Thread: How to make a strong easily remembered password.

Originally Posted by nefariousbob

The modern security threat is in the form of database compromise - where hackers may obtain some or all of the password hashes from a web service's user database. When a password hash is obtained, the hacker simply needs to look it up in another database, known as a rainbow table. Rainbow tables hold pairs of passwords with the hashes that they compute to. Available rainbow tables reduce hash cracking to a matter of seconds, hours, or days where brute force cracking may take years, decades, or longer. Long story short, passwords of any complexity (ASCII) should be longer than 9 characters, alphanumeric passwords should be at least 11 characters, and alpha-only passwords need be at least 13 characters.



(snip)

(P.S. Not all websites are responsible enough to store passwords as hashes, making a database compromise instantly catastrophic to their users. If the website you visit seems questionable from a security standpoint, be sure to use a UNIQUE password for your account.)

These are both really good reasons to use a different password on every site. One way to do this is to come up with an "algorithm" that combines a strong password element you can remember with some information about the site. For example (and this is a weak one, don't actually use it!), you could use "myp4ss!" plus the first two letters of the site name, so amazon.com would have the password "myp4ss!am" and facebook.com would have the password "myp4ss!fa".

One worry unique to this strategy is the possibility that a hacker will obtain two of your passwords and figure out your "algorithm", allowing them access to the rest of your sites. For this reason, I recommend two thing: (1) using very non-obvious site information and (2) not using your "algorithm" on sites where the consequences of your account be hacked are severe (e.g. bank sites, sites that hold credit card info, etc).

For simplicity I use Lastpass for the majority of my passwords. But for the few that require that little bit extra protection (or peak my paranoia a little further) I use a method I saw on Lifehacker just over a year ago based on old-fashioned Tabula Rectas. Rather than rehash it here's a link to the article for those who might be interested.

Is it a pain in the arse? A little, that's why I don't use it for everything, but it is very secure.