How Do I: Create a secure and memorable password?

Passwords have been around for years, from your ATM PIN to more recent two-factor authentication.  The increasing amount of personal, and financial, information about us on the internet has made having a secure, memorable password essential.  With disparate password requirements across companies and information systems, it has become extremely difficult to maintain an authentication method that doesn't become frustrating.

There are several ways of dealing with this, from password managers to patterns that computers find difficult to guess.  We're only going to be dealing with a couple options here, but feel free to share your experiences and input in the comments!

CalArts Password Requirements

Before we get to creating a secure password that is easy to remember, we need to determine what a password is required to have.  CalArts recently removed the symbol requirement from our passwords, which makes it easier to work with while sacrificing only a small amount of complexity.

MyCalArts passwords are required to be at least eight characters long and have at least one capital letter and one number.

If you want to use a symbol in your password that's great, but keep in mind the following symbols will not work: ; \ < > ? : { } | 

You might exclaim, "but that's so easy, how could it be secure??", and your concern would be well founded.  While length and complexity are certainly very important to password security, there are much more important factors that can make a password easy, or nearly impossible, to crack.

What Makes A Password Insecure?

If you chose to use the password Apricot1 that would be technically adequate but woefully insecure.  First of all, there is a capital letter at the beginning, where it would be expected, and a single letter at the end, where it would also be expected (how many times have you just added a 1 at the end of a password?).  Second, and far more importantly, that password uses a word found in the dictionary.  

Single dictionary words are, far and away, the least secure passwords.  In the simplest of brute-force attacks a database of common words and numbers are used over and over, until Apricot1 is cracked.  Depending on some system variables (limitation of attempts before a lockout, for example) cracking that password might take 5 minutes or 5 hours, but either way that is an extremely short timeframe.

Pass Phrases and Patterns

Password length is obviously important, but the password yP5QbJmX is orders of magnitude more secure than Apricot1, but far less memorable, and a password that is written down is automatically less secure than one you can store in your head.  A good method of generating passwords that are both secure and easy to remember is to develop a pattern that you can adapt easily to different websites.

A common example is to create a pass phrase, a sentence that contains replaceable words, such as, This 1 password for Amazon should always be used.  Now, that sentence doesn't need to meet our passwords requirements, but if we turn it into a password we have something to work with.  We could take the first two letters of each word in that sentence to create a unique, but memorable password:


Not only does that meet our password requirements, it isn't a dictionary word or even a readable phrase.  Even so, if you remember what the pattern is you can modify it to whatever website or service you create a password for.

The webcomic XKCD has a pretty spot-on explanation of pass phrases, which we tend to use as a guide to those who come in to our office:


In XKCD's example, although all four words are straight out of the dictionary, the length and overall complexity (as far as computers are concerned) make it a difficult password to guess.  We'd recommend using this as a guide, with your own twist to make it unique.

Password Managers

For a few years now password managers have existed with the idea that every account you log in to would have a different, randomized password that you wouldn't have to remember but would always have access to.  The good news is for the most part, they work.  The bad news is, you now have to worry about the security of your password manager. reports fairly regularly on password managers and generally is a good resource for finding out more information.

For my own personal accounts I use LastPass.  I use it to generate the most complex passwords I can whenever I sign up for an account online, and my database of passwords are accessible from my phone and on the web using Google's 2-factor authentication.  But what if LastPass gets hacked, you ask?  That's one of the risks of an online password manager, but I like the service and have enough trust in their authentication methods  Whether that's good enough for you is an individual choice.

KeePass is an alternative that isn't connected to the web.  It uses a local database that you can put wherever you'd like.  Some people choose to use KeyPass and keep their passwords on Dropbox, which they secure behind 2-factor authentication.  This is probably a better choice for those people who want to have more direct control over their account information than trusting it to a company.

Taking the next step

There's a trick I use to put another layer of security over my accounts, and that's using my email address.  This trick probably works with other services, but since CalArts uses Google Apps that's what I'll be using in this example.  A little known feature of Gmail and Google Apps is the ability to automatically add a label to your email address... wait, what?  By adding a +labelname to your email username you can make a unique address for businesses, individuals, etc.  Obviously I'd probably think twice about giving out ccuttriss+spam @ to an acquaintance, but you get the idea.

I could use this trick to make sure I keep my logins separate to different services so I can either know when a company sells my information or if a company gets hacked they don't have my login credentials for other services or sites.  So using this method, would be a valid address and would be automatically labeled as "Target" when email is received.

Going even further down the rabbit hole, if you have your own website that uses Google Apps for email, you can set your blackhole address to route all mail to that account.  Let's say your email address was, setting that account as your blackhole address would route mail sent to nonexistent addresses to  

The great part about this is you literally make up any email address you'd like and it will always be valid.  Suddenly, or become valid addresses that you can give to even further differentiate your accounts between companies and services.

If nothing else, remember this

Your security is only as strong as you make it.  Creating a secure account creation process might seem like too high of a hill to climb, but it really is worth taking a moment to really sit down and make something unique.  We've seen time and time again large companies being compromised and customers data being stolen.  

You probably can't control how companies' handle your information, but you certainly can control how exposed you become if a breach occurs.  Be proactive.

Have more questions? Submit a request


Please sign in to leave a comment.