A reader's guide to safer passwords

Randomization, encryption and a backup equal winning advice

We have a winner!

A couple of weeks ago, we asked you for ideas on how to create and remember strong passwords. Hundreds of you responded with very good ideas.

Ron, from northwest Indiana, took the prize, though, for developing a solution that is sophisticated but doable. It helps that he was motivated: He works for a company that stores business and medical records, and its documents are managed in the cloud.

“Since any information is only as secure as the password needed to access it, I create 16- [to] 24-character passwords, encrypt them on a flash drive that I carry with me at all times, and duplicate in a safe spot, e.g., safe or safety deposit box. I need to remember only one password to access the list — and like everyone else, it's a long list — if I've forgotten something. Keeping the flash drive safe and accessible is easier than you might think. Like any other system, it takes some adjustment. But I know that my information and my clients' information will remain accessible only to those who are authorized to view it. Of course, we take other precautions. Passwords are only the first step in a long line of security procedures but one of the most important.”

Ron’s approach meets just about every guideline security experts recommend. His passwords, which are lengthy and use a mix of character types, are unguessable. The encryption means that anyone who steals the flash drive would still need to crack the encryption to get anything useful. The backup copy means that if the drive is lost or stolen, Ron can still get into the various sites for which he has passwords and change them. And his organization adds more layers of security, so that the password is not the only thing keeping malefactors out.
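As an added illustration (not from the article, and not Ron's own tooling), the following Python generates passwords in the 16-to-24-character range with every character class represented and estimates how long exhaustive guessing would take; the punctuation set and the guessing rate of 10^12 per second are assumptions.

```python
import math
import secrets
import string

# Character classes the passwords draw from (the article says "a mix of
# character types"); the exact punctuation set below is an assumption.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!#$%&()*+,-./:;<=>?@[]^_{|}~",
}
ALPHABET = "".join(CLASSES.values())


def generate_password(length: int = 20) -> str:
    """Return a `length`-character password drawn uniformly from ALPHABET that
    contains at least one character from every class.  Rejection sampling
    keeps the result uniform over all qualifying strings."""
    if not 16 <= length <= 24:
        raise ValueError("the article recommends 16 to 24 characters")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not missing_classes(candidate):
            return candidate


def missing_classes(password: str) -> list:
    """Names of the character classes absent from `password` (empty = full mix)."""
    return [name for name, cls in CLASSES.items()
            if not any(c in cls for c in password)]


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy in bits of a uniformly random password of the given length."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float = 1e12) -> float:
    """Years needed to try every password at an assumed attacker guessing rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    for n in (16, 24):
        print(n, generate_password(n), round(entropy_bits(n), 1), "bits",
              f"{years_to_exhaust(entropy_bits(n)):.2e} years to exhaust")
```

For comparison, an 8-character password from the same alphabet carries about 52 bits, which the same assumed rate exhausts in under two months.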

The Case for Skepticism

However, not everyone agreed with the conventional wisdom. Blogger William Cheswick, who wrote his comments in detail on his site and called our attention to it, believes the security experts who recommend long passwords, mixing character types and never writing passwords down are not properly appreciating today's threats.

"Previous admonitions against writing down passwords contemplated local attacks — people reading your Post-it notes on your terminal in the office, for example," he wrote. "Most attacks come from distant malefactors, and they will never see your terminal."

Meanwhile, other readers offered their ideas.

Off-the-Shelf Passwords

Jack Holbrook of Lacey, Wash., suggested a literary fix. "Keep a favorite book around the office, in a drawer or on a bookshelf. Pick a page and a line number. Use a phrase from that line on that page number," he advised. "Now you have as strong a password as you like, and you don't have to write it down. You can even keep the page and line number written down somewhere in plain sight. No one knows your favorite book or where it is located."

Another reader suggested a method that could leave your passwords unknown even to you, at least by sight. "With one hand, type a random key sequence using letters within reach of your fingers. With the other hand, press the shift key as often as you'd like to capitalize letters," wrote the reader, identified as C.H. "Memorize the finger movements instead of the characters. When a password change is required, move the thumb of the character-typing hand to another key and repeat the typing movement sequence."


About the Author

Technology journalist Michael Hardy is a former FCW editor.
