How to create and use an unguessable password

A weak password, one that can be easily guessed, is almost as bad as no password at all.

For example, if you use a password that conforms to common patterns that most people tend to use, it can be easily guessed. According to Wikipedia, repeated research has demonstrated that around 40% of user-chosen passwords are readily guessable because of the use of these patterns:


  • blank (none)

  • the word “password”, “passcode”, “admin” and their derivatives

  • the user’s name or login name

  • the name of their significant other or another relative

  • their birthplace or date of birth

  • a pet’s name

  • automobile licence plate number

  • a simple modification of one of the preceding, such as suffixing a digit or reversing the order of the letters.

  • a row of letters from a standard keyboard layout (e.g., the qwerty keyboard — qwerty itself, asdf, or qwertyuiop)

So, the lesson here is simple – Use an unguessable, or difficult-to-guess password always.

What’s an unguessable password?

I’ve given some examples of easily-guessable passwords–what not to do. Now I’ll give you an example of one thing you can do to create strong, unguessable or difficult-to-guess passwords.

By far, the most unguessable password would be a string of random characters like ‘Qt6W’{/b?@mn,QL”Q% and the longer, the better. Sure, a computer could eventually discover such a password using a brute force attack, but it gets more difficult the longer you make your password. For example, to crack the above password, assuming a supercomputer that can guess a billion passwords per second, it would take 10,533,833,066,248,927,000 (10 quintillion, 533 quadrillion, 833 trillion, 66 billion, 248 million, 927 thousand) years to look at all the possible combinations. Shorten that password to 9 characters, and it would only take 26 months.

There are plenty of password generator programs available. GRC’s Ultra High Security Password Generator page is a good example. The problem with such passwords is that they’re impossible to remember; you have to store them somewhere or print them out. It’s far better to have a password that looks random (to a computer, at least), but means something to you so you can remember it without having to write it down. That’s easy to do: Simply come up with a meaningful phrase and then convert it to a string of characters. Here’s one: I drive 33 miles round-trip each day. (Notice I included numbers and a dash.) That could become id33mr-ted. Make some of the characters uppercase: iD3mR-TeD (I made every other character uppercase — easy to remember).

You can, and should, come up with your own pattern or algorithm for creating unguessable but easy to remember passwords.

The problem is the sheer number of passwords we all have; which phrase created the password for which login? It would appear as though we’re back to writing them down or using a password manager. Don’t worry, though. Here’s how to create secure passwords that you can safely write down; yes, write them down, give them to all your friends–even your enemies–and still be safe. Post them on your monitor at work. Leave them lying around on the bus or train. A simple trick based on cryptographic techniques will conceal your actual password in a form that almost anyone will mistake for the password itself.

Let’s say you found a piece of paper that had this written on it:

Work BDAbe%x#
Home 1941phx!n
email fon!%m

What would you think it was? Bet you’d think you’d found someone’s password list, eh? That’s exactly the deception we want: What those strings of characters really mean is known only to you. So, what DO they mean? Let’s take the first example; It’s a substitution cipher based on a date. This one uses two levels of secret "keys": 1. a clue or mnemonic for the date; 2. an abstraction of the encoding algorithm. We’ll use Abe Lincoln’s birthday in numeric form–02/12/1809–for our plaintext, leaving out the slashes, i.e., 02121809, which will result in a strong, eight character password. Now, for the first key, we can use "BDAbe." This immediately reveals the plaintext, but means little or nothing to anyone else. (NEVER use your own birthday, for obvious reasons.)[Note: even if someone guesses that it’s Abe’s birthday, they still have a long way to go to figure out how it was used – Ken]

Next, we decide to use alternating shifted characters, beginning with the first character. So, for key two, we make an abstraction of that: %x#, for example. It doesn’t matter what characters you use, only that they clearly represent shifted and lower-case characters; you could just as easily use AyT or !2@. The pattern of shift-lowercase-shift on the keyboard is what matters to you; the characters mean nothing else. Put the two keys together and you have this: BDAbe%x#. That’s your cipher pattern, the “something only you know,” with an added level of complexity: it’s something only you know (the plaintext) and only you know what it means (the encoding pattern).

Pretty slick, eh? This should give you a clue as to what the second one is: 1941ph means (to me) 12/07/1941, the date of the attack on Pearl Harbor that led us into WWII. Based on the pattern, the actual password is 1@0&1(4!. Can you figure out what the last one might mean? (You won’t guess the actual password unless you know what I know about the first part, but you can figure out what the code hint is.) Post your comments and we’ll see how you do.

I don’t recommend you use these examples, for obvious reasons; you’ll want to come up with your own ways of doing things and your own hints using things that mean something only to you.

7 thoughts on “How to create and use an unguessable password”

  1. I interpret 1@0&1(4! to be 12/07/1941 (w/o the slashes), where the “Shift” key is used on alteranting numbers.

  2. I had to read your article a few times to follow what you were saying. If I understand you correctly, should the actual password for Home be 1@07!94!? I appears to me the patter is DUDDUDD…no?

  3. No one would bother with this much work. It also is nearly as hard as remembering the passwrods themselves.

    I figured it was going to be eaiser like
    Work BDAbe%x#

    would really be

    x%ebADBkro12ab

    All I did was reverse it, trimmed the edges and added info to the end. I also included work as part of the password itself.

    Another way to write down a password in plainsight is similar, without having to think much when transforming it to the actual password,

    EX
    The one you write down is
    DXrkPh<fy_*$7f

    your actual password is
    fr7$*_yf<hPX

    It only requires a few changes.
    1) it's backwards
    2) you moved the the "second to last character" to the beginning. The 'r'. (The D is added to throw off anyone)
    3) you removed info that's not in the real password. The k near the end.
    4) you added info that not in the real password. The D at the end.

    The problem with using formulas that require that much thinking is in the time it takes to create them and then making sure you can even remember the system you used. It also only works well if you are older and have a long history of stored information in your head.
    Put simply, if a 13 can't use it, then it's not going to get used by the vast majority of people.

  4. You lost me from the first word, can you explain it all in SIMPLE english, otherwise I will have to engage the services of a computer hacker to interpret it, hopefully in my lifetime.

  5. It’s always good to have a secure password I love to over do it myself. Eg stuff I encrypt I always set at a min of 60+ 0-9 + a-z + A-Z + symbols.
    I would not suggest making it random as I do but if you have the memory for it then go all out. Hell I can still backtrack every delivery I’ve done when I was truck driving. Plus every pharmacy that I used to fill my prescriptions the brands they carry and the cost lol.

    I did learn something about Walgreens from that lol. 240 Tabs 125.19 but every now and then I hit one where it was 56.13 and it always confused the heck out of me. I figured it to be a error or 98% of Walgreens was ripping me off :/

Comments are closed.

Exit mobile version