How to remember passwords (and which ones you should)
By Joe Kissell Macworld
Determine which passwords you must memorize
I have no idea what 99 percent of my passwords are. Honestly, none whatsoever. They’re long strings of random computer-generated characters, and I’ve never even glanced at most of them. When I need to use them, I let my password manager fill them in for me or, if that won’t work for some reason, I copy and paste them. After all, it’s no harder for an app to enter a 14-character random password than for me to type in the word baseball, so I figure I have nothing to lose by going the crazy-secure route.
However, one password I’ve memorized cold is the password that unlocks all the other passwords stored in my password manager. That’s a pretty important one. I’ve also memorized my OS X user account password, because I enter it many times a day—and since I use OS X’s FileVault, I need that password to start up my Mac before I have access to any automated tools. Since I’m frequently prompted to enter the passwords for my iCloud, Gmail, and Dropbox accounts (often in situations where it would be awkward to copy and paste), I’ve memorized those too.
Depending on your habits and needs, your list might be different from mine, but most people can get by with no more than half a dozen passwords committed to memory. Considering that you may have many hundreds of passwords overall, memorizing five or six is a pretty minor task.
Choose a path to high entropy
Once you know which passwords you need to memorize, your next job is to choose passwords that are strong enough to defeat automated hacking attempts yet memorable enough that you can produce them instantly—and, for bonus points, they should be convenient to type.
Undoubtedly you know the basic drill by now. All things being equal, longer passwords are better than shorter ones; random passwords are better than those that follow a pattern; and the best passwords combine upper- and lowercase letters, numbers, and special symbols such as punctuation. It turns out, though, that you don’t necessarily need all those qualities in a password to make it secure—for example, a long but simple password can be just as secure as a short but complex one. This is provable through a concept called entropy, which refers to a mathematical approximation of how difficult, on average, any given password is to guess.
Depending on how you do the calculation, the passwords “7H#e2U&dY4” (ten random characters) and “blanketsensory” (14 nonrandom characters) are approximately equal in strength, but the latter is much easier to remember and type. Even though it contains only lowercase letters and blanket and sensory are both ordinary English words, the password’s entropy is high enough that a concerted brute-force attack would take days or weeks to crack it. The moral of the story (as brilliantly illustrated in this XKCD comic) is that when you have to memorize a password, a longer phrase composed of random words or syllables will make your life easier than a shorter string of entirely random individual characters.
If your memory is excellent and having to type the fewest possible characters is your biggest consideration, then go with a shorter random password—but remember that whereas “short” used to mean 8 or 9 characters, nowadays 12 or 14 are safer. Nevertheless, since most people can type long words faster than short bursts of random characters, you might find a 25-character phrase more convenient in daily use than a 12-character string of nonsense.
Let a computer pick your passwords
I’ve sometimes advised people to use mnemonic cues to remember passwords. For example, taking a sentence such as “I once drank three cups of coffee before realizing it was decaf” and using just the first letter of each word, with a capital and a number thrown in, creates “Iod3cocbriwd”—a reasonably strong password. But because humans have a tendency to unconsciously introduce patterns into passwords produced through these means (which can increase the ease of guessing a password), I prefer to let a computer create a selection of random (but memorable) passwords, and then choose one that sounds good. You have numerous ways to do this.
If you open Keychain Access on your Mac (in /Applications/Utilities), choose File > New Password Item, and then click the key icon next to the Password field, you’ll see a Password Assistant window. In this window, choose Memorable from the Type pop-up menu and select a password length. The utility will produce a password consisting of a combination of words, numbers, and symbols (such as “nineteenth8590.middlingly” or “baiting325@certifications”. Don’t like the first suggestion that appears? Click the pop-up menu to see more, or choose More Suggestions from that menu to get another list.
1Password’s password generator also has a mode that creates a series of pronounceable syllables (not necessarily English words), with or without intervening digits or hyphens—such as “liegnicroci”, “lieg7ni2croc5i”, or “lieg-ni-croc-i”. To generate them in the 1Password app, choose File > New Item > New Password, click Pronounceable, and select the separator and length you prefer. Click the Refresh button to see another password choice. (The directions are similar when you’re using 1Password’s browser extensions, although the layout and options are slightly different.)
Have a backup plan (or two)
If, despite choosing memorable or pronounceable options for your top few passwords, you’re afraid you might forget them, writing them down on paper is not a terrible idea—as long as you keep that paper in a safe place. Obviously, a sticky note on your computer is not very safe, but your wallet might be an excellent location (and is precisely the recommendation of security expert Bruce Schneier). If you’re especially paranoid, you might obfuscate them in some way, such as swapping the first and last characters—but of course, if you forget how you altered them, you’ve done yourself a disservice.
Finally, consider giving a copy of that paper to your spouse or a trusted friend, or putting it in a safe deposit box. If something were to happen to you, and your family or business associates urgently needed access to your data, the “security” of having your passwords stored only in your head would work against you. Just be sure that whoever holds your passwords keeps them as safe as you do yourself.