Sensible Password Strategies
Most of us know by now that passwords based on dictionary words are very insecure and that your password should be based on numbers and letters, the lengthier the better. The days of using “password” as a password are long gone (or at least, they should be).
It’s quite common, however, for people to use the same username and password on many different sites. Ask yourself “What happens if one of the websites I use is compromised?”. It only takes one breach of security, from one website, and your username and password are there for the taking on all the sites you use.
But who can possibly remember a different password for each site they use?
Well, there are two methods I generally recommend.
1. Random passwords & encrypted storage
Generate a completely random password using a random password generator, and store the list in a secure notepad such as Locknote (for Windows) or Little Secrets (for Mac).
The format of the file is flexible, but the syntax I use is:
Site : Flickr
URL : http://flickr.com
Username : MyUserName
Password : Sp5macapraW3phex
Email : flickr@mydomain.com
—
Site : del.icio.us
URL : http://del.icio.us
Email : delicous@mydomain.com
Password : k7G26RaPRUp5uCus
—
You can then simply access the file whenever required, and copy and paste the password into place.
The beauty of this file format is that it can also be adapted to store serial numbers, FTP details and other important information. However, it is obviously critical that you store this data in an encrypted format.
This method is about as secure as you can get, but what happens when you want to access the sites from another location? You could store the file on a USB key, but that’s not something I’m comfortable with, encrypted or not; that’s just a personal choice.
2. Algorithm based passwords
Rather than generate a password that is completely random, what about one that looks random, but is actually easy to remember because it is based on a simple algorithm?
Let’s take flickr.com as an example, and assume I have a dog called “Barney”.
A good password for this site might be lib4rn3y6r
Looks nice and random, right? Well, this password is actually composed of 4 parts, 3 of which are completely unique to every website used.
li = the 2nd & 3rd letters of the domain name
b4rn3y = my dog’s name, transposing some letters for numbers
6 = the number of letters in the domain name
r = the last letter in the domain name
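Both methods above, as an added example that is not part of the original post: a random generator for method 1 and the four-part recipe for method 2, which reproduces the post’s lib4rn3y6r for flickr.com. The letter-for-number mapping (a→4, e→3) is read off the post’s own example; how a multi-label host such as del.icio.us is reduced to a single “domain name” is my assumption (left-most label after stripping www.).

```python
import secrets
import string
from urllib.parse import urlsplit

# Substitutions the post's example uses: "Barney" -> "b4rn3y" (a->4, e->3).
LEET = str.maketrans({"a": "4", "e": "3"})


def random_password(length: int = 16) -> str:
    """Method 1: letters and digits drawn with the OS cryptographic RNG.

    The post's sample entries (e.g. "Sp5macapraW3phex") are 16 characters.
    """
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def site_label(site: str) -> str:
    """Reduce a URL or hostname to the bare domain name the recipe works on.

    "http://flickr.com/photos" -> "flickr". Assumption (not stated in the post):
    drop a leading "www." and keep the left-most label, so "del.icio.us" -> "del".
    """
    host = urlsplit(site if "://" in site else "//" + site).hostname or ""
    if host.startswith("www."):
        host = host[4:]
    return host.split(".")[0]


def algorithm_password(site: str, secret_word: str) -> str:
    """Method 2: compose the four parts the post describes for one site.

    Only secret_word (the post uses the dog's name "Barney") is shared between
    sites; the other three parts change with the domain. A label shorter than
    three letters has no 2nd and 3rd letter, so it is rejected rather than
    silently yielding a shorter password.
    """
    name = site_label(site)
    if len(name) < 3:
        raise ValueError(f"domain label {name!r} is too short for this recipe")
    letters_2_3 = name[1:3]                         # 2nd & 3rd letters
    word = secret_word.lower().translate(LEET)      # letters swapped for numbers
    count = str(len(name))                          # number of letters
    last = name[-1]                                 # last letter
    return letters_2_3 + word + count + last


if __name__ == "__main__":
    print(random_password())
    print(algorithm_password("http://flickr.com", "Barney"))  # lib4rn3y6r
```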
Obviously you can (and should) adjust the algorithm for your own purposes, but with a little thought, and using a combination of the methods described above, you can create a system that creates (and stores) extremely safe passwords which are different for each website you use.
For the ultra paranoid, you may want to create a multi-tier system, with one system used for generic websites, and a completely different system used for online banking, etc.
You may also want to check out this guide to creating “compound passwords”, designed to thwart keyloggers, shoulder-surfing colleagues and brute-force attacks.
Update: There’s a very well written post entitled How I’d Hack Your Weak Passwords which expands a lot more on password security.