How to choose a password
Last week was some sort of 'international password day', which has prompted me to write down something I've been telling people over the last few years about password tricks.
(Obviously, I have some very interesting conversations. You should probably think about inviting me to your next dinner party.)
The first thing about passwords is - as XKCD points out - having a super-secure password isn't much use if you can't remember every single upper/lower case letter, number and §&#%ing 'special character'.
As XKCD also points out - if you don't have a different "$p3C14L P455w0rd" for every site you use, you're creating a security risk each time you re-use it.
And as XKCD again helpfully illustrates, a cry,ptographically secure single-use password doesn't mean your data is safe - just that attacking your password isn't the most likely way someone will attack your data.
So - you need an approach to passwords that means;
- You have a different password for everything,
- They all need to be 'good' passwords
- You need to be able to remember them all - a number of passwords that is, for all intentions, unlimited,
- Your passwords follow all the 'rules' that various logins insist on following.
Unfortunately, that seems to be an impossible problem - the last one is a particular challenge (a potentially infinite number of constraints that might be mutually exclusive - ie. one system insists on at least 9 characters minimum, while another insists on an 8 character maximum.) But I have some useful tips for the first two.
Lets start off by imagining you have one password that you use for everything - for the sake of simplicity, lets say its "picture1" (see Wikipedia for why thats particularly bad.) We can make that better by simply sticking the name of the thing that its a password for onto the password - so, your Facebook password becomes "facebookpicture1", your Twitter password becomes "twitterpicture1" and so on. Voila - a different password for every service, that you can remember, based on a very simple algorithm.
Ok - we've fixed the first problem. But realistically, if someone sees one password, then they can probably guess them all. So, we want to 'mask' it somehow.
A simple approach might be to take a few of the letters instead of the full name- say, the last three letters. And maybe throw in a capitalisation somewhere- say, in the middle. So, "facebookpicture1" becomes "oOkpicture1", "twitterpicture1" becomes "tErpicture1" and so on.
Better, but not great.
How about - instead of those three letters, we take the three letters next to them on your keyboard? So- we replace "q" with "w", "w" with "e" and so on - so the Facebook password is now "pPlpicture1".
Take it a step further and go the opposite direction for the 'root' part (ie. the old password that we were using before) - so our new Facebook password is "pPlouxryew§" (on a Mac keyboard- a UK Windows equivalent would be "pPlouxryew|".
Now we've got something far less guessable, but still fairly simple to remember - assuming you can remember the 'algorithm', and have the same keyboard. (For ease of use on mobile devices/consistency on different keyboards, you might want to skip the special characters and just 'wrap around' - so, going to the left, "q" becomes "p", "a" becomes "l", "z" becomes "m".
One place this approach falls down is services that force you to change your password on a regular basis (usually work-based things that need to be SOX-compliant force a reset every 90 days or so) - I haven't really got a good approach to this, other than sticking a number on the end and adding 1 each time you need to update it - then you can keep a note of the number somewhere (don't write down your full passwords!) if you need a memory jogger.
So - a cryptic but memorable password for "work thing" now might become "oMhouxryew01" - which, after 90 days, gets updated to "oMhouxryew02" and so on.
Obviously, you should pick your own pattern - maybe skip the last letter of the service, so you're taking the three letters except for the last (so for Facebook, you could take "boo" - then the letter to the right on the keyboard with a capitalised middle letter becomes "nPp"), throw in a special character or two - use your imagination. Just keep it simple - the important thing is that its memorable.
Of course, a genuinely random password generated by a password manager of some sort will be even more secure - provided the password for the password manager is a good one. (My recommendation there would be to make sure that one password that you need to type regularly is easier to type - the 'letter to the side' approach is a good one for being easy to remember, but can be surprisingly slow to actually mentally process and type out (until it becomes muscle memory.)
So there you go - a fairly simple way to keep a potentially infinite number of passwords in your head, no need to write anything down, without being reliant on having your phone to hand.