Veronica With Four Eyes

How To Create Secure And Easy To Remember Passwords

For my Cybersecurity class, I presented an extra credit lesson on how to create secure and easy to remember passwords that would help people with vision loss (inclusive of low vision/blind) create strong passwords and avoid reusing the same easy-to-guess password everywhere. Here is a copy of the presentation in blog post form that talks about password safety and coming up with passwords that can easily be remembered while still being difficult to crack.

Why using the same password is a bad idea

Many users are tempted to use the same password for everything, even though they know it is a bad idea. However, there are several dangers associated with using the same password for everything or not changing passwords after a data leak/data breach, including:

  • If a person can guess the password to an email account, they can go in and change all other passwords associated with that email
  • Websites can be compromised and have passwords leaked, and it will make it easier for hackers to find the passwords to common accounts, especially since many breaches show emails/usernames and passwords together. If someone uses the same username/password combination on multiple accounts, all of these accounts could be compromised.
  • For a user that creates a password that contains a word in the dictionary, a password with 6-8 characters can be guessed by a password cracking program in about thirty minutes.
  • By adding characters such as letters, numbers, and symbols, the time to guess a password increases to be several hours, days, weeks, months, or even years

Another way that I help to keep my email safe is by using an email alias to sign up for accounts, also known as plus addressing or subaddressing. Plus addressing creates a unique receive-only email address that can be used to filter emails to a specific folder or serve as a labeling tool for identifying emails on a specific subject/from a specific sender— this is helpful for minimizing spam emails and phishing attempts. To use plus addressing, add a + sign and descriptor after the account name and before the @ symbol in the email address. For subaddressing or creating custom aliases, I recommend checking with your email provider for further instructions.

Plus addressing in action

If I wanted to register to use websites for my assistive technology classes (which use the course prefix EDAT) with my university email, I could create a plus address by writing “myusername+edat@myuniversity.edu” without the quotation marks. The emails can be filtered to a data science folder or appear automatically in my inbox. However, plus addressing cannot be used to compose a new email, so outgoing mail would be sent from “myusername@myuniversity.edu.”
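The plus-addressing steps above, as an added Python example that is not part of the original presentation: it builds the tagged address, recovers the tag from an incoming recipient address, and flags mail that reaches a tag from a sender that was never given that alias. The sender domains, the `triage` labels and the letters-and-digits tag rule are assumptions made for illustration.

```python
from typing import Dict, Optional, Tuple


def _split(address: str) -> Tuple[str, str]:
    """Split an address into (local part, lower-cased domain)."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    return local, domain.lower()


def make_plus_address(address: str, tag: str) -> str:
    """Put +tag after the account name and before the @ symbol."""
    local, domain = _split(address)
    if "+" in local:
        raise ValueError("address already has a plus tag")
    # Assumption: tags are ASCII letters and digits; providers differ on what they accept.
    if not (tag.isascii() and tag.isalnum()):
        raise ValueError(f"unsupported tag: {tag!r}")
    return f"{local}+{tag.lower()}@{domain}"


def split_plus_address(address: str) -> Tuple[str, Optional[str]]:
    """Return (base address, tag); tag is None for an untagged address."""
    local, domain = _split(address)
    account, _, tag = local.partition("+")
    # Assumption: the provider treats the account name as case-insensitive.
    return f"{account.lower()}@{domain}", (tag.lower() or None)


def triage(recipient: str, sender: str, expected: Dict[str, str]) -> str:
    """Label a message by the tag it was sent to and the domain that sent it.

    expected maps each tag to the one sender domain that was given that alias.
    """
    _, tag = split_plus_address(recipient)
    if tag is None:
        return "inbox"
    _, sender_domain = _split(sender)
    if tag not in expected:
        return "review: unknown tag"
    if sender_domain != expected[tag]:
        return f"review: +{tag} used by {sender_domain}"
    return f"folder: {tag}"


# Constructed sample data: the alias from the post plus made-up sender domains.
ALIAS = make_plus_address("myusername@myuniversity.edu", "edat")
EXPECTED = {"edat": "example-at-site.test"}
```

A message that arrives at the `+edat` alias from any other domain suggests the alias was shared or leaked, which is the case `triage` marks for review.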

Creating a base password

One of my favorite tips for how to create secure and easy-to-remember passwords is to use a base password that changes for each website, adding characters, symbols, numbers, and other things to make it secure and unique. To demonstrate what this looks like, I will use the base password “frenchfries”. Another popular choice I’ve used for coming up with base passwords is song lyrics, because someone can write the song name in a password book without having to write out the actual password, or use different lines from the same song.

Capitalization

Adding capital/uppercase letters, especially at different intervals, makes passwords more difficult to guess. “frenchfries” can be upgraded to “FrenchFries” or “FrenchFrieS”, which is more difficult to guess while being easy to type.

Replace letters with numbers

Replacing letters with similar looking numbers within a word can help with security, especially if there are alternating numbers and letters. Using the “frenchfries” password, users can replace the vowels with corresponding similar looking numbers, so the password would be “fr3nchfr13s” instead.

Symbols

Adding symbols can help make passwords more secure too. For users that use modified keyboards, pick easy to reach symbols such as periods, dollar signs, exclamation points, or similar. Our base password can be improved by adding just one symbol, but I usually add a few more and combine it with uppercase letters and numbers too. Some examples are “?frenchfries”, “frenchfrie$”, or “french.fries”.

Add an extra word or letters

Remember how a program could guess a short password in 30 minutes? Add on a few extra letters or words, maybe even creating a sentence for a password. Examples could be “largeorderfrenchfries” or “ilikefrenchfries”.

When I use passwords that form a sentence, I typically use camel case or pascal case, capitalizing different words in the sentence. So the passwords would actually look more like “LargeOrderFrenchFries” or “iLikeFrenchFries”.

Add the website name

Here’s a cool password trick I learned to make passwords longer. Add the website name to the end of the base password so the password is easy to remember, yet different for each website. Again, add symbols, numbers, and uppercase letters to make it even more secure. If I was logging into Twitter, my password could be “frenchfriestwitter” or “frenchfries.Twitter”, modified with uppercase letters and numbers.
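To compare the variations above, this added example (not part of the original presentation) computes the exhaustive-search space, alphabet size raised to the password length, for the passwords quoted in this post. The figure is an upper bound on guessing effort: as noted earlier, passwords built from dictionary words are guessed faster than a same-length random string. The function names are chosen for this example.

```python
import math
import string

# Character classes an exhaustive search would have to cover (printable ASCII).
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)


def alphabet_size(password: str) -> int:
    """Total size of every character class the password draws from."""
    if not password:
        raise ValueError("empty password")
    for ch in password:
        if not any(ch in cls for cls in CLASSES):
            raise ValueError(f"character outside the modelled classes: {ch!r}")
    return sum(len(cls) for cls in CLASSES if any(ch in cls for ch in password))


def search_space_bits(password: str) -> float:
    """log2(alphabet ** length): the exhaustive-search upper bound in bits."""
    return len(password) * math.log2(alphabet_size(password))


def relative_effort(stronger: str, weaker: str) -> float:
    """How many times larger one password's search space is than another's."""
    big = alphabet_size(stronger) ** len(stronger)
    small = alphabet_size(weaker) ** len(weaker)
    return big / small


def rank(passwords):
    """Sort passwords from smallest to largest search space."""
    return sorted(((p, round(search_space_bits(p), 1)) for p in passwords),
                  key=lambda item: item[1])


# Example passwords quoted in the post.
POST_EXAMPLES = ["frenchfries", "FrenchFrieS", "fr3nchfr13s", "french.fries",
                 "LargeOrderFrenchFries", "frenchfries.Twitter"]

if __name__ == "__main__":
    for pw, bits in rank(POST_EXAMPLES):
        print(f"{pw:<24}{len(pw):>3} chars {bits:>7} bits")
```

Under this model, mixing in uppercase letters multiplies the 11-character base password's search space by 2048, while each extra character multiplies it by the full alphabet size, which is why the longer sentence-style passwords rank highest.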

A note on password management software

There are many great password management and generator tools, such as LastPass. However, if you frequently use accounts on devices that are not your own, such as in a computer lab, I would caution against having this software generate passwords, though having it store passwords is fine. It’s also worth noting that some websites may not support using password management tools; my university and bank are two examples of websites that do not support this.

Add two factor authentication/multi-factor authentication

Instead of just relying on a password to log in to an account, it’s helpful to add another option for authentication like a temporary access code or fingerprint identification. One strategy to have in place is two-factor authentication (2FA) or multi-factor authentication (MFA), which requires users to enter a verification code or complete other steps before signing into an account, such as selecting a link in their email to sign in. I have this turned on for all of my accounts, which has been helpful for providing additional account security.

Summary of how to create secure and easy to remember passwords

  • It’s important to use different passwords on websites and avoid using the same password, so that if there is a password leak, not all accounts are compromised
  • A password with 6-8 characters can be guessed by a password cracking software in about 30 minutes
  • One way to create secure and unique passwords is to have a base password and have a different version of that for each website
  • Add capital letters to the base password, or replace letters with numbers
  • Add an extra word or letters to the base password
  • Add the website name to the beginning or end of the password
  • Avoid having password management software generate passwords, as this can be difficult to use when accessing websites from other devices, such as in a computer lab
  • Use two-factor authentication and multi-factor authentication tools alongside passwords to make accounts even more secure.

Published October 16, 2017. Updated January 2025

Reference
Lewis, Veronica. (2017). How To Create Secure And Easy To Remember Passwords. Veroniiiica. https://veroniiiica.com/how-to-create-secure-and-easy-to-remember-passwords/ (Accessed on December 21, 2025)