When I get busy, I stop doing blog posts. Instead, I seem to insert the occasional odd rabbit hole into my daily activities as a kind of a break. I went down this one and thought I’d share.

We just finished helping a client migrate their email system. (I know, it has nothing to do with design, but it was something I was able to shepherd for them… so I did.) And PINs and passwords have come up a lot.

So what’s a good one? And what’s a bad one?

PINs

There’s actually a list of every possible 4-digit PIN (no, it’s not “PIN number” — that’s what the “N” stands for). And over 10% of all the 3.4 million actual numbers that were analyzed used “1234”. So if you ever want to access someone’s phone or bank account, hey, you now have a 1-in-10 shot at getting in effortlessly.

Needless to say, if you use “1234,” go change it. Now. But don’t change it to “1111” or “0000” or even “1212” because those are next in line. Easy to guess for both humans and computers.

Passwords

Randall Munroe, in one of his xkcd comics, talks about how we’ve designed our cockamamie password structure so that it’s easy for computers to guess, and hard for humans to remember — when it’s simple to design them the other way around!

Here’s what you can do. Instead of creating impossible strings of gibberish like C6uUBnZG.@3E or “clever” ones like “R0llin6-St0n3s” (RIP Charlie Watts), try stringing 4 common words together, like “engine-lollipop-zoom-guitar”. Much harder for a computer to guess. Much easier for you to remember. (How about “person-woman-man-camera-TV” for that matter?)

Here’s the math behind it:

[Image: xkcd cartoon about password strength]
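As an added example (mine, not the post’s or xkcd’s), here is the arithmetic behind the comparison, using the comic’s own modelling assumptions: four words drawn from a 2048-word list, a common word plus predictable tweaks for the “clever” password, and 1000 guesses per second. The word list and the per-tweak bit counts are assumptions for illustration.

```python
# Added example: entropy estimates for the two password schemes compared above.
import math
import secrets

WORDLIST_SIZE = 2048          # assumption: words are drawn from a 2048-word list
GUESSES_PER_SECOND = 1000     # the comic's rate for guessing against a remote service
SECONDS_PER_YEAR = 60 * 60 * 24 * 365


def passphrase_entropy_bits(word_count: int, wordlist_size: int = WORDLIST_SIZE) -> float:
    """Bits of entropy when word_count words are picked uniformly at random.
    The strength comes from the random choice, not from the words being obscure."""
    return word_count * math.log2(wordlist_size)


def leet_password_entropy_bits() -> int:
    """Rough model of a 'R0llin6-St0n3s'-style password, following the comic's
    breakdown: one common base word (~16 bits), capitalisation (1 bit), a few
    predictable letter-to-digit substitutions (~3 bits), a symbol (~4 bits),
    an appended digit (~3 bits) and which end it goes on (1 bit)."""
    return 16 + 1 + 3 + 4 + 3 + 1   # ~28 bits


def years_to_exhaust(bits: float, guesses_per_second: float = GUESSES_PER_SECOND) -> float:
    """Time to try every possibility at the given rate, assuming the attacker
    already knows the scheme and only has to enumerate the choices within it."""
    return (2 ** bits) / guesses_per_second / SECONDS_PER_YEAR


def make_passphrase(words: list[str], count: int = 4, sep: str = "-") -> str:
    """Build a passphrase with a cryptographically secure choice of words.
    Use the secrets module, never random.choice, for anything that is a secret."""
    return sep.join(secrets.choice(words) for _ in range(count))


if __name__ == "__main__":
    # Constructed sample word list; a real one would have ~2048 entries.
    sample_words = ["engine", "lollipop", "zoom", "guitar", "river", "marble"]
    for label, bits in (("four random words", passphrase_entropy_bits(4)),
                        ("leet-style password", leet_password_entropy_bits())):
        print(f"{label}: {bits:.0f} bits, ~{years_to_exhaust(bits):.3g} years to exhaust")
    print("example passphrase:", make_passphrase(sample_words))
```

At 1000 guesses per second the four-word passphrase takes on the order of 550 years to exhaust and the leet-style password about 3 days, which is the comparison the cartoon draws.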
Another way to go

For complicated but memorable passwords that require digits and symbols, think of a sentence you’ll remember. Let’s say it’s “Charlie Watts joined the Rolling Stones in January 1963.” Your password becomes the first letter of each word, plus the digits, plus an appropriate symbol or two. So you might use “CWjtRS-Jan1963”. Easy to remember. Tough to guess.

The best approach

Invest in a password manager. I use and like 1Password, but there are other good ones. Macs even have a decent one built in called the Keychain. These apps lurk quietly in the background until you need a password, or need to record a new one. They’ll generate random passwords for you — a different one for each website you sign up for. They’ll remember the password for you. They’ll fill it in when you need it, or let you look it up. And they keep all this highly secure.

The upshot is you never have to remember them! You can create a different password for each site or service (which protects you when one of your vendors gets hacked), and access them all via (you guessed it) one master password. Which you can (and should) make complicated, but be sure you can remember it!

Once you set it up and log in the first time, if you’re on a Mac, you can use its fingerprint or face ID, which makes using the app near-painless.

But whichever way you decide to go, do yourself a favor and stop using “1234”. We already know your PIN.