A reader's guide to safer passwords

Randomization, encryption and a backup equal winning advice

We have a winner!

A couple of weeks ago, we asked you for ideas on how to create and remember strong passwords. Hundreds of you responded with very good ideas.

Ron, from northwest Indiana, took the prize, though, for developing a solution that is sophisticated but doable. It helps that he was motivated: He works for a company that stores business and medical records, and its documents are managed in the cloud.

“Since any information is only as secure as the password needed to access it, I create 16- [to] 24-character passwords, encrypt them on a flash drive that I carry with me at all times, and duplicate in a safe spot, e.g., safe or safety deposit box. I need to remember only one password to access the list — and like everyone else, it's a long list — if I've forgotten something. Keeping the flash drive safe and accessible is easier than you might think. Like any other system, it takes some adjustment. But I know that my information and my clients' information will remain accessible only to those who are authorized to view it. Of course, we take other precautions. Passwords are only the first step in a long line of security procedures but one of the most important.”

Ron’s approach meets just about every guideline security experts recommend. His passwords, which are lengthy and use a mix of character types, are not practical to guess. The encryption means that anyone who steals the flash drive would still have to break the encryption before getting anything useful from it. The backup copy means that if the drive is lost or destroyed, Ron can still get into the various sites for which he has passwords and change them. And his organization adds more layers of security, so the password is not the only thing keeping malefactors out.

The Case for Skepticism

However, not everyone agreed with the conventional wisdom. Blogger William Cheswick, who posted his comments in detail on his own site and called our attention to them, believes that the security experts who recommend long passwords, mixed character types and never writing passwords down are not properly accounting for today's threats.

"Previous admonitions against writing down passwords contemplated local attacks — people reading your Post-it notes on your terminal in the office, for example," he wrote. "Most attacks come from distant malefactors, and they will never see your terminal."

Meanwhile, other readers offered their ideas.

Off-the-Shelf Passwords

Jack Holbrook of Lacey, Wash., suggested a literary fix. "Keep a favorite book around the office, in a drawer or on a bookshelf. Pick a page and a line number. Use a phrase from that line on that page number," he advised. "Now you have as strong a password as you like, and you don't have to write it down. You can even keep the page and line number written down somewhere in plain sight. No one knows your favorite book or where it is located."
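As an added illustration that is not from the article or any of its readers, the following Python puts numbers on the two approaches above: it generates passwords of the 16-to-24-character, mixed-type kind Ron describes and estimates how many bits of guessing work each scheme gives an attacker. The book-phrase estimate rests on an assumption of mine, not Jack's: that the attacker already knows which book is used and simply tries every page and line.

```python
import math
import secrets
import string

# The four character classes behind the "mix of character types" advice.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)
ALPHABET = "".join(CLASSES)  # 94 printable ASCII characters


def has_all_classes(password: str) -> bool:
    """True if the password contains at least one character of every class."""
    return all(any(ch in cls for ch in password) for cls in CLASSES)


def generate_password(length: int = 20) -> str:
    """Random password of 16 to 24 characters drawn from all four classes.

    Rejection sampling (retry until every class appears) keeps the result
    uniform over all qualifying passwords; `secrets` uses the OS CSPRNG.
    """
    if not 16 <= length <= 24:
        raise ValueError("length must be between 16 and 24")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if has_all_classes(candidate):
            return candidate


def random_password_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Guessing work, in bits, for a uniformly random password: log2 of the keyspace."""
    return length * math.log2(alphabet_size)


def book_phrase_bits(pages: int, lines_per_page: int, candidate_books: int = 1) -> float:
    """Guessing work, in bits, for a phrase picked by page and line number.

    Assumption (mine, not the reader's): the attacker knows which book is used,
    so only the page/line choice is secret; each additional book the attacker
    must also try multiplies the search space.
    """
    return math.log2(pages * lines_per_page * candidate_books)


if __name__ == "__main__":
    pw = generate_password(20)
    print(pw, f"{random_password_bits(len(pw)):.1f} bits")
    # A 400-page book with 40 lines per page is about 14 bits once the book is known.
    print(f"book phrase: {book_phrase_bits(400, 40):.1f} bits")
```

The comparison shows why the book method's strength depends entirely on the book staying secret: a known 400-page book yields roughly 14 bits, against more than 100 bits for a 16-character random password.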

Another reader suggested a method that could leave your passwords unknown even to you, at least by sight. "With one hand, type a random key sequence using letters within reach of your fingers. With the other hand, press the shift key as often as you'd like to capitalize letters," wrote the reader, identified as C.H. "Memorize the finger movements instead of the characters. When a password change is required, move the thumb of the character-typing hand to another key and repeat the typing movement sequence."


About the Author

Technology journalist Michael Hardy is a former FCW editor.
