How to make a password hard to crack, yet easy to remember

posted 6 Jan 2017, 13:26 by Dominique Cressatti   [ updated 29 Jun 2018, 11:12 ]

Every now and then on the Internet you are asked to choose a user name and password, and you find it utterly annoying because the password has to be a minimum of so many characters, a mix of uppercase (capital) and lowercase letters, and some numbers.

There are some very good reasons behind this scheme (and don't think that fingerprint authentication is a good idea), but that doesn't take away the fact that it can be challenging to think of a password that fits the above requirements.

Here's an easy way:

  1. Start with a sentence that is easy to remember, is preferably made of short words, amounts to more than 8 characters (because the longer it is, the longer it takes to crack) and has a good balance of consonants and vowels.
    For example: "This is a password" has a good combination of short words and a good balance of consonants and vowels.

  2. Put the 1st letter (and/or another letter) of every word in uppercase (capital) and replace some vowels with a number, using a fixed mapping ("a"=1, "e"=2, "i"=3, "o"=4, "u"=5 and "y"=6). This gives us: Th3s 3s 1 P1sSw4Rd, where each "i" has been replaced with 3, each "a" with 1 and the "o" with 4.

  3. Sometimes you are allowed to use symbols in a password, like "! @, $ # % & * ( ) { } [ ] ; < > ? |" and so on, which allows for an additional increase in security. (I don't recommend using accents or any other characters that are not present on an American keyboard and are specific to your country: if you were to use a keyboard where they are not present, you wouldn't be able to type your password and log onto whichever account you needed to.)
    So we can have something like: Th!$ 3$ @ P1$Sw4Rd
    where the "i"s have been replaced by "!" and 3, the "a"s have been replaced by @ and 1, and the "s" has been replaced by $.

  4. Finally, remove the spaces, which gives: Th!$3$@P1$Sw4Rd. Though not perfect (because the "$" is used more than once), you will never find it in any dictionary (hence it has a better chance of resisting a dictionary attack); it is nonetheless based on a sentence that you can remember, in which you have substituted some letters with a number and possibly some special characters using a logical rule.


Don't:

  • Use my example password!

  • Never reuse the same password on multiple sites, because if somebody finds it, that person (or those persons) will be able to log into and use every account on every Internet site where you have used the same password. Believe me, you don't want anyone who got hold of your Facebook account password to be able to log into your email or bank account because you used the same password everywhere!

  • Merely use a word that can be found in a dictionary, like "sandwich", without changing it, because it can easily be cracked using a dictionary attack.

  • Use a word and merely put its 1st letter in uppercase and put numbers at its end.
    For example: Sandwich123 is easy to crack because the letters and numbers are not mixed.


Do:

  • Use (or a similar site) to check your password strength and try different combinations.

  • Be creative. For example you can substitute:
    - a 0 (zero) for an “O”
    - !\! (exclamation mark, backslash, exclamation mark) for an “N”
    - !/\! (exclamation mark, slash, backslash, exclamation mark) for an “M”
    - /\ or \/ for an “A” or a “V”
    - !_ (exclamation mark, underscore) for an “L”
    And so on.

  • Have fun with it, insert emoticons/emojis within your sentence. For example:
    - :) (happy)
    - ;) (wink)
    - :-p (cheeky sticking out tongue)
    And so on.

The good reasons behind making it difficult to create a password, and why you should never reuse it on multiple sites

  • While I’m no security expert, as an IT geek I know that the dictionary attack and the brute-force attack are popular methods of cracking passwords. The 1st method simply checks whether your password is a word that can be found in dictionaries. It is pretty fast and effective if your password falls into that category.
    The 2nd method tries to crack your password by simply iterating through every possible combination of letters, numbers and odd characters, one by one. While in theory this method can crack any password, it takes time: the longer your password is, and the less likely it is to be a real word, the longer it will take to crack. And if it takes several months or years to do it, it is pointless.
    So the idea is to make your password so unlikely to be a real word that by the time it is cracked (say many years), it has changed, or it can’t be used anymore, or a lifetime has passed, etc.

  • As for using the same password on different sites: if your Facebook or some other site gets cracked or stolen, having somebody impersonate you can be annoying and really embarrassing. But if it is the same as your email account password, things get really dangerous. Once somebody else can log into your email account, they may be able to look at every site where you have made a transaction and possibly order some goods, or use it to find some of your personal information in order to steal your identity.
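As an added example (my own code, not the post's), here is the substitution rule from steps 2 and 4 written as a fixed function, alongside two checks for the two attacks described in the last section: whether a candidate is a plain dictionary word with digits tacked on the end (the "sandwich" and "Sandwich123" cases above), and how many years an attacker iterating through every character combination would need. The wordlist is a constructed stand-in for a real cracking list, and the guessing rate of 10^10 per second is an assumption, so the year figures are only meaningful relative to each other.

```python
import re
import string

# Vowel-to-digit rule from the post: a=1, e=2, i=3, o=4, u=5, y=6.
VOWEL_DIGITS = {"a": "1", "e": "2", "i": "3", "o": "4", "u": "5", "y": "6"}

# Constructed stand-in for a cracking wordlist; a real one holds millions of entries.
DICTIONARY = {"sandwich", "password", "this", "is", "a", "letmein", "welcome"}

# Assumed guessing rate for the estimate below (an assumption, not a figure from the post).
GUESSES_PER_SECOND = 1e10
SECONDS_PER_YEAR = 365 * 24 * 3600


def transform(sentence, replace_vowels=("a", "i", "o")):
    """Steps 2 and 4 of the post, applied as a fixed rule: replace the chosen
    vowels with their digit, put the first character of every word in
    uppercase (a no-op when that character became a digit), drop the spaces."""
    words = []
    for word in sentence.split():
        word = "".join(VOWEL_DIGITS[c] if c in replace_vowels else c for c in word)
        words.append(word[0].upper() + word[1:])
    return "".join(words)


def charset_size(password):
    """Size of the alphabet an attacker must iterate over for this password:
    each character class present adds its whole range to the search space."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # the 32 symbols on a US keyboard
    return size


def brute_force_years(password, guesses_per_second=GUESSES_PER_SECOND):
    """Worst-case years to exhaust every combination of that alphabet at the
    assumed rate: the 'iterate through every possible character' attack."""
    combinations = charset_size(password) ** len(password)
    return combinations / guesses_per_second / SECONDS_PER_YEAR


def is_dictionary_pattern(password, dictionary=DICTIONARY):
    """The dictionary attack the post describes, plus its 'word then digits'
    variant (Sandwich123): a plain dictionary word, optionally capitalised and
    followed only by digits, is found by a lookup regardless of its length."""
    match = re.fullmatch(r"([A-Za-z]+)(\d*)", password)
    return bool(match) and match.group(1).lower() in dictionary


if __name__ == "__main__":
    for candidate in ("sandwich", "Sandwich123", transform("This is a password"),
                      "Th!$3$@P1$Sw4Rd"):
        print(f"{candidate:20} alphabet={charset_size(candidate):3} "
              f"dictionary_hit={is_dictionary_pattern(candidate)!s:5} "
              f"brute_force={brute_force_years(candidate):.2e} years")
```

Running it shows the post's two points side by side: "Sandwich123" draws on a 62-character alphabet and would take the exhaustive attack a long time, yet the pattern check finds it immediately because the letters and numbers are not mixed, while the transformed sentence escapes the lookup and, once symbols are added, its alphabet grows to 94 characters over 15 positions. The function reproduces the post's step-2 result except for the optional extra capital letters, which the post leaves to your own choice.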