When it comes to technology, people sit on a scale. At one end are those who are not particularly savvy (and likely have fewer than 20 accounts); at the other end are those who are particularly adept and may have hundreds.
This matters because, while those toward the right-hand end of the scale can and probably should invest in a good password manager*, there are those who need something both simpler and more secure.
Anyway, those who are not ready for a password manager still need a system, and to them I say:
1. It is NOT important to try and remember passwords.**
Instead, it is important to keep a reliable record of each account: its username, its website, the password itself (clearly written) and any other important info (e.g. answers to the idiotic challenge questions required by some accounts).
2. This information should be written on the right-hand page of an A5- to A4-size ring-bound notebook.
The account name should be written at the top centre as a page title.
(Every account gets its own page and every page has only the password for that one account).
3. Free space on the page is required for future changes.
4. If a page should overflow it must be removed and its data transferred to the next clean page.
5. Page order is irrelevant.
Pencil and paper were invented eons ago and remain a reliable and extremely secure method of recording passwords (a single paper notebook secured inside your home is as good as unhackable).
6. Passwords must contain no personal information, must be long, random, easy to type, and easy to keep in your short term memory for a minute or two.
I recommend to them that any password for a low-value account (e.g. Netflix) should contain 2 random, unrelated words (not previously used in any other password) and a number.
High-value accounts (Facebook, AppleID, email) require 3-4 random words.
Passwords should always be at least 12 characters long, preferably much longer.
7. I give them a few example passwords:
Molly5000 (cat name and postcode)
Too short, totally insecure.
(I don’t usually tell them this, but even in 2012 a simple PC with four of Nvidia’s GeForce GTX 480 graphics cards could cycle through as many as 6.2 billion guesses every second – https://arstechnica.com/security/2012/08/passwords-under-assault/)
Secure by length and randomness, but bad if it needs to be entered on another device (especially a phone).
Easy to type and remember, but should not be considered secure – the hacker uses a massive directory (the internet) to match patterns and will probably crack this far more quickly than,
Can be remembered and is secure by length and randomness, but using capital letters at the beginning of words and a number at the end is a pattern the hacker will test for.
MOLECULEteleport970 is better.
MOLECULE970teleport is better again.
Don’t get clever and do this,
You just make life difficult for yourself when you’d be better off simply increasing the length like this,
8. I finally suggest to them that they flick through a dictionary and pick their unrelated words – the number can come from anywhere (remember, length is more important).
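To make rules 6 to 8 concrete, here is a small Python script added as an example; it is not the post author's code. It picks random, previously unused words from a wordlist and a number, lays them out the way the MOLECULE970teleport example does (one whole word in capitals, the number between words rather than at the end), checks a candidate against the weaknesses the post lists (too short, personal info, number at the end, capitals only at the start of words), and estimates the guess space against an attacker who knows the scheme, converted to time at the 6.2 billion guesses per second figure quoted above. The 20-word sample list, the three-digit number and the scheme-aware attacker model are assumptions made here; a real pool is a whole dictionary.

```python
"""Generate and sanity-check 'random words + number' passwords.
Added example; the wordlist and attacker model are assumptions, not the post's."""
import math
import secrets

MIN_LENGTH = 12  # the post's floor: at least 12 characters, preferably longer

# Constructed sample wordlist (20 unrelated words, all 5+ letters) so the example
# runs offline.  In practice the pool is a whole dictionary.
SAMPLE_WORDS = [
    "molecule", "teleport", "anvil", "harbor", "cactus", "violin", "glacier",
    "pudding", "lantern", "saddle", "compass", "meadow", "turbine", "walnut",
    "pelican", "chimney", "orbit", "velvet", "tractor", "quartz",
]

_rng = secrets.SystemRandom()  # CSPRNG-backed sampling


def assemble(words, number, upper_index, number_slot):
    """Deterministic layout: one whole word in capitals (not just its first letter)
    and the number inserted before words[number_slot], i.e. between words."""
    parts = [w.upper() if i == upper_index else w.lower() for i, w in enumerate(words)]
    parts.insert(number_slot, str(number))
    return "".join(parts)


def generate(word_count, wordlist=SAMPLE_WORDS, used_words=(), number_digits=3):
    """Pick word_count random words not used in any earlier password, plus a number.
    Returns (password, words) so the caller can record the words as used."""
    if word_count < 2:
        raise ValueError("the scheme needs at least two words")
    pool = [w for w in wordlist if w not in set(used_words)]
    if len(pool) < word_count:
        raise ValueError("not enough unused words in the wordlist")
    while True:
        words = _rng.sample(pool, word_count)
        number = f"{secrets.randbelow(10 ** number_digits):0{number_digits}d}"
        upper_index = secrets.randbelow(word_count)
        number_slot = 1 + secrets.randbelow(word_count - 1)  # never first or last
        password = assemble(words, number, upper_index, number_slot)
        if len(password) >= MIN_LENGTH:  # retry if the words happen to be short
            return password, words


def check(password, personal_tokens=()):
    """Flag the weaknesses the post calls out.  Returns a list of problems; an
    empty list means none of these were found, not that the password is strong."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isdigit() for c in password):
        problems.append("no number")
    lowered = password.lower()
    for token in personal_tokens:  # e.g. pet names, postcodes, birthdays
        if token.lower() in lowered:
            problems.append(f"contains personal info: {token}")
    if password and password[-1].isdigit():
        problems.append("number at the end (a pattern crackers test for)")
    # Title-case pattern: every capital sits at the start of a word, i.e. at
    # position 0 or right after a non-letter (Molecule970Teleport).
    capitals = [i for i, c in enumerate(password) if c.isupper()]
    if capitals and all(i == 0 or not password[i - 1].isalpha() for i in capitals):
        problems.append("capitals only at the start of words (a pattern crackers test for)")
    return problems


def guess_space_bits(word_count, wordlist_size, number_digits=3):
    """Bits of guess space against an attacker who knows this exact scheme (the
    conservative assumption): ordered choice of distinct words, the number,
    which word is capitalised and where the number sits."""
    layouts = word_count * (word_count - 1)  # upper_index choices x number_slot choices
    combos = math.perm(wordlist_size, word_count) * 10 ** number_digits * layouts
    return math.log2(combos)


def seconds_to_exhaust(bits, guesses_per_second=6.2e9):
    """Time to try the whole space at the 2012 GPU rate the post cites."""
    return 2.0 ** bits / guesses_per_second


if __name__ == "__main__":
    for label, n in (("low value (2 words)", 2), ("high value (4 words)", 4)):
        pw, _ = generate(n)
        print(f"{label}: {pw}  problems={check(pw)}")
    print("Molly5000:", check("Molly5000", personal_tokens=("Molly", "5000")))
    for size in (len(SAMPLE_WORDS), 100_000):
        bits = guess_space_bits(2, size)
        print(f"2 words from a {size}-word pool: {bits:.1f} bits, "
              f"{seconds_to_exhaust(bits) / 86400:.3g} days to exhaust at 6.2e9/s")
```

Running it shows why the pool matters as much as the word count: two words drawn from the 20-word sample list give under 20 bits of guess space, which the quoted GPU rate exhausts in a fraction of a second, while the same two words from a 100,000-word dictionary give about 43 bits, and each extra word adds roughly 17 bits more. The `check` call on Molly5000 reports all of the post's objections to it at once.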
*I’m only willing to recommend 1Password and have an aversion to LastPass – I know it’s highly regarded, but it’s just…
**Passwords that are created using the methods described above are often remembered easily after being entered a few times. This is helpful for accounts where the password is required often (e.g. your AppleID (iCloud, App Store) or online banking).
Online banking passwords are an exception – I never write these down and have not recorded them in any password manager.