I’m glad I’m not a security expert. Talk about catch-22: security experts have to persuade their users that their systems are secure (so that they will be used) while at the same time trying to educate their users to deal with the holes in the system (without admitting that they’re holes) in such a way as to put the onus for maintaining the integrity of the system as a whole directly onto the user. So that when the security system fails, it’s not their fault – it’s your fault.
All those websites out there want your money. They’ve done a pretty good job of convincing the average Joe (you and me) that their security systems are state-of-the-art, uncrackable, safe as houses. They’ve trained us to ‘look for the padlock symbol’. But a padlock symbol isn’t a padlock, it’s just a symbol. Just because there’s a password input widget on a website doesn’t guarantee that the system at the other end doesn’t take your personal details and auto-post them to a public bulletin board alongside the password you just entered – and if you do only use a single password then it would only take ONE site like that to make every single one of your ‘secure’ transactions about as secure as a wet haddock.
OK, that’s a rather cynical view. Hey, you expect something else from a cynic? Whichever way you look at it, no security system is foolproof, and they all require both sides to do their part in trying to make sure that the security is as safe as it can be. The security system providers do their best to keep your data safe – and you don’t go around telling all and sundry what your password is.
All of the security advice I’ve ever read relating to passwords stresses how important it is not to use a single password for everything. This makes sense from one point of view – if you do use a single password for everything and then someone discovers that password… your security is illusory.
If you KNOW that your password has been ‘compromised’ (as those security folk would say), then you do have the option of changing it – assuming, that is, that you can remember all of the places where you have used it. But maybe you won’t know that someone has copied it from that post-it note stuck to your computer (or hidden inside your desk drawer), in which case you will be left ‘feeling secure’ when the reality is that anyone can peek into your privates whenever they feel the urge.
Which (of course) is why all the eggspurts say that you shouldn’t use just one password. If they were honest they’d say something like “we know our system has holes, and this is one of them” but they don’t do that because they want you to trust them.
So where does this leave us? It leaves us… needing more passwords.
The ‘Word+number+Word’ technique is a pretty reliable way of creating reasonably secure passwords. Stuck for a password? Look out of the window – oh look, there’s a Tree. Pick a number, any number: 3. Now another word… um… (examine Fingernails while thinking) there we go: ‘Tree3Fingernails’, easy.
The reason that a single word is considered an ‘insecure’ password is that it can be broken (‘cracked’) using a technique called a ‘dictionary attack’: the attacker simply tries every word in a word list against the stored password (most sites store a hash of your password rather than the password itself, so each guess is hashed and the hashes compared), something that’s trivial to automate. A password generated using ‘Word+number+Word’ would foil a basic dictionary attack, but a ‘modified dictionary attack’ (cracking tools call these rule-based or combinator attacks) that tried every pair of words with a number between them could still crack it. It would just take longer: with a 100,000-word list and two-digit numbers that’s 10^12 guesses instead of 10^5.
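To make the difference concrete, here is an added example (mine, not code from the original post) that runs both attacks against a stored hash of ‘Tree3Fingernails’. The six-entry word list is constructed for the demo, and the storage scheme is an assumption: a plain unsalted SHA-256, chosen to keep the code short. The attack logic is the same against a proper slow salted hash; each guess just costs the attacker more.

```python
import hashlib
import itertools

# Constructed toy word list for the demo; real cracking lists run to
# millions of entries, which is exactly why single words fall so fast.
WORDLIST = ["password", "tree", "fingernails", "window", "horace", "ring"]


def hash_password(password):
    """Assumed storage scheme: a plain, unsalted SHA-256 hex digest.
    A real site should use a slow salted hash (bcrypt, scrypt, Argon2);
    the attack logic below is identical, each guess just costs more."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def dictionary_attack(target_hash, words):
    """Basic dictionary attack: hash each word (plus obvious case
    variants) and compare with the stored hash. Returns the password
    if found, else None."""
    for word in words:
        for guess in (word, word.lower(), word.capitalize(), word.upper()):
            if hash_password(guess) == target_hash:
                return guess
    return None


def word_number_word_attack(target_hash, words, numbers=range(100)):
    """'Modified' dictionary attack that targets the Word+number+Word
    pattern: every ordered pair of words with every number in between,
    capitalised the way the post's 'Tree3Fingernails' is. Returns
    (password or None, number of guesses made)."""
    guesses = 0
    for first, second in itertools.product(words, repeat=2):
        for n in numbers:
            guess = f"{first.capitalize()}{n}{second.capitalize()}"
            guesses += 1
            if hash_password(guess) == target_hash:
                return guess, guesses
    return None, guesses


def candidate_space(n_words, n_numbers):
    """Size of the Word+number+Word search space: the 'takes longer'
    part, quantified. Two word slots and one number slot."""
    return n_words * n_words * n_numbers


if __name__ == "__main__":
    stored = hash_password("Tree3Fingernails")
    print("plain dictionary attack:", dictionary_attack(stored, WORDLIST))
    print("word+number+word attack:", word_number_word_attack(stored, WORDLIST))
    print("guesses for a 100,000-word list, numbers 0-99:",
          candidate_space(100_000, 100))
```

The plain dictionary attack comes back empty, the pattern-aware one finds the password on its 804th guess of a possible 3,600. Scale the list up to 100,000 words and the search space is 10^12, which is what “it would take longer” actually means: longer, not impossible.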
So… how to create passwords as strong as (or stronger than) Word+number+Word, and yet still have them easy to remember?
One way is to think of a short sentence or phrase, or perhaps a bit of poetry – take the first letter of each word and string these together. For instance (off the top of my head): “Quis custodiet ipsos custodes (who will guard the guardians?)” = “qcic(wwgtg)”.
Of course you need to be absolutely sure that you’ll be able to remember the phrase that generates the password. You don’t start by learning poetry, the first step is to think of a phrase you ALREADY know. If you begin by trying to learn something so that you’ll remember it later – you might forget it.
I’m a Lord of the Rings fan, so I find it easy to remember:
One ring to rule them all
One ring to find them
One ring to bring them all
And in the darkness bind them.
This gives us the password: OrtrtaOrtftOrtbtaAitdbt.
O.o. Just got sidetracked onto trying to learn the Black Speech version of the Ring Inscription. Back now – where were we? 🙂
I’m also a Monty Python fan, and I sat down one day (a long while ago now) and learned the Horace Poem:
Much to his Mum and Dad’s dismay
Horace ate himself one day.
He didn’t stop to say his grace
He just sat down and ate his face.
This is just the first verse, and results in MthMaDdHahodHdstshgHjsdaahf. The entire poem would generate a password that I can picture being an entire Pythonesque sketch in itself 🙂
I’m not suggesting that you learn the Horace Poem. You need to start by asking yourself what you know. Poetry? Song lyrics? Shakespeare? Famous quotes, perhaps?
Once you’ve come up with a password, use a password checker to gauge its strength, bearing in mind what a checker can and can’t measure: it scores the length and mix of characters it sees, and has no way of knowing whether the verse behind the password is one that everybody knows. ‘Acronym passwords’ aren’t particularly strong, but there’s a simple way to make them stronger: just add a number to the end. Naturally you’ll need to be sure that you’ll be able to remember the number you’ve added; one way of doing this is to count the characters and then put that total at the end. For instance, Microsoft’s password checker claims that ‘OrtrtaOrtftOrtbtaAitdbt’ is ‘medium strength’, but making it ‘OrtrtaOrtftOrtbtaAitdbt23’ makes it not just stronger, but ‘best’. [update 20Dec2011: intriguing… the latest incarnation of that password checker claims that both of those strings now qualify as ‘best’. I wonder what changed?]
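Here is the whole procedure in one place, as an added example that is not from the original post: take the first letter of each word (the acronym trick from the Latin quote above), string the lines together, and tack the character count on the end. The two verses are the ones quoted above, embedded as sample input. Two choices of mine to be aware of: the function strips leading and trailing punctuation and keeps the original capitalisation, so it does not reproduce the lowercase, parenthesised ‘qcic(wwgtg)’ exactly; and naive_bits is a stand-in for a strength checker, computing only length times log2 of the apparent alphabet, which is precisely why it can’t tell a famous verse from a private one.

```python
import math
import string


def acronym(line):
    """First letter of each word in a line, case preserved. Leading and
    trailing punctuation is stripped, so 'day.' and '(who' still count
    as words; the apostrophe inside "Dad's" is left alone."""
    letters = []
    for token in line.split():
        token = token.strip(string.punctuation)
        if token:
            letters.append(token[0])
    return "".join(letters)


def acronym_password(lines, length_suffix=False):
    """Join the acronyms of several lines of verse; optionally append the
    character count, the memorable number the post suggests."""
    core = "".join(acronym(line) for line in lines)
    return core + str(len(core)) if length_suffix else core


def naive_bits(password):
    """What a simple strength checker measures: length times log2 of the
    apparent alphabet (26 lower, 26 upper, 10 digits, 32 punctuation).
    It says nothing about whether the underlying verse is public."""
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isupper() for c in password):
        alphabet += 26
    if any(c.isdigit() for c in password):
        alphabet += 10
    if any(c in string.punctuation for c in password):
        alphabet += len(string.punctuation)
    return len(password) * math.log2(alphabet) if alphabet else 0.0


# The two verses quoted in the post, embedded here as constructed sample input.
RING = ["One ring to rule them all", "One ring to find them",
        "One ring to bring them all", "And in the darkness bind them."]
HORACE = ["Much to his Mum and Dad's dismay", "Horace ate himself one day.",
          "He didn't stop to say his grace", "He just sat down and ate his face."]

if __name__ == "__main__":
    for verse in (RING, HORACE):
        plain = acronym_password(verse)
        suffixed = acronym_password(verse, length_suffix=True)
        print(plain, round(naive_bits(plain), 1), "bits (naive)")
        print(suffixed, round(naive_bits(suffixed), 1), "bits (naive)")
```

Running it reproduces ‘OrtrtaOrtftOrtbtaAitdbt’ and ‘MthMaDdHahodHdstshgHjsdaahf’ from the verses, and ‘OrtrtaOrtftOrtbtaAitdbt23’ once the count is appended. The naive score jumps from about 131 to about 149 bits when the two digits are added, which is the sort of thing a checker rewards; what it never sees is that the first 23 characters were derived from a verse printed in millions of books.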
Now that we have more than one gOOD-pASSWORD!1 – we need somewhere to keep all of them…