When you sign up for an account on any website, you’re probably prompted for a password. The password you use is probably going to be the same password that is used for every one of your other accounts (which is bad).

Using a password manager is good, but the randomly generated passwords it produces are random strings that are impossible to memorize. Well, here’s how to create strong and memorable passwords.

What makes a password good?

There are a few things that make a password good that will be important for us.

Length

A long password is a good password. Let’s assume we only use the 26 lowercase letters in the password. An 8-character password will take ~5 seconds to brute force (guessing every single combination until it works) while a 12-character password will take ~3 weeks to brute force. (You can check how secure a string of characters is here, but don’t type in your real password). The simple addition of 4 characters will increase the number of possibilities by:

$$26^4 = 456,976$$

456,976 times. Keep in mind, this is only using the 26 lowercase letters. Passwords typically have a few requirements: at least one uppercase and one lowercase character, at least one number, and at least one special character. Using uppercase letters, numbers, and special characters gives 94 possibilities per character. Let’s use 12 of these characters instead of 8:

$$94^4 = 78,075,896$$

That’s an even bigger number (going from 5 seconds to 12.38 years).
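To make the arithmetic above concrete, here is an added example (not code from the original post) that computes the search space, the entropy in bits and a worst-case brute-force time for the 8- and 12-character cases with 26 and 94 symbols. The guess rate of 1e10 per second is a constructed assumption; the post’s own times come from a checker whose rate model it does not state, so the absolute times differ, but the ratios between cases are the same. Note that Python’s integer arithmetic gives 94**4 = 78,074,896.

```python
import math

# Constructed assumption: an attacker trying 1e10 guesses per second against
# an offline hash. Not the rate behind the post's figures (it is not stated).
GUESSES_PER_SECOND = 1e10


def search_space(alphabet_size: int, length: int) -> int:
    """Number of distinct strings of `length` characters drawn from `alphabet_size` symbols."""
    return alphabet_size ** length


def growth_factor(alphabet_size: int, extra_chars: int) -> int:
    """How many times larger the search space gets when `extra_chars` are appended."""
    return alphabet_size ** extra_chars


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a uniformly random string of this shape (log2 of the search space)."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(alphabet_size: int, length: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst case: every candidate tried at `rate` guesses per second.
    On average an attacker finds the password after half this time."""
    return search_space(alphabet_size, length) / rate


def human_time(seconds: float) -> str:
    """Render seconds in the largest unit that gives a value >= 1."""
    units = [("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.2f} {name}"
    return f"{seconds:.2f} seconds"


def compare(cases=((26, 8), (26, 12), (94, 8), (94, 12))) -> list[dict]:
    """One row per password shape discussed in the post."""
    return [
        {
            "alphabet": a,
            "length": n,
            "space": search_space(a, n),
            "bits": round(entropy_bits(a, n), 1),
            "time": human_time(seconds_to_exhaust(a, n)),
        }
        for a, n in cases
    ]


if __name__ == "__main__":
    print("Adding 4 lowercase letters multiplies the space by", growth_factor(26, 4))
    print("Adding 4 printable-ASCII characters multiplies it by", growth_factor(94, 4))
    for row in compare():
        print(f"{row['alphabet']:>2} symbols x {row['length']:>2} chars: "
              f"{row['space']:>26,d} candidates, {row['bits']:>5} bits, {row['time']}")
```

The bits column is the number that survives a change of guess rate: each extra bit doubles the attacker’s work, whatever hardware they have, so it is the better way to compare shapes than a time that depends on an assumed rate.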

Memorizability

A memorable password is a good password. Password managers like to recommend passwords like sOcEwoU1zdHRTFVP and fB2fXKcVytTE3HwT, which are extremely difficult to remember and type. Unless you come up with a weird mnemonic that you happen to remember, this will lead to a lot of password resets. A solution is to make the random string shorter, but that makes it a lot easier to brute force.

Passwords are easy to guess and hard to remember when they should be hard to guess and easy to remember.

Me, and probably (definitely) a lot of people before me too

So, what we want is a long password that is easy to remember. How can we get this?

The glorious solution

I’m calling this the Picture-Word System (or xkcd method): find a crazy picture and make words from that picture. Use the words to make a strong password. The bottom row of this xkcd below goes through the process:

xkcd 936

Since we probably need uppercase characters, numbers, and special characters, those can be substituted for letters or added onto the ends of the words.
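The Picture-Word System as working code, added here as an example rather than the post’s own: it assumes a word list (a constructed 16-word list stands in for the words you would read off a picture) and picks the words with Python’s secrets module, which departs from the post’s human-picked words so that the strength can be quantified from the number of choices made. assemble reproduces the transformations the post uses: capitalized words, the o to 0 swap, and a digit and symbol inserted at a word boundary.

```python
import math
import secrets
import string

# Constructed word list standing in for words read off a picture. The strength
# estimate counts only list size and word count, so a real list should be long
# (a few thousand words) and the words chosen without looking at them first.
WORDS = ["box", "fish", "beer", "napkin", "under", "mammoth", "shower", "curtain",
         "cow", "rocket", "moon", "tractor", "pickle", "umbrella", "giraffe", "radio"]

# The post's o -> 0 swap. Applied the same way every time, it adds no entropy:
# an attacker who knows the rule tries it too. It only satisfies "must contain
# a digit" rules.
SUBSTITUTIONS = {"o": "0"}

SYMBOLS = string.punctuation  # the 32 printable ASCII symbols


def stylize(word: str, substitute: bool = True) -> str:
    """Capitalize a word and apply the fixed substitutions."""
    word = word.capitalize()
    if substitute:
        for old, new in SUBSTITUTIONS.items():
            word = word.replace(old, new)
    return word


def assemble(words: list[str], digit: str, symbol: str, slot: int,
             substitute: bool = True) -> str:
    """Join styled words, inserting digit+symbol at word boundary `slot` (0..len(words))."""
    if not 0 <= slot <= len(words):
        raise ValueError("slot must be a word boundary")
    styled = [stylize(w, substitute) for w in words]
    return "".join(styled[:slot]) + digit + symbol + "".join(styled[slot:])


def estimate_bits(list_size: int, n_words: int, n_symbols: int = len(SYMBOLS)) -> float:
    """Entropy of generate()'s choices: the words, one digit, one symbol, one of n_words+1 slots."""
    return (n_words * math.log2(list_size) + math.log2(10)
            + math.log2(n_symbols) + math.log2(n_words + 1))


def generate(n_words: int = 3, words: list[str] = WORDS,
             symbols: str = SYMBOLS) -> tuple[str, float]:
    """Build a Picture-Word style password with the OS CSPRNG and report its entropy."""
    chosen = [secrets.choice(words) for _ in range(n_words)]
    digit = secrets.choice(string.digits)
    symbol = secrets.choice(symbols)
    slot = secrets.randbelow(n_words + 1)
    return assemble(chosen, digit, symbol, slot), estimate_bits(len(words), n_words, len(symbols))


if __name__ == "__main__":
    pw, bits = generate()
    print(pw, f"~{bits:.1f} bits from a {len(WORDS)}-word list")
    # With a 7776-word list (Diceware size), four words already beat 8 random printable characters:
    print(f"4 words from 7776: {estimate_bits(7776, 4):.1f} bits vs 94^8: {8 * math.log2(94):.1f}")
```

The design choice worth noticing is that estimate_bits counts the choices, not the characters. A 19-character output from this toy list has only about 22 bits of entropy, because an attacker who guesses words from a list instead of letters only has to cover 16 words three times; with a few thousand words to choose from, four words are worth more than the 8 random printable characters a manager would suggest.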

Examples (with pictures)

Please don’t use any of these passwords below as your actual password. I am not responsible if your account credentials and data get stolen and suddenly a person from Mongolia who happens to stumble upon this post breaks into your bank account and transfers a large sum of money to a Nigerian prince that ends up starting a space program and launches 600 of the country’s finest cows into a trajectory headed towards Jupiter’s 5th largest moon, okay that’s probably enough. Here are some examples:

BoxFish5%Beer

pic1

This will take 93 trillion years to crack.

NapkinUnderMamm0th! (substituting 0 for the letter o is nice since they’re right next to each other on a QWERTY keyboard)

pic2

This will take 500 quadrillion years to crack.

Did7ReallyEat9?

pic3

This will take 36 quintillion years to crack.

Pictures

To find inspiration, take a look around. There’s probably something weird or non-obvious that can work. This blog post was inspired by my shower curtain design, so literally anything can work. If there’s really nothing, try looking for stock images online. The subreddit r/wtfstockphotos also has a bunch of crazy photos.

(If you’re interested, the Nigerian state offered cows for guns, and Jupiter’s 5th largest moon is Himalia with a mean radius of 85 km.)