Have you ever heard of ‘Identity Theft’? (No? Where have you been the last few years – playing Evercrack or something?)
Using one password for everything is definitely a Bad Idea. So is writing that one password down on a post-it note and sticking that to your computer. If you want to see a security expert start ranting and tearing his hair out, write “ksH3wN$7Jjs6” on a post-it note and stick it on your computer in a prominent position. Then invite your local security expert over to your cube for a chat, sit back and wait for the fireworks :)
The alternative to the single password isn’t a particularly great idea either: maintaining a list of passwords isn’t a lot of fun (nor is it very much more secure than using a single password). The fun really starts when you lose the list…
All the security advice tips I’ve ever read say: “use strong passwords, a different one for each service you need to password-protect – and don’t write them down!” But when I look for advice on how to manage all those passwords: nothing. Nada. Zip. Zilch.
What’s needed is a means of creating a strong password that you won’t forget, and which adapts itself to the service it provides access to, in a way that is easy to remember.
Here’s my solution to this conundrum.
Step 1: generate a strong password.
Step 2: learn that password. But, if you’re having trouble learning it – don’t panic: write it down on a post-it note and stick it on your computer.
Wait, what? Didn’t we just say that using a single password was a Bad Idea? With both the Capital-B AND the Capital-I? And didn’t we say that the post-it note would cause security experts to lose hair?
Hold your horses, we’re not quite done yet.
Step 3: Mix up ‘123’, once. It doesn’t matter how you mix it up. It doesn’t really even matter if you end up with a result that’s ‘123’, either. You might get ‘312’, or ‘132’, or ‘231’. Doesn’t matter. What DOES matter is that once you’ve got a result, you fix that result in your memory. Make sure you won’t forget it, ever.
What was that? You’ve got the kind of brain that has trouble remembering a 4-digit PIN? Butbutbut… this is only three digits we’re talking about here, not four… ah, what the heck, write it down on your post-it note too.
Now we come to the canny bit. (Well, I think it’s canny, anyway.)
Step 4: when you need a new password, take the first three letters from the service you need the password for, rearrange them according to your ‘mixed-up 123’, and then use those three letters in front of your committed-to-memory-never-to-be-forgotten password (the one that’s on your post-it note).
Et voilà, new password, complete with built-in unforgettability and extra security. Because even if someone does read your post-it note – that ISN’T the password.
Your post-it note reads: gOOD-pASSWORD!1 312
You want a password for your hotmail account. So, first you take a look at ‘312’.
The ‘312’ means: take the 3rd letter, then the 1st letter, then the 2nd letter of ‘hotmail’. Result: ‘tho’. Put this in front of your strong password ‘gOOD-pASSWORD!1’, to make ‘thogOOD-pASSWORD!1’. Easy :)
Should I? Ah, I suppose I’d better say it. The one thing you DON’T want to do is to make a list like this on your post-it note. Definite no-no territory, that would take you straight back to square one. Do not pass ‘go’, do not collect £200 (in fact give £200 to someone else).
But do it in your head and you’re fine.
Oh, and the sooner you can commit your strong password and your ‘mixed-up 123’ to memory and throw away your post-it note, the better. Because if someone should twig that you’re using this system to generate your passwords, you’re back at that good ol’ square one again.
Now then, where was I? Oh yes… although you could use ‘gOOD-pASSWORD!1’ as your strong password, making up your own is obviously far better. Something like ‘ksH3wN$7Jjs6’, for instance.
Example Time Again
Your post-it note reads: ksH3wN$7Jjs6 312
You want a password for your hotmail account. So, first you take a look at ‘312’. This says to you: take the third letter, then the first letter, then the second letter of ‘hotmail’. Result: ‘tho’. Put this in front of your strong password ‘ksH3wN$7Jjs6’, to make ‘thoksH3wN$7Jjs6’.
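The derivation in both worked examples above, written out as a small Python script. This is an added illustration, not code from the original post; the post says nothing about service names containing punctuation or digits, or about names shorter than three letters, so the handling of those cases (skip non-letters, reject short names) is my assumption and is marked as such in the comments.

```python
"""Worked example of the post's 'mixed-up 123' password scheme (added example).

The mix-up is a permutation of the positions 1, 2, 3 (for example '312'),
applied to the first three letters of the service name; the rearranged
letters are then placed in front of a fixed strong password.
"""
from itertools import permutations

# The six valid mix-ups: every ordering of the digits 1, 2 and 3.
MIXUPS = {"".join(p) for p in permutations("123")}


def first_three_letters(service: str) -> str:
    """Return the first three alphabetic characters of a service name, lower-cased.

    Assumption (not stated in the post): punctuation and digits are skipped, and
    a name with fewer than three letters is rejected rather than padded.
    """
    letters = [c.lower() for c in service if c.isalpha()]
    if len(letters) < 3:
        raise ValueError(f"service name {service!r} has fewer than three letters")
    return "".join(letters[:3])


def apply_mixup(three: str, mixup: str) -> str:
    """Rearrange a three-letter string according to a mix-up such as '312'.

    '312' means: 3rd letter, then 1st letter, then 2nd letter.
    """
    if mixup not in MIXUPS:
        raise ValueError(f"mix-up must be a permutation of '123', got {mixup!r}")
    return "".join(three[int(d) - 1] for d in mixup)


def derive_password(service: str, strong: str, mixup: str = "312") -> str:
    """Service-specific password: mixed-up three-letter prefix + strong password."""
    return apply_mixup(first_three_letters(service), mixup) + strong


if __name__ == "__main__":
    # The post's sample post-it note: strong password and mix-up.
    post_it = ("ksH3wN$7Jjs6", "312")
    for svc in ("hotmail", "eBay", "amazon"):
        print(f"{svc:8} -> {derive_password(svc, *post_it)}")
```

Running the script prints one derived password per service; the prefix changes with the service while the strong part stays the same, which is exactly what the post-it note does not reveal on its own.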
Even if your ‘strong password’ is something obscure (like “ksH3wN$7Jjs6”), I guarantee that you’ll soon be able to remember it without difficulty. Before long, you’ll have entered it so many times it will be impossible for you to forget it. The human brain’s a clever thing. Much smarter than these new-fangled computer thingies. Really.
And when that day does come, you can throw your post-it note away; and the next time your security expert drops in for a chat, he won’t lose any more hair.
Well, OK, I grant you that it’s entirely possible that he’ll already be bald by then.
Why three characters for the ‘mixup’ part? Well, my original version of this technique simply took the first four characters (not three) of the service name and put them in front of the ‘strong password’. But when I tried it out I found that eBay considers that any password (no matter how long it is!) beginning with ‘ebay’ is ‘invalid’, and wouldn’t let me use it. You could just use the first character of the service name if you want, and forget about the ‘mixup’ step altogether – especially if you can remember the ‘strong password’ part from the word ‘go’. If you feel the need to write down your password somewhere, using the ‘mixup’ makes it harder for someone to figure out what you’re up to.
As for putting the ‘service name’ part of the final password before the ‘strong password’ part, I have a good reason for suggesting this. It is possible for someone who is able to look over your shoulder on a regular basis to – eventually – steal your password. How? Pretty simple really. If I can see that you’re about to enter a password (pretty obvious on some systems), I can watch for your first keypress. Just the first one. Next time I see you entering a password, if I see you hit the same key again – I try to see what the next one you hit is… and so on. The technique I’ve outlined above means that the ‘final password’ starts with different keys each time – so this foils any such snooping.
One final note. No security system is totally foolproof, no matter what the marketing blurb may say. If you’re the kind that talks in your sleep or has a tendency to get involved with suspicious ladies of the night armed with hypodermic syringes – all bets are off. In theory at least, if everyone started to use a technique such as this (or a similar one), then those who would crack on-line passwords might, given time, be able to farm enough passwords from enough sites to do a comparison that would spot the technique.
Password-protection systems are inherently clunky, and (let’s face it) insecure: I don’t think that it will be too long before a better system comes along. Now, if only I could be the one to design it… hmm….
[update: see https://pendantry.wordpress.com/2007/04/19/passwords-two-rings-to-rule-them-all-d/ for a minor addition to the ‘One Ring’.]