How to create secure passwords you can actually remember

I hate having to select passwords. It’s always tedious to think up something that

  1. is secure enough and
  2. can actually be remembered.

For most web sites, I have already switched over to 1Password, which also allows me to quickly generate random passwords on the fly directly in the web browser. It syncs with my iPhone too, so even the nastiest 30-character random passwords are with me all the time.

Another simple way of “creating” a relatively secure password is using the first letters of a well-known phrase, e.g. the chorus of your favorite song. That way “Every breath you take and every move you make” becomes the relatively secure password “ebytaemym”. Easy. I have been using that method for really important passwords for a long time now, with the added twist of including equations from physics that I know by heart. But I realize that this might be too geeky for most :).

Finally, I just recently realized that there is another dead simple way of creating very long random passwords: hashes. That should be obvious to anyone with a little programming experience, but I have to admit that I didn’t even think about that until recently. (Caveat: Windows users need to get some software for that).

On a Mac, just open a terminal window and type in (on Linux the equivalent command is md5sum, since there is no md5 command there)

echo "hellworld" | md5

This will create the following hash: d73b04b0e696b0945283defa3eee4538, which in itself makes a nice password. And more importantly: it’s dead easy for me to remember the word I am using to create the hash. Any word or phrase you put in will create a unique hash that you can nicely use as a password. The important thing to remember is that each word creates a unique hash, so it doesn’t matter on what system I create the hash: the hash function will always create the same hash value.

Some important tips for that method:

  • Be aware that the command is typically saved in the shell history, so think about where you type that in!
  • Be aware of line endings in the phrase. Depending on your system the (hidden) line ending is different and thus creates a (very!) different hash. To suppress the line ending in the hash, use the “-n” option: echo -n "helloworld" | md5.
  • I realize that MD5 is no longer considered to be secure but I don’t think that this matters here. And either way, the same of course also works using SHA-1 or SHA-256, which would create an even longer hash.
  • There are a couple of iPhone apps creating hashes. I am sure there are similar ones for Android.
  • Obviously, don’t use my example above as a password :)
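To make the two points above concrete (the hash is the same on every system, and the hidden line ending changes it completely), here is a small Python script added for this post (not the author's own code) that reproduces what `echo "phrase" | md5` and `echo -n "phrase" | md5` compute and compares the digest lengths of MD5, SHA-1 and SHA-256:

```python
import hashlib

# Added example: reproduces the shell commands from the post with hashlib,
# so the line-ending effect can be checked without a terminal.


def phrase_hash(phrase: str, algorithm: str = "md5", trailing_newline: bool = False) -> str:
    """Hex digest of a phrase.

    trailing_newline=True mimics plain `echo`, which appends "\n" to the
    phrase; False mimics `echo -n`, which does not.
    """
    data = phrase.encode("utf-8")
    if trailing_newline:
        data += b"\n"
    return hashlib.new(algorithm, data).hexdigest()


def compare_line_endings(phrase: str, algorithm: str = "md5") -> dict:
    """Return both variants and how many hex characters differ between them."""
    with_newline = phrase_hash(phrase, algorithm, trailing_newline=True)
    without_newline = phrase_hash(phrase, algorithm, trailing_newline=False)
    differing = sum(a != b for a, b in zip(with_newline, without_newline))
    return {
        "echo": with_newline,
        "echo -n": without_newline,
        "differing_hex_chars": differing,
    }


def digest_lengths(phrase: str) -> dict:
    """Length (in hex characters) of the resulting password per algorithm."""
    return {alg: len(phrase_hash(phrase, alg)) for alg in ("md5", "sha1", "sha256")}


if __name__ == "__main__":
    # "helloworld" is the constructed sample phrase from the post.
    result = compare_line_endings("helloworld")
    print("echo    :", result["echo"])
    print("echo -n :", result["echo -n"])
    print("hex chars that differ:", result["differing_hex_chars"])
    print("digest lengths:", digest_lengths("helloworld"))
```

Because the digest depends only on the exact bytes hashed, the same phrase with the same line-ending choice yields the same password on any machine, while a single stray newline changes almost every character.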

I tend to use this method now whenever I need to create passwords on the command line, e.g. server passwords. It also works great for creating safe WiFi passwords.