Posted June 13th, 2012 by Mark with No Comments
With the spate of publicized security breaches this spring, I’d like to revisit the password theme. Having good passwords for your online life is just too important not to cover it again.
It seems that every time you turn around, another task you’re trying to accomplish requires a password. In general, this is a good thing, but unless you’re prepared, it’s also a big annoyance. So – let’s get prepared.
First, some overview: if the site allows that many characters, use at least 12. Ideally, you also want to mix the case of your letters and include some numbers and/or symbols as well. Be prepared, however, for those institutions that have limited their software unwisely: some don’t allow symbols, some don’t allow spaces, and so on. Hopefully, though, you can use as many characters as you want, of any description.
To keep from getting trapped by the oh-so-tempting practice of using the same password for everything – you need a system. Here’s one that is a good mix of security and ease of use:
Pick a phrase. You can use a line from a song, book or movie, or just a phrase that means something to you. For our example, we’ll use a line from Shakespeare.
All by itself, this rates as a very strong password, but with a simple change like substituting ‘zeroes’ for the ‘oh’s’, you can make it even stronger.
Now, to make it individual, add characters to the end to identify the site for which you are making the password. If you are creating a password for Facebook, for example, put FB at the end, like this:
Similarly, you can do PNC for the bank, AZ for Amazon, GM for Gmail – you get the idea. If the site allows any number of characters, you could just use the name of the site:
Some sites, however, enforce a rule that prohibits the name of the site anywhere in the password, so it’s probably safer to use abbreviations.
For different substitutions, you can use “$” for “S”, 4 for A, 7 for T, 3 for E, etc. Don’t get carried away, just make one or two substitutions and stick with that. If you can use at least 12 characters you’ll have a very strong password that is pretty easy to remember.
There are a couple of sites you can use to judge the effectiveness of any password. Here’s one that rates the strength of the password:
And here’s one that measures how long it would take to guess any password using a computer and brute force (try all possibilities until you find the answer).
If you can score high marks on both sites, your methodology is good.
Note that this system has a weakness: if you give away, or anyone guesses, the core part of the password you are using, they can easily guess your passwords for everything. So resist the urge to tell anyone one of your passwords, and be sure to change them once in a while.
Posted April 15th, 2012 by Mark with No Comments
Let’s all say it together now: “I HATE PASSWORDS!” Now, doesn’t that feel better? For better or worse, passwords are a necessary part of living in the computer culture. More and more websites and software require that you create an account with a password. To make matters worse, every one of them seems to have different rules for what they accept: “At least one capital and one lowercase letter” – “2 non-sequential, non-consecutive digits” – “Can’t contain more than 3 matching characters of your user name.”
You get the picture. It’s obnoxious and getting worse (don’t even get me started on those fuzzy letter things called “Captchas”.) Most folks resort to one of two methods. They keep a notebook by their computer where they write down all of their passwords, or to the extent possible, they use the same password for everything. As you might have already suspected, both of these ideas are bad. They are like leaving a key to the front door under your mat. There may have been a time when that was acceptable, but that time is long, long gone. Oh, and just to get this out of the way, adding the digit “1” to the end of a common word does NOT – I repeat, NOT make a secure password.
For years, I have promoted the “letter substitution” method of creating secure passwords. Pick a word or phrase you can remember, then substitute similar-looking numbers for some of the letters. If a “4” looks like an “A”, then “Paris2007” becomes “P4ris2007”.
(extra credit: Google or Wiki “Leetspeak”).
While this is better than a regular word, it’s not as secure as it once was, and you’re still at risk if you pick one secure password, then use it for everything.
As we store more as well as more-important data on our computers and online, using and (ugh) changing more secure passwords is becoming unavoidable. Unless you enjoy getting hacked, that is.
So, I’d like to offer a short tutorial on another method for creating good passwords that you can remember and then (ugh) change and still remember. I would love to take credit for this, but it comes largely from a great article by Farhad Manjoo found on Slate.com. First, the method, then some examples.
Step 1: Make up or pick a phrase or better yet two phrases (they don’t have to relate to each other). Make one of the phrases have a date or period that you can change.
Step 2: Turn the phrases into an acronym (use only the 1st letter from each word). Keep capitalization as in the original phrase.
Step 3: Use letter substitution for some of the letters. (“1” looks like “l”; “3” looks like “E”; “4” looks like “A”; “@” can be used for the word “at”; “$” looks like “S”; “7” looks like “T”; “&” can be used for the word “and”; “8” looks like “B”; “0” looks like “O”.)
Step 4: To change the password use the period chosen in step 1, and just substitute the current period.
Clear as mud? Ok, let’s do some examples.
My phrase: “In high school I scored 14 points in the 1st quarter of the homecoming game”
The acronym: IhsIs14pit1qothg – (you don’t have to remember the acronym – just say the phrase aloud or in your head and type only the first letter of each word – try it, it’s easy!)
The acronym with substitutions: Ih$I$14pit1qothg – (Notice I only substituted one letter, $ for S.)
To change this password you can divide the year into quarters, so on April 1st or thereabouts, you can change the phrase to “2nd quarter”, which changes the resulting password to “Ih$I$14pit2qothg.”
If you want to change the password monthly, for example, you might use the following phrase: I like corn on the cob, especially in August.
Password with substitutions: Ilc0tc3ia (I substituted a “zero” for the “oh” and a “3” for the “e”)
In September, this would change to: Ilc0tc3i$ (adding the “$” for “s” substitution)
Once again, the only part you need to remember is the initial phrase, and which letters you use for substitution. It’s simpler to only substitute one or two, and more secure to substitute more. Start easy and work up to more complicated.
For the most important passwords (your brokerage account, for example), use two phrases that are non related, like this:
Phrases: Kermit the frog was green. It’s 10 degrees in January.
Acronym: Ktfwg_I10diJ (I used an underscore character to separate the phrases since spaces are usually not allowed in passwords)
Password with substitution: K7fwg_110d1J (I substituted “7” for “T” and “1” for “I”)
Each month, change the phrase, and make the temperature a multiple of the month (20 for February, 30 for March, 80 for August, etc.). So, in September, this password would become: K7fwg_190di$.
Since you are turning the phrase into an acronym, you can use familiar phrases without compromising the security of the passwords. I love jazz standards of the 40’s, so I often use the first line of a song and a singer as my phrase, e.g. “Johnny One Note was sung by Anita O’Day”. My second phrase might describe the weather here in Pittsburgh. “It’s cold in January”. The resulting password from this combination is “J0NwsbA0DIciJ.” In July, the second phrase might change to “It’s sunny in July.” This would make the password “J0NwsbA0DIsiJ.”
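As an added example (not code from the post), here is the four-step method written out in Python, together with the per-site tag from the first post and a brute-force yardstick of the kind the checker sites report. The substitution tables are constructed choices, the `rotate` helper is an assumption about how Step 4 would be automated, and each word contributes one character (so a name like O’Day counts as one word, unlike the Johnny One Note example above); the quarter and Kermit examples from the post come out exactly as written.

```python
import math
import re
import string

# Constructed substitution tables for this example (Step 3 says pick one or two and stick with them).
SUBS_S = {"s": "$", "S": "$"}
SUBS_T_I = {"t": "7", "T": "7", "i": "1", "I": "1"}

def acronym(phrase):
    """Step 2: first letter of each word, case kept; a token starting with digits keeps its
    leading digits ('14' -> '14', '1st' -> '1'); edge punctuation is dropped ("It's" -> 'I')."""
    out = []
    for token in phrase.split():
        token = token.strip(string.punctuation)
        if not token:
            continue
        digits = re.match(r"\d+", token)
        out.append(digits.group(0) if digits else token[0])
    return "".join(out)

def substitute(text, subs):
    """Step 3: apply the chosen look-alike substitutions character by character."""
    return "".join(subs.get(ch, ch) for ch in text)

def build_password(phrases, subs, sep="", site_tag=""):
    """Steps 1-3: join the phrase acronyms with sep ('_' where spaces are banned), substitute,
    then append the per-site tag from the first post (e.g. 'FB')."""
    return substitute(sep.join(acronym(p) for p in phrases), subs) + site_tag

def rotate(phrases, subs, replacements, sep="", site_tag=""):
    """Step 4 (assumed helper): swap the period words (January -> February, 10 -> 20) and rebuild."""
    updated = []
    for p in phrases:
        for old, new in replacements.items():
            p = p.replace(old, new)
        updated.append(p)
    return build_password(updated, subs, sep, site_tag)

def search_space_bits(password):
    """Brute-force yardstick like the checker sites in the first post: size of the character
    pool implied by the classes present, raised to the length, in bits. It cannot see how
    guessable the underlying phrase is, so treat it as an upper bound, not a guarantee."""
    pool = 0
    for present, size in ((any(c.islower() for c in password), 26),
                          (any(c.isupper() for c in password), 26),
                          (any(c.isdigit() for c in password), 10),
                          (any(c in string.punctuation for c in password), len(string.punctuation))):
        pool += size if present else 0
    return len(password) * math.log2(pool) if pool else 0.0
```

Running `build_password(["Kermit the frog was green.", "It's 10 degrees in January."], SUBS_T_I, sep="_")` gives the post's `K7fwg_110d1J`, and `rotate` with `{"10": "20", "January": "February"}` gives the February version `K7fwg_120d1F`.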
Ok, now go out there and change your passwords – I’ll wait.