This has prompted discussions with coworkers and friends about their personal security practices. Being in the IT field over the years I have found that most IT people are only slightly more secure than the general population. Usually the story is that they “rotate 3 or 4 passwords” or “use one password for sites I care about and another one for everything else.”
Both of these methods in my opinion are bad, primarily because a site you do not care about can become a liability later due to the long tentacles of Google and other search engines. People accessing your account might not always be looking for financial or personal data, they could just be out screwing around or attempting to damage your reputation perhaps by posting inflammatory posts to message boards, which may poison Google searches for your name or email address for years to come. You might not know about the compromise for years but Google would be attributing posts to your username the entire time.
Below I address two methods that you could use to create (relatively) secure passwords without having to memorize a ton of different information.
Option 1: Use a Password Database
If you want maximum security I would refer you to a password management tool, which will allow you to have a random password for every website you access. You must keep the password database safe, but keeping a single, well controlled database safe is easier than attempting to manage dozens, or if you are like me, hundreds of sites by hand. With the major tools you can also sync your passwords between your computer and phone so that you are never without them. The main thing you need to ensure is that the master password used to lock the database is itself strong. Applications such as KeePass, SplashID, LastPass and 1Password are examples of these types of tools.
Option 2: Create Reference Passwords that are Customized per Site
If you want an easier, less cumbersome method to create pretty solid passwords without a password manager, I’m going to propose a few ideas that should result in significantly more secure passwords while requiring no management tools at all. You don’t need to go through this entire gyration, but the more of it you do, the less risk you are exposed to. Customize as you see fit to your paranoia level and needs.
Creating an Easy to Remember Set of Passwords:
- Pick your Words or Phrases. Pick 3-5 words or phrases you can easily remember. The words SHOULD NOT show up in a Google search, even misspelled. This means if you are going to make up words then make up new unique words no one has used before. For phrases you can use poetry, lyrics, book quotes, anything you would like. I would encourage you to stay away from quotes or lyrics that are extremely popular since you are not the only one that would have thought of them.
- Shorten words or phrases into something manageable. If it is a long phrase such as “I do not like green eggs and ham said Sam I am.” then shorten it to “IdnlgeahsSIa.” or some variant. There are two reasons for this: first, typing a massive phrase takes people a while and is prone to typos; second, many password systems still cannot handle passwords longer than 16 or 20 characters. Our goal is simplicity without a management system. Note that I kept the special character “.”. Special characters make password cracking harder, although a few password systems will not accept them.
- Verify the passwords are >8 and <20 Characters. Now you should have 3-5 solid, non-Googleable words or abbreviated phrases with >8 and <20 characters each.
- Make it Easy to Locate Which Password to Use. The next step is to figure out a trick to identify each website so that you can pick one of your passwords. You could use the first or second letter of the domain name to decide which password to use. E.g., letters A-L get one password, M-S get another, etc.
- Figure out a Unique Identifier for Each Website. Find something about the domain name or website that gives you a fairly unique value. E.g., Logmein.com has 10 characters in the domain name, so perhaps you use that. You could also take something directly from the site, such as its name, and use it in the password. E.g., insert the initials “lmi” or “logmein” into your password.
- Place the Unique Identifier into your Password. Now, take your new unique number and apply it to your password, perhaps with the shift key held down, which turns the digits into special characters. In the case of the password I referenced above, “IdnlgeahsSIa.”, if I used both methods identified in step five I would insert “10” typed with shift held down and “lmi” into my password. The result might be “IlmidnlgeahsSIa!)”. Note that I did not insert the shifted “10” or the “lmi” at the very beginning or end of the password, to make it a little harder to predict for someone attempting to compromise my accounts. At this point most hackers are probably moving on to easier targets unless you have become the target, in which case they will probably try to find other ways to access your accounts. If they do keep trying to access your accounts using passwords, there is a good chance you would receive notices that something was up before they gained access elsewhere.
- Create a cheat sheet to carry with you. Until you have committed your new password method to memory, carry a coded sheet of paper with you, perhaps in your wallet. Do not write out the entire process, just the Cliff’s Notes necessary to jog your memory. This way if you lose your wallet your passwords are still safe; all anyone will find is paper scribbled with unintelligible notes.
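As an added illustration of the six steps above (this is not the post’s own code), the script below derives a per-site password from a set of base passwords: it abbreviates the phrase, picks a base by the domain’s first letter, counts the hostname’s characters and types that count with shift held, inserts a three-letter site label away from the ends, and then verifies the >8 and <20 rule. The bucket boundaries, the use of the full hostname for the count and the three-letter label are assumptions, so the result for logmein.com differs from the “lmi”/“10” example in the post.

```python
# US keyboard: typing a digit with shift held gives the symbol above it.
SHIFTED = str.maketrans("1234567890", "!@#$%^&*()")


def abbreviate(phrase: str) -> str:
    """Step 2: first letter of each word, keeping any trailing punctuation."""
    abbr = "".join(word[0] for word in phrase.split())
    if phrase[-1] in ".!?":
        abbr += phrase[-1]
    return abbr


# Constructed sample bases: one abbreviated phrase plus two made-up words.
BASES = [
    abbreviate("I do not like green eggs and ham said Sam I am."),  # IdnlgeahsSIa.
    "Flurbwangle7",
    "Zorptickle!9",
]


def pick_base(bases: list, domain: str) -> str:
    """Step 4: assumed buckets by first letter: a-l, m-s, t-z."""
    first = domain[0].lower()
    if first <= "l":
        return bases[0]
    if first <= "s":
        return bases[1]
    return bases[2]


def derive(bases: list, domain: str, label_len: int = 3) -> str:
    """Steps 5 and 6: site count (shifted) and site label, inserted off the ends."""
    base = pick_base(bases, domain)
    count = str(len(domain)).translate(SHIFTED)      # e.g. 11 -> "!!"
    label = domain.split(".")[0][:label_len]         # e.g. "log"
    # Label goes after the first character, count before the last one.
    return base[0] + label + base[1:-1] + count + base[-1]


def check_length(password: str) -> bool:
    """Step 3: the post's >8 and <20 character rule."""
    return 8 < len(password) < 20


if __name__ == "__main__":
    for site in ("logmein.com", "github.com", "twitter.com"):
        pw = derive(BASES, site)
        print(f"{site:12} {pw:20} length_ok={check_length(pw)}")
```

The length check only covers the post’s own size rule; a site that rejects special characters still needs handling by hand, as the post notes.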
After trying a variation of this system, if you think your password management method is still too complex, mix it up and perhaps simplify the system. The key is to keep passwords long, avoid dictionary words, mix letters and numbers, insert some special characters if possible, and avoid using the exact same password on several websites.
Even if this type of strategy does not keep people out of all of your accounts, by the time they figure out which sites overlap (there should be very few) you will hopefully have received dozens of “Invalid login attempt detected” messages in your inbox, allowing you to take action.