Fix Your Terrible, Insecure Passwords in One Minute With This Foolproof Technique

June 7 2012 5:27 PM

A new, improved foolproof technique.

Note, too, that it’s OK for you to keep similar passwords at similar sites. On sites where a password thief can’t do much damage—say, publications like Gawker and the New York Times—you can repeat the same password. You’ll want to keep your social networking accounts slightly more secure, but the passwords don’t have to be extremely different; after all, if a bad guy gets into your Facebook account, he’s not going to be able to do much more additional damage if he gets into your Twitter profile, too. So varying them slightly—as I did above—is perfectly OK, as long as you remember to change them after you hear about a breach like the one at LinkedIn.

You’ll want to reserve the most distinct passwords for sites where breaches would cause you a lot of trouble—your financial institutions and your webmail accounts, which hold the keys to the rest of your online life. (If a bad guy gets into your email, he can use the password reset feature to get into lots of other accounts, too.)

The new, even better way to fix your terrible passwords (which sadly doesn’t work everywhere): Start with the same method as above—choose a short, memorable phrase. And that’s it. Instead of turning the phrase into a one-word password, just use the whole phrase as your password. For instance, Mitt loves when Barack makes waffles. That’s a memorable phrase. It’s also an extremely strong password just by itself—stronger, even, than a password made up of that phrase’s initial letters. Instead of shortening the phrase, just type the whole thing in as your password. That’s easier than typing a jumble of symbols and uppercase and lowercase letters, and it’s easier to remember, too.


I didn’t come up with the idea of using a short phrase as a password. The credit should go to Thomas Baekdal, who runs the online magazine Baekdal, and who wrote about this method way back in 2007. Baekdal points out that if a crook were using a “brute force” attack to find your password—that is, a program that repeatedly tries to guess your password by using every potential combination of characters—the attacker would need about 219 years to guess a six-character password like J4fS<2. That’s not bad, but a short phrase of common words is even stronger. For instance, the phrase this is fun is 10 times stronger than J4fS<2—it would take a brute force attack 2,537 years to guess that phrase. And, obviously, this is fun is much easier to remember. The online comic strip XKCD repeated Baekdal’s point in a wonderful strip last year. The caption: “Through 20 years of effort, we’ve successfully trained everyone to use passwords that are hard for humans to remember but easy for computers to guess.”
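The year figures above come from Baekdal's own assumptions about how fast an attacker can guess. To show where such numbers come from, here is an added example (not code from the article or from Baekdal) that estimates the work a guessing attack faces under two attacker models: one that tries every string over the characters it sees, and one that already knows the password is a few common words. The guess rate, the 2,000-word vocabulary and the character-class sizes are assumptions labelled in the code, so the outputs will not reproduce the article's 219 and 2,537 year figures exactly.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Assumed attacker speed (constructed assumption): 100 guesses per second,
# roughly what a rate-limited online login form would allow.
ASSUMED_GUESSES_PER_SECOND = 100.0

# Assumed size of a list of common English words (constructed assumption).
ASSUMED_VOCAB_SIZE = 2000


def charset_size(password: str) -> int:
    """Alphabet a character-level brute-force attacker has to cover, inferred
    from the character classes present. 33 is the count of printable ASCII
    characters that are neither letters nor digits (space included)."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33
    return size


def brute_force_guesses(password: str) -> int:
    """Guesses needed to exhaust every string of this length over that alphabet."""
    return charset_size(password) ** len(password)


def dictionary_guesses(phrase: str, vocab_size: int = ASSUMED_VOCAB_SIZE) -> int:
    """Guesses needed if the attacker knows the phrase is built from
    vocab_size common words and simply tries every sequence of that many words."""
    return vocab_size ** len(phrase.split())


def bits(guesses: int) -> float:
    """Search space expressed as bits of entropy (log2 of the guess count)."""
    return math.log2(guesses)


def years_to_exhaust(guesses: int, guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at the given rate."""
    return guesses / guesses_per_second / SECONDS_PER_YEAR


def compare(password: str, phrase: str) -> dict:
    """Side-by-side estimate for a short symbol password and a word phrase."""
    return {
        "password_bits": bits(brute_force_guesses(password)),
        "password_years": years_to_exhaust(brute_force_guesses(password)),
        "phrase_bits_char_model": bits(brute_force_guesses(phrase)),
        "phrase_years_char_model": years_to_exhaust(brute_force_guesses(phrase)),
        "phrase_bits_word_model": bits(dictionary_guesses(phrase)),
        "phrase_years_word_model": years_to_exhaust(dictionary_guesses(phrase)),
    }


if __name__ == "__main__":
    for key, value in compare("J4fS<2", "this is fun").items():
        print(f"{key:>24}: {value:,.1f}")
```

The two models give very different answers for the same phrase: against a character-level attacker the eleven-character phrase is far stronger than the six-character jumble, but against an attacker who tries sequences of common words, three words from a 2,000-word list are fewer guesses than six random printable characters. That is why a passphrase should be longer than three words (the XKCD strip the article cites does its arithmetic at the word level for that reason), and why a server-side guess limit matters more than the shape of any individual password.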

I tried this method at several of the sites I frequent most. It works at Gmail, LinkedIn, Twitter, and Facebook, among others, and I encourage you to use short phrases as passwords there. But it doesn’t work at my bank, nor is it allowable at the many other sites that impose a maximum length on passwords and/or don’t allow spaces in passwords. Both of these requirements are pretty stupid. Limiting the number of characters in a password only makes them less secure, and a ban on spaces forces you to use special characters, which are harder to remember. I’m hoping that eventually, all sites come around to dropping their arcane password rules in favor of a much simpler password dictate: Pick a short, unique phrase.
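The rules the article complains about (a low maximum length, no spaces, mandatory symbol classes) are policy settings, and the fix is a policy change rather than anything clever. The following added example (not code from the article or from any of the sites it names) shows a small policy checker with a restrictive legacy policy beside a passphrase-friendly one; the specific limits in both policies are assumptions chosen for illustration.

```python
import re

# Constructed example of the kind of legacy policy the article describes:
# short maximum, spaces banned, three character classes required.
LEGACY_POLICY = {"min_len": 8, "max_len": 16, "allow_spaces": False, "require_classes": 3}

# Constructed passphrase-friendly policy: long minimum, generous but finite cap,
# spaces allowed, no character-class requirement. The cap is kept finite so that
# unusually long inputs cannot be used to burn server time during password hashing.
PASSPHRASE_POLICY = {"min_len": 15, "max_len": 128, "allow_spaces": True, "require_classes": 0}

CHARACTER_CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def count_classes(password: str) -> int:
    """Number of distinct character classes (lower, upper, digit, other) present."""
    return sum(bool(re.search(pattern, password)) for pattern in CHARACTER_CLASSES)


def check_policy(password: str, policy: dict) -> list:
    """Return a list of policy violations; an empty list means the password is accepted."""
    problems = []
    if len(password) < policy["min_len"]:
        problems.append(f"shorter than {policy['min_len']} characters")
    if len(password) > policy["max_len"]:
        problems.append(f"longer than {policy['max_len']} characters")
    if not policy["allow_spaces"] and " " in password:
        problems.append("spaces not allowed")
    if count_classes(password) < policy["require_classes"]:
        problems.append(f"fewer than {policy['require_classes']} character classes")
    return problems


if __name__ == "__main__":
    # The article's example phrase and its six-character comparison, run through both policies.
    for candidate in ("Mitt loves when Barack makes waffles.", "J4fS<2"):
        for name, policy in (("legacy", LEGACY_POLICY), ("passphrase", PASSPHRASE_POLICY)):
            verdict = check_policy(candidate, policy) or ["accepted"]
            print(f"{name:>10} | {candidate!r}: {', '.join(verdict)}")
```

Under the legacy policy the 37-character phrase is rejected twice over (too long, contains spaces) while being the stronger of the two candidates; under the passphrase policy it is accepted and the six-character jumble is rejected for being too short, which is the ordering a site should want.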

But that could take a while. In the meantime, either use a password manager or the first or second of my suggested methods, depending on the site. Whatever you do, just do it—your passwords are a mess, and you should really, really fix them now.


