
College summer job search ripe for fraud
Read Time: 5 mins
Written By:
Robert E. Holtfreter, Ph.D., CFE
Passwords are an integral part of our lives. We use them to gain access to our phones and computers and to withdraw cash or pay bills. They help keep our personally identifiable information and finances safe.
However, fraudsters commit identity thefts, account takeovers and many other frauds by obtaining victims' passwords via shoulder surfing, social engineering, phishing or other illicit means.
Media headlines report password hacks every day. Ashley Madison, that website catering to adulterers, lost 11 million passwords to hackers. (See These Hacked Ashley Madison Passwords are NSFW … or Anywhere Else, Really, by Lulu Chang, Sept. 11, 2015, Digital Trends.) Chang reports that 120,511 customers of the site used "123456" as their password. No wonder they got hacked!
Many companies use biometric techniques ranging from the standard loop, whorl and arch patterns of our fingerprints to the identification of our faces or corneas. But biometric identification is still in its infancy, so traditional passwords likely will be around for years.
We're always reminding our clients and employees to protect their data. We tell them, "You lock up your houses and cars; do the same with your personal data." But how safe are our passwords?
Of course, we know we shouldn't use a single master password, and we should regularly change our passwords. We also should avoid useless passwords, such as password, default, admin, qwerty, favorite football teams or players, family members' names, reversed birth dates, pets' names or even futilely adding numbers at the end of weak passwords.
Hundreds of for-profit companies offer to provide us with strong, secure passwords and to store them for us. But have you ever created a robust password and months later spent hours trying to remember it? I have!
You can go to extremes to make very difficult passwords and try to invent clever ways to remember them. But institutions often force us to change our passwords for security. I've devised a simple method to create a password and 100 variations, which you can record with a simple notation that won't reveal the source data.
You won't need to buy or use any special software. And my method doesn't require encryption or sophisticated technology.
Of course, no password is totally uncrackable. Hackers can use "brute force" — endless trial-and-error efforts — to decode encrypted passwords. However, according to How Secure is My Password?, it would take an average desktop computer about 58 years to crack passwords you'd make with this method. This process is quick and simple, and you'll have a set of passwords you can keep forever.
First take a memorable four- (or more) digit number. For this example, I'll use a fake bank PIN, 0647. Next I use a favorite song title or saying, preferably (but not necessarily) with six words in it, such as "A bigger bang for your buck," "A leopard cannot change its spots," or "Lucy in the Sky with Diamonds." I'm going to use the aptly named Beatles song title, "I Forgot to Remember to Forget."
Next I strip away the words of my song so just the first initial of each word remains: "I Forgot to Remember to Forget" becomes iftrtf.
Then I write down the first digit of my number followed by the first two initials of my song, then the next digit followed by the next two initials and so on. For example, 0647 and iftrtf become 0if6tr4tf7.
Finally, I introduce a capital letter and special characters. (IT experts are always encouraging us to include at least one capital letter and special characters such as "%," "&" and "^.") To make it easier, I'll capitalize the first letter, but it can be any letter because I'll record it and never forget it.
To introduce the special characters, I simply press the shift key when I enter the last three digits of my number so 0647 becomes 0^$&. Hence my password now becomes 0If^tr$tf&, which is very different from my four-digit number and favorite song.
I've now created a strong password. But I need to remember it. So I use four symbols to record my password: "A" = capital letter, "a" = lower-case letter, "0" = a number and "S" = a special character. So, I can represent my password as 0AaSaaSaaS. This reminds me that "0" is the first digit of my four-digit number, "A" is the capitalized first letter of my song title (in this case "I"), "a" is the second letter of my song title in lower case ("f"), "S" is the special character made from my second digit (shift + 6 = "^"), "aa" are the next two letters ("tr"), "S" is the special character made from my third digit (shift + 4 = "$"), "aa" are the last two letters ("tf") and "S" is the special character made from my last digit (shift + 7 = "&").
To change the password using the same data, I simply change the notation. So, for example, if I want to make the second letter of my song title a capital, I record my new password, 0iF^tr$tf&, as 0aASaaSaaS.
I can interchange the special characters for numbers and vice versa. Below are notations for recording the passwords followed by the six passwords themselves; you get an idea of how easy it is to change passwords using the same data.
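The recipe above, written out as an added example (this is not code from the article or its author): the PIN digits are interleaved with the first letters of the song title, and the recording notation (0 = digit as typed, S = digit typed with Shift held, A = capital letter, a = lower-case letter) is then applied as a template to produce any of the variants. The Shift-key mapping assumes a US keyboard layout, which is what gives the article's 6 = ^, 4 = $ and 7 = &; function names are my own.

```python
"""Added example: the PIN + song-initials password recipe and its 0/A/a/S
recording notation as functions.  Not the article's own code."""

# Characters produced by holding Shift while typing a digit on a US keyboard
# (assumption: the article's 6 -> ^, 4 -> $, 7 -> & match this row).
SHIFTED_DIGIT = dict(zip("1234567890", "!@#$%^&*()"))
UNSHIFTED_DIGIT = {v: k for k, v in SHIFTED_DIGIT.items()}


def initials(phrase):
    """'I Forgot to Remember to Forget' -> 'iftrtf': first letter of each word, lower-cased."""
    return "".join(word[0].lower() for word in phrase.split() if word[0].isalpha())


def interleave(pin, letters):
    """Each PIN digit followed by the next two initials: 0647 + iftrtf -> 0if6tr4tf7."""
    if not pin.isdigit():
        raise ValueError("pin must contain digits only")
    out = []
    for i, digit in enumerate(pin):
        out.append(digit)
        out.append(letters[2 * i : 2 * i + 2])
    # Any initials left over after the last digit are appended unchanged.
    out.append(letters[2 * len(pin):])
    return "".join(out)


def apply_template(base, template):
    """Shape the base string with the recording notation.

    '0' keeps the digit, 'S' types it with Shift held, 'A' capitalises the
    letter, 'a' leaves it lower-case.  Template and base must be the same length.
    """
    if len(base) != len(template):
        raise ValueError("template must be exactly as long as the base string")
    out = []
    for ch, code in zip(base, template):
        if code == "0" and ch.isdigit():
            out.append(ch)
        elif code == "S" and ch.isdigit():
            out.append(SHIFTED_DIGIT[ch])
        elif code == "A" and ch.isalpha():
            out.append(ch.upper())
        elif code == "a" and ch.isalpha():
            out.append(ch.lower())
        else:
            raise ValueError(f"notation {code!r} cannot be applied to {ch!r}")
    return "".join(out)


def template_of(password):
    """Recover the notation to write down from a finished password: 0If^tr$tf& -> 0AaSaaSaaS."""
    codes = []
    for ch in password:
        if ch.isdigit():
            codes.append("0")
        elif ch.isupper():
            codes.append("A")
        elif ch.islower():
            codes.append("a")
        elif ch in UNSHIFTED_DIGIT:
            codes.append("S")
        else:
            raise ValueError(f"{ch!r} is not a digit, a letter or a shifted digit")
    return "".join(codes)


def make_password(pin, phrase, template):
    """The whole recipe: PIN and phrase -> base string -> password shaped by the template."""
    return apply_template(interleave(pin, initials(phrase)), template)


if __name__ == "__main__":
    base = interleave("0647", initials("I Forgot to Remember to Forget"))
    print(base)                                # 0if6tr4tf7
    print(apply_template(base, "0AaSaaSaaS"))  # 0If^tr$tf&  (the article's password)
    print(apply_template(base, "0aASaaSaaS"))  # 0iF^tr$tf&  (second letter capitalised)
    print(apply_template(base, "SAa0aaSaa0"))  # )If6tr$tf7  (specials and digits swapped)
    print(template_of("0If^tr$tf&"))           # 0AaSaaSaaS
```

`template_of` gives the string that goes in the record: only the notation is written down, and the PIN and song title stay in your head. The two halves should never be stored together, since anyone holding both the notation and the source data can regenerate every variant with `make_password`.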
For the final step, I create a new folder on my desktop — "Passwords." I open a Word document and record my passwords:
If I'm in Windows, I go to the "Office" button at the top left and from the drop-down menu pick "prepare," then "encrypt," and enter a password — perhaps again a four-digit bank PIN. (In Word for Mac, I go to Preferences/Security.) I save the document to my password folder. I'll be totally secure. Even if a determined hacker actually cracks my PIN and opens the Word document, all they'll see are codes like "0AaSaaSaaS" and not the actual passwords.
Tim Harvey, CFE, JP, is director of the ACFE's U.K. Operations and a member of Transparency International and the British Society of Criminology. His email address is: tharvey@ACFE.com.