Fix your terrible, insecure passwords in five minutes.

Innovation, the Internet, gadgets, and more.
July 24 2009 7:05 AM

Fix Your Terrible, Insecure Passwords in Five Minutes

A foolproof technique to secure your computer, e-mail, and bank account.

(Continued from Page 1)

Start with an original but memorable phrase. For this exercise, let's use these two sentences: I like to eat bagels at the airport and My first Cadillac was a real lemon so I bought a Toyota. The phrase can have something to do with your life or it can be a random collection of words—just make sure it's something you can remember. That's the key: Because a mnemonic is easy to remember, you don't have to write it down anywhere. (If you can't remember it without writing it down, it's not a good mnemonic.) This reduces the chance that someone will guess it if he gets into your computer or your e-mail. What's more, a relatively simple mnemonic can be turned into a fanatically difficult password.

Which brings us to Step 2: Turn your phrase into an acronym. Be sure to use some numbers and symbols and capital letters, too. I like to eat bagels at the airport becomes Ilteb@ta, and My first Cadillac was a real lemon so I bought a Toyota is M1stCwarlsIbaT.

Advertisement

That's it—you're done. These mnemonic passwords are hard to forget, but they contain no guessable English words. You can even create pass phrases for specific sites that are coded with a hint about their purpose. A sentence like It's 20 degrees in February, so I use Gmail lets you set a new Gmail password every month and still never forget it: i90diSsIuG for September, i30diMsIuG for March, etc. (These aren't realistic temperatures; they're the month-number multiplied by 10.)

How many different such passwords do you need? Four or five at most. You don't have to keep unique passwords for every single site you visit—Thompson says it's perfectly OK to repeat passwords on sites that don't need to be kept very secure. For instance, I can use the same password for my accounts at the New York Times, the New Republic, The New Yorker, and other online magazines, because it won't hurt me too much if someone breaks into those. (My mnemonic is, I like to read snooty publications quite often.) You should probably use different passwords for each your social networking accounts—someone can do real damage by breaking into your Facebook or Twitter, so you want to keep them distinct—but you can still come up with a single systematic mnemonic to protect them: Twitter is my second favorite social networking site, MySpace is my third favorite social networking site, etc. Reserve your strongest, most distinct passwords for the few very important services that, if cracked, could do the most damage—your bank account, your computer, and most of all your e-mail, which often contains the keys to everything else in your life.

To be sure, this is more of a hassle than what you're doing now—but what you're doing now is going to come back to bite you. These days, we're all dishing personal information all the time; you may think that your password is totally unguessable, but your Facebook makes clear that you're a huge U2 fan and you graduated from college in 2000. Achtung2000, eh? Just go ahead and make some new passwords right now. Trust me, you'll feel better.

Farhad Manjoo is a technology columnist for the New York Times and the author of True Enough.

  Slate Plus
Working
Dec. 18 2014 4:49 PM Slate’s Working Podcast: Episode 17 Transcript Read what David Plotz asked a middle school principal about his workday.