Strong passwords: You DO have better ideas!
Our contest runs through May 24
- By Michael Hardy
- May 18, 2010
Wow! We asked you for ideas on how to create and remember strong passwords, and the initial response has been strong. Dozens of ideas flooded in during the first few hours. Apparently, a lot of people still use really bad passwords, such as "password" or "1234567."
We'll keep the window open until next Monday, May 24, so keep the ideas coming. Remember, a key aspect of smart passwords is how to remember them without writing them down, while maintaining a different one for each site where you need one.
Don't give us any actual passwords you use, of course. We want everyone to come out more secure, not less.
Some of the suggestions we've received so far:
Joe Brosky uses a combination of sequential numbers, partial words and symbols, but maintains a consistent format to keep them easy to remember. For example, he wrote, he might use the numbers 910 and 1112, separated by words and symbols. "When I need to create new passwords, my next numbers will be 1314 and 1516. This makes it easy to remember them without writing them down," he wrote. For the words, "First, I come up with two words, such as, Pittsburgh and Cleveland. I shorten them as follows: Pitts and Land. Thus, my easy-to-do system creates a password as follows: 1112@PittsLand@1314. When it expires, I just change it as follows: 1516@LandPitts@1718."
Martin from Fairfield, Calif., describe using variations on memorable words. "I start with a proper name or two-word phrase that meant something special to me in a certain year. For example, I went to Disney World in 1996, so I start with '96DIsneyworld' (using upper-case for the first two letters). I precede that with two special characters that I always keep the same. Then I precede that with the first letter again in lower-case. That gives me d,,96DIsneyworld.' To avoid using the very same password on all my various accounts, for each one I add a lower-case letter just after the digits that represents the system to me (e.g. 't' for the Timesheet system, 'e' for e-mail). This would give me 'd,,96tDIsneyworld' for my Timesheet password. When I need to change my passwords, I try to change them on all my accounts at the same time, thinking of a new special word (for example, a crazy kid I remember from 6th grade named Bruce Roble). Since that was in 1989, my Timesheet password would become 'b,,89tBRuceroble.'"
Martin was one of several readers who suggested writing down mnemonic keys to the passwords, meaningless to anyone else but enough of a trigger for the password's creator to recall the significance.
Jack Holbrook of Lacey, Wash., suggested a literary fix. "Keep a favorite book around the office, in a drawer or on a bookshelf. Pick a page and a line number. Use a phrase from that line on that page number," he advised. "Now you have as strong as a password as you like and you don't have to write it down. You can even keep the page and line number written down somewhere in plain sight. No one knows your favorite book or where it is located."
Bill Branning from Clay County, Fla., suggested using meaningless but pronounceable combinations of letters. "I recommended using random combinations of consonants and vowels in non-word strings that could be pronounced," he wrote. "I found that if a user could pronounce a non-word combination of syllables, it could be remembered without having to make a written note. Since then I have also recommended using added or inserted punctuation and caps."
Branning added that in his opinion, organizations should not require password changes unless there's evidence that a password has been compromised. "When I run into a system that forces frequent changes I alternate between only two strong passwords," he added.
John, from Chantilly, Va., suggested using the initial letters of a meaningful phrase, spiced up with symbols and upper-case letters. "For example, 'Now is the time for all good men to come to the aid of their country' becomes 'Nittfagmtcttaot,'" he wrote. "While this not bad for starters, it lacks the complexity of having special characters and numbers. This can be solved by substituting digits for vowels and holding the shift key every other time a letter or number would appear. For example, if you chose to substitute 1,2,3,4,5 for a,e,i,o,u your password would actually be: N3tTfagmtcTt!4TC. The nice part of this is that you can choose phrases that have meaning to you. I have friends who like to [use] song lyrics, which is fine as long as they don’t hum too loudly."
Another reader suggested a method that could leave your passwords unknown even to you ... at least by sight. "With one hand, type a random key sequence using letters within reach of your fingers. With the other hand, press the shift key as often as you'd like to capitalize letters," wrote the reader, identified only as C.H. "Memorize the finger movements instead of the characters. When a password change is required, move the thumb of the character-typing hand to another key and repeat the typing movement sequence."
E. Miller of Portland, Ore., recommended making passwords out of stories. "'I walked down Bourbon Street with Sarah in 1992' can be 'bourbon1992Sarah' or many other variations," Miller wrote. "Getting individuals to understand security policy, weaknesses and responsibilities; that's another issue entirely."
Keep the ideas coming, and by next week all of our systems may be a little more secure!
Technology journalist Michael Hardy is a former FCW editor.