so you're now left with k9mYJ4. At step five you're taking "ce" and increasing the second letter by one, so "e" becomes "f", then uppercasing it, which gives "cF"; put the number 3 between them, "c3F", and attach it to the result: k9mYJ4c3F.

The last step is optional, depending on whether the service you're subscribing to asks for a minimum of 7, 8, 10 or maybe 15 characters in your password. So for instance, if we're asked for a minimum of 10 characters, our final password is k9mYJ4c3F3; if we're asked for 15 — k9mYJ4c3F3691215 (see the sequence 3, 6, 9, 12, 15).
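To make the six steps concrete, here is an added implementation of K3 in Python. It is my example, not code from the post; it assumes that step 1 keeps only letters and that increasing "z" by one wraps around to "a", neither of which the post specifies. Running it reproduces k9mYJ4c3F for MyService together with the padded variants above.

```python
# Added example: the K3 scheme exactly as the post describes it, so the worked
# results can be checked. Not code from the original post.
# Assumptions (mine, not stated in the post): step 1 keeps only letters, and
# "increase the letter by one" wraps z back to a.


def clean_name(service: str) -> str:
    """Step 1: lowercase the service name and keep only letters (assumption)."""
    return "".join(c for c in service.lower() if c.isalpha())


def next_letter(c: str) -> str:
    """Step 5 helper: advance one lowercase letter, wrapping z -> a (assumption)."""
    return chr((ord(c) - ord("a") + 1) % 26 + ord("a"))


def pad_to_length(password: str, min_length: int) -> str:
    """Step 6: append 3, 6, 9, 12, ... until the password is long enough."""
    n = 3
    while len(password) < min_length:
        password += str(n)
        n += 3
    return password


def k3(service: str, min_length: int = 0) -> str:
    """Build the K3 password for a service; min_length triggers the optional step 6."""
    name = clean_name(service)
    if len(name) < 2:
        raise ValueError("K3 needs at least two letters in the service name")
    count = len(name)
    # Step 2: first two letters, second one uppercased
    head = name[0] + name[1].upper()
    # Step 3: prefix with lowercase k and the character count
    result = f"k{count}{head}"
    # Step 4: suffix with uppercase J and the count divided by two, remainder dropped
    result += f"J{count // 2}"
    # Step 5: last two letters, second advanced by one and uppercased, a 3 between them
    result += name[-2] + "3" + next_letter(name[-1]).upper()
    # Step 6 (optional): pad with 3, 6, 9, ... when the service wants more characters
    return pad_to_length(result, min_length)


if __name__ == "__main__":
    for svc in ["MyService", "Twitter", "Facebook", "Last.fm"]:
        print(f"{svc:10} -> {k3(svc)}")
    print(k3("MyService", 10))  # minimum of 10 characters
    print(k3("MyService", 15))  # minimum of 15 characters
```

The `k3` function takes the service name and an optional minimum length, so the padding rule is applied the same way whatever minimum a service asks for; running the block also pairs each of the three practice passwords below with its service.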

Let's assume our original length is fine, so our final password is k9mYJ4c3F, which scores 84% on The Password Meter, which is quite good. It contains lowercase and uppercase letters and numbers, and is 9 characters long.

After finalizing a theory, you'll start noticing that some steps might be combined and others moved around; for instance, it might be easier to start with step 3 and then continue with 1 and 2. You'll get used to it in a couple of months, and once you do, believe me — you'll be the true password monkey ;)

Practice: Twitter, Facebook & Last.fm

Hope the whole theory made sense to you. To make sure it did, here are three passwords generated for Twitter, Facebook and Last.fm in random order. Try guessing which one belongs to which service: k6lAJ3f3N, k8fAJ4o3L and k7tWJ3e3S — all of them rank 83-84% on the password meter.

For more practice try generating passwords for Delicious, Yahoo, Google, Quora and some service of your own. Try playing around with the password length too and check your results on the meter.

Ideas for Your Own Theory

If you made it this far, great! If not, go ahead and keep using your "qwerty" passwords ;) Anyway, below is a list of my thoughts that can be used in your password theories, but please do keep it simple until you become a guru:

  • Try incrementing a character by two in some spots, i.e. A becomes C, X becomes Z, and Z becomes B
  • Add a few symbols of your choice if the service allows you to
  • Add some extra math, Fibonacci perhaps?
  • Increment the whole word by two at the end, i.e. ABC123 becomes CDE345
  • Spice it up with some non-ASCII characters if the service allows you to (e.g. ©)
  • When incrementing use the ASCII table instead of the alphabet, e.g. uppercase X + 4 becomes a backslash (for gurus only)
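The character-shifting ideas above, written out as an added Python example (mine, not the post's) so the values in the list can be checked: alphabet shifts wrap around (Z + 2 = B), whole-word shifts apply the same rule to every character (I assume digits wrap within 0-9, which the post's ABC123 -> CDE345 example does not exercise), and the ASCII variant shifts the character code directly, so uppercase X + 4 is the backslash.

```python
# Added example (not from the post): the transforms suggested in the ideas
# list. Alphabet shifts wrap within A-Z / a-z and, as an assumption, digits
# wrap within 0-9; ASCII shifts use the character code, as the last idea says.
import string


def shift_alpha(c: str, n: int) -> str:
    """Shift one character by n within its own alphabet (A->C, Z->B for n=2)."""
    for alphabet in (string.ascii_uppercase, string.ascii_lowercase, string.digits):
        if c in alphabet:
            return alphabet[(alphabet.index(c) + n) % len(alphabet)]
    return c  # leave punctuation and other characters untouched


def shift_word(word: str, n: int) -> str:
    """Shift every character of a word (ABC123 -> CDE345 for n=2)."""
    return "".join(shift_alpha(c, n) for c in word)


def shift_ascii(c: str, n: int) -> str:
    """Shift by n positions in the ASCII table ('X' + 4 -> '\\')."""
    return chr(ord(c) + n)


if __name__ == "__main__":
    print(shift_alpha("A", 2), shift_alpha("X", 2), shift_alpha("Z", 2))  # C Z B
    print(shift_word("ABC123", 2))  # CDE345
    print(shift_ascii("X", 4))  # \
```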

Once you create your theory you'll need time to practice it, and yes, you can do this on paper, but make sure nobody's watching, and eat the sheets up once you're done calculating.

Also, some of you might think that these types of passwords are not that safe, and that passwords should contain some random characters and numbers, but hey, at least this is something memorable and it’s certainly better than dictionary words, same passwords everywhere and “12345” ;)

That’s it! Share your thoughts in the comments, but don’t disclose your theories ;)

About the author

Konstantin Kovshenin

WordPress Core Contributor, ex-Automattician, public speaker and consultant, enjoying life in Moscow. I blog about tech, WordPress and DevOps.

6 comments

  • For many years I've been using multiple memorable cryptographic hash functions depending on the level of security I need and how lazy I'm feeling. I'd point out that if an attacker can obtain a number of your passwords created using the same memorable hash function, it makes it easier for them to reveal your function.

    Remembering your password for services with multiple domains that use single sign-on can also be a pain in the arse when you forget which one your password applies to.

    Like the Seinfeld episode where Kramer builds levels into his apartment, security involves levels decentralizing any one point of failure.

    The fact that passwords themselves are a central point of failure, and that we should not use them at all, falls mostly on deaf ears.

    • In order to say we shouldn't use them at all, you have to suggest a viable real-world alternative. It's not that it's falling on deaf ears, it's that you're not saying anything worth listening to.

    • Right, the word is memorable, not memorizable, sorry that's my silly Russian ;) haha. Also, if your theory is strong enough, an attacker could obtain 50 out of 51 of your passwords and never, never guess the 51st ;) Try MD5

      As for multiple domains with single sign-on: I don't know, maybe I'm not registered on enough websites out there, but I've never seen anything that might be confusing. Even OpenID has one provider, no matter how many websites you're using it on, and when you get to enter your OpenID password, you enter it at your provider's website, not at the client that requested your ID.

      Anyways, thanks for your comments. Good thought about getting rid of passwords, but I don't think that's realistic at this stage.

      Cheers!