Quality In Life – Living Smarter…


10 Strategies for choosing a Secure Password You Can Remember

Having seen my fair share of “bad passwords” and understanding that for many IT departments password resets can account for 20-30% of all calls, it seems there is the need for a post on this topic that might help people choose good passwords they can remember.  


(flickr credit: ferran.pons)

There are two very different perspectives

From the IT side of things, generally the focus seems to be on security, which results in policies that:

  • make users change their password every 30-60 days
  • require more complex combinations of UPPERCASE letters, lowercase letters, numbers and symbols.
  • lock out your account if you get your password wrong a few times in a row (ever left caps lock on?) 

On the user side of things, generally the focus is on the utility of being able to log in so that you can get your work done.  This focus leads towards:

  • Folks who have forgotten their passwords using others’ accounts so they can get their work done.
  • Passwords on post-it notes by their monitors
  • Users re-using passwords between systems to reduce the number of passwords they need to remember
  • People picking “easy” passwords to help remember them.

So it is easy to see how either side could view the other with disbelief.  The IT group shakes their heads at people choosing poor passwords and showing disregard for security.  The users shake their heads at an IT group that appears to care more about complicating passwords than helping them perform their daily tasks.  It doesn’t have to be contentious; there is hope.  More and more, users are becoming educated about the importance of good security practices, and security professionals are realizing that the best security is the kind that works for users rather than against them.

What makes a password good?

Put simply, anything you can do to make your password difficult to figure out is good.  So if your password is really long, and composed of many types of characters, it becomes very difficult to “guess”.  If your password is short, a real word found in the dictionary, or something an attacker would know about you, then you make it easier for someone to guess your password.  But having a “good” password is only part of the challenge.  The best password in the world does you little good if you can’t remember it.  Locking out all the would-be hackers is only part of the equation, making sure the account is accessible by the right person is the other.

ForgotPassword (flickr credit: guspim)

10 Strategies for choosing a secure password you can remember

So here are some strategies for picking a strong memorable password.  Read through them all, and pick 1 or 2 that will work for you.

1. Plan ahead

Have a strategy for picking passwords that you can use across many systems.  That way when you go to a new system that asks you to pick a password, you can apply your strategy rather than having to wrack your brain for a new password.

2. Take your time

Taking 60 seconds to think about a great password you will remember, rather than typing the first thing that pops into your brain, will pay dividends.  Apply your strategy and pick something you will be happy with.

The next 3 get you to try not thinking in terms of a pass-word.

3. Think in terms of a pass-phrase.  

It could be a line from a song, a poem, a story, anything, but of course you will modify it by adding punctuation, truncating the sentence or swapping in a word you like better, like:

  • “The dish ran away with the poon”  
  • “I’m dreaming of a white Xmas”
  • “AllIwantforChristmasismy2frontteeth!”  
  • “Thyme4Golf!”
  • “4getaboutit!”
  • “NowwhatwasmypasswordCharlie?”

4. Think in terms of a pattern.  

A very popular pattern is to apply a prefix, a root, and a suffix to your passwords.  Here is my version of “the pattern”:

  • The prefix modifies the root, so you might want to relate it to what you are logging into.  If you logged into a system for email, you might use “email” or “Email” or “e-mail” or “E-mail” as a prefix.  
  • A good choice for the root is a non-dictionary / non-name word like “selebrait” (yes, exactly, it isn’t in a dictionary).
  • The suffix is something you add to your pattern to supply the required “non-letter” characters so that your password is “complex” enough.  Let’s choose “$4”.
  • For email your password might be “emailselebrait$4”;  for AOL it might be “aolselebrait$4”, for gmail it might be “gmailselebrait$4” etc…

5. Think in terms of a simple puzzle.  

Asking “Where am I, who am I, what kind of login is this?” could yield unique results for every login while requiring only a little bit of mental gymnastics.  For a gmail login it might be “gmailGregWebmail”.

6. Anticipate being asked to change your password.

So if you have picked out a fabulously strong password that you can remember well, don’t let the “prompt to change your password” cause you stress: build a “counter” into your password which you can simply increment.  It might look like:

  • “Sallysellsseashells!1”, “Sallysellsseashells!2”, “Sallysellsseashells!3”

which is a reasonably complex password you could remember and which would allow you to “survive” the password change without having to think of a new password.  Note, lots of password systems won’t let you simply tack on a number (too easy).  So I recommend you resort to one of two ninja password moves I’ve come to appreciate.  The first is to use a numeric increment, but not on the end:

  • “Sallysells1seashells!”, “Sallysells2seashells!”, “Sallysells3seashells!” 

Or you could use something other than a number to increment.  If you held down “SHIFT” while pressing the numbers 1-9 you would see “!@#$%^&*(”, so using our Sally example again it might look like this:

  • “Sallysellsseashells!!”, “Sallysellsseashells!@”, “Sallysellsseashells!#” 

Or you could substitute letters for numbers along the lines of A=1 B=2, or Q=1 W=2 E=3 (look at your keyboard to understand why I’m choosing those letters).

7. Use your muscle memory.  

What do the following 4 passwords have in common?

  • ajskdlf;
  • quwieorp
  • zmx,c.v/
  • 17283940

OK, that last one should have given it away.  The fingers type the same sequence in a different row of the keyboard.  By mixing up the rows and columns on your keyboard you could easily come up with dozens of “muscle memory passwords” that feel the same to your fingers but would leave a potential hacker scratching his head.  NOTE: Left to right rows of keys like “qwerty” and “asdfg” are REALLY bad passwords.

8. Test your password strength.

Not sure if you picked something strong enough?  You could always try typing it into the Microsoft password checker: http://www.microsoft.com/protect/yourself/password/checker.mspx  If you are a bit paranoid like me you won’t like the idea of typing your password into a webpage.  Don’t worry; Microsoft assures you: “The password is checked and validated on your computer, but is not sent over the Internet.”
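As an added example, not part of the original post or of any vendor’s checker: a small Python script that runs the kinds of checks strategies 6 to 8 describe entirely on your own machine, so nothing is typed into a webpage. It scores length and character variety, flags straight keyboard-row runs like “qwerty” and “asdfg”, flags a tiny constructed word list standing in for a real dictionary, and detects the “just tack a number on the end” change that many password systems reject. The scoring weights, the word list and the function names are my own choices for illustration.

```python
import re
import string

# Constructed stand-in for a real wordlist; a real checker would load thousands of entries.
COMMON_WORDS = {"password", "letmein", "welcome", "qwerty", "spock", "borg"}

# US keyboard rows, used to spot straight left-to-right (or right-to-left) runs along one row.
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl;", "zxcvbnm,./"]


def has_keyboard_run(password, min_run=4):
    """True if the password contains min_run or more adjacent keys from a single row,
    in either direction (catches "qwerty" and "ytrewq", but not zig-zag patterns)."""
    p = password.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - min_run + 1):
            seq = row[i:i + min_run]
            if seq in p or seq[::-1] in p:
                return True
    return False


def is_trailing_counter_change(old, new):
    """True if `new` is `old` with only its trailing digits changed, the
    "Sallysellsseashells!1" -> "Sallysellsseashells!2" move that many systems refuse.
    A counter in the middle ("Sallysells1seashells!") is not caught, as the post suggests."""
    return old.rstrip(string.digits) == new.rstrip(string.digits)


def score_password(password):
    """Return (score, rating, findings) from a simple offline heuristic:
    up to 4 points for length (one per 4 characters), up to 3 for extra character
    classes, minus 3 for a keyboard run and minus 3 for a common word."""
    findings = []
    classes = sum(bool(re.search(pat, password))
                  for pat in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    score = min(len(password) // 4, 4) + max(classes - 1, 0)
    if len(password) < 8:
        findings.append("shorter than 8 characters")
    if classes < 3:
        findings.append("uses fewer than 3 character classes")
    if has_keyboard_run(password):
        findings.append("contains a keyboard-row run (e.g. qwerty/asdfg)")
        score -= 3
    if password.lower() in COMMON_WORDS:
        findings.append("is a common word that crackers try first")
        score -= 3
    score = max(score, 0)
    rating = "weak" if score <= 2 else "fair" if score <= 5 else "strong"
    return score, rating, findings


if __name__ == "__main__":
    for candidate in ["qwerty", "Thyme4Golf!", "AllIwantforChristmasismy2frontteeth!"]:
        print(candidate, score_password(candidate))
    print(is_trailing_counter_change("Sallysellsseashells!1", "Sallysellsseashells!2"))
```

The row check only catches straight runs along one row; the zig-zag “muscle memory” patterns from strategy 7, such as 17283940, slip past it, which is a reminder that a heuristic score like this is a floor on what a cracker might try, not a proof of strength.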

9. (Guys only) Write all your passwords down on paper in your wallet.

We are talking about the wallet that never leaves your front pocket.  If you lose your wallet, treat your passwords like your credit cards and get them all changed.  (Ladies, nothing personal here, but the purse left slung over a chair in your office is nowhere near as safe as the wallet located in a guy’s pocket.)  Guys, if you don’t trust the people living in your house this might be a poor choice.

10. Use password safe software

Password safe software can hold all of your passwords.  These tools use a master password to encrypt all of your passwords.  If it fell into the wrong hands it is useless to the bad guys, but in your hands, it can help you not only remember passwords, but also usernames, URLs for logging in and other details you record with the entry in a searchable “password database”.  I recommend KeePass which I’ve discussed previously.

Hopefully these 10 strategies for choosing a secure password you can remember will lower your password stress, raise the strength of your passwords, and save you some time chatting with the nice guys at your company’s IT support desk.

Cheers,

Greg.



Choosing and using passwords badly
March 7, 2009, 1:00 pm
Filed under: lifehacking

If you want to pick a bad password you have come to the right place.  A password is only useful if it is something you can remember and nobody else can figure out.  Today we are going to discuss several common password mistakes so that your passwords can be:

  • Easy for hackers and others to guess
  • Easy to disclose
Password (flickr credit: Bruno Santos)

For picking a bad password try…

  • Making your password the same as your username
  • Use a meaningful name, like your name, your middle name, your mother’s maiden name, or the name of your children or the name of your pets.  Basically, choose anything someone could read off of your Facebook page.  Remember, if you are really tricky you can REVERSE the name.  I’m sure nobody would think of that.
  • Use significant numbers like a date: your postal code, your birthday, your anniversary, your kid’s birthday.
  • Use 0bscenities.  No decent hacker would dare type THAT.  (Most password cracking software will try them early on because they are very common.)
  • Science fiction terms, Greek letters and mythology, like “Data”, “Spock”, “Borg”, “HAL”, “Epsilon”, “Venus” and “Aphrodite”.
  • Computer terms: stay away from “keyboard”; “mousepad”; “megabyte”; etc.
  • Line-of-sight terms: e.g., “Gateway” because that’s the brand of your computer, or “telephone” because there is one on your desk. Though this can help you remember your password, it is a trick that password crackers are on to. To play it safe, avoid any reference to common objects found in households and offices.
  • Common phrases: in particular, those pertaining to greeting or getting down to work, such as “Good morning,” “Wake up”, “Hey you” or “Get going.”
  • Anything related to your login ID: It’s relatively easy for other people to get your login – don’t let it provide a clue to your password! For instance, if your login is “basset” don’t make your password “doglover.”
  • When choosing an ATM PIN, make sure that the (4) numbers you pick spell a word like “Love” (hardly anyone would think of that one… Sorry if I’m giving all your secrets away.)

For bad password management try…

  • Put your password on a note and tape it to your monitor.  This way an unethical coworker could read and use your account pretending to be you.
  • Use the same password everywhere.   This way if someone gets into one of your accounts, like an online email account, they could figure out what other services you use and use the same password to access those other services.
  • Base your password on something that will change over time, like the date.  “MyBrandNewPasswordFor2001” made sense in 2001, but 8 years later you may find yourself trying out all the intervening years.
  • Share your password with people who need to “borrow” your account, then don’t change the password even after it may have been discovered.
  • Use an unmemorizable password like awnf65ayr8f9as6df584, as nobody will argue that it is not secure.  This way you will have to write it down.  Maybe in the front cover of your daytimer, or in a file on the desktop called password.txt.
  • When you forget your password, you can rely on the “security questions” like what is your favourite colour to recover your password.  Choose easy or predictable security questions.  In response to “what is your favourite colour?” choose “Blue” rather than Oceanic815.
  • Type passwords slowly in full view of those around you.
  • Never look around at ATMs for hidden cameras which may be watching the keypad.
  • Do not shield the keypad when using your bank card
  • Don’t change passwords on electronic door locks with push buttons so the worn buttons can remind you of the numbers in your combination.
  • Leave Laptop locks and safe combinations “set” so that you can open these items more easily.

There, those should be enough tips to get you started on choosing poor passwords and using them badly.  I hope you found this informative despite the tongue in cheek delivery.  Watch for an upcoming article on “Choosing and remembering really good passwords”.

Cheers, and safe computing!

Greg.



Protect your Passwords with KeePass
February 8, 2009, 11:19 pm
Filed under: lifehacking

Remember all your passwords easily by storing them securely in a password safe.

When it comes to password security, we continue to hear about the importance of choosing passwords:

  • that are too complex to be guessed
  • that are unique from every other  password we use
  • that aren’t real words or dates or names

And it works great to keep our accounts safe…  until WE forget our own password.  Then we wish we’d re-used a password, or picked something we could guess.  God help us if the account locks itself after 3 wrong tries.  I am at the point in my Internet experience where I can’t keep track of all the places I have accounts (never mind my passwords).  So I needed a tool to help me, because apparently large amounts of fair-trade coffee aren’t enough to jog my memory.

I needed a place I could keep all my passwords.  I needed a password safe.  It had to hold passwords, URLs, usernames and comments, have the ability to organize those passwords in a hierarchy that would make sense, and it needed to be secure lest it fell into the wrong hands.  For several years I have used PasswordSafe, which promises “Simple & Secure Password Management”.  It worked great, but I had one problem using it.  I could rarely remember which subfolder in the hierarchy contained my entry… I needed search.  Enter Keepass.  Keepass offers all the above features including “search”: type in some text and it will match every entry in the encrypted Keepass database that contains it.

way better than a post-it note!

I have been absolutely loving Keepass, and as long as I’m disciplined enough to put my passwords in there, they are available to me when I need them.  The Keepass website makes this introduction: “KeePass, the free, open source, light-weight and easy-to-use password manager.”

Keepass logo

So there was one more problem I needed to address and it was the question of how do I synchronize keepass databases across the multiple computers that I use in a week.  I don’t have a magical 5 minutes every time I’m done using a computer to make sure my database is copied correctly.  So the fear would be that an old copy overwrites a new copy, or that a password is in one location and not the other location where I need it. (What computer was I sitting at when I signed up for that account?).

Dropbox logo

To synchronize files, I turned to Dropbox.  The promise of Dropbox is that you can “synchronize files online across computers”.  On the downside, Dropbox requires you to install some software on your computer which runs at startup (or else there is little point in automatic synchronization).  It probably uses more memory than it needs, but hopefully someone on the Dropbox team will be working at reducing that memory footprint further.  Essentially you share a folder with yourself via the Dropbox website.  Your application checks every so often to see if the file has been updated, and if so, you get the most recent copy.  For myself, there is no synchronizing via this method at work, in order to respect policies around automated Internet traffic and not installing unsanctioned software.  So I have ALMOST solved my problem, right?  The rest of the solution is provided by Keepass itself, which has a handy importing feature.  You can import from another Keepass database into a specified folder, and the passwords themselves have a unique identifier to help make sure that you are truly synching the same password.
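The sync worry described above (an old copy overwriting a new one, or an entry living on only one machine) comes down to how two copies of a password database are merged. As an added example that is not Keepass’s own code and does not read its file format, here is a Python merge that matches entries by a stable per-entry identifier rather than by title, keeps the copy with the later modification time, and carries over entries present on only one side. The `Entry` fields, the `uid` name and the two sample databases are constructed for this illustration.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Entry:
    """One password-safe record. Field names are assumptions for this example, not a file format."""
    uid: str        # stable unique identifier for the entry, like the one the post mentions
    title: str
    username: str
    password: str
    url: str
    modified: int   # last-modified time as a Unix timestamp


def merge_databases(local, remote):
    """Merge two copies of a password database.

    Entries are matched by uid, never by title (titles get edited). When both copies hold
    the same uid, the copy with the later `modified` time wins as a whole entry; entries
    present in only one copy are kept. The result is sorted so both merge orders agree."""
    merged = {}
    for entry in list(local) + list(remote):
        current = merged.get(entry.uid)
        if current is None or entry.modified > current.modified:
            merged[entry.uid] = entry
    return sorted(merged.values(), key=lambda e: (e.title, e.uid))


def build_sample():
    """Constructed sample (not real data): a home copy and a work copy that drifted apart."""
    gmail = Entry("a1", "Gmail", "greg", "gmailselebrait$4", "https://mail.example", 1000)
    home = [
        replace(gmail, title="Gmail (personal)", modified=1150),     # renamed at home
        Entry("b2", "Bank", "greg", "Sallysells1seashells!", "https://bank.example", 1100),
    ]
    work = [
        replace(gmail, password="gmailselebrait$5", modified=1200),  # password changed at work, later
        Entry("c3", "Wiki", "greg", "Thyme4Golf!", "https://wiki.example", 1050),
    ]
    return home, work


if __name__ == "__main__":
    home, work = build_sample()
    for e in merge_databases(home, work):
        print(e.uid, e.title, e.username, e.url, e.modified)
```

Matching by title instead of `uid` would have produced two Gmail entries here, one per copy. Note also that this is entry-level last-writer-wins: the home rename is lost because the work copy was modified later, so a field-level merge (or a quick look at the result before saving) is what you would want for a real safe.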

I hope this is helpful, let me know how you make out.
What password strategies work for you?
Greg.