Better Password Management with Smarter Easier Passwords
February 27, 2008
The password commandments that we all know:
- Don’t write down your passwords
- Don’t give out passwords over the phone
- Come up with unique passwords for every service
- Clear your cache on public computers
- etc. etc. ad nauseam
While good advice, these rules are a little overwhelming. Following every one of them for every password starts to look like a full-time job.
The sad part is that these rules and suggestions really are great advice, and they really should be followed to the letter. The problem is that most people don’t have the patience. Worse, we’re all afraid of forgetting a password.
A Weak Solution
So, what do most people do? They do the same thing that I’ve always done: they keep a few passwords, each one with a different “security level”. Here’s the way it works, and I’ll bet you do something like this:
- The first password is the low-security one. This is the password you use for all of the little things you sign up for, the things you don’t really plan on using often.
- The second password is the slightly more secure one. You don’t use this one in nearly as many places as the first. It’s the gatekeeper for your Facebook and Myspace accounts. It’s the one you use when security is a concern, but not life-devastatingly important.
- The third password is the doozy. This is the password you use for online banking and bill pay. If this password got out, you’d be screwed.
This system is better than no system, but it’s still not good enough. The reason is twofold: almost everyone does exactly this, so anyone trying to steal your password knows to expect it, and because each password is reused across a whole tier of sites, one sloppy site leaking it exposes every other account at that level.
But, faced with the sheer amount of work involved in managing our passwords the way the experts tell us to, we prefer to keep an easy-to-remember set of passwords. And besides, we’re the only ones who have to know our dirty little secret, aren’t we?
There’s a better way
I know what you’re thinking. You’re thinking that I’m about to spout all of the rules at you again, and slap your wrist for handling your passwords improperly.
Well, even though I probably should, that would make me a hypocrite, because I’m equally guilty, so rest easy.
But, what if I told you that you could have a unique password for every service and that you’re not going to need a complex password management system to maintain them?
Hard to believe I know, but it’s possible.
Stronger Passwords
Here’s the system I’ve started using that works wonderfully for me.
Take your three passwords, the three that you already use. I’m sure that they are fairly good, and the only problem with them is that you use them for so many different services. If one of them were compromised even once, you’d give up every account at that security level.
But, because they’re good, and because you’ve already got them committed to memory, there’s absolutely no reason to throw them out. You’ll be using them as the base of your passwords from now on. Your old password will be the group of numbers, letters and symbols that stays the same in every password at that tier. This is the base you start from when creating a new low-security password.
Now, to make the password more secure you need to throw in a modifier. A modifier mixes the password up and adds characters, and if you make the modifier service-dependent, it’s easy to remember and creates a unique password for every service.
I think we need an example.
Example
Step 1 – Define your Base
Let’s say that your low security password is: 3a5ypa55w0rd
Step 2 – Define Your Modifier
The modifier is what makes your email password different from your Digg password. It switches things up for every site, and ensures that mismanagement of one password isn’t mismanagement of every password.
Your modifier will be based on a rule, that you define, that will stay the same for every password you make. This is possibly the most important part. The rules are what make your passwords unique and distinctly a creation of your own mind. Be creative when coming up with your rules. Just don’t forget that you have to remember the rules you invent.
One example of a modifier rule is to make the modifier the first three letters of the service, written backward. So, if you are registering as a member for my website: Flowercast, your modifier will be “olf.” Because, the first three letters of “Flowercast,” “F,” “l,” and “o” written backward are “olf.”
There are a number of rules you can set for your modifier (Using the first two consonants followed by the first two vowels, using the last three letters, spelling the entire thing backward, etc.) but it’s important not to be lazy and do something silly like use the name of the service (ex: “flowercast” spelled out explicitly) – doing that would make your system much easier to crack.
Step 3 – Place Your Modifier
The last rule for your passwords is where you’re going to put the modifier in the password. There are a number of places to put it without making the password too difficult to deal with. You can append it to the end, place it in the center of the old password, or put it at the beginning. You could also split the modifier up and spread it throughout. The important thing is to be consistent, so that your system is easy to remember.
In our example the rule we’ll be using is that we’ll always place the modifier between the 2nd and 3rd “5″ in 3a5ypa55w0rd.
Putting it all together
So, to start at the top with our example:
With the low-security password 3a5ypa55w0rd, we decide to register for The Flowercast.
Our modifier is “olf” and we always place our modifier between the 2nd and 3rd “5” in 3a5ypa55w0rd.
The final product, and our new password for The Flowercast, is 3a5ypa5olf5w0rd.
With the same rules our passwords for Facebook, Myspace and Digg would be 3a5ypa5caf5w0rd, 3a5ypa5sym5w0rd and 3a5ypa5gid5w0rd, respectively.
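As an added example (not code from the original post), here is the three-step scheme written out literally: the base password, the modifier rule (first three letters of the service name, reversed and lower-cased) and the placement rule (between the 2nd and 3rd “5” of the base) are the ones from the worked example above; the function names are my own. It also includes the check a skeptical reader would want, showing what one leaked password gives away to someone who knows which site it came from.

```python
from typing import Optional

# Base password from the post's worked example.
BASE = "3a5ypa55w0rd"


def modifier(service: str) -> str:
    """Modifier rule from the post: first three letters of the service
    name, written backward (lower-cased so 'Facebook' gives 'caf')."""
    return service[:3][::-1].lower()


def insert_position(base: str, anchor: str = "5", after_nth: int = 2) -> int:
    """Placement rule from the post: the index just after the after_nth
    occurrence of anchor in base, i.e. between the 2nd and 3rd '5' of
    3a5ypa55w0rd. Raises ValueError if base has fewer occurrences."""
    pos = -1
    for _ in range(after_nth):
        pos = base.index(anchor, pos + 1)
    return pos + 1


def derive_password(service: str, base: str = BASE) -> str:
    """Step 3 of the scheme: splice the service-dependent modifier into
    the base at the fixed position."""
    pos = insert_position(base)
    return base[:pos] + modifier(service) + base[pos:]


def recover_base(leaked: str, service: str) -> Optional[str]:
    """The caveat: anyone who sees one derived password and knows which
    site it belongs to can locate the modifier and strip it, recovering
    the shared base. Returns None if the expected modifier is absent
    (e.g. the password was not built with this rule)."""
    mod = modifier(service)
    idx = leaked.find(mod)
    if idx == -1:
        return None
    return leaked[:idx] + leaked[idx + len(mod):]


def predict_other(leaked: str, leaked_service: str, target_service: str) -> Optional[str]:
    """Chain the two: from one leaked password, guess the password used
    at a different site that follows the same rule."""
    base = recover_base(leaked, leaked_service)
    if base is None:
        return None
    return derive_password(target_service, base)


if __name__ == "__main__":
    for site in ("Flowercast", "Facebook", "Myspace", "Digg"):
        print(f"{site:11s} -> {derive_password(site)}")
    # Constructed scenario: the Facebook password leaks.
    leaked = derive_password("Facebook")
    print("recovered base:", recover_base(leaked, "Facebook"))
    print("guessed Digg password:", predict_other(leaked, "Facebook", "Digg"))
```

The four derived passwords match the ones listed above. The last two lines are the point a practitioner should take from this: the modifier is visible in the password itself, so the scheme stops you from reusing one string across sites, but it does not make a single leak harmless.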
By keeping your old passwords and adding a site-dependent modifier, you get a different password for every service without having to do more than look up at the name of the website. One caveat is worth stating plainly: all of those passwords still share a base, and the modifier sits in plain sight inside each one. If a derived password is exposed together with the site it came from, someone who looks at it can spot the modifier, strip it out, and guess your passwords for other sites. The system stops you from reusing one string everywhere; it does not make a single leak harmless, so the high-security tier still deserves the most care.
What do you think? Would this system work for you? Is it too difficult? Too easy? How would you improve on it?