Tuesday, March 3, 2009

How to Choose a Single Memorable Password

Passwords are getting trickier and trickier. You know that. So do I. Just this week two web sites have asked me to provide a password that includes mixed case letters plus numbers. One of them even asked me to include punctuation. What a drag!

I think the main obstacles to your getting a good password system are:
  1. Fear. The sheer drag of having to make another change is discouraging. I hope this post will give you some ideas, optimism, and energy.
  2. Uncertainty. You aren't sure about what needs to go into a good password system. Hopefully this post can resolve that.
  3. Doubt. You feel changing your password system won't be a permanent solution. You feel the situation is hopeless. I hope I can resolve that and get you excited about a once-and-for-all renovation to your password system.
Disclaimer: I thought I had a system before that could not fail, but I didn't. If you have insights that may help, please share them with me. [Last edited March 20, 2009]

So, here we go.

You'd like a password system that balances all these criteria:
  1. Long enough. Very important. Some sites require at least 8 characters.
  2. Short enough. You should have a "base security" portion of your password of just 6 characters, made up of lower case letters, upper case letters, and numbers (all three, and nothing else). Some sites allow only those. You can, and usually should, pad it as discussed below.
  3. Memorable. Nothing written down.
  4. Typeable. Typing difficulty doesn't equal security. Make it easy for you to type.
  5. Adaptable. Plan so the same system can handle broad circumstances.
  6. Includes lower case letters.
  7. Includes upper case letters.
  8. Includes numbers.
  9. Includes a dot. [Update 2009-03-06: I visited a site that permitted only underscores and a single period for its own security. Arrggh. However, this site also disallowed my valid email address, so there may be hope.]
  10. Includes other printable characters.
So you choose a fact that is personally important or memorable to you, and you use the criteria above to fashion it into a password. Include the following.
  • Base security portion. 6 consecutive characters that meet criteria 2 through 8 above.
  • Addition 1. One more character that adds criterion 9.
  • Addition 2. One more character that adds criterion 10.
  • Expandable portion. An expandable sequence that you add (even a repeat of portions of your password) when a system requires you to increase the length of your password. Examples: 98765432109876543210... zyxpdqZYXPDQzyxpdqZYXPDQ... "Mary had a little lamb Mar...." . You may need to write this portion down, because you probably won't be using it very often. It may be better from a security perspective to make it either unrelated to the rest of the password or similarly unintelligible.

Examples:

George Washington: I chopped down a cherry tree in 1741. I am building an amazon.com password today.
  • Base security portion. Ic41ac (I chopped (tree in) 41 amazon com)
  • Addition 1. Ic.41ac
  • Addition 2. Ic.41ac#
  • Expandable version if amazon requires 12 characters. acacIc.41ac# (amazon com amazon com I chopped . (tree in) 41 # ...)
You: I dead lifted 335 lbs. in college. I am registering at google.com today.
  • Base security portion. e3HPl (googl"e"3 HectoPounds lifted)
  • Addition 1. e.3HPl
  • Addition 2. e.3HPl@
  • Expandable version. "e.3HPl@googlegoog..." (mere domain repeat at end)
You: Jesus had 12 apostles and one was lost. You are registering at ebay.com
  • Base security portion. a12E1l (apostles 12 Ebay 1 lost) (you decided to capitalize the first letter of the domain name every time).
  • Addition 1. a12E.1l
  • Addition 2. a12E.1l-
  • Expandable version. a12E.1l-JudasJudasJuda....
You will never have to guess far about which password you used, nor write it down. Finally, be sure you practice your password so that you can type it easily. Rework the characters and their cases until you feel comfortable with it.
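The scheme above, as an added example that is not part of the original post: a small checker for the ten criteria, a validator for the 6-character base portion, the two additions, and the expandable-portion padding. The function names, the filler strings, and the 12- and 16-character site limits are my assumptions for illustration; the passwords themselves are the post's own examples.

```python
import string

# Added example (not from the post): checks a candidate against the post's
# criteria, validates the 6-character "base security portion", assembles the
# two additions, and pads with the "expandable portion" when a site wants more.

OTHER_PRINTABLE = set(string.punctuation) - {"."}   # criterion 10: printable, not the dot

def check_criteria(password: str, min_len: int = 8) -> dict:
    """Return which of the post's criteria (1 and 6 through 10) the password meets."""
    chars = set(password)
    return {
        "long_enough": len(password) >= min_len,      # criterion 1
        "lower": any(c.islower() for c in chars),     # criterion 6
        "upper": any(c.isupper() for c in chars),     # criterion 7
        "digit": any(c.isdigit() for c in chars),     # criterion 8
        "dot": "." in chars,                          # criterion 9
        "other": bool(chars & OTHER_PRINTABLE),       # criterion 10
    }

def is_valid_base(base: str, length: int = 6) -> bool:
    """Criterion 2: exactly `length` ASCII letters/digits with lower, upper and a digit."""
    return (len(base) == length and base.isascii() and base.isalnum()
            and any(c.islower() for c in base)
            and any(c.isupper() for c in base)
            and any(c.isdigit() for c in base))

def assemble(base: str, dot_at: int, other: str) -> str:
    """Addition 1 inserts the dot inside the base; Addition 2 appends one more character."""
    return base[:dot_at] + "." + base[dot_at:] + other

def expand(password: str, filler: str, required: int, front: bool = False) -> str:
    """Cycle `filler` to make up the shortfall when a site requires `required` characters."""
    short = required - len(password)
    if short <= 0:
        return password
    extra = (filler * (short // len(filler) + 1))[:short]
    return extra + password if front else password + extra

def base_search_space(length: int = 6) -> int:
    """Upper bound on guesses an exhaustive search of the base (62 symbols) needs."""
    return 62 ** length
```

With the post's first example, `assemble("Ic41ac", 2, "#")` gives `Ic.41ac#`, and `expand(..., "ac", 12, front=True)` gives the 12-character `acacIc.41ac#`.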

If any web site disallows any portion, you just have to omit it and report it here.

Let me know if this helps or if you have thoughts.

Tom
