The Problem With Passwords

I’m often embarrassed by my inability to remember phone numbers now that they’re saved in my phone.  I realize now, though, that the space in my memory that used to be reserved for phone numbers has been taken over by a ridiculous number of usernames and passwords.

I have 92 passwords to remember.  That’s right, 92.  At least once a day I find myself resetting a password or going digging through my notes to find one.  Security is my business, and yet every day I’m tempted to eliminate all of my unique passwords and to choose a couple of simple ones that I might remember.

Granted, I might have more passwords than most, but they add up if you stop to think about it.  You probably have more than you realize:

  • banking passwords
  • email passwords
  • social media passwords
  • computer passwords
  • sites, blogs, games, etc.
  • hardware passwords (modems, routers, phones)

Much has been written about best practices for passwords, but few people have taken the advice.  The simple reason is that it’s a pain to use “strong” passwords.

How many of you out there use one password for multiple things/places on the internet?  I’m betting almost all of you.  I imagine you wouldn’t carry one key that unlocked your car, office and home, but that’s exactly what you’re doing online.  If your password for Facebook is exposed, do you really want someone to be able to log in to your bank account, your email account, your online dating profile?

Is your password “password123”, “iloveyou”, “michael74” or something similar?  If so, it’s time to change.  Now.  Online crime is a massive business.  In terms of scale, it has been compared to the illicit drug trade.  This is 2012, not 1993.  There is simply no excuse for being lazy when it comes to securing your information and your privacy.

Don’t feel too badly, you’re not the only one.  Plenty of big name companies, governments, and even security groups have been burned by using lazy passwords.

How to Choose

There are lots of methods for choosing a more secure password.  I won’t argue the benefits of each; I’m just going to share my tips with you.  There will be no math, no discussion of entropy, just my personal process for choosing a password that is likely much more secure than what you are using now.

Unless your house is secured by a moat, infrared detection, and attack dogs, I doubt you want to try to remember a password like “QctT8’*t*$!.hHne[+)^`.,knbB,”.  Don’t worry, there are all kinds of easy options that will help you remember your passwords while making them more secure; you just have to take the time to think about it.

Make your existing passwords stronger

Let’s say that your email password is “whiskers”, the name of your no doubt lovable cat.  You can easily keep the familiarity of the password while increasing its effectiveness as a password.

Old password:  whiskers
New password:  I have loved Whiskers since 2004!

Easy to remember, and vastly more secure than the original password.  If you can’t use spaces, simply remove them.

If you’re one of those people who are determined to use a birthday as a password:

Old password:  120896
New password: (Dec. 8th 1996)

Password for a site you don’t often visit:

Old password: myspacepw
New password:  #MySpace has been dead since 2005#

These are just my suggestions.  I like phrases and sentences.  If you prefer math, try something like:

Old password: 120896
New password: 12+08 doesn’t = 96 or 12*8=ninety-six

Perhaps you prefer pictures?

Old password: ilovejessica
New password: I <3 Jessica 🙂 or Miss Jessica makes me 😀
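To show why the “old” passwords above are weak and the “new” ones are not, here is a small checker I wrote for this post (it is not the author’s code).  It flags the shapes used in the examples: dictionary words with or without a number tail, six-digit birthdays, and short passwords with few character classes.  The word list is a constructed stand-in for a real breached-password list.

```python
import re

# Constructed stand-in for a common/breached-password wordlist; a real check
# would use a large list, not this handful taken from the post's examples.
COMMON_WORDS = {"password", "iloveyou", "michael", "whiskers", "jessica", "myspace"}

# Character classes counted by the "at least 3 classes" rule below.
CLASSES = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")


def looks_like_date(pw):
    """True for 6- or 8-digit strings whose leading fields fit DDMM or MMDD."""
    if not pw.isdigit() or len(pw) not in (6, 8):
        return False
    a, b = int(pw[:2]), int(pw[2:4])
    return (1 <= a <= 31 and 1 <= b <= 12) or (1 <= a <= 12 and 1 <= b <= 31)


def weaknesses(pw):
    """Return the reasons a password is easy to guess; an empty list means none found."""
    issues = []
    low = pw.lower()
    if len(pw) < 12:
        issues.append("shorter than 12 characters")
    if looks_like_date(pw):
        issues.append("looks like a date")
    elif pw.isdigit():
        issues.append("digits only")
    # A word or word+digits shape (michael74, ilovejessica) built on a common word
    if re.fullmatch(r"[a-z]+\d{0,4}", low) and any(w in low for w in COMMON_WORDS):
        issues.append("built from a dictionary word")
    if sum(bool(re.search(c, pw)) for c in CLASSES) < 3:
        issues.append("fewer than 3 character classes")
    return issues


if __name__ == "__main__":
    # Old/new pairs from the post; the last one has its spaces removed, as the post suggests
    for pw in ["whiskers", "I have loved Whiskers since 2004!",
               "120896", "(Dec. 8th 1996)", "michael74", "IhavelovedWhiskerssince2004!"]:
        print(f"{pw!r}: {weaknesses(pw) or 'no obvious weaknesses'}")
```

A phrase that merely contains a pet’s name is not flagged, because the length and mixed characters of the whole sentence are what make it hard to guess.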

A few things to consider:

Password vaults and their ilk.  I don’t use them and I don’t recommend them.  How do you secure your password vault?  With a password.  So if an attacker gets one password he gets them all?  No thanks.  Convenient, yes.  Ideal, no.

Some companies, banks, and sites limit the security of your password by not allowing special characters, having a character limit, etc.  For now, just work within their limitations until they come to their senses.

Whenever possible, use words and terms which can’t be found in a dictionary.  This sounds harder than it is.  You can use altered spelling, nicknames, and clues instead of the actual term.

If you can deal with the hassle of two factor authentication, I recommend using it if available.  Gmail and Yahoo offer this to all users; I’m not sure about others.

Storing your passwords

It’s likely that you will need to write your passwords down in case you forget them.  It’s not ideal, but can you really be expected to remember 92 passwords?  My solution is not exactly high tech, but it’s handy and effective.  Post-its.  That’s right, I store my passwords on post-its.

The key to this is not to put the username, password, and what it’s used for on the post-it.  My passwords often contain a hidden reference to what they are related to.  For example, let’s say that you bank at TD Canada Trust and your branch is located close to a Costco store.  Your password could be something like:

$Across from Costco$

Most people looking at this post-it wouldn’t know that it was a password at all.  If they did, would they know what the password was for?  Sure, they could try this password everywhere; let them.  Absolute security is a myth; we’re trying to make this as difficult as possible.  If someone is determined to gain access to your data, chances are good that your passwords won’t help you anyway.  A few reminders:

  • Don’t store a password list on your computer.
  • Don’t keep your passwords in your laptop case, or in the same location as your computer.

Remember

The goal with a password is to make it easy to remember while making it extremely hard to guess or fall victim to a brute force attack.  If your computer has already been compromised and your keystrokes are being recorded, strong passwords won’t help.

We’re aiming for increased difficulty here, not impossibility.  If there’s one thing we’ve learned, it’s that anything too annoying to remember will end up being reset to password123.