Be your own enigma machine

You've been there. The heartbleed bug—or one of your favorite retailers—has breached data and now you've got to change passwords forEVERYTHING, both business and personal.

Hopefully you've changed that password by now, right? Probably to something related to a hybrid of your favorite person's birthday and your pet's name? For shame! This kind of tidbit is likely being mined straight from your keystrokes—or worse—because you always use the same kind of password, and the bots are crunching at the bit to get at it.

They are counting on you to not be so smart and get lazy about your password. Your best friend in account security: spend 5 minutes every 9-12 months creating a random password that you can actually remember.

Because we can all create a password, but creating one that's both long, memorable, and random is an art.

Here is a recipe to keep the hackers out of your business prototypes, life savings, and your identity.

  • Beware the at sign.

    One of the first mistakes of password-making is having a short (8 characters or less) password with special characters inserted in place of letters. Yep, people are on to that one: @ sign for A, the exclamation point for I, the zero for O. It's encouraged to do this in a longer password, but not in a 1-2 word Instead, rely on length and complexity to keep the hackers at bay.

  • Be Random.Randomization equals protection. Forget your spouse, Mom's, pet's, kid's birthday. It's easy to find in the hackosphere. Instead, get your favorite book and flip to a random page, say page 89. Write down the page number someplace no one can get it: snap it with your phone, write it on a sticky-note and put it someplace no one else goes like a safe or hidden in another book.

  • Pick a date. Choose a memorable date that's not in any public record: no birthdays, no anniversaries. Think historical events, a hero's birthday, the day you met the love of your life. Now, return to your book: on that page, break out your date. If that date is February 10th 1970 (2/10/ 1 9 70): count out the second, tenth, first, and ninth words on the page of your book. You can do the year too if your other words are too small or have too few characters.

    It will look something like this: dogsweetforestedpillow.

    Why? Because a book and a special date are things that are personal and almost impossible to guess.

  • Digitize it. Splice the 4-digit year plus a special character or two in between the words.

    This becomes your Root Password: d0gsw33tforestedpillow1970.

    Or, 19d0gsw33tforestedpillow70.

    Strength of this password:

    • Length: 26 characters
    • Character Combinations: 36
    • Calculations Per Second: 4 billion
    • Possible Combinations: 29 duodecillion (1039)
    • Cracking time: 1 desktop computer, 230 sextillion (1021) years

    Why? If something like the heartbleed bug recurs, you can change the book and keep the page number that bases your code, or change the page number in the same book: the permutation is fixed and easy to remember if you leave a trail for finding it later.

  • Add the site data. Now that you've done the complicated part, keep the rest of your password simple. You can use the same password on multiple sites as long as you change one element for each site that you visit. The simplest way to do this is to choose something like the first three letters of the website your account is at. For instance, if you have an account at Netflix, you can add the letters NET at the beginning of your password, followed by the string of words, numbers, and characters on step 2. Try the letters AMA for your account at Amazon, or BAN for your banking passwords. You can also do the first and last letters of the site name, or something similar.

    Example password for NETd0gsw33tforestedpillow1970

    Strength of this password:

    • Length: 29 characters
    • Character Combinations: 36
    • Calculations Per Second: 4 billion
    • Possible Combinations: 1 quattuordecillion (1045)
    • Cracking time: 1 desktop computer, 10 octilllion (1027) years.

    Why? Because even if someone gets one of your passwords, they don't have all of them—just one permutation. If disaster strikes, change your root, and start again: only 3 of your 29 characters will recur.

More tips:

  • Don't be afraid to record your root password somewhere safe. We were trained that someone could find our password if we wrote it down, but it's far more likely you'll get hacked. At your office and home, write down reminders of the words—in the form of something like synonyms.

    A reminder for the password above might look like this: beaglesugartreesbolster1970.

  • Record your root word on a sticky-note, password-lock your phone and take a photo. Or put the sticky note with the synonym-reminder in the cover of your favorite book. Email yourself the reminder (NOT the password itself).
  • Change the root password at least yearly. If it's done right, even if someone manages to steal or guess one of your passwords, they don't have all of them and you have the time to generate a new password and deploy it before your code gets cracked for all of the sites with whom you have accounts. The beauty of a complex semi-random system is that it's hard to guess, hard to crack, and you really only need that one password.
  • Never, never give out your password. It sounds obvious, but just read the headlines…
  • Use credit cards that offer a virtual account number for online purchases, both business and home.
  • Don't ever give out your password to test it online, and avoid password-reminder programs. Almost all of these can be hacked, and then where are you? The only vault is in your head. If you're following steps 1-4, your password is very, very secure—no need to check.

Go forth, be brilliant, and be inscrutable.

More about