How to remember passwords (and which ones you should)

At the risk of repeating myself (see "What you don't know about passwords might hurt you"), the best way to ensure that you never forget your passwords is to offload the task of remembering to a password manager such as 1Password ($40). For most passwords, most people, and most of the time, that's the only trick you'll need. However, no matter what tools you use, you'll have to memorize at least a few passwords. Because those are among your most important, you don't want to trade security for memorability. Here are a few tips that can help you make sure your brain doesn't betray you.

Determine which passwords you must memorize

I have no idea what 99 percent of my passwords are. Honestly, none whatsoever. They're long strings of random computer-generated characters, and I've never even glanced at most of them. When I need to use them, I let my password manager fill them in for me or, if that won't work for some reason, I copy and paste them. After all, it's no harder for an app to enter a 14-character random password than for me to type the word baseball, so I figure I have nothing to lose by going the crazy-secure route.

However, one password I've memorized cold is the password that unlocks all the other passwords stored in my password manager. That's a pretty important one. I've also memorized my OS X user account password, because I enter it many times a day, and since I use OS X's FileVault, I need that password to start up my Mac before I have access to any automated tools. Since I'm frequently prompted to enter the passwords for my iCloud, Gmail, and Dropbox accounts (often in situations where it would be awkward to copy and paste), I've memorized those too.

Depending on your habits and needs, your list might be different from mine, but most people can get by with no more than half a dozen passwords committed to memory. Considering that you may have many hundreds of passwords overall, memorizing five or six is a pretty minor task.

Choose a path to high entropy

Once you know which passwords you need to memorize, your next job is to choose passwords that are strong enough to defeat automated guessing attacks yet memorable enough that you can produce them instantly, and, for bonus points, they should be convenient to type.

Undoubtedly you know the basic drill by now. All things being equal, longer passwords are better than shorter ones; random passwords are better than those that follow a pattern; and the best passwords combine upper- and lowercase letters, numbers, and special symbols such as punctuation. It turns out, though, that you don't necessarily need all those qualities in a password to make it secure; for example, a long but simple password can be just as secure as a short but complex one. This is provable through a concept called entropy: a measure, in bits, of how many possibilities an attacker has to search, and therefore of how many guesses it takes on average to hit any given password. The important subtlety is that entropy is a property of how the password was generated, not of how it looks.

Depending on how you do the calculation, the passwords "7H#e2U&dY4" (ten random characters) and "blanketsensory" (14 nonrandom characters) are approximately equal in strength: counted character by character, ten symbols drawn from the 95 printable ASCII characters and 14 lowercase letters each come to about 66 bits, and the latter is much easier to remember and type. The catch is that the per-character count only holds against an attacker who doesn't know the password is two English words. An attacker who models it that way faces just two picks from a dictionary (about 26 bits for a 7,776-word list), and a brute-force attack disposes of that in moments rather than days or weeks. The moral of the story (as brilliantly illustrated in this XKCD comic) still stands, provided the words are chosen at random from a large list and you use enough of them (four from such a list gives roughly 52 bits, five about 65): when you have to memorize a password, a longer phrase composed of random words or syllables will make your life easier than a shorter string of entirely random individual characters.

If your memory is excellent and having to type the fewest possible characters is your biggest consideration, then go with a shorter random password, but remember that whereas short used to mean 8 or 9 characters, nowadays 12 or 14 are safer. Nevertheless, since most people can type long words faster than short bursts of random characters, you might find a 25-character phrase more convenient in daily use than a 12-character string of nonsense.
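To make the entropy comparison above concrete, here is a small calculation, added for this article and not part of the original or of any password manager's code. It scores the two example passwords under the naive per-character model and under the model an attacker uses once they know the second one is two dictionary words, then converts each to an expected cracking time. The guessing rate of 10 billion guesses per second and the 7,776-entry word list size are assumptions for illustration.

```python
import math

# Attack-rate assumption, constructed for the example: 1e10 guesses per second,
# a plausible figure for offline cracking of a fast, unsalted hash on a GPU rig.
GUESSES_PER_SECOND = 1e10

PRINTABLE_ASCII = 95   # space through '~' on a US keyboard
LOWERCASE = 26
WORD_LIST = 7776       # size of a Diceware-style word list (assumption)
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy, in bits, of a password made by picking `length` symbols
    uniformly and independently from an alphabet of `alphabet_size` symbols.
    This is the only case where "count the symbols" is the right model."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Expected time to find the password by exhaustive search: on average the
    attacker tries half of the 2**bits candidates before hitting it."""
    return (2.0 ** bits) / 2.0 / rate


def describe(seconds: float) -> str:
    """Human-readable duration for printing."""
    if seconds < 1:
        return f"{seconds * 1000:.1f} ms"
    if seconds < 86400:
        return f"{seconds / 3600:.1f} hours"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / 86400:.1f} days"
    return f"{seconds / SECONDS_PER_YEAR:.0f} years"


def compare_models() -> dict[str, float]:
    """Entropy of the article's two examples under different attacker models.
    "blanketsensory" gets two entries: the naive per-character count and the
    count an attacker uses once they know it's two dictionary words."""
    return {
        "7H#e2U&dY4 (10 random printable chars)": entropy_bits(PRINTABLE_ASCII, 10),
        "blanketsensory (as 14 random lowercase letters)": entropy_bits(LOWERCASE, 14),
        "blanketsensory (as 2 random words from a 7776 list)": entropy_bits(WORD_LIST, 2),
        "four random words from a 7776 list": entropy_bits(WORD_LIST, 4),
        "five random words from a 7776 list": entropy_bits(WORD_LIST, 5),
    }


if __name__ == "__main__":
    for label, bits in compare_models().items():
        print(f"{bits:5.1f} bits  {describe(expected_crack_seconds(bits)):>12}  {label}")
```

Run it and the two 66-bit rows come out at decades of cracking time, while the same "blanketsensory" modelled as two words falls in milliseconds; four words from the list land at a couple of days and five back in the decades. The lesson is that the number you should trust is the one computed from your generation process, which is the worst case an informed attacker can exploit.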

Let a computer pick your passwords

I've sometimes advised people to use mnemonic cues to remember passwords. For example, taking a sentence such as "I once drank three cups of coffee before realizing it was decaf" and using just the first letter of each word, with a capital and a number thrown in, creates Iod3cocbriwd, a reasonably strong password. But because humans have a tendency to unconsciously introduce patterns into passwords produced through these means (which can make a password easier to guess), I prefer to let a computer create a selection of random (but memorable) passwords, and then choose one that sounds good. You have numerous ways to do this.

If you open Keychain Access on your Mac (in /Applications/Utilities), choose File > New Password Item, and then click the key icon next to the Password field, you'll see a Password Assistant window. In this window, choose Memorable from the Type pop-up menu and select a password length. The utility will produce a password consisting of a combination of words, numbers, and symbols (such as nineteenth8590.middlingly or baiting325@certifications). Don't like the first suggestion that appears? Click the pop-up menu to see more, or choose More Suggestions from that menu to get another list.

1Password's password generator also has a mode that creates a series of pronounceable syllables (not necessarily English words), with or without intervening digits or hyphens, such as "liegnicroci", "lieg7ni2croc5i", or "lieg-ni-croc-i". To generate them in the 1Password app, choose File > New Item > New Password, click Pronounceable, and select the separator and length you prefer. Click the Refresh button to see another password choice. (The directions are similar when you're using 1Password's browser extensions, although the layout and options are slightly different.)
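The following generator is an added example written for this article; it is not Apple's Password Assistant or 1Password's generator, only an illustration of what such tools do. It builds pronounceable syllable strings and random-word passphrases from a cryptographically secure source (`secrets.SystemRandom`) and reports the entropy of each result from the parameters of the generation process, which is the number you can actually defend. The syllable pieces and the 16-entry word list are constructed for the example; a real passphrase generator needs a list of thousands of words.

```python
import math
import secrets

# Syllable pieces, constructed for this example. Onsets, vowels and codas are
# drawn from disjoint letter sets, so any generated string parses back into
# syllables in exactly one way; that is what makes the entropy figure exact
# even when the syllables are run together with no separator.
ONSETS = ["b", "c", "d", "f", "g", "k", "m", "p", "t", "v", "cr", "dr", "pr", "tr"]
VOWELS = ["a", "e", "i", "o", "u", "ie", "ou"]
CODAS = ["", "l", "n", "s"]
SYLLABLE_CHOICES = len(ONSETS) * len(VOWELS) * len(CODAS)   # 14 * 7 * 4 = 392

# Constructed mini word list. A real one should have thousands of entries; the
# entropy reported below uses len(WORDS), so it is honest about how little
# 16 words buy you (4 bits per word).
WORDS = ["blanket", "sensory", "harbor", "velvet", "cobalt", "lantern",
         "meadow", "saddle", "thimble", "walnut", "orbit", "pepper",
         "canyon", "glacier", "ribbon", "tulip"]

DIGITS = "0123456789"


def _rng(rng):
    # Always a CSPRNG unless the caller injects one; never the default random module.
    return rng if rng is not None else secrets.SystemRandom()


def _join(units, separator, rng):
    """Join units with a fixed separator, or with a random digit between each
    pair when separator == "digit" (the "lieg7ni2croc5i" style). Returns the
    string and the extra entropy the random digits contribute."""
    if separator != "digit":
        return separator.join(units), 0.0
    out = units[0]
    for unit in units[1:]:
        out += rng.choice(DIGITS) + unit
    return out, (len(units) - 1) * math.log2(len(DIGITS))


def syllable_password(count=4, separator="", rng=None):
    """Pronounceable password of `count` syllables; returns (password, bits)."""
    rng = _rng(rng)
    units = [rng.choice(ONSETS) + rng.choice(VOWELS) + rng.choice(CODAS)
             for _ in range(count)]
    password, extra = _join(units, separator, rng)
    return password, count * math.log2(SYLLABLE_CHOICES) + extra


def word_password(count=4, separator="-", rng=None):
    """Passphrase of `count` random words; returns (password, bits).
    With an empty separator the figure is an upper bound, because two different
    word sequences can occasionally spell the same string."""
    rng = _rng(rng)
    units = [rng.choice(WORDS) for _ in range(count)]
    password, extra = _join(units, separator, rng)
    return password, count * math.log2(len(WORDS)) + extra


if __name__ == "__main__":
    for password, bits in (syllable_password(4, ""), syllable_password(4, "-"),
                           syllable_password(4, "digit"), word_password(4, "-")):
        print(f"{bits:5.1f} bits  {password}")
```

Two design points carry over to any generator you trust with a master password: the randomness must come from the operating system's CSPRNG, and the entropy you quote must be derived from the generator's own choice space rather than from counting characters in the output, since the syllables and words are exactly the structure an attacker will exploit.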

Have a backup plan (or two)

If, despite choosing memorable or pronounceable options for your top few passwords, you're afraid you might forget them, writing them down on paper is not a terrible idea, as long as you keep that paper in a safe place. Obviously, a sticky note on your computer is not very safe, but your wallet might be an excellent location (and is precisely the recommendation of security expert Bruce Schneier). If you're especially paranoid, you might obfuscate them in some way, such as swapping the first and last characters, but of course, if you forget how you altered them, you've done yourself a disservice.

Finally, consider giving a copy of that paper to your spouse or a trusted friend, or putting it in a safe deposit box. If something were to happen to you, and your family or business associates urgently needed access to your data, the security of having your passwords stored only in your head would work against you. Just be sure that whoever holds your passwords keeps them as safe as you do yourself.

Stories by Joe Kissell