Perfect Passwords, Every Time
by Richard White
Man, I am really getting tired of all this talk about passwords.
Okay, okay, I’m one of the people who has been talking about them, but… still. Seriously. Can’t we all just learn how to create awesome passwords and be done with it?
You know all the don’ts, right?
- Don’t use words found in any dictionary, English or otherwise.
- Don’t use any personal information: names, dates, social security numbers…
- Don’t use the same password for multiple uses/websites.
- Don’t use a password that is too short.
And then there are the dos, which can be a bit overwhelming.
- Do use a mix of letters, numbers, and special symbols.
- Do use different passwords for different sites, and change your passwords regularly.
- Do use a longer password.
I probably don’t need to spend a great deal of time explaining the rationale behind these rules, which are well-founded. Bad guys do try to guess your passwords, both to important things like your bank account, and seemingly trivial things like your email (which they can use to get your bank account passwords). Bad guys use computer programs to try to guess your passwords. Bad guys look at passwords stolen from other places like Sony and try to use them for your other accounts.
It’s a jungle out there. But here’s how you can deal with it. All you need is a system.
It needs to be your own system, of course. You don’t want to reveal your system, your pattern, your trick, to anyone else, because then they’ll know your system, and will be able to guess your passwords. Not good.
But I’m going to show you my system, and you can use something similar, and then we won’t ever have to talk about how to make good passwords again, mmm-kay? :)
Here’s what you need:
- A root
- A place indicator
- Padding
- A time indicator
Let’s see what those four items mean, and how they can be used to create a good password.
1. A root
The foundation of your passwords is a good root password, sufficiently random that no one will be able to guess where it came from. You will use this same awesome root for every site you use. My personal recommendation is to use the initials of a favorite song lyric or passage from a book.
- “In the beginning, God created the Heavens and the Earth.”
- “Ob-la-di, ob-la-da, life goes on, bra”
- “We, the people of the United States…”
These are already some pretty good little passwords, but they’re too short (susceptible to random guessing) and they aren’t going to be different based on place. Let’s fix that.
2. A place
We’re going to add, on either side of your root password, one or two characters that are unique to where that password is being used. For this exercise, let’s say that we’re just going to add a single letter before and after our root, and those letters (according to the system I’m using) are the first and second letters of the place name. If I’ve selected “WtpotUS” as my root password, how does that affect our passwords?
- User password on my Windows computer
- Amazon account password
- Bank account password at Chase
Notice how cool this is: even if someone were to see me typing in my Windows password, without knowing my system they wouldn’t have any idea which of those letters are the root and which are associated with the Windows machine. They wouldn’t even know to look for such patterns; there’s so much entropy in that password.
So now I have a reasonably good password that’s different for different situations. For some people, that’s good enough. But we can do better, and very easily.
3. Padding
We haven’t yet used any special characters in our password—#, &, %, (, @, etc.—and using special characters is an easy way to increase both the complexity and the length of our password. For my situation, I’m going to use the three characters “!@@” both before and after my passwords. My passwords now are:
- User password on my Windows computer, with padding
- Amazon account password, with padding
- Bank account password at Chase, with padding
4. A time indicator
It may be that you want, or need, to change your passwords from time to time. Some systems require this, and other people just think it’s a good idea. One possibility is to include some sort of date signature in your system, but keep in mind that it can’t look like a date signature; otherwise, someone who learns one of your passwords is going to have a big clue about your other passwords.
In my system, I try to change my passwords every 3 months or so, starting on my birthday in February, and I use the number of the month that starts each three-month period followed by the last digit of the year. So my passwords from February to April in 2011 will have a 21 included. From May to July the passwords will have a 51 included.
- User password on my Windows computer, with time indicator for February – April, 2011
- Amazon account password, with time indicator for May – July, 2012
- Bank account password at Chase, with time indicator for November, 2010 to January, 2011
And that’s all there is to it.
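The four steps above, worked through as an added Python example (this is not the author’s code). It assumes the root is the first letter of each whitespace-separated word, that the time indicator goes after the trailing padding (the post only says the digits are “included”), and that the period beginning in November runs through the following January.

```python
def root_from_phrase(phrase):
    """Initials of a favorite lyric or passage, one letter per word.
    "We, the people of the United States..." -> "WtpotUS"."""
    initials = []
    for word in phrase.split():
        letters = [c for c in word if c.isalpha()]
        if letters:
            initials.append(letters[0])
    return "".join(initials)


def time_indicator(month, year):
    """Number of the month that starts the current three-month period
    (Feb, May, Aug, Nov) followed by the last digit of the year:
    Feb-Apr 2011 -> "21", May-Jul 2011 -> "51", Nov 2010-Jan 2011 -> "110"."""
    if month == 1:  # January belongs to the period that began in November
        year -= 1
        month = 13
    start = max(s for s in (2, 5, 8, 11) if s <= month)
    return f"{start}{year % 10}"


def build_password(root, place, padding="", month=None, year=None):
    """Root wrapped in the place name's first/second letters, then padding.
    Assumption: the time indicator is appended after the trailing padding."""
    password = f"{padding}{place[0]}{root}{place[1]}{padding}"
    if month is not None:
        password += time_indicator(month, year)
    return password


def strength_summary(password):
    """Length and which of the 'dos' character classes are present."""
    return {
        "length": len(password),
        "upper": any(c.isupper() for c in password),
        "lower": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(not c.isalnum() for c in password),
    }


if __name__ == "__main__":
    root = root_from_phrase("We, the people of the United States...")
    for place, month, year in (("Windows", 2, 2011), ("Amazon", 5, 2012),
                               ("Chase", 1, 2011)):
        pw = build_password(root, place, "!@@", month, year)
        print(place, pw, strength_summary(pw))
```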
Okay, okay, I know what you’re saying: “I don’t care about changing my passwords every three months.” Fine. Leave #4 off your list.
Or, “Can’t I just use one special character for my padding, rather than three?” Of course you can—make your own system, based on similar parameters: high entropy (disorder) in your password, and greater length (in order to discourage brute force attacks).
Or, “Do I really need a system this complex for my Webkinz subscription?” Probably not, but I know some 8 year olds who are pretty darned protective. Use your password system at your discretion.
It bears mentioning, too, that if most of your passwords are used on the Internet, then a service such as LastPass or KeePass might be valuable to you. They offer true entropy, and site-specific passwords managed by a single master password. Of course, relying on a third party to manage your security can have its problems too.
Using and maintaining passwords is hard work, but it’s increasingly important that we all have a basic working understanding of what’s involved. Root – Place – Padding – Time is a useful, customizable way of creating and remembering stronger passwords.