# The weakest passwords you can get away with


Or: why password strength checkers are useless.

A lot of people work in environments where they have to change their password every few months, and where there are restrictions on what passwords must look like. Here is how to deal with that, if you don’t care about security.

1. Pick two strings which are complicated enough to keep the password checker happy, which I’ll call $s_1$ and $s_2$. Remember them.
2. Also remember a two-digit count, starting from $00$.
3. The first password is $0s_10$, the second is $0s_20$, the third is $0s_11$, the fourth $0s_21$ and so on: each time you need to change passwords you swap between the two strings, and every other time you increment the count.

This gives you two hundred passwords, at the cost of remembering two strings and a two-digit count: if you have to change your password every three months this will last you fifty years.
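The scheme above, run against a hypothetical change-time checker, as an added example that is not part of the original post. The checker's rules (a complexity rule, a similarity limit against the current password, exact-match history of hashes), the threshold, and the two sample strings are all assumptions constructed for illustration.

```python
import hashlib
from difflib import SequenceMatcher

# Constructed sample strings (assumptions); they share no characters.
S1, S2 = "Maple+Kiln", "Robust?Crowd"

def scheme_password(n, s1=S1, s2=S2):
    """n-th password (0-based): first count digit + string + second count digit."""
    count = f"{n // 2:02d}"          # the count goes up on every other change
    return count[0] + (s1 if n % 2 == 0 else s2) + count[1]

def complex_enough(pw):
    """Hypothetical complexity rule: length >= 10 and four character classes."""
    return (len(pw) >= 10 and any(c.islower() for c in pw)
            and any(c.isupper() for c in pw) and any(c.isdigit() for c in pw)
            and any(not c.isalnum() for c in pw))

def digest(pw):
    # Unsalted SHA-256 keeps the example short; a real store uses a salted slow hash.
    return hashlib.sha256(pw.encode()).hexdigest()

class ChangeChecker:
    """Sees the current and new passwords in plain text, older ones only as hashes."""
    def __init__(self, first, max_similarity=0.6):
        self.current, self.history = first, set()
        self.max_similarity = max_similarity

    def change(self, new):
        if not complex_enough(new):
            return False
        # Similarity can only be measured against the plaintext current password.
        if SequenceMatcher(None, self.current, new).ratio() > self.max_similarity:
            return False
        # Older passwords can only be tested for exact reuse.
        if digest(new) in self.history:
            return False
        self.history.add(digest(self.current))
        self.current = new
        return True

def accepted_changes(passwords):
    checker = ChangeChecker(passwords[0])
    return sum(checker.change(pw) for pw in passwords[1:])

def run():
    scheme = [scheme_password(n) for n in range(200)]
    one_string = [scheme_password(2 * n) for n in range(100)]  # counter only, s1 only
    return accepted_changes(scheme), accepted_changes(one_string)

if __name__ == "__main__":
    print(run())
```

Under these assumed rules all 199 changes in the two-string scheme are accepted, while incrementing the count on a single string is rejected every time by the similarity check.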

This works because the thing that is forcing you to change your password can know two things:

• the current and new passwords, in plain;