Three Random Words: An Easy Way to Create Strong Passwords
The problem: Choosing a strong password seems like a lot of work
Passwords are important. They help protect your personal or company data and equipment, your email, your privacy, and more. Passwords that are short, simple, and easy to guess are considered “weak” because they put you at risk from malicious hackers and their software. Choosing “strong” passwords (i.e., ones that are longer, more complex, and unpredictable) is one important part of having good security.
Making an unpredictable password includes:
- Not using common passwords, like “password1,” “123456,” etc.,
- not using substitutions, like “pa$$w0rd1,” which hackers already know,
- not using the same password over and over,
- not using obvious minor variations, like replacing “Jimbob23” with “Jimbob24,”
- and not using any personal information, like your birthday, street address, children’s names, etc., since there is already an enormous amount of information about you on the internet.
However, it can be exhausting to come up with yet another strong password every time you’re forced to pick a new one.
Choosing a strong password: The current guidelines
Here’s the very good standard advice about how to choose a strong password:
- Always create a unique password that you’re not using for any other account,
- with at least 8 characters; some websites might require your password to be longer,
- and at least one uppercase letter, one lowercase, one digit, and one piece of punctuation (sometimes called a “special character”),
- and be sure to put it on your password chart (whether paper or electronic) right away since you will never remember it.
Read on for my advice on a simple approach that accomplishes all of this and more.
An easy method for creating new strong passwords
I learned this simple technique called “three random words” from my very knowledgeable computer colleague Adam Frost (http://www.ComputerCareAndLearning.com) who adapted it from recommendations published by the National Cyber Security Centre (NCSC) in London.
Here’s an example of a strong password created with this method: Stapler*4289Pasta*Black
Follow these steps to construct a new password like that, either when a system or company prompts you for a new password, or when you’ve decided to change it for your own reasons:
- Three random words: Let’s say that you’re choosing a new password for your amazon.com account. Begin by coming up with three words that are not related to amazon or shopping and are not related to each other. If nothing comes to mind, look around your desk or the room, look out the window, think about what you had for lunch, or what you’ll be doing tomorrow. For example, you might pick stapler, pasta, and black, so for the moment the new password is: staplerpastablack
- Punctuation: Separate the words with asterisks: stapler*pasta*black
- Capitalize each word: Stapler*Pasta*Black
- 2-4 digits: Come up with numbers that have no meaning to you or amazon, and avoid “1” or “12” or “123,” etc. Since many people put the numbers on the end, put them in the middle or at the beginning instead: Stapler*4289Pasta*Black
- Don’t use any spaces.
- You’re doing great, but you’re not done yet. Enter this proposed password into the system’s “type your new password here” prompt to find out whether it’s acceptable. If it gets rejected, adjust the password as directed and try again. Common problems can include using incompatible punctuation, prohibited words (like your name or the company’s name), re-using a previous password, etc.
- When the system accepts it, add it to your password chart immediately. For a chart that you maintain with your Windows or Macintosh computer, type it carefully (or use Copy and Paste). For a paper chart, write in pencil (because it will probably change over time), underline (or double-underline) each capitalized letter, and be careful to distinguish zeros from letter-O’s, fives from letter-S’s, etc.
- Going forward, choose different sets of words and numbers for each future password. Don’t reuse them!
There you go! In no time at all and with minimal thought and effort, you’ve just created a new password that is:
- Very strong,
- 23 characters long, far longer than the minimum recommended length,
- Unique,
- Unpredictable,
- Devoid of any personal information,
- Easy to type,
- Easy to write on a piece of paper,
- and easy to read over the phone to someone else if necessary and appropriate, e.g., to someone that you know and trust who also needs access to the given account, which could include a family member, bookkeeper, consultant, etc.
Variations
You could just as easily have chosen:
- Different punctuation: Stapler#4289Pasta$Black or Stapler@4289Pasta.Black
- Different capitalization: STAPLER*4289pasta*black or stapler*4289Pasta*Black or stApler*4289pasTa*blacK
- Different digit placement: Stapler*42Pasta89*Black or 42Stapler*89Pasta*Black
But for now it’s probably a good idea to keep it simple as you get accustomed to this technique.
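The following Python script is an added example, not part of the original article or of the NCSC guidance it draws on. It walks the steps above in code: it draws three distinct words (from a small constructed word list, an assumption standing in for the “look around the room” step), rejects trivial digit runs like “1,” “12,” or “123,” assembles the password with the separator, capitalization and digit placement chosen (the variations listed above are parameters), and then runs the same kind of acceptance checks a website’s “type your new password here” prompt applies: minimum length, one of each character class, no spaces, and no prohibited words such as the company’s name. Function names, the word list, and the rule set are assumptions made for the example.

```python
import secrets
import string

# Constructed sample word list for the example (assumption: in real use you
# would pick words by looking around you, as the article suggests, or draw
# from a much larger list).
SAMPLE_WORDS = [
    "stapler", "pasta", "black", "lamp", "window", "orange",
    "river", "pencil", "cloud", "marble", "kettle", "ladder",
]

PUNCTUATION = set(string.punctuation)


def is_trivial_digits(digits):
    """True for digit strings the article says to avoid: a single digit,
    all-same digits ('4444'), or a straight ascending/descending run
    ('12', '123', '321')."""
    if len(set(digits)) == 1:
        return True
    pairs = list(zip(digits, digits[1:]))
    ascending = all(int(b) == int(a) + 1 for a, b in pairs)
    descending = all(int(b) == int(a) - 1 for a, b in pairs)
    return ascending or descending


def pick_three_random_words(word_list=SAMPLE_WORDS, avoid=()):
    """Step 1: three distinct words, none related to the account (the
    caller passes words to avoid, e.g. the site's name)."""
    avoid_lc = {w.lower() for w in avoid}
    candidates = [w for w in word_list if w.lower() not in avoid_lc]
    if len(candidates) < 3:
        raise ValueError("need at least three usable words")
    chosen = []
    while len(chosen) < 3:
        word = secrets.choice(candidates)   # CSPRNG, not random.choice
        if word not in chosen:
            chosen.append(word)
    return chosen


def pick_digits(count=4):
    """Step 4: 2-4 random digits, re-drawn until they are not a trivial run."""
    if not 2 <= count <= 4:
        raise ValueError("use 2 to 4 digits")
    while True:
        digits = "".join(secrets.choice(string.digits) for _ in range(count))
        if not is_trivial_digits(digits):
            return digits


def build_password(words, digits, separator="*", digit_position="middle",
                   capitalize=True):
    """Steps 2-5: join the words with punctuation, capitalize each word,
    place the digits in the middle or at the start, never use spaces.
    separator / digit_position / capitalize cover the 'Variations' section."""
    if len(words) != 3:
        raise ValueError("exactly three words are expected")
    if not (digits.isdigit() and 2 <= len(digits) <= 4):
        raise ValueError("digits must be 2 to 4 numeric characters")
    if is_trivial_digits(digits):
        raise ValueError("digits form a trivial run; pick others")
    if capitalize:
        words = [w.capitalize() for w in words]
    if digit_position == "middle":
        parts = [words[0], digits + words[1], words[2]]
    elif digit_position == "start":
        parts = [digits + words[0], words[1], words[2]]
    else:
        raise ValueError("digit_position must be 'middle' or 'start'")
    return separator.join(parts)


def check_password(password, forbidden_words=(), min_length=8):
    """Acceptance rules of the kind a site's new-password prompt applies
    (assumed rule set). Returns a list of problems; empty means accepted."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if " " in password:
        problems.append("contains a space")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in PUNCTUATION for c in password):
        problems.append("no punctuation character")
    lowered = password.lower()
    for word in forbidden_words:
        if word.lower() in lowered:
            problems.append(f"contains prohibited word {word!r}")
    return problems


if __name__ == "__main__":
    # Reproduce the article's worked example, then generate a fresh one.
    example = build_password(["stapler", "pasta", "black"], "4289")
    print(example, len(example), check_password(example, ["amazon"]))
    words = pick_three_random_words(avoid=["amazon"])
    fresh = build_password(words, pick_digits(4))
    print(fresh, check_password(fresh, ["amazon"]))
```

Run it as-is to see the article’s own example reproduced (23 characters, no problems reported) followed by a freshly generated password; pass a site name in the avoid/forbidden lists to mirror the “not related to amazon” rule.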
Where to go from here
Have fun with this method -- use it to make creating new passwords an entertaining challenge!