As we move to cloud-based services, passwords are becoming a serious problem:

  • A password must be complex
  • A password must be easy for you to use
  • The password has to be different on every account
  • You can’t use the same password for two or more accounts
  • A password must never be written down on your computer (hackers will scan your computer for password files) or on your desk (people may look through your desk)
  • A password can’t be in a hacker’s list of 30 million passwords
  • And a password system has to work for many accounts (I have more than 20 accounts)

There are password vaults, which are services that manage all of your passwords. But a vault relies on one master password. If someone gets that password, they have access to everything. Worse yet, a vault itself can be hacked. Google has been hacked, so nothing is secure. It’s certain the hackers are trying very hard to hack the vaults.

After much discussion with friends in Silicon Valley, I came up with the following two-part password method: a secret password plus a public password.

  1. I use a base password, which is an acronym of a phrase. I never write this down anymore, neither digitally nor on paper. I keep it only in my head. A sample phrase: “six red foxes dance at ten pm” becomes “6rfda10p”. Don’t use proverbs or quotations; hackers have lists of these. Use at least eight characters with a mix of letters and numbers. You can capitalize the nouns (“6rFda10p”). It’s easier to remember a phrase that describes a visual action (such as six dancing foxes).
  2. I use that base password for all of my accounts. Every account password starts with that phrase.
  3. I then add two non-alphabetical characters (a number and a symbol) for each account. For example, Google = 6%, Facebook = #3, and so on.
  4. I combine these, so my password for Google is 6rFda10p6% and Facebook is 6rFda10p#3. (You can put the second part at the beginning, middle, or end of your secret phrase.)
  5. I write down a list of those two-character account parts, which I keep on my desk and in my wallet. People can see the second part, but they can’t do anything with it.
  6. This lets me easily look up my passwords.
  7. This also lets me create dozens of passwords: 1!, 1@, 1#, etc.

Q. How many passwords can this method generate?

A. Let’s assume a password with eight characters. Each character can use 26 lower case letters, 26 upper case letters, ten single-digit numbers (zero to nine), and 14 special characters (!, @, #, etc.). That’s 76 possible symbols for each character. Calculate 76 to the eighth. Yep, it’s a mighty big number. Of course, no calculator can do that. So you’ll have to do it in your head (remember to carry the one.) It’s 1.113 quadrillion, or 1,113 trillion (a thousand trillion).
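As an added illustration (example code, not from the post), here is the method in Python: a check of the base password against the rules in step 1, the combination from step 4 with the account part at the start, middle, or end, and the counts behind step 7 and the question above. The 14-symbol set and the small common-password list are constructed stand-ins.

```python
import re

# Constructed stand-in for the "30 million passwords" list the post mentions;
# a real check would load a breach-compiled wordlist instead.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "000000", "00000000"}

# Character classes the post counts: 26 lower, 26 upper, 10 digits, 14 symbols = 76.
SYMBOLS = "!@#$%^&*()-_=+"  # 14 symbols; the exact set is an assumption
ALPHABET_SIZE = 26 + 26 + 10 + len(SYMBOLS)


def check_base(base: str, blocklist=COMMON_PASSWORDS) -> list:
    """Return the rules from step 1 that the base password violates (empty = ok)."""
    problems = []
    if len(base) < 8:
        problems.append("shorter than eight characters")
    if not re.search(r"[A-Za-z]", base) or not re.search(r"[0-9]", base):
        problems.append("needs a mix of letters and numbers")
    if base.lower() in blocklist:
        problems.append("appears in a common-password list")
    return problems


def derive_password(base: str, part: str, position: str = "end") -> str:
    """Combine the secret base with the two-character account part (step 4).
    The account part is public by design, so all secrecy rests on the base."""
    has_digit = any(c.isdigit() for c in part)
    has_symbol = any(c in SYMBOLS for c in part)
    if len(part) != 2 or not (has_digit and has_symbol):
        raise ValueError("account part must be one digit and one symbol")
    if position == "start":
        return part + base
    if position == "middle":
        half = len(base) // 2
        return base[:half] + part + base[half:]
    if position == "end":
        return base + part
    raise ValueError("position must be start, middle or end")


def keyspace(length: int = 8, alphabet_size: int = ALPHABET_SIZE) -> int:
    """Number of distinct passwords of the given length: the post's 76 to the eighth."""
    return alphabet_size ** length


def account_part_count(digits: int = 10, symbols: int = len(SYMBOLS)) -> int:
    """Distinct two-character account parts: a digit and a symbol in either order."""
    return digits * symbols * 2
```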

Tip: Hackers have lists of 30 million passwords (search for “lists of passwords”). Don’t use names of cats or dogs, Star Trek characters, girlfriends, or girlfriends’ body parts. Don’t use the US military’s nuclear missile launch password (it’s “000000”. Yes, six zeros. Yes, that’s really true.) (The US military changed it. It’s now eight zeros. Really secure.)

Tip: If you use unsecured Wi-Fi at coffee shops, the mall, or the airport, it’s very easy for kids and hackers to get your data, including your ID and passwords. They can see everything you do; they can send email from your account; they can change your password. If you must use an unsecured Wi-Fi connection, be sure to use HTTPS (S for secure), not plain HTTP.