The surprisingly easy to remember password that you can use for EVERYTHING (probably) is:
Wait, what? That doesn't look easy to remember at all! Well, read on. This tricky-looking password is actually very simple to remember. You can also generate another by refreshing this page if you like.
Your password system - How to use and remember this password:
It is based on the 6-letter word herons that we randomly generated, written twice, to ensure we end up with a long enough password. The current year number and one punctuation character are inserted at a
random position within the 2 words. You will also add one or more letters yourself, see below.
To remember the full password, you only need to remember:
The 6-letter word herons, and that you type it twice with a capital letter the second time: heronsHerons
The year number 20 and the & character are inserted after character 3. (Or you can put them wherever you want, but don't put them at the start or end.
You will always use the same position, so you'll remember it fine.)
Finally, I encourage you to use the password with at least one character inserted based on the system you are logging into.
So for Facebook, you should add the letter f: her20&onsHeronsf. For Microsoft, add m: her20&onsHeronsm. You could add this anywhere, but you should always use the same position so you can easily remember it.
Want to choose your own starting word?
Make it at least 5 characters!
Why the password was made this way
In order to be secure and convenient, there are a surprising number of rules we need to satisfy. Many security rules make passwords hard to remember or type, so we use a system to help.
We want to have an easy to remember but secure password that we can use in lots of places without needing to write it anywhere.
We want our password system to work on as many sites as possible, and some systems will insist on CAPS, a number, and a special character. So we include all to be safe.
We want to use a real word so we can remember it, but...
We don't want to rely on only a dictionary word because that is unsafe practice. So we split it with our special characters.
We want a long password (15 characters here) because short passwords can be recovered by brute force no matter how complex they look: an attacker with a few GPUs can try every combination of printable characters up to about 8 characters against a fast hash like MD5 or SHA1, and precomputed tables make the shorter ones instant.
For example, the SHA1 hash of the 9-character 'uf76*W68e' is 88ac6b263b60b018cfccba98619e407b35eac6df. It is not a dictionary word, but a brute-force run over all 9-character passwords reaches it in weeks on a multi-GPU rig, so complexity alone does not save a short password (see the hash dictionary section below).
We need to satisfy systems that insist on periodic password changes, so we include the year number; it is easy to remember and we simply increment it each year.
We include a character from the system we are logging into so that we are not using the exact same password for all our services.
Frequently asked questions
Why should a password be easy to remember?
If you have to write it down, someone might see it. Your head is the safest place.
Why should we use CAPS, special characters, numbers?
Well, to be honest, if your password is long enough, these things aren't really adding anything to your security.
But, since some systems will insist due to out-of-date security notions, we have no choice but to include them in our system.
Otherwise, we might find places where we cannot use our password system. That's why we can just use the year number: it isn't adding to our security, it only exists to satisfy this requirement.
The hashes of all dictionary words (and of the most common passwords) have already been calculated, so converting their hashes back to the words is a simple lookup.
It isn't such an issue when you use words as part of a strong password, but on their own, or in combination with silly ideas like l33t speak or a number added at the end, they are insecure; attackers precompute those variants too.
We can use a dictionary word in this password system, because we will not be using it in an insecure way.
Why are short passwords unsafe?
Because if your password's hash is caught up in a leak, the attacker does not need to guess cleverly: tables of precomputed hashes cover every combination of characters up to roughly 8, and a GPU can simply try every remaining short combination against the leaked hash. Hashes are explained below.
But I thought we aren't allowed to use the same password for multiple services?
That is true, which is why you should add that one-character difference: the first letter (2 if you want) of the service should be added into your password.
The reason is so that if the muppets who made the system don't protect your password properly, only one (or maybe some, in the case of multiple services with similar names) of your passwords is leaked. Bear in mind this only helps while the leaked hash stays uncracked: if the plain text of one of your passwords is ever exposed, the pattern is obvious, and anyone who knows it can guess the rest.
Why should i change my password periodically?
Well, in truth you should not have to. The periodic change only re-protects you in the unlikely event that your password (or a weak password's hash) was somehow leaked.
If you use a proper password, though, there is almost no chance of attackers learning your password even if the hash was leaked.
What is a password hash?
Your password isn't necessarily known only to you: it is possible that the owners of the system you are logging into know it as well. Do you trust them?
They should NOT know it, but you are not in control of how they build their system. What they should do is store your password as a hash, which is called hashing. A hash is a one-way function, not encryption: there is no key that turns the hash back into the password.
The hash of the word 'password' for example is:
5f4dcc3b5aa765d61d8327deb882cf99 (using the md5 method) or
5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8 (using the SHA1 method)
Because no matter how many times I hash the word 'password' with a given hash function, I will always get the same answer, I can save only the hash in my database instead of the password.
When someone logs in, I hash the password they typed and compare the hash with the database. If it matches, I know they typed the correct password, but I never needed to record the password anywhere in my system.
I can increase security further by salting the passwords: a random value is stored per user and mixed into the hash, so two users with the same password get different hashes and precomputed hash dictionaries are useless. Using a deliberately slow function such as bcrypt, scrypt, Argon2 or PBKDF2 instead of plain MD5 or SHA1 also makes every guess the attacker tries far more expensive.
What is a password dictionary?
Hackers keep a file of pre-calculated possible passwords and their hashes. If a database leaks your password's hash, and the hash is already in their dictionary, they can lookup your password. A small example might look like:
If your password hash leaks and it is in such a list, a bad actor reveals your password with a single lookup against the precomputed hash dictionary, no cracking required.
Such tables cover every combination of characters up to roughly 8, plus enormous wordlists of real words and previously leaked passwords. Nobody stores every 12-character combination (there are about 5.4 × 10^23 of them), but a password that short is still within reach of a brute-force run if the hash was stored without a salt or a slow function.
Dictionary words and commonly used passwords are also already calculated, including with numbers at the end, and with characters replaced by similar-looking symbols, too.
If they have a particular account that they are interested in, they will check the hash against the dictionary first; if your password is short or a mangled dictionary word, it's broken right away, without any hard work.
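Here is a small worked example of the two sides of this section, the hash dictionary and the salted storage that defeats it. This is an added example and is not code from the page or from the site's own generator; the wordlist, the mangling rules and the 95-character alphabet are my own constructed assumptions, standing in for an attacker's real (much larger) precomputed table.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed wordlist standing in for an attacker's precomputed dictionary
# (common-password guesses only, not leaked data).
WORDLIST = ["password", "123456", "letmein", "herons", "qwerty"]

# Assumed PBKDF2 work factor; real sites tune this to their hardware.
PBKDF2_ITERATIONS = 600_000


def md5_hex(text: str) -> str:
    """Unsalted MD5 of a password: the weak storage the page warns about."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def sha1_hex(text: str) -> str:
    """Unsalted SHA1 of a password: equally weak for password storage."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


def mangle(word: str) -> set:
    """The cheap variants attackers precompute alongside the bare word:
    capitalised, a number or year appended, and l33t substitutions."""
    leet = word.replace("a", "@").replace("e", "3").replace("o", "0").replace("s", "$")
    return {word, word.capitalize(), word + "1", word + "2020", word + "!", leet, leet.capitalize()}


def build_dictionary(words) -> dict:
    """Precompute SHA1 for every candidate: the attacker's hash -> plaintext table."""
    table = {}
    for word in words:
        for candidate in mangle(word):
            table[sha1_hex(candidate)] = candidate
    return table


def lookup(table: dict, leaked_hash: str):
    """Reverse a leaked unsalted hash by table lookup; None if it was never precomputed."""
    return table.get(leaked_hash)


def keyspace(length: int, alphabet: int = 95) -> int:
    """Number of passwords of exactly this length over the 95 printable ASCII characters."""
    return alphabet ** length


def full_table_bytes(max_length: int, digest_bytes: int = 20, alphabet: int = 95) -> int:
    """Bytes needed to store hash -> plaintext (SHA1 digest plus the plaintext) for
    every password up to max_length. Shows why no one keeps every 12-character hash."""
    return sum(keyspace(n, alphabet) * (digest_bytes + n) for n in range(1, max_length + 1))


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = PBKDF2_ITERATIONS):
    """Salted, slow hash a site should store instead of bare MD5/SHA1. A fresh random
    salt per user makes precomputed tables useless; PBKDF2 makes each guess costly."""
    if salt is None:
        salt = os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, derived


def verify_password(password: str, salt: bytes, stored: bytes, iterations: int = PBKDF2_ITERATIONS) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, derived = hash_password(password, salt, iterations)
    return hmac.compare_digest(derived, stored)


if __name__ == "__main__":
    table = build_dictionary(WORDLIST)
    # The bare word from the page's scheme, and its l33t variant, are in the table...
    print(lookup(table, sha1_hex("herons")))
    print(lookup(table, sha1_hex("h3r0n$")))
    # ...but the split, doubled form of the full password is not.
    print(lookup(table, sha1_hex("her20&onsHerons")))
    print(f"8-char keyspace: {keyspace(8):.2e}; table for everything up to 12 chars: {full_table_bytes(12):.2e} bytes")
    salt, stored = hash_password("her20&onsHerons")
    print(verify_password("her20&onsHerons", salt, stored))
    print(verify_password("her20&onsHeronsf", salt, stored))
```

The unsalted lookups show why a leaked MD5 or SHA1 of a dictionary word (even l33t-mangled) is recovered instantly, while the same word split and doubled is not in the table. The size estimate makes the storage point concrete: every combination up to 8 characters is large but tractable for a well-funded attacker, while a complete table up to 12 characters would need more than 10^25 bytes. The salted PBKDF2 path is what a site should store so that a leaked database cannot be attacked with a precomputed table at all.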