A password recipe
Maarten | On 21, Dec 2012
New Year’s Resolutions for Technology (1)
There have been lots of reasons to think about the security of our personal data this year, so I've resolved that we will do better in 2013. Resetting passwords is time-consuming, mentally challenging and not much fun. The alternatives are even less interesting.
I’ve been spending a lot of time (mostly while I’m in the shower, a very productive place for me) thinking about passwords. I’m now in the process of consolidating to two passwords, or rather, two models for passwords. I use a model or formula, so that when needed, I can quickly devise a new password that conforms to certain parameters.
The most important lesson of 2012 was that the email address used to validate passwords on sites requiring a login is my greatest vulnerability. If a hacker can access my email, then all of my passwords are compromised – simply by requesting a password reset.
I’ve been contemplating creating an email account to use only for password purposes. Until I take that step, on my prime email account I’m using two-step authentication. Two-step authentication requires a second code, not just the password, the first time you log in from a new device. For example, when I logged in from my iPad for the first time, Gmail’s two-step sent a code to my mobile phone to verify that I was using the Gmail account on a device where it had not been used before. You must enter that code before Gmail will allow you to log in. Although GoDaddy (my host for heilbron.com) does support two-step in the US, it’s not yet available in Canada. Until it is, that’s not a secure email address to use for passwords.
I use the first model for the many sites that ask for a password just to send a newsletter or give access to some files. Really, who cares? For these sites I have a “goto” password that I re-use at every opportunity. I’ve taken an eight-letter word (like paradigm) and added the features (a number, a capital letter, a symbol) needed to pass typical requirements. At nine characters, “paraD1gm!” is a reasonably strong password, but its strength is undermined by the fact that I never change it and have used it for so many accounts*. And I never have to look it up.
If you are worried about the possibility of compromise, there’s an alternative, especially for sites you don’t intend to frequent anyway. As most of these sites use simple email password resets, simply enter any ten random characters from the keyboard. Next time you need to log in, just reset it.
I use a more secure model for shopping and banking sites. If a site requires me to enter my credit card information, I’m going to be careful. I’ve been surprised more than once that a shopping site saved my card info, even when I didn’t ask it to do so.
To create a secure password, start with a list of items that you can remember with ease (I’ll explain why in a moment). It may be the months of the year, the first five books of the Bible or the names of the seven dwarves. It’s best if it’s somewhat personal, like the names of your siblings or your aunts and uncles. It’s best if there are at least four items and they have at least eight letters. If some don’t have five letters, skip over them. That leaves you with seven months. If the names are short, concatenate them. So Uncle Bill and Aunt Josie (both too short to be useful – I mean the names, not the people) become billjosie on your list.
For the example, we’re going with months. When I need a password, I take a month (february) and, using the same requirements (9 or more characters, with a capital, a number and a symbol), I create the password “feB19#ruary67”.
Let me digress for a moment and discuss how I store passwords so that I have easy access when they’re needed. I know there are many apps and applications for managing passwords. They may be convenient, but I’m not confident that they can’t be compromised. As well, at the rate that web enterprises come and go … as I say, not confident.
I store all my passwords in a plain text file, encoded so that I can easily decrypt them. After all, that’s how the password managers work, except that only they know the code to decrypt. In this case, only I know the code. Here’s how the model works. The password “feB19#ruary67” is stored in my text file as “2Bleafscup6#”. While “2Bleafscup6#” looks like a password, I re-interpret it as:
2 – the second item on the list (february)
B – the letter that’s capitalized, and the break in the key word
leafscup – a year I remember (1967, the last year the Leafs won the Stanley Cup); you can use any year you can easily recall
6# – the position of the symbol, and the symbol itself.
Feel free to add further refinements, like writing the year, the word or sections of the word backwards (“76yraur#91Bef”, which admittedly adds effort on your side). Or use the whole model in reverse: for example, use “2Bleafscup6#” as the password and “feB19#ruary67” as the reminder. More variations are possible.
However you proceed, you should change your password regularly, and this formula supports the easy creation of new passwords at any time.
I could use the same formula to devise my email password, but I decided it needed a slightly higher level of security. So I add one more wrinkle: 4 or more random characters from the keyboard. I record that in the key by appending the first character, the direction and the number of characters. So “feB19#ruary67” becomes “feB19#ruary67hgfd” and the key becomes “2Bleafscup6#hL4”. Again, both make excellent passwords that are easily and securely stored in a text file.
Physical compromise remains an issue, and the password/screensaver security offered by the devices that have access to my email (my computer, my tablet, my phone) is relatively low. If they’re stolen, all my passwords are compromised, since I’m automatically logged in. Here I’m counting on my ability to safeguard my devices from theft or inappropriate access as the primary gatekeeper, with the password as a secondary barrier.
The whole system is likely not perfect, but it’s certainly better than what I was doing last year. I’d be happy to hear your suggestions. In the meantime, there’s a glass of eggnog and Kahlua calling my name and some of Debra’s panforte just waiting to be enjoyed.
* my password is not really “paraD1gm!”