Advice On Building A Better Password

We're always hearing that we need stronger passwords, but many people don't know how to craft a better, stronger password or they simply don't take the time to come up with some crazy complex string that they have no chance of remembering.

I was just talking with someone who gave me some great advice.Marc Boroditsky, president and CEO of New York-based PassLogix, was talking with me recently about passwords and the trouble that weak ones can cause on a network or a personal computer. If you use a password that's easy to figure out (CFOs need to stop thinking they're clever using 'moneyman'), hackers will blow right by the weak defense. And if you use the same password for everything from your corporate login to your online dating site to your bank account, one solved password gives a hacker access to every online aspect of your life.

OK. OK. I know most of us know this, but it hasn't stopped us from using one lame password after another -- or using the same lame password over and over, year after year. It's simply a hassle to come up with strong passwords (a mix of letters, numbers, and even upper and lower case). And it's no picnic to have to remember them all, especially since Boroditsky told me that one-third of all users have 15 or more passwords. And the average user has 10 passwords just for their job.

Boroditsky gave me some good advice -- the structure he uses for his own passwords.

First come up with two to three letters for the name of the application, followed by a two to three letter acronym, followed by two to three numbers, which could be the year, a special date, or a special number.

It sounded a little confusing to me at first, but it's really pretty simple.

Boroditsky explained that he's a baseball fan so his acronym would be based on "go Yankees," so that it would be "gy." And say a special anniversary is Sept. 13, so his numbers would be "913." That means his password for an SAP application would be sapgy913. If it's a password for a Wells Fargo bank account, the password would be wfgy913.

Only the letters for the name of the application change. He noted that he might keep the acronym and date the same for three months, six months ... it just depends on what he's comfortable with.

This kind of password doesn't include any names, nicknames, or anything else easy for hackers to guess.

"There's no way you're going to guess that randomly," said Boroditsky. "It's personalized. And it's a little bit of a system to get back to the password when I need it. You could switch the sequence but always do it the same way so you can recall it when needed."

What about you? Have a fool-proof way of coming up with a strong password? If you do, let us know how you do it.