Tuesday, March 27, 2007
Passwords By Design
If you are like me, you find it a pain to remember passwords for a variety of systems of all types. And storing them in a password manager just puts your entire life in the hands of some memory key, and limits you to accessing your accounts from computers that have the password manager software.
This system isn't perfect, but it does allow for a reasonable level of security. If in doubt (especially for any critical system), use a randomly generated, highly secure password.
Well, the system I've been using has three components:
- A part that you easily remember
- A part that is related to the website you are logging in to.
- A part you can work out easily.
It also assumes that you can divide your accounts into four basic types:
- Trash - systems you log onto just to get registered for some trivial reason (my World of Warcraft guild site, for example).
- Low - Forums etc where you log on to discuss things (for me - http://www.whirlpool.net.au is an example)
- High - Anything which can cost you real time, money or inconvenience (Your internet access password, email passwords, software purchasing sites)
- Critical - Reserved for anything which allows access to your money (Banks, Insurance, Tax etc)
The aim is - you are not going to remember a password, you are going to create one on the fly.
First - think of 4 things you can remember, one for each security level. The more secure the thing is, the more complex and unknown it should be.
Step 1 - 'EASY TO REMEMBER'
For example, if I choose to use words (you can use whatever you want):
My 'Trash' word might be 'Rubbish' - easy to remember, and I associate it with my trash.
My 'Low' word might be 'Joseph' - my middle name.
My 'High' word might be 'Frank.Sinatra' - my favourite singer, with a dot to separate the names.
My 'Critical' word might be 'Jan1962Nancy' - the birth month, birth year and name of a child.
These words don't have to change too often, so make them things you can remember - just four things.
Step 2 - 'RELATED to the SITE'
Think of a part of the website which you can use as a key to that site. Something on the website itself can be used, for example:
- The first 5 consonants of the website name (e.g. Whrlp for whirlpool, Cnn for CNN.COM, Slshd for slashdot)
- The year you joined
Either way, make this consistent across all sites - so it's easy to remember. It can be as bizarre as you want - you only have to remember it once.
Step 3 - 'WORK OUT EASILY'
Think of a trick you can use to modify the two components into a single password - again, make it as bizarre as you want - you only have to remember it once. For example:
- Interleave the characters
- Change 0s to o, 1s to i, etc.
- Join the words with an @ in between and a # at the start.
I use http://www.whirlpool.net.au to discuss issues related to broadband (and to cause heartburn and distress to a large number of fellow users). Here is an example of creating a password for it:
My Low word is 'Joseph'
My Related word is 'Pool'
My Work out is 'change o to @, interleave the letters and add a # at the start'.
My Whirlpool password is #JP@@s@elph
That is a total of 6 things I have to remember in order to produce hundreds of passwords.
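To make the three steps concrete, here is an added Python example (not code from the original post) that implements the consonant key from Step 2 and the 'change o to @, interleave, prefix #' rule from Step 3, and reproduces the Whirlpool password above from 'Joseph' and 'Pool'. The function names and the vowel list used for the consonant rule are my own assumptions.

```python
# Added example: derive a site password the way the post describes.
# Function names and the vowel set are assumptions, not from the post.

VOWELS = set("aeiou")


def site_key(site_name: str, n: int = 5) -> str:
    """Step 2: first n consonants of the site name, capitalised.
    e.g. 'whirlpool' -> 'Whrlp', 'slashdot' -> 'Slshd'."""
    consonants = [c for c in site_name.lower() if c.isalpha() and c not in VOWELS]
    return "".join(consonants[:n]).capitalize()


def interleave(a: str, b: str) -> str:
    """Alternate characters from a and b; the tail of the longer string
    is appended unchanged once the shorter one runs out."""
    out = []
    for i in range(max(len(a), len(b))):
        if i < len(a):
            out.append(a[i])
        if i < len(b):
            out.append(b[i])
    return "".join(out)


def derive_password(level_word: str, related_word: str) -> str:
    """Step 3 as used in the post's worked example:
    replace lowercase 'o' with '@' in both words, interleave them, prefix '#'."""
    a = level_word.replace("o", "@")      # 'Joseph' -> 'J@seph'
    b = related_word.replace("o", "@")    # 'Pool'   -> 'P@@l'
    return "#" + interleave(a, b)         # -> '#JP@@s@elph'


if __name__ == "__main__":
    print(site_key("whirlpool"))              # Whrlp
    print(derive_password("Joseph", "Pool"))  # #JP@@s@elph
```

Because the same rule is applied to every site, anyone who sees two of your passwords from the same level can often reconstruct the rule, which is why the post reserves this scheme for trivial accounts and random passwords for critical ones.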
Of course, this is to address trivial passwords - anyone who is using superior methods - stick with them. The aim of this page is to assist people with password generation with more security bang per mental buck.
Update: I am working on a simpler and far more secure password system called Password Squares, keep your eyes peeled (27th March 2010)