A reader's guide to safer passwords

Randomization, encryption and a backup equal winning advice

We have a winner!

A couple of weeks ago, we asked you for ideas on how to create and remember strong passwords. Hundreds of you responded with very good ideas.

Ron, from northwest Indiana, took the prize, though, for developing a solution that is sophisticated but doable. It helps that he was motivated: He works for a company that stores business and medical records, and its documents are managed in the cloud.

“Since any information is only as secure as the password needed to access it, I create 16- [to] 24-character passwords, encrypt them on a flash drive that I carry with me at all times, and duplicate in a safe spot, e.g., safe or safety deposit box. I need to remember only one password to access the list — and like everyone else, it's a long list — if I've forgotten something. Keeping the flash drive safe and accessible is easier than you might think. Like any other system, it takes some adjustment. But I know that my information and my clients' information will remain accessible only to those who are authorized to view it. Of course, we take other precautions. Passwords are only the first step in a long line of security procedures but one of the most important.”

Ron’s approach meets just about every guideline security experts recommend. His passwords, which are lengthy and use a mix of character types, are unguessable. The encryption means that anyone who steals the flash drive would still need to crack the encryption to get anything useful. The backup copy means that if the flash drive is lost or damaged, Ron can still get into the various sites for which he has passwords and change them. And his organization adds more layers of security so that the password is not the only thing keeping malefactors out.
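The two properties the paragraph credits Ron's passwords with, length and a mix of character types, can be produced and checked mechanically. The following is an added example written for this guide; it is not Ron's tool or anything from the article. The character classes, the symbol list, and the enforcement of the 16-to-24-character range are assumptions chosen here, and the example covers only generation and strength estimation, not the encrypted storage or the backup copy.

```python
import math
import secrets
import string

# Character classes the generated passwords draw from. Assumption: the article
# says only "a mix of character types"; this particular set is ours.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!#$%&*+-=?@^_~",
}
ALPHABET = "".join(CLASSES.values())  # 76 distinct characters


def missing_classes(password):
    """Return the names of the character classes absent from `password`."""
    return [name for name, chars in CLASSES.items()
            if not any(c in chars for c in password)]


def generate_password(length=20):
    """Generate a password of `length` characters from the OS CSPRNG with at
    least one character from every class. Rejection sampling keeps the result
    uniform over all accepted strings; the common 'pick one of each class,
    then shuffle' trick skews the distribution. Lengths outside 16-24 are
    rejected to mirror the range Ron uses (assumed as a hard rule here)."""
    if not 16 <= length <= 24:
        raise ValueError("password length must be between 16 and 24")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not missing_classes(candidate):
            return candidate


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Bits of entropy for a uniformly random string over the alphabet.
    Rejecting the rare candidates that miss a class lowers this by a tiny
    fraction of a bit, which we ignore."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits, guesses_per_second):
    """Years to try every password of the given entropy at the assumed guess
    rate. The rate is a parameter the caller supplies, not a figure from the
    article; an attacker on average needs half this long."""
    return 2 ** bits / guesses_per_second / (60 * 60 * 24 * 365)


if __name__ == "__main__":
    for n in (16, 20, 24):
        pw = generate_password(n)
        print(f"{n} chars: {pw}  ~{entropy_bits(n):.0f} bits")
    # Assumed rate for illustration only: one hundred billion guesses per second.
    print(f"16 chars at 1e11 guesses/s: {years_to_exhaust(entropy_bits(16), 1e11):.2e} years")
```

A 16-character password over this 76-symbol alphabet carries roughly 100 bits of entropy and a 24-character one roughly 150, which is why the article treats them as unguessable. Note that the guess-rate figure is an input you choose; the function makes no claim about what any particular attacker can do.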

The Case for Skepticism

However, not everyone agreed with the conventional wisdom. Blogger William Cheswick, who wrote his comments in detail on his site and called our attention to it, believes the security experts who recommend long passwords, mixing character types and never writing passwords down are not properly appreciating today's threats.

"Previous admonitions against writing down passwords contemplated local attacks — people reading your Post-it notes on your terminal in the office, for example," he wrote. "Most attacks come from distant malefactors, and they will never see your terminal."

Meanwhile, other readers offered their ideas.

Off-the-Shelf Passwords

Jack Holbrook of Lacey, Wash., suggested a literary fix. "Keep a favorite book around the office, in a drawer or on a bookshelf. Pick a page and a line number. Use a phrase from that line on that page number," he advised. "Now you have as strong a password as you like, and you don't have to write it down. You can even keep the page and line number written down somewhere in plain sight. No one knows your favorite book or where it is located."

Another reader suggested a method that could leave your passwords unknown even to you, at least by sight. "With one hand, type a random key sequence using letters within reach of your fingers. With the other hand, press the shift key as often as you'd like to capitalize letters," wrote the reader, identified as C.H. "Memorize the finger movements instead of the characters. When a password change is required, move the thumb of the character-typing hand to another key and repeat the typing movement sequence."


About the Author

Technology journalist Michael Hardy is a former FCW editor.
