The Worst Ways to Choose a Computer Password

Like most of America, I'd rather worry about online security than change my computer passwords, thanks.

My son Jake came home from college this weekend to watch the Super Bowl with us — I think because he likes my guacamole. The night before the big game, he and I and my husband got to talking about computer passwords. Jake’s a computer science major, and he announced that the best way to choose a password is to pick any three random words out of the dictionary and string them together. (He said this proved it, which it well might, if I understood it.) I announced that that was stupid, because how would you ever remember three random words?

I grew up in the days when you only had to remember two things in life: your street address and your seven-digit phone number (and the first two numbers of that were actually letters). There was no such thing as identity theft, except on The Fugitive. Now I’m expected to memorize — and keep straight — dozens of different passwords that online gatekeepers to my bank, my work email, my home email, my Twitter account, my Amazon one-click account, my primary-care physician’s health portal, etc., etc., etc., decree must be between seven and 10 characters, or must be at least 11 characters, or can be no more than five characters, or must contain at least two letters or can contain no letters or must be all lower-case or must include at least one upper-case letter and the name of one living ex-president.

This wouldn’t be so bad if my mind wasn’t already stuffed with a whole bunch of other people’s very important numbers, like both kids’ FAFSA passwords, their SAT results, the amounts of their college loans, their birthdays, their birth weights, and other crap I just can’t seem to forget, like the address of every house I’ve ever lived in, even though I really could use that space for my guacamole recipe.

What makes passwords so hard to me is that you don’t just have to remember them; you have to remember the reason why you chose that password, rather than some other string of letters and numerals. Once you decide that your bank password, for example, will be your first pet’s name plus the first three digits of your current license plate, you have to hang onto that pretty random combination and not get confused into wondering if it was your first pet or your first cat, and was it the first three digits of your license plate or your high-school GPA?

Clearly, anybody who intends to get anything done in this life besides remembering passwords has to come up with a system, which I have. I have three passwords that I use for pretty much everything. Jake is appalled by this. So is my husband Doug, who over the years has concocted an elaborate system for choosing and regularly updating his array of passwords — one that involves, if I have this right, the month, the English Premier League standings and the phases of the moon. He says it’s nearly hack-proof, and he may be right, because he’s never been hacked. But then, neither have I. This survey says most Americans only change their passwords once a year, but 89 percent of us feel secure about our online security. (It also shows that 18-to-24-year-olds reuse passwords more than any other age group.)

I do know there’s nothing so frustrating as trying to view your bank account online and not being able to remember which password you used, then trying one password after another until the bank thinks you’re a hacker and freezes you out, at which point you have to wait and begin the whole process again. Once when this happened, I threw up my hands and let the bank send me a whole new password, which I think was supposed to be temporary but which I kept because the combination of rhyming letters and numbers in it sounds like a pretty little song. I’d sing for you, but then you could hack into my bank account.

Anyway, another recent survey of workers in five different countries, including the U.S., showed that on average, they only use three different passwords in their online lives. Fifty-six percent said they reuse the same passwords for work and personal stuff, and 20 percent share their passwords with fellow workers, which I think is rather nice and comrade-y but which the survey-givers didn’t, since they were studying workplace risk management. The survey also showed that one in every five U.S. workers would sell their work passwords to a third party for as little as $150.

I would never sell any of my three passwords, because then I’d have to learn new ones, and I’m too old for that.

I suppose I could do what Doug does, and keep a regularly updated list of my phases-of-the-moon-and-Premier-League passwords in a file on my computer. But Jake burst out laughing when he heard that, so I’m guessing it’s not a great idea.

Follow @SandyHingston on Twitter.