A professional hacker reveals how to create the best possible password

Creating a strong, easy-to-remember password that is nonetheless difficult to guess can be quite the trick…

Lisa Eadicicco for Business Insider:

The perfect password may not exist, Etay Maor, an executive security adviser at IBM Security, told Business Insider. But he said there was a technique you could use to create passwords that’d be tough for hackers to figure out but easy to keep top of mind. Maor suggests creating a “passphrase” instead of a password.

The passphrase technique is exactly what it sounds like. It entails coming up with a memorable phrase you can use in place of a password, since the longer the password is, the more difficult it is for a machine to crack.

For example, you could choose a phrase like “I want to go to a Bon Jovi concert” and turn that into a password. “A computer will take, I don’t want to say an infinite amount of time, but a not realistic amount of time, to be able to guess it,” Maor said.

MacDailyNews Take: Please, do not use “I want to go to a Bon Jovi concert” as your password — or as a sentence, ever.



  1. This is such terrible advice. If you use a phrase as your password in numerous places, then one compromise could compromise all of your password protected sites.

    Use a password manager. Each password is random and the best ones used encryption.

  2. I use a bilingual passphrase, and neither language is English. Think of a phrase, then use Google to find each word in a different language—pick the ones that are easy to type. For example, suppose your phrase is “I am a secure computer.” “I am” is “olen” in Finnish, “secure” is “biztos” in Hungarian, and “computer” is “tölva” in Icelandic. So your passphrase can be:


    It will be easier to remember than you think.

      1. Password generators and password managers are band-aids not solutions. You can forget the passwords and the manager might fail. Adding in two-factor authentication and picking out pictures with wombats is also a band-aid, because you might have to do it a dozen times before you get it right. Someone has to invent something simpler and better, something that doesn’t need a cloud or a second device or even a second step. I have no idea what it would be, but if you can criticize what I just wrote, you are smarter than me. Instead of telling me off in a comment, take Igor into the lab and start inventing.

        1. Sorry. I didn’t think I was telling you off. I was just citing from experience dealing with 100’s of clients that they cannot remember lots of different phrases. They can’t even remember the 5 they need to. I do like your method of using different languages so that brute force attacks using one language won’t be fruitful. However, I’m curious how you remember the 100 or so passwords you need to remember. I have several hundred password since I work in IT so I could not do this without a password program.

          One company trying to do password-less “passwords” is Trusona https://www.trusona.com so I’ll leave it to the bigger companies with a lot of man power to try to come up with the best way to do password.

  3. What about getting all the websites onboard with 2FA/MFA (two-factor/multi-factor authentication) and if they have it, start pushing more users to use it? We (mostly) all have mobile devices that can handle this. Although someone did sue Apple for forcing it on users so I guess some users don’t care about security which is a loss for everyone else.

    1. But, there’s a BIG flaw in using 2FA/MFA that is tied to sending SMS to a phone number: it is WAY too easy to social-engineer a hack against our phone numbers, hijacking the number and thus gaining access to all our accounts.

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.