Passwords: Writing down valid data to look random

We have heard time and time again that we should NEVER write down our password(s). That is our recommendation to people as well, but writing down a password is pretty much required these days, since every account needs a different and complicated password. Our recommendation is to never write down all of your passwords in one place. Our basic recommendation for remembering passwords is to use a password manager, but there are some passwords you may want or need to write down to keep in your wallet or purse, or to store on one of your devices (phone, tablet, computer, etc.). When writing down a password, you need to be extremely careful. You will want to record the password in such a way that someone who found or read it wouldn't know what they were looking at. You must find a method that works for you, but we will provide some tips and options to get you started. We strongly recommend using a password manager to help create and remember all of the passwords for your accounts. You can read our Security 101 blog post on Password Managers to learn more.

If you plan to store a couple of passwords on one of your devices (phone, computer, tablet, etc.), the first thing to do is make sure you have a note or word-processing application on your device. If you can password-protect the file, we strongly recommend doing so. Even though we are going to make our passwords difficult to guess for someone who finds the file, one extra layer of security always helps. If someone first had to crack the file's password before opening it, it would give us even more time to change the passwords stored in the file.

Once you have the method you plan to use (paper or application), you need to come up with a system for writing down the passwords and the accounts they belong to without making them obvious to anyone who may read them. The last thing you would want to do is write down the exact password you use on an account along with the user name (or email address) for that account. Writing down a password without the email address or user name is not enough either, as it isn't difficult to figure out what our email address or account user name is these days.

While we go through the example below, remember you can change it up any way you like. However, your changes must make it look random and confusing. One IMPORTANT thing to remember: there will be people who may be able to look at what you have done and figure out your method. So never assume it is totally secure or unbreakable. If you have the file stored on one of your devices (phone, computer, tablet, etc.) and the device is lost or stolen, or if the device is out of your control for a long time and others have had access to it, assume the list has been compromised. By compromised, we mean it's best to assume someone saw the list and has figured out the method you used, which also means they now know your passwords. Even if the file was password protected, assume it was compromised. This means you should change those passwords immediately and come up with a different system. If you stored your password(s) on a piece of paper in your wallet or purse and they were out of your control for an extended period in a place you don't trust, and it looks like someone went through them or they were lost or stolen, the same rule applies. Assume your paper list was compromised. This is why we recommend your list only include the couple of passwords you need most often while on the go, at work, etc., and not all of your important passwords. The fewer passwords you write down, the fewer accounts would be in danger of being compromised.

This will be a bit confusing, so please bear with us. One method you can use is to make 2-3 lines, each starting with an indicator that tells you which account it is for. On each line, you will break your password into chunks. Some of those chunks would be your password and other chunks would be random characters that are not part of your password. This means someone would need to try all the combinations to figure out what your password is. The more lines and chunks you have, the longer it will take or the harder it will be for someone to recover your password. Next, you need to separate the chunks with something you can remember, such as 1 or 2 characters (e.g. >>, TT, 00, 12, etc.). This will make it easier for you to know where the chunks are, but it also means it would be one way someone could figure out your method. An example of this method would be:

  • H >> Th!s >> RudeD0g2 >> W1ll >> B3My >> L@st >> 43v3r2
  • D >> L1v!n >> E$Ster7 >> D1E2N1 >> ght >> T0Tal2 >> 4rt
  • R >> TR33 >> y0u >> pry1 >> h3ll >> n3v3r >> g1v3 >> f00d
  • Y >> Drug2 >> F1re >> 2day! >> TRh1v3 >> IR8!2 >> RuN

At this point, it looks like complete gibberish to anyone that would read it, including you, since no one knows the password that is hidden.  We will give you the password and account, so you can see how it is hidden in the gibberish above.  Then we will talk about different methods you can use to change up this example.  In this fictitious example, let’s say it is for your email account, which is house@yahoo.  The password for that account, again for example purposes only, is Th!sW1llB3MyL@stF1re2day!  Please Note:  We would recommend not using this password for any of your accounts.

Using the example above, we know the H at the beginning of the first line is for our login of house. The middle line with the D is random gibberish, and the third line starting with Y (for yahoo) contains the remaining password parts. There is no reason to put house@yahoo anywhere on the paper, because you know that is your email address. You can see we used the > character (>>) to separate the chunks. You should be able to see the password mentioned above broken into the following chunks: Th!s, W1ll, B3My, L@st, F1re, 2day!. They could have been broken up in a number of ways, but in our example the first 4 chunks are on the H line and the remaining 2 chunks are on the Y line.

Now, the most important thing to figure out in your method/system is how to tell the gibberish (random chunks) apart from the legitimate chunks that make up your password. Even though you see the password in this post and can find it in the example we provided, in the future you will pull up your list, probably won't remember every character of your password, and it will be difficult to pull out the legitimate chunks from the gibberish. Trust us on this one. We thought when we made our first list we could easily pick out our password in the future, but when you open the document weeks or months down the road, it looks like complete gibberish, even to the person who created it.

We like to use at least 2 methods when creating our gibberish (random chunks). We use at least 2 methods because only using 1 method could make it easier for someone to determine our pattern. It isn't much harder to remember 2 methods, but if you only want to use 1 method we would suggest adding at least 1-2 extra lines of gibberish. In the example above, our 2 methods for creating gibberish are: every chunk of data that ends in a number, or that is shorter than 4 characters, is random (gibberish) and not part of our password. That means we will ignore those chunks when determining what our password is. To determine our password, we will use only the chunks of data that are both 4 or more characters long and do not end in a number. You can choose another method, but you should try to avoid easily spotted patterns, such as ignoring any chunk of data that contains certain letters. An example would be ignoring any chunk of data that has ru or RU in it (or any other combination of letters). We will have additional tips at the end on how to make it easier to remember and less confusing, so be sure to check those out.

One thing you could do is put the list in a password-protected file or note on your phone and put a small note in your wallet or purse that gives you hints to your methods. For example, the note could read: First letter is start of account and second letter is end of account. Hopefully that would be all you need to see to remind yourself that, when looking for house@yahoo in the list, lines H (start of account) and Y (end of account) would be the lines containing valid password info. Then you could add a reminder for your method. This could be written like: Lines at the grocery store with less than 4 people in them or lines that end in single digit people (numbers) are not my favorite. Lines actually mean chunks of data, but if someone did find the note they would focus on lines and not chunks. Creating this note would help you remember your methods without providing too much information. It also means someone would need both the note from your wallet or purse and the file off your phone, which would be a lot harder to get. Sure, someone may end up with your wallet or purse and phone at the same time, but you would know they are missing and should be able to change the passwords you know were in the file well before they would figure out what everything means and crack your code.

PLEASE NOTE: If you store the password list in your wallet or purse, store your method list on your phone, and vice versa. You want to store your method list in the opposite place from where you store your password list.

We know this sounds very confusing, so let's look at the example again and work through what we just discussed one step at a time. Let's say months after we created our list, we want to use it to get the password for our house@yahoo email account. Based on the method we created, we know we are looking for a line that starts with the first letter of the login name and a line that starts with the first letter of the provider name. That means H for house and Y for yahoo (house@yahoo). Here is the example again:

  • H >> Th!s >> RudeD0g2 >> W1ll >> B3My >> L@st >> 43v3r2
  • D >> L1v!n >> E$Ster7 >> D1E2N1 >> ght >> T0Tal2 >> 4rt
  • R >> TR33 >> y0u >> pry1 >> h3ll >> n3v3r >> g1v3 >> f00d
  • Y >> Drug2 >> F1re >> 2day! >> TRh1v3 >> IR8!2 >> RuN

Since we know we are focusing on lines H and Y, we can ignore lines D and R automatically.  So, no matter what is on those lines, they are not part of the password for our house@yahoo email account. 

That leaves us with the following 2 lines:

  • H >> Th!s >> RudeD0g2 >> W1ll >> B3My >> L@st >> 43v3r2
  • Y >> Drug2 >> F1re >> 2day! >> TRh1v3 >> IR8!2 >> RuN

Now we must figure out which chunks are valid and which are random gibberish. You may remember the valid chunks of data, but let's say you did not remember your method.

What would you do next? 

Answer: Check the piece of paper you stored in your wallet or purse (or on your phone if your password paper is in your wallet or purse). 

After looking at your paper, do you remember what determines which chunks are the random, gibberish? 

Answer: It is any chunk that is shorter than 4 characters and any chunk that ends in a number. You could also look at the note you put in your purse or wallet.

So, we now know we must ignore (or cross out) any chunk of data that is less than 4 characters long or ends in a number.

  • H >> Th!s >> RudeD0g2 >> W1ll >> B3My >> L@st >> 43v3r2
  • Y >> Drug2 >> F1re >> 2day! >> TRh1v3 >> IR8!2 >> RuN

That leaves: Th!sW1llB3MyL@stF1re2day!

Was this the original password we provided in the beginning? 

Answer: Yes, this is the original password. 
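The walk-through above, as an added worked example that is not part of the original post: it parses the post's own example list, picks the lines tagged with the first letters of the login and provider (H and Y for house@yahoo), drops every chunk that is shorter than 4 characters or ends in a digit, and joins what is left. The separator, the list text and the account name are the post's; the function names are ours. It also counts how many order-preserving chunk selections remain for someone who has the two lines but not the rule, which puts a number on the post's "try all the combinations" caveat. Because markers are collected into lists, it also handles the later tip of using several H and Y lines for one account.

```python
"""Recover a password from a chunked list written in the style of the post.

Added example, not code from the original post.  Assumptions: chunks are
separated by ">>", the first chunk of each line is the account marker, and
the filler rule is "shorter than 4 characters OR ends in a digit".
"""

# The post's own example list (four lines, ">>"-separated chunks).
EXAMPLE_LIST = """
H >> Th!s >> RudeD0g2 >> W1ll >> B3My >> L@st >> 43v3r2
D >> L1v!n >> E$Ster7 >> D1E2N1 >> ght >> T0Tal2 >> 4rt
R >> TR33 >> y0u >> pry1 >> h3ll >> n3v3r >> g1v3 >> f00d
Y >> Drug2 >> F1re >> 2day! >> TRh1v3 >> IR8!2 >> RuN
"""

SEPARATOR = ">>"      # the post's chunk separator
MIN_CHUNK_LEN = 4     # chunks shorter than this are filler


def parse_list(text):
    """Map each line's marker (its first chunk) to the remaining chunks.

    Lines sharing a marker are appended in order, so an account may be
    spread over several H lines and several Y lines.
    """
    entries = {}
    for raw in text.strip().splitlines():
        marker, *chunks = [part.strip() for part in raw.split(SEPARATOR)]
        entries.setdefault(marker, []).extend(chunks)
    return entries


def is_gibberish(chunk):
    """Both of the post's filler rules, applied together (an OR)."""
    return len(chunk) < MIN_CHUNK_LEN or chunk[-1].isdigit()


def markers_for_account(account):
    """'house@yahoo' -> ('H', 'Y'): first letter of login and of provider."""
    login, provider = account.split("@", 1)
    return login[0].upper(), provider[0].upper()


def recover_password(text, account):
    """Keep the valid chunks of the marked lines, in order, and join them."""
    entries = parse_list(text)
    valid = []
    for marker in markers_for_account(account):
        valid.extend(c for c in entries.get(marker, []) if not is_gibberish(c))
    return "".join(valid)


def candidate_count(text, account):
    """Number of order-preserving chunk selections on the marked lines.

    Each chunk is independently kept or dropped, so 2 ** (chunk count).
    For the post's example that is 2 ** 12 = 4096, which is why the post
    says to assume a lost list is compromised rather than rely on the rule.
    """
    entries = parse_list(text)
    total = sum(len(entries.get(m, [])) for m in markers_for_account(account))
    return 2 ** total


if __name__ == "__main__":
    print(recover_password(EXAMPLE_LIST, "house@yahoo"))
    print(candidate_count(EXAMPLE_LIST, "house@yahoo"))
```

Running it prints the post's password, Th!sW1llB3MyL@stF1re2day!, and 4096. The second number is the point to take away: the rule hides the password from a casual glance, but the space someone would have to search is small, so the post's advice to change the passwords as soon as the list is out of your control is the real control here.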

Two IMPORTANT notes to remember when creating your method and random data (gibberish):

1.  You should make the random chunks of gibberish look like the valid chunks of data. In our example, we made the random chunks look like words with numbers, because our real password looks like words with numbers (i.e. Th!s and W1ll). We wouldn't want our random chunks of gibberish to look vastly different from the valid chunks that are part of our password. A random chunk that looks like 4Tl!jk08 would make it obvious that it is either part of our password or part of the random data, and it could be figured out quickly. If our password were random strings instead of words with numbers, such as r5L7#tw instead of Th!sW1ll, we would want our random chunks of data to also be random strings.

2.  To make it more confusing to others and harder to determine our method/pattern, on the lines we know aren't part of our real password (lines D and R above), we want to create chunks of data that look like the valid data on the lines that do include our password (lines H and Y above). That way, if someone did crack our method and was trying to guess our password, they would also need to try the same type of data chunks from the lines we know are false. For example, we know valid chunks of data are longer than 3 characters and do not end in a number. So we want to create chunks of data on lines D and R that do not end in a number and are at least 4 characters long, which we did (i.e. L1v!n, n3v3r, and f00d).

Here are a few more tips to help you establish your own system/method:

  • You could add multiple accounts without having to create lines of gibberish. In our example above, lines H and Y are for our house@yahoo email account and lines D and R are gibberish. However, lines D and R could be valid information for one of our other accounts. This means each line contains valid information for one of our accounts, but mixing them together creates randomness automatically without us having to create lines of randomness. Remember to follow the 2 important notes pointed out above.
    • If you use the method above, you could spread your password out amongst lines where you wouldn’t have to create random chunks of data (gibberish).  You could have the H line at the top of the list, include lines for other passwords you have then have the Y line like 4 or 5 lines down.  You would know anything on your H and Y lines are valid, but since they are spread out it would be harder for people to notice.
  • You could do a simple pattern like instead of H and Y lines being for your house@yahoo email, it is one letter up or down in the alphabet so G and X or I and Z. 
  • Instead of H and Y lines, you could think of 2 words that remind you of what account it is.  For example, maybe you created your house@yahoo email account when you lived in a certain city (i.e. Seattle, WA) and you can easily remember that.  The H line could be Seattle and the Y line could be WA.
  • You could add multiple valid lines for each account to make it more confusing. For example, you could have had 2 lines starting with H and 2 lines starting with Y for your house@yahoo email account. You would then break your valid password up into 4 lines instead of 2 like we did above. You can distribute the valid chunks of data amongst those 4 lines as you wish.
  • You could make multiple lines for each account, such as 2 lines starting with H and  2 lines starting with Y for your house@yahoo email account, but put a number in front of each line to alert you to which lines are valid for that account.  Example, you could do 1H, 2H, 3Y, 4Y.  To know which ones are valid, you would need a method.  One method is to add up the total letters in your login name (house).  There are 5 characters/letters.  This means you could either make the even number lines valid (2H & 4Y) or the odd number lines valid (1H & 3Y).  The lines that aren’t valid would replace lines D and R in our example above.  You could also flip/flop the even and odd method.  This means even (or odd) number of first letter and the opposite odd (or even) number for the second letter.  Example, 1H and 4Y or 2H and 3Y.
  • You could add additional information to the note in your wallet or purse to indicate how many characters are for each password.  Such as 25 people make up the Hello You group.  This would translate to the password for lines H and Y, or house@yahoo account, is 25 characters long.