CartGenie Tip of the Week: How to create secure passwords

One of the challenges of living online — which nearly all of us do more and more — is that we have passwords for everything. Facebook, Gmail, Hotmail, Bank of America, Twitter, Amazon, Overstock, eBay, PayPal…the list goes on and on.

For E-commerce merchants there is a whole new layer of complexity: passwords necessary to run an online store and keep business and customer data safe.

Let’s face it — it’s hard to remember a unique username and password (i.e. “credentials”) for each site we use. As a result, people often do one of two foolish things:

  1. Use an incredibly un-secure password. Say the website is Facebook. Your password? “Facebook.”
  2. Use the same password for everything. Gmail? “ilovepuppies” Facebook? “ilovepuppies” Amazon? “ilovepuppies

Unfortunately, a lot of folks do both — use an incredibly un-secure password for everything.

“But- but- I can’t be expected to remember an obscure, unique password for everything!” you protest. No you can’t. And neither can most people. So here is a handy-dandy guide to creating obscure, unique, hard-to-guess passwords.

Many web sites tell you to choose a password “easy for you to remember but hard for others to guess” Here’s how:

Step 1: Choose a memorable phrase

This could be a favorite movie quote, proverb, or line from a poem. It could be the sweetest thing your significant other has ever said to you. It could be a favorite line from your favorite politician. The origin of the phrase isn’t as important as the fact that it needs to be memorable to you and approximately 6-15 words long.

Let’s say you choose perhaps the most memorable line written by Percy Bysshe Shelley in perhaps the greatest English language poem ever, Ozymandias:

Look on my works, ye Mighty, and despair!

Step 2: Create a passphrase

Easier than it sounds, all you do is take the first letter of each word of your memorable phrase, so:

Look omworks, yMighty, and despair!” becomes lomwymad

Now, if you told a friend “My password is l-o-m-w-y-m-a-d or ‘lahm-wee-mad,'” there is a very slim chance she would remember it. That’s a password that is difficult to guess. But if you simply say in your head whilst you type, “Look on my works ye mighty and despair” you’ll enter your password correctly every time.

Since this isn’t really a “word” it’s not technically a “password” but rather a much more sophisticated-sounding “passphrase.”

Bonus Step: Add capitalization, punctuation and/or substitution.

If you simply stopped after completing Step 2, your new password would be more secure than 99% of internet users. No, not joking. But let’s take it a few steps further. If someone knows you well enough to guess your favorite phrase — let’s say (for example) you stand up, raise a glass, and quote Shelley every year at Thanksgiving dinner —  he or she might be able to crack your pretty-awesome passphrase.

Solution? Add capitalization. Any word that is capitalized would also be capitalized in your passphrase so:

lomwymad becomes LomwyMad

Better, right? Now, add punctuation. And, optionally, if your memorable phrase contains words like “at,” “and,” “to,” or “too” you can switch them out for more-secure symbols like “@” “&” and “2” — so now your passphrase is


Now that’s secure!

You can also swap out letters for unrelated numbers or symbols. For example, the letter “o” could be swapped out with the number “0”, the letter “s” could be swapped out with the symbol “$”, the number 1 or the letter “l” could be swapped out with an exclamation point “!”, etc.

Why bother adding special characters like this? Check out this chart from Internet standards expert John Pozadzides in this post: a password hacking software could crack a password of 8 random lowercase letters in about 2 and a half days. If that same 8 character password includes special characters it takes much longer: 2 centuries.

Step 3: Uniquify

“That’s great,” you say. “But what about the caution not to use the same password/passphrase for every web site.” Absolutely right! Step 3 is to add a variable — something added to your super-secure passphrase that makes it unique to each web site.

There are a few options and variations here.

  • your variable could be the full name of the website. Example: adding “facebook” to your passphrase
  • your variable could be an abbreviation of the website. Example: “fb” or “FB” for Facebook.
  • your variable could be added to the beginning, middle, or end of your passphrase. Example: your Facebook password would be facebookLomw,yM,&d! or Lomw,yfacebookM,&d! or Lomw,yM,&d!facebook.

Let’s say you settle on adding the name of the website on to the beginning of your passphrase. Here’s a short list of your new passwords:

  • Facebook: facebookLomw,ym,&d!
  • Amazon: amazonLomw,ym,&d!
  • Bank of America: bankofamericaLomw,ym,&d!
  • eBay: ebayLomw,ym,&d!

So look at what we’ve ended up with: unique passwords for each website. 99.99% impossible to guess. 94.36% easy to remember.

Using unique, obscure passwords for all your credentials will keep you, and your sensitive data much more secure.

Share this post

Related Articles

Give It A Break

Give It A Break

Way back in the early days of my career, I was a software designer at DIS Corporation in Bellingham, WA. I helped design and build dealership software for farm equipment and automobile dealers.

Read More »