A reader's guide to safer passwords

Readers of Federal Computer Week and Government Computer News share their secrets for creating foolproof passwords.

We have a winner!

A couple of weeks ago, we asked you for ideas on how to create and remember strong passwords. Hundreds of you responded with very good ideas.

Ron, from northwest Indiana, took the prize, though, for developing a solution that is sophisticated but doable. It helps that he was motivated: He works for a company that stores business and medical records, and its documents are managed in the cloud.

“Since any information is only as secure as the password needed to access it, I create 16- [to] 24-character passwords, encrypt them on a flash drive that I carry with me at all times, and duplicate in a safe spot, e.g., safe or safety deposit box. I need to remember only one password to access the list — and like everyone else, it's a long list — if I've forgotten something. Keeping the flash drive safe and accessible is easier than you might think. Like any other system, it takes some adjustment. But I know that my information and my clients' information will remain accessible only to those who are authorized to view it. Of course, we take other precautions. Passwords are only the first step in a long line of security procedures but one of the most important.”

Ron’s approach meets just about every guideline security experts recommend. His passwords, which are long and mix character types, are unguessable. The encryption means that anyone who steals the flash drive would still need to break the encryption to get anything useful. The backup copy means that if the drive is lost, Ron can still get into the various sites for which he has passwords and change them. And his organization adds more layers of security, so the password is not the only thing keeping malefactors out.

The Case for Skepticism

However, not everyone agreed with the conventional wisdom. Blogger William Cheswick, who posted a detailed response on his own site and pointed us to it, believes the security experts who recommend long passwords, mixed character types and never writing passwords down are not properly appreciating today's threats.

"Previous admonitions against writing down passwords contemplated local attacks — people reading your Post-it notes on your terminal in the office, for example," he wrote. "Most attacks come from distant malefactors, and they will never see your terminal."

Meanwhile, other readers offered their ideas.

Off-the-Shelf Passwords

Jack Holbrook of Lacey, Wash., suggested a literary fix. "Keep a favorite book around the office, in a drawer or on a bookshelf. Pick a page and a line number. Use a phrase from that line on that page number," he advised. "Now you have as strong a password as you like, and you don't have to write it down. You can even keep the page and line number written down somewhere in plain sight. No one knows your favorite book or where it is located."

Another reader suggested a method that could leave your passwords unknown even to you, at least by sight. "With one hand, type a random key sequence using letters within reach of your fingers. With the other hand, press the shift key as often as you'd like to capitalize letters," wrote the reader, identified as C.H. "Memorize the finger movements instead of the characters. When a password change is required, move the thumb of the character-typing hand to another key and repeat the typing movement sequence."