jump to navigation

Unique and Complex Passwords for Everything 19 August, 2007

Posted by paralleldivergence in Brad & Phil, Internet, Life, passwords, security, technology.
trackback

When we were children, our “world” was a very small place. Everything that I knew was within a five-kilometer radius of my home. From time to time, I would catch a bus or a train that would take me out of my world, and into another. My little circular world was joined by a line to another small, temporary circular world when I went on holidays. While I realised that planet Earth was enormous, my world never got close to any of it.  Then along came the Internet.

…a small world after all 

Despite the existence of the Internet which brings every corner of the Earth within easy reach, many people still live today as if they are safe in their tiny neighborhood. The problem is that not only does the Internet allow you to “visit” people and places anywhere on the planet, but it also allows all of those people to “visit” you. Inside your home.

Ten years ago, I would queue up at the bank and post office to pay my bills. I could never imagine wasting my time doing that ever again. So, instead, I signed up accounts for on-line payments for all my bills. One account for the bank, one for the post office – and through them, I was able to pay everything from home in minutes. I already had accounts for email and for my ISP and at work I had another slew of on-line accounts that I had to deal with and manage.

But things really started to get heavy in the last couple of years with Web 2.0 with a blog account, a Flickr account, a YouTube account and membership of various forums.  All of these accounts needed a username AND a password. For many people, this was not a problem – they just used exactly the same password for everything! For others more careful by nature, it was starting to be a nightmare. The thing that everyone needs to remember is this: “The more you use the Internet, the more you can be used by others”. The weaker and more guessable your password is, the easier you’ll make it for those who want to exploit you. And if that same password is used for everything, then that’s just dumb.

Being in the IT industry, I knew I had to have not only a complex password, but a unique password for every site. But I also didn’t want to be forced into the position where I had to write my passwords down. The number of computer monitors I see everday with Post-It notes stuck to them showing a password continues to stagger me. Every one of my passwords had to be complex, unique AND instantly recallable. Here’s how you can do it too:

Step 1: Think of a password stub. It should be a short, four or five letter word or name that means something to you and that you will NEVER forget. Maybe your mother’s name or pet’s name.

Step 2: Complexerise that stub (is that a word?). Let’s say the stub is “susan“. Turn it into say, “5uS@n” – basically mix upper and lowercase and swap numbers and symbols for letters. Try to have a number in your stub because some sites require a mix of letters and numbers for all passwords. Burn this new stub into your memory.

Step 3: Now you just need to add a suffix to that stub related to the site where the account is held. You can either use the whole site name, or say, just the first three or four letters of the name of the site. Maybe make the second letter of the site name upper case just to add a little more complexity. Stick that suffix on the end of your stub and that’s your password!

For example, here are the complex, unique AND recallable passwords for some sample accounts:

Site Name Password
Yahoo 5uS@nyAho
Citibank 5uS@ncIti
Flickr 5uS@nfLic
YouTube 5uS@nyOut
MySpace 5uS@nmYsp

Finally, if you get any sites that ask you to save a “secret question” and “secret answer” in case you forget your password, DON’T! This represents extremely poor security because anyone that knows your account name will be able to find out your secret question and may be able to use social engineering on you to get into your account. Answer those options with gibberish. You will never need to use them and you shouldn’t give others an opportunity to use them.

If you like this concept, feel free to use it. If you’ve got other good ideas for better password management please share them here.

Brad & Phil #22

About these ads

Comments»

1. Geoff - 19 August, 2007

What a great idea! Thanks for sharing this. It makes a lot of sense and I can see it’s really an excellent method to boost the security of personal data. Well done.

2. Brianna - 19 August, 2007

Cool cartoon! Thanks for the tips. I think I might go change some passwords.

3. Kay at Suicyte - 20 August, 2007

In most instances probably a good idea. However, there are a number of occasions where I would not advise to use this technique. There are some places that don’t think much of password security, Among those are sites of dubious quality or intents (but you don’t have accounts there anyway, don’t you?) but there are also other places that look trustworthy but still do things like sending passwords unencrypted by e-mail. If you use a password that follows the advice in this post, it will be rather easy to guess all your other passwords.
I know this from my own experience. I am a scientist and frequently have to review other people’s manuscripts for scholarly journals. Nowadays, this is done by manuscript handling systems, which (of course) require that you set up an account. I was really surprised that I received more than one e-mail from journals, going like “…for doing this, just log into our manuscript handling system. Your account is XXX and your password is YYY….”. And yes, I had used a password consisting of a stub with the name of the journal appended. I have changed that (and my stub) very quickly after this experience.

4. paralleldivergence - 20 August, 2007

Thanks Geoff and Brianna for the comments. Kay, you are right. It definitely depends where and how you use this technique. For those “untrustworthy” sites, or sites where I know I’ll rarely go back, I use a common, simple password. Certainly, I think unscrupulous people would need two of your passwords to work it out, otherwise, if you mix your stub and suffix up well, they probably won’t bother on first look. A bit like the car with a steering wheel lock vs one without. My biggest concern is people writing passwords down with step by step instructions for what they are for. Staggering. Thanks Kay.

5. jeopardygame - 20 August, 2007

Good advice that I’m sure we should all consider. This blog has such a nice layout. :)

6. Jeff - 20 August, 2007

Really good post. I was talking with some friends recently about this exact thing. I am sure there are plenty of people (me included) who need to rethink our online security and ideas like thing will go a long way in helping to address the problem. btw I was wondering when the next post was coming…..

7. paralleldivergence - 20 August, 2007

Thanks Jeff. I have been a bit slack here. Been too busy making a whole other blog and really cool software to go with it: http://jeopardygame.wordpress.com – I think this whole password security issue is huge and we all need to take a much closer look at it.

8. GreenLantern - 21 August, 2007

This is a great idea. I don’t know how many times I have had to click on the “Forgot your password?” because I didn’t remember what random string of letters and numbers I used when I signed up for whatever it is that I am logging into. However, the only thing that worries me is if someone breaks your scheme. They can now get into everything.

9. paralleldivergence - 21 August, 2007

Hi GreenLantern! But it’s not my scheme. It’s yours. You make up your own stub and define what the suffix looks like. People would need to know two of your passwords for two separate accounts before they’d work it out, and then that occurred because you were slack with your own security or you let a keylogger get installed on your PC or you were using a foreign PC that had a keylogger.

Then they’d also need to know your account names for each service.

10. Becca - 18 February, 2008

Hi there, just accidentally came across your blog whilst looking for pictures of the Earth, I was just wondering if that picture you posted is yours; if so would it be okay if I used it?

11. jeopardygame - 18 February, 2008

Hi Becca, It’s not mine, I found it on a stock photo site. Go for it.

12. Brad Keller - 28 September, 2010

Hello
This comment is more of a request about the picture. I would like to know about the copyright. Is it possible to use this picture for a water marking backing for a book we are writing about cruising around the world and the dream there of.

paralleldivergence - 28 September, 2010

Hi Brad. The image has been used over 7800 times on various websites: http://www.tineye.com/search/1cd64f527b5d0d86ceb1e91841c15e04ba2b2306/

13. Teacher with better passwords soon - 27 October, 2010

Wow, I too just logged on to your site to see about using this image (as a teaching symbol for my fourth grade class). . . I’m glad I did. First of all, I can feel great about downloading it (and apparently being approximately person number 7802 to use it, ha ha!), but ALSO because I read your info about making better passwords. THANK YOU!!


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

Join 41 other followers

%d bloggers like this: