
Lost passwords are the single most common topic on Ask Leo! and on many other technical support and assistance sites. I'll look at why that might be and what you can do to protect yourself.

In the nine years that I've been answering questions here at Ask Leo!, the single most common topic that I encounter is that of lost or forgotten passwords.

It's been the number one topic since day one.

In the early years, questions relating to lost Hotmail passwords were so overwhelmingly frequent that it became an inside joke among my friends – I was the guy to see about Hotmail passwords.

In the years since, the spectrum has broadened to include whatever system is popular; most recently, it's been Facebook.

Why are so many passwords forgotten? And what lessons can we take away to improve our own security, both online and off?

This isn't about hacked accounts

I've seen the instances of hacked accounts skyrocket in the past couple of years. Hackers have taken to breaking into email accounts and then using those accounts to send spam to the contacts listed in them. Not only is mail from a legitimate account more likely to bypass spam filters, but contacts are more likely to open email that comes from the account of someone they know.

Hackers will often change the password on the account.

What that means is that when the rightful account holder later tries to log in, he cannot. It manifests as a bad password (because it is), and password recovery techniques are the first step to regaining access to the account.

I have several articles covering that scenario already and I'd point you at Email Hacked? 7 Things You Need to do NOW for the steps that you should take if you find yourself in that situation.

That's not what I'm discussing here. This is much more mundane, and yet probably still more common.

People forget their own passwords.

What's my password?

Taking it seriously

When I hear the backstory to a forgotten password scenario, there are a couple of frequently reoccurring characteristics:

  • The individual is a relatively new or inexperienced computer user.

  • They're in a hurry.

In my experience, new users underestimate just how picky computers are about your entering exactly the correct password, and perhaps in an effort to make their password secure, they've chosen something obscure that is coincidentally also difficult to remember exactly. They don't realize just how easy it is to forget the exact password that they've chosen.

Newer users are often not online as much as you or I might be, and thus often aren't asked for their password more than once a day or once a week. If you're required to enter a password correctly every day, it's committed to memory much more quickly than if days or weeks go by before you need it again.

More troubling are the folks who are in a hurry. For various reasons, they want an account and they want it now. As a result, having to set up a password is more of an annoyance than anything else. Certainly no extra time is spent setting up a good password, much less committing it to memory. (More often than not, these are the accounts with passwords like "1234567." They are also more likely to be hacked.)

The common thread is simple: taking security – particularly your password – seriously from the beginning is critical.

Unless, of course, permanently losing access to your account isn't something that you'd consider serious.


Your browser remembers so you can forget

Even if you take password security seriously, various conveniences can make it frighteningly easy to forget your password.

I know of people who've not had to enter their password to login for years.

They've allowed the site to "remember" them – forever – or they've allowed their browser to remember their password for them.

The bottom line is that they enter their password exactly once, maybe twice, and then let the browser remember from then on.

Weeks, months, or even years later when for some reason or another they need to login elsewhere, they have no idea what their password is. They've set up their life so that they've simply never had to type it in after setting it up to begin with.

The sad news about most browser password stores is that they're often only lightly secured themselves and are accessible not only to individuals with access to your machine, but to malware as well.

I avoid them.

Passwords one through one hundred

The classic "rules" for passwords are frustrating in that they seem to be crafted specifically to make passwords impossible to remember:

  • Passwords should be at least 12 characters long [1].

  • Use a mixture of character case and type (letters, numbers, special characters).

  • Don't use words or names.

  • Don't use the same password on more than one site.

Yikes! If you're only allowed to use passwords like "P5S0Dk@!i2Yd", "#zJCahT0kAA3" and "4Jy%zsX6H9!^", and you're not allowed to re-use them, then it's no wonder we can't remember them all! Even when choosing something slightly less secure than those rules, the best of us would fail miserably without help of some sort.

Technique 1: The algorithm

One approach to generating memorable (or "remember-able") passwords is to use an algorithm or a set of rules to create all your passwords. For example:

  • Begin with a memorable quote (or phrase or song lyric or ...)

  • Use the first (or last or second or ...) character from each word in that quote

  • Add into the middle (or beginning or end or ...) the first and last characters of the domain that you're setting a password for.

So, let's say I use the first 10 words of The Gettysburg Address:

Four score and seven years ago, our fathers brought forth

Now, I'll use the first letter of each word:

Fsasyaofbf

Let's say I'm setting up a new Hotmail account, so I might use the first and last letters of the domain (hotmail.com) and I'll insert them into the middle:

Fsasyhlaofbf

Provided you always remember your own algorithm (or password-generating rules) and always remember the phrase, song lyric, or quote you start with, regenerating almost any password you created using those rules is a snap.
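To make the rules above concrete, here is an added example (mine, not code from the article) that regenerates a site password exactly as Technique 1 describes, and generalizes it slightly so the letter taken from each word and the insertion point can be chosen. It assumes "the domain" means the label just before the top-level domain (hotmail.com gives hotmail); that reading is mine.

```python
import re


def password_from_phrase(phrase: str, domain: str, letter_index: int = 0,
                         insert_at: str = "middle") -> str:
    """Regenerate a site password with the article's Technique 1.

    One letter is taken from each word of a memorable phrase (letter_index
    0 = first letter, -1 = last letter), then the first and last letters of
    the site's domain name are inserted at insert_at ("start", "middle" or
    "end"). Same phrase + same rules + same site => same password, so nothing
    has to be written down.
    """
    words = re.findall(r"[A-Za-z]+", phrase)          # punctuation is ignored
    if not words:
        raise ValueError("phrase contains no words")
    core = "".join(w[letter_index] for w in words
                   if -len(w) <= letter_index < len(w))

    # Assumption (not stated in the article): "the domain" is the label just
    # before the top-level domain, so hotmail.com -> hotmail. Two-part
    # suffixes such as .co.uk would need a smarter split than this.
    host = domain.lower().split("://")[-1].split("/")[0]
    labels = host.split(".")
    name = labels[-2] if len(labels) >= 2 else labels[0]
    site_tag = name[0] + name[-1]

    positions = {"start": 0, "middle": len(core) // 2, "end": len(core)}
    if insert_at not in positions:
        raise ValueError("insert_at must be 'start', 'middle' or 'end'")
    cut = positions[insert_at]
    return core[:cut] + site_tag + core[cut:]


if __name__ == "__main__":
    GETTYSBURG = "Four score and seven years ago, our fathers brought forth"
    # Reproduces the article's worked example.
    print(password_from_phrase(GETTYSBURG, "hotmail.com"))      # Fsasyhlaofbf
    # Same rules, different site: only the two inserted letters differ, which
    # is the trade-off of any such scheme. If two of these passwords leak,
    # the pattern is visible, so the starting phrase should be truly private.
    print(password_from_phrase(GETTYSBURG, "https://www.facebook.com/login"))
```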

Technique 2: The pass phrase

Longer passwords are better. In fact, the longer the password, the more acceptable it is to break some of the other "rules" associated with passwords.

Enter the pass phrase – a sequence of words (yes, dictionary words) that you can remember that is significantly longer than your old eight- or 12-character password.

For example, the passphrase "correct horse battery staple" would be considered a better password [2] than, for example, "P5S0Dk@!i2Yd" by virtue of it being significantly longer – 28 characters as compared to 12.

A passphrase doesn't have to be "weird" or nonsensical – although I suppose it helps – a good, lengthy passphrase can be anything that you would easily remember.

No problems making it unique to each site, either. Modifying your passphrase in a site-specific way, for example "correct horse battery hotmail," works great.

The frustrating downside to passphrases is that they don't work everywhere. Many sites, for inexplicable reasons in today's world, limit the length of passwords to something silly like 16 characters. (Or worse, only pay attention to the first N characters.) Often, they don't accept spaces. These limitations often prevent us from using secure passphrases for some logins, requiring us to fall back to more traditional and often less secure techniques.
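The numbers behind Technique 2, and the site limitations just described, as an added example of my own (not from the article): how much search space a 12-character random password and a 28-character phrase offer, and what a site that truncates or refuses spaces does to a passphrase. It goes one step beyond the text by also estimating a phrase the way a cracker would attack it, word by word; the 7776-word list size is an assumption (a Diceware-sized list).

```python
import math
from typing import Optional


def random_password_bits(length: int, alphabet_size: int = 95) -> float:
    """Search space, in bits, of a password drawn uniformly at random from
    alphabet_size symbols (95 = printable ASCII)."""
    return length * math.log2(alphabet_size)


def wordlist_passphrase_bits(word_count: int, list_size: int = 7776) -> float:
    """Bits for a passphrase when the attacker guesses whole words from a
    list (7776 is an assumption: a Diceware-sized list). A phrase of common
    words is attacked this way, not letter by letter, so this is the honest
    estimate; it is why footnote 2 says not to reuse a famous example."""
    return word_count * math.log2(list_size)


def as_site_stores_it(password: str, max_length: Optional[int] = None,
                      significant_chars: Optional[int] = None,
                      allow_spaces: bool = True) -> Optional[str]:
    """Model the site limitations the article complains about.

    Returns the password the site will actually compare against, or None
    if the site rejects the password outright.
    """
    if not allow_spaces and " " in password:
        return None                          # site refuses spaces
    if max_length is not None and len(password) > max_length:
        return None                          # site refuses long passwords
    if significant_chars is not None:
        return password[:significant_chars]  # site silently truncates
    return password


if __name__ == "__main__":
    print(round(random_password_bits(12), 1))       # 12 random printable chars
    print(round(random_password_bits(28, 27), 1))   # 28 chars, letters+space
    print(round(wordlist_passphrase_bits(4), 1))    # 4 words, word-list attack
    # On a site that only looks at the first 16 characters, the site-specific
    # word at the END of the phrase is thrown away, so both phrases become
    # the same effective password:
    print(as_site_stores_it("correct horse battery staple", significant_chars=16))
    print(as_site_stores_it("correct horse battery hotmail", significant_chars=16))
```

Putting the site-specific word first (or in the middle) survives such truncation; putting it last does not.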

Technique 3: Admit you need help

I don't know my online banking password.

It's not that I forgot it; I never bothered to even try to remember it. And it's quite secure and obscure.

So how do I get in?

I admitted defeat when it comes to my memory long ago. [3] I use a password storage tool: LastPass.

The concept here is simple: I remember a single, strong password that unlocks the vault. The tool contains a database of all my other logins and passwords, and it works within my web browser to enter them automatically as needed, or on demand.

LastPass remembers so I don't have to.

Tools like LastPass are significantly more secure than allowing your browser to simply remember your passwords for you. LastPass was built for security from the ground up. Without your master password, your vault is inaccessible, and LastPass can be configured to require your master password every time, after your computer has been idle for a certain amount of time, or after your browser has been closed and re-opened. (LastPass also supports two-factor authentication for additional security, particularly useful if you travel.)

Take it seriously from the start

The real bottom line to not becoming "one of those people" is to take your account security and password seriously from the moment you open your account.

  • Select a technique that you know will allow you to remember or regenerate it as needed.

  • Choose a strong password – the longer the better.

  • Make sure to properly set up (and remember and keep current) additional account security options such as mobile numbers, secret questions, alternate email addresses and more.

  • If you want to use technology to remember things for you, opt for a tool like LastPass specifically designed for this job.

Above all, take your time and do it right from the start.

Trust me, a little extra time and thought now will help avoid a lot of pain in the future.

[1] The old rule of eight that many of us "grew up" with is no longer secure. Passwords these days should be 12 characters or longer.

[2] OK, this specific example is an incredibly poor passphrase, as it's been used frequently as an example of a very good passphrase. So don't use it. Use your own set of words to make a passphrase.

[3] My wife would agree to the defeat, but not to my ability to consistently admit it.

Article C5645 - August 1, 2012

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.


19 Comments
fran kaye
August 3, 2012 8:26 AM

I have a foolproof way to remember passwords.
Most people have moved several times and what I do is put together parts of two different addresses and it works and you can remember your password very easily.

kevin
August 3, 2012 8:50 AM

Good article Leo, but will anyone listen? In my part of the world, I think not. Statistically not all that many people are hacked, so all, in my opinion, feel safe enough to ignore what I would call inevitable in the long term. Am I being too severe in your opinion?

Steve Bukosky
August 3, 2012 9:32 AM

A problem that I have is I regularly visit well over 50 password protected sites. Many require not only monthly changes, but often require special characters and so forth. So, starting with a set of rules quickly diverges to the point that I now use Roboform and the mobile version so all of my computers AND a thumbdrive are synchronized. Otherwise all of these passwords would be unmanageable.

Andrew
August 3, 2012 9:50 AM

I have used KeePass for several years - is this as good as LastPass?

Natalie
August 3, 2012 10:17 AM

Make up a sentence about the website. Then take the first letter of each word to make the password. Add in at least one capital, one number, and one symbol. I've just made one as an example: Piags8bIwIcecaip* My sentence is Pandora is a great site 8 but I wish I could eliminate certain albums it presents* On a piece of paper I write out the password and the sentence and any questions I answered in signing up, such as email address, birth year, and the country I live in. I put this into a file in a locked cabinet in the room where my one and only computer always stays. It works.

Glenn Meyer
August 3, 2012 10:27 AM

My problem is that I work on three different operating systems, just at my office, am required to use 14 different accounts for various reasons, and each of those accounts has a different set of password rules. On top of that, each password expires at a different rate, some never, some every four weeks, some every six weeks, and so on. Since some of the passwords are for turnkey applications, others are for system logins, and still others are for web-based apps, it is guaranteed that there is no one safe online place I can store them all. Worse yet, some of the accounts I have to use only once or twice a year. So circumstances (that is to say, my job) have forced me to keep them all on paper, thereby soundly defeating most of the goals of those annoying password rules. This situation will not improve until large organizations develop a unified approach to computer security. Yeah, like that will ever happen.

Mark J
August 3, 2012 10:36 AM

@Glenn
I have a lot of passwords which can't be managed by LastPass or another password manager, such as TANs (transaction account numbers, i.e. one-time passwords for two-factor authentication for bank transactions) etc. I keep these in files in a TrueCrypt folder. Any method of encryption would work. I use the same password as for my LastPass, with a slight modification.

Benmara
August 3, 2012 1:27 PM

I don't see the problem myself...
my system is simple. Pick a folder with PC type files such as jchg.rmc, or telemx.dll, etc etc

I chose:
C:\Windows\System32
[not really, but if I told you the real one the purpose is defeated, lol-- use windows system folder, or an installed program...no matter.]

Then I look for innocuous-looking files such as the two below. Then I make a text file [wmpcnow.txt]. Name it something to fit between the one you chose and the one after it, and then I insert my password list. Use a few tricks, like all of them are 2nd word first: redburningbarn23@ becomes burningredbarn23@

wmpcm.dll (innocuous)
wmpcnow.dll (FAKE)
WmpDui.dll (innocuous)

Now REMEMBER where it is [write it down on paper and stick it in a favorite book].
ALL files can be opened by the notepad program...
Simply right-click wmpcnow.dll {or what-you-name-it.dll, even .dl_ - or use ANY suffix} and click "open with" or OPEN and hit the "notepad" (if you get a window asking to choose web search or list of installed, etc- choose installed) {UNchecking 'always use this selected program to open this type file- is a good idea}.

Open w/ notepad and SEE! there be yer passwords...

Believe it or not, this is more simple than it seems...I am so used to doing it, I get my file open when I need it in mere seconds. a friend told me this would not work as a word search program would find passwords inside it...really? I offered him $100.00 dollars and he never did...course my passwords tend to go:

readXberningbarn23@ -becomes- berningXreadbarn23@

Also, name your file on your desktop, use your search program to find it, if you only find the desk top one you are good to go...drag it to the folder you want it in...took me 5 mins. to set it up and mere seconds to find it, now that I know where it is...

Chris Calvert
August 3, 2012 1:42 PM

I have several hundred sites that I regularly visit. Keeping track of unique passwords for these is an impossible job. Fortunately most don't require regular changes and I do my best to keep away from those that do. My bugbear are those sites (which are most of them) that require an email address as the user name AND which use those user names as their way to keep in contact with you. Makes it hard to change your email address. I have bent over backwards to keep the same ISP because I don't want to have to change all my user names. I have ended up using the same 10 passwords, so if one doesn't work I just cycle through the rest until something does work. Using a password-protected password program is just more keystrokes required to gain access. My bank accounts have completely separate passwords which so far I have managed to remember.

Snert
August 3, 2012 3:48 PM

Store your passwords/phrases on a USB stick with information about which get used for what and keep it secure with TrueCrypt or similar. If the USB stick isn't in the computer it can't be hacked and you don't have to remember the passwords so you can make them as complicated as you wish. But if you lose it you're SOL, so make copies. Small USB sticks are cheap.

Maarten, Netherlands
August 3, 2012 4:27 PM

The big question now, seeing comment 3, "3 My wife would agree to the defeat, but not to my ability to consistently admit it."

Is your wife a subscriber?

Leo (reply)
05-Aug-2012

As a matter of fact, she is. :-)

Gord Campbell
August 3, 2012 5:26 PM

Someday, LastPass will be down, and you won't be able to log on anywhere. If LastPass has a catastrophic failure, you will have "a situation."

I keep my passwords in a file folder, and I've memorized the most important ones by always typing in the password.

My broker thinks a SIX-character password is just right, but that just lets you log on, you can only look at things, you can't move money or place trades.

Leo (reply)
05-Aug-2012

LastPass will work if you're not connected to the internet. All information is cached - encrypted - on your machine or device.

Paul
August 3, 2012 9:25 PM

The bane of my existence is websites that restrict you to 6 or 8 characters. Really annoying are the websites that REQUIRE me to change my password every "x" months. Worse -- those that will not allow reuse of a password for a year (or some other finite time) or double letters. Sheesh!

Mark J
August 3, 2012 9:27 PM

@Gord
LastPass keeps an encrypted copy of the passwords on the hard drive of your computer, so it works when you are off line or if LastPass is down.

Egbert Zijlema
August 3, 2012 11:46 PM

Maybe it's the situation in the USA that so many internet users use Gmail, Hotmail or any other public e-mail service? In Europe, anyway in The Netherlands where I reside, most internet surfers use the e-mail account provided by their ISP. Or, when they maintain their own domain name, the mail server provided by their hosting provider. In my opinion those servers are less vulnerable than the public ones.

Eliya Simion
August 4, 2012 3:49 AM

My laptop fails to start up; it shows that the power doesn't reach the screen. Please help me, Dr. Leo.

Burt Tyrell
August 4, 2012 5:42 AM

Life seems now to be full of passwords, but I suppose the techy age is with us and acceptance of these passwords has to be acknowledged, or one has to stay away from technology, if that is possible. However the article, as also all others, was really interesting, for which I am sure we all give you, Mr Leo, a vote of thanks.

Digital Artist
August 4, 2012 9:38 AM

I used to keep my passwords in 4 or 5 jpg files among the several thousand jpg's on my hard drive. Some of those pix had my REAL passwords with site names, and some had bogus. The passwords were inserted with low contrasting font colors and very small font size, in amongst the scenery, and it would have taken a hacker a century to find the real ones, but it also took me a month to find one if I forgot it! I now use KeePass (with KeeFox) nice, open-source, FREE, local password safe. Magic.

Ee Teck Ee
September 23, 2012 8:59 PM

The best password to use is the birthday of your girlfriend, such as "lucy11111991", or her vital statistics, such as "lucy965796" (metric measurement). These will then also function as very important reminders. Why not?
The best way to remember anything is to try to forget it. Therefore you can also use the name of the person and the date of his/her demise as password, e.g. "tommy31122011". Try these. They work.
