Password security

I’ve been thinking about password security recently. Like many people I generally use one “strong” password for most of my access in cyberspace. The memorable strong password idea is definitely an improvement over the oldskool practice of changing a password every several weeks, which invariably led people to write down their passwords, making security as flimsy as the yellow post-its they were written on.

Hence the memorable strong password. To be considered strong, most recommend a generous mix of the various sets of keys available on the keyboard:

  • lowercase letters
  • uppercase letters
  • numbers
  • symbols (e.g. $, @, ., <, etc.)

There are many ways of making a memorable strong password… (the one that should be avoided is simply substituting numbers for vowels… there are hacker dictionaries out there that can automatically try p4ssw0rd as easily as password.) Say you have a strong password that’s memorable to you because it combines the year your parents got married, let’s say 1976, together with a phrase you like, such as “Let the good times roll!” It’s easy to turn those ingredients into a very strong, memorable password, such as 76/L#gtr!19, in just a few steps:

  1. 1976 Let the good times roll! (the ingredients)
  2. 1976 Ltgtr! (the initials of the phrase with the punctuation intact.)
  3. 76/Ltgtr!19 (splitting the year and inserting another punctuation mark after the first numerical part)
  4. 76/L#gtr!19 (replacing the t for “the” with a symbol)

The latter result is an extremely strong password which should be very easy for the user to remember, so it never needs to be written down.

However, it only takes one shady cybercafe or one phishing site to steal your password, which might very well be the same password you use for your banking, email, and more. Is there a way to create many passwords that are just as strong, but customized for each site you use in such a way you can type it almost automatically?

I believe there is. What if you combined your strong password as a core, customized with an element of the site’s name? The sky is the limit on the possibilities, but if the same pattern is always used, each password should be instantly recallable.

Say you have passwords for Amazon, Gmail, and Paypal. You could take the first two letters of each and put them over the last two numbers of your password to keep it relatively short:

  • 76/L#gtr!Am Amazon
  • 76/L#gtr!Gm Gmail
  • 76/L#gtr!Pa Paypal

The passwords are short, quickly typeable, easily memorable, and completely different. Or if you prefer, you could use the first and last letters, or the first two vowels, or some other consistent rule, and put them in a different place in the strong password structure. Just remember to keep it simple for you and impossible for anyone else. Here’s a variation using three letters of the site name with the second and third letters capitalized, placed in the middle of the strong core:

  • 76/aMAL#gtr! Amazon
  • 76/gMAL#gtr! Gmail
  • 76/pAYL#gtr! Paypal

Again, the passwords are all strong, and all so easily memorable they should never need to be written down. But this technique’s true value lies in the uniqueness of the passwords. Should someone learn your Amazon password, he or she will still not be able to login to your Gmail or Paypal accounts.

A couple of closing thoughts. First, there are unfortunately still many sites, including financial sites, that only allow alphanumeric passwords… no punctuation symbols can be used. For these sites, just keep the core password as strong as possible, using lowercase, uppercase, and numbers. Unfortunately, this means you may need two cores, one with symbols for the majority of sites that allow them, and an alphanumeric core for those that don’t. However, the alternate core can also be made very easy to remember. Here are two easy ways to do it:

  1. Use a single letter as a substitution for the symbols:

    76/L#gtr!Am for Amazon

    76zLzgtrzSi for SiteWhichDoesNotAllowSymbols.

  2. An alternate solution is to just omit the symbols.

    76/L#gtr!Am for Amazon

    76LgtrSi for SiteWhichDoesNotAllowSymbols.

If you forget which sites allow symbols and which don’t, no problem. Simply try the version with symbols first, and if that doesn’t work, the version without.

Secondly, if you’re a traveler, make sure your password is possible to type quickly on any keyboard of any country you’re likely to be in. Some of the punctuation symbols on the US keyboard layout do not appear on the keyboards of other countries or require “dead keys” to produce which may not register as single characters for password purposes. For instance, our straight double quotation marks are not used in many countries. Symbols like |, [, and ^ also might not appear on international keyboards or could require additional keystrokes to type even if they do. It’s probably best to slightly limit the symbol set for your password to symbols universally used in math or on the Internet, such as # . , @ ! + - / etc. See Wikipedia’s article on keyboard layouts for more information.
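As an added example (not code from the original post), here is a short Python script that encodes the post's own rules so they can be applied the same way every time: the four-class mix listed at the top, the two site-customization rules (first two letters over the last two digits; three letters with the second and third capitalized in the middle), the two alphanumeric fallbacks (substitute a single letter, or omit the symbols), and a check that a password's symbols stay within the portable set from the closing paragraph. The sample passwords are the post's own; the `z` substitute, the class names and the portable symbol set come from the text; the password containing `|` and `^` in the demo is a constructed input used only to show the portability check flagging something.

```python
import string

# The four character classes the post says a strong password should mix.
CLASSES = {
    "lowercase": set(string.ascii_lowercase),
    "uppercase": set(string.ascii_uppercase),
    "numbers": set(string.digits),
    "symbols": set(string.punctuation),
}

# Symbols the closing paragraph lists as safe on most keyboard layouts
# (the en-dash on the page is read as the hyphen-minus).
PORTABLE_SYMBOLS = set("#.,@!+-/")


def missing_classes(password: str) -> list:
    """Names of the character classes the password does not contain."""
    chars = set(password)
    return [name for name, members in CLASSES.items() if not chars & members]


def non_portable_symbols(password: str) -> set:
    """Punctuation in the password that lies outside the portable set."""
    return {c for c in password
            if c in string.punctuation and c not in PORTABLE_SYMBOLS}


def suffix_variant(core: str, site: str) -> str:
    """Rule 1: the site's first two letters replace the core's last two characters."""
    tag = site[0].upper() + site[1].lower()
    return core[:-2] + tag


def middle_variant(core: str, site: str) -> str:
    """Rule 2: three letters of the site (second and third uppercased) go after
    the first three characters of the core, and the trailing year digits are dropped."""
    tag = site[0].lower() + site[1:3].upper()
    return core[:3] + tag + core[3:-2]


def alphanumeric_fallback(password: str, substitute: str = "z") -> str:
    """Alternate core for sites without symbols: replace each symbol with one
    letter (the post uses 'z'); pass substitute='' to simply omit them."""
    return "".join(substitute if c in string.punctuation else c for c in password)


if __name__ == "__main__":
    core = "76/L#gtr!19"
    print("core classes missing:", missing_classes(core))          # []
    for site in ("Amazon", "Gmail", "Paypal"):
        print(site, suffix_variant(core, site), middle_variant(core, site))
    alnum = suffix_variant(core, "SiteWhichDoesNotAllowSymbols")
    print(alphanumeric_fallback(alnum), alphanumeric_fallback(alnum, ""))
    print("omitted version misses:", missing_classes(alphanumeric_fallback(alnum, "")))
    # Constructed input: '|' and '^' are the symbols the post warns about.
    print("not portable:", non_portable_symbols("76|L^gtr!19"))
```

Running the script reproduces every password the post lists, and the last two lines show the two checks doing their job: the omitted-symbol fallback reports that it lacks the symbols class (the trade-off the post accepts for alphanumeric-only sites), and the portability check singles out `|` and `^`.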

  1. #1 by Louise on May 7th, 2008 - 9:26 am

    Once you’ve got a bunch of strong passwords, you need a place to store them. I work for PassPack, which is an online password manager.

    If you are aware of how important a strong password is, you may be interested in this blog on password managers:

    http://tinyurl.com/38jxny

    Hope it helps!

    Louise

    PS PassPack also generates strong passwords for you.

  2. #2 by Joe on May 7th, 2008 - 10:11 am

    What makes me skeptical about strong passwords is that you can use english dictionary words with minor alterations. Some default ones like krod44! (medium strength) become strong with kr0D44! which seems so simple to crack.

    Further, most sites lcase or ucase passwords on read in to make database calls easier or usability easier. The trick comes where you sacrifice usability for security or vice-versa.

  3. #3 by Jon on May 7th, 2008 - 10:12 am

    Interesting, Louise.

    Thanks for the info.

  4. #4 by Jon on May 7th, 2008 - 10:20 am

    I’m not so skeptical, Joe… With that example, the base, krod44 is non-sensical to begin with, not found in any English dictionary or in any other language… Further strengthening it seems fine to me… Is kr0D44! simple to crack? Maybe for hackers who are natives of Krodaa. :-)

    Good information though, about the potential equivalence of uppercase and lowercase on some servers.

  5. #5 by Joe on May 7th, 2008 - 10:23 am

    krod is one of the originals. We upgraded it after I broke it early on with a forward/backward dictionary. We also had emtae for a while until I broke it before the security team told me about it.

  6. #6 by Jon on May 7th, 2008 - 11:23 am

    Agreed. Backwards English words are not strong.

  7. #7 by Louise on May 8th, 2008 - 6:16 am

    @Jon

    No problem. I’d be happy to hear any feedback.
    Louise

  8. #8 by Chad on May 8th, 2008 - 3:24 pm

    This is a great idea.

    What about setting your phrase to represent the website you are creating the password for.

    ‘I Get My Mail With’ = Gmail
    ‘I Get My Books With’ = Amazon

    Or something along those lines.

    Just my 2 cents.

  9. #9 by Jon on May 8th, 2008 - 4:44 pm

    Just as long as you can remember it, Chad.
