Lzon.ca. A personal blog, by a programmer and IT expert.


A method for making passwords that you won’t hate to use.


TLDR – Here’s my pleasant password generator.

It randomly generates x passwords consisting of a 3-digit number, followed by an adjective, then a noun, separated by hyphens. I use a list of adjectives and nouns which I pulled from the SimpleWordLists GitHub repository.

Passwords such as these are probably fine for your throw-away accounts, but not for any financial or bank account logins.

If you want to understand why, keep reading.

Passwords are a necessary evil

I’m old enough to remember a time when you didn’t need to log in to do literally anything useful with your computer. When I was young my family had an IBM PC clone that ran DOS. That computer had no login prompts, and was not connected to any online services. I won’t go so far as to say that I yearn to use those old machines again, but I have definitely come to appreciate the simplicity of them.

Obviously modern computing (and modern life) is very different. We are currently in the 4th decade of the internet age. Pretty much everything that could have otherwise been accomplished by printed paper has now come to require an online account. And obviously each and every online account requires login credentials, with remembering the password being the most annoying part.

How do I remember all my passwords?

For the most part, I don’t. I use a password manager. Every stored password is a very long and random sequence of letters, numbers, and special characters. That makes them very secure, and practically impossible for an attacker to simply guess. This also makes them impossible for me to remember, and that is why I keep them saved in the manager. I only have to remember one password, the one that opens the manager. It’s very long and annoying to type, but it’s a worthy trade-off to keep all my other passwords safe and secure.

I know from experience that maintaining a password manager is not tenable for many people. As an IT technician I’ve worked with customers who genuinely do not have the technical skill to do this. And yet they (just like everyone) are required to keep track of many different passwords for their various accounts. Some of my customers used a hand-written notebook (which is good), and others merely re-used the same few passwords for everything (which is extremely insecure).

And my thinking on this has changed over time as well. I’m now less regimented than I used to be. I don’t see every account and every password as needing the same degree of protection. Financial account passwords must be as secure as possible, but others not so much. The login password for my home computer isn’t there to keep the secret agents out of my personal files, it’s there to keep nosy passersby from looking at my work.

The reason I’m writing this post is because I’d like to share my middle-ground approach to making passwords. Easy to remember, easy to type, and not completely insecure.

A way to create passwords that are pleasant to use.

Making a Pleasant Password

The idea is straightforward. Pick a number. Then an adjective. Then a noun. Put them together with a hyphen (or other special character). Like so:

496-bouncy-hamster

This password is complex enough to pass most password validation rules, yet only requires you to remember two words, one number, and the hyphens. In essence this is now a form of mnemonic.

This password is secure against simple guessing, which is good. It is 18 characters long, with 37 possible options for each (a-z + 0-9 + hyphen). Given no additional information, the number of passwords an attacker would need to guess is 37 to the power of 18, or 16,890,053,810,563,300,749,953,435,929. If you were wondering, the short scale name for that number is:

Sixteen octillion, eight hundred ninety septillion, fifty-three sextillion, eight hundred ten quintillion, five hundred sixty-three quadrillion, three hundred trillion, seven hundred forty-nine billion, nine hundred fifty-three million, four hundred thirty-five thousand, nine hundred twenty-nine.

Unfortunately attackers are rarely that naive. That password is insecure for the same reason it’s so easy to use: it follows a simple pattern, and uses real English words. My widget above chooses randomly from a list of x adjectives, and x nouns. If someone were to actually try to break into your account, they would likely start by guessing passwords with a common structure first. Guessing passwords that contain whole words is a near-universal tactic.

x adjectives x x nouns x 1 digits is only x different passwords. That may seem like a lot but for a modern computer it would be completely trivial to guess each and every one.
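The gap between the two estimates above can be worked through in code. This is an added example, not the generator from this blog: the word lists are small constructed samples rather than the SimpleWordLists files, and the list sizes and guess rate in the final loop are assumptions chosen only for illustration.

```python
import math
import secrets

# Constructed sample word lists (assumption): the blog's generator draws from
# the larger SimpleWordLists adjective and noun files instead.
ADJECTIVES = ["bouncy", "quiet", "rusty", "gentle", "hollow", "brave", "sleepy", "amber"]
NOUNS = ["hamster", "lantern", "river", "pebble", "falcon", "teapot", "meadow", "anchor"]
ASSUMED_GUESSES_PER_SECOND = 10_000  # assumption for illustration, not from the post


def pleasant_password(adjectives=ADJECTIVES, nouns=NOUNS, sep="-"):
    """Return '<3 digits><sep><adjective><sep><noun>', drawn from the OS CSPRNG."""
    number = secrets.randbelow(1000)  # uniform over 000-999
    return sep.join([f"{number:03d}", secrets.choice(adjectives), secrets.choice(nouns)])


def pattern_keyspace(n_adjectives, n_nouns, n_numbers=1000):
    """Candidates to try for someone who knows the pattern and both word lists."""
    return n_numbers * n_adjectives * n_nouns


def charset_keyspace(length, alphabet_size=37):
    """Candidates to try when only the length and character set are known."""
    return alphabet_size ** length


def bits(keyspace):
    """Entropy in bits of one uniform choice among `keyspace` candidates."""
    return math.log2(keyspace)


def seconds_to_exhaust(keyspace, guesses_per_second=ASSUMED_GUESSES_PER_SECOND):
    """Worst-case time to try every candidate at a fixed guess rate."""
    return keyspace / guesses_per_second


if __name__ == "__main__":
    for _ in range(3):
        print(pleasant_password())
    naive = charset_keyspace(18)  # the 37^18 estimate for 496-bouncy-hamster
    print(f"character-set estimate: {bits(naive):.1f} bits")
    for n in (len(ADJECTIVES), 1000, 5000):  # hypothetical list sizes
        ks = pattern_keyspace(n, n)
        print(f"{n:>5} words per list: {ks:,} candidates, {bits(ks):.1f} bits, "
              f"{seconds_to_exhaust(ks):,.0f} s to exhaust")
```

The real strength of a password built this way is set by the sizes of the word lists, not by its character count, so a longer word adds nothing unless the list itself grows.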

When should you use this approach?

A good analogy to consider is the cheap lock you put on your locker at the gym. It’s not fancy. It’s not very well made. The mechanism is easy to pick, and the shackle is thin enough to cut. And yet it is good enough for its intended purpose. You are not storing your life savings in that locker. If someone tried to break your lock it would be very obvious (people would notice if someone walked in with bolt cutters). That little lock is more-or-less sufficient to ensure that no one will go rummaging through your personal items.

I use this approach when I need a password for something I consider low risk. Deciding what is or isn’t low-risk is very much a matter of personal discretion, but what I will say is that you should probably not be using this method while trying to secure your bank account. It is better suited for the local user account on your home computer. The throw-away online video game account. For those purposes this method is quite effective.


Do you have your own method for making easy to use passwords? If so, let me know!

Or not… Better to keep that a secret. 😉

If you have comments, you’re still free to send an email to mail@lzon.ca or just DM me on one of my social accounts. Links are all on the homepage.