Your passwords - making them memorable but safe and secure
No "normal" user should need to understand the complexity surrounding passwords.
Although I have tried to articulate those issues in many web pages over many years,
my conclusion is that I should write a short article (below) which tells readers
WHAT they should DO and NOT WHY! I am also LIMITING my advice here to passwords for
web sites rather than PCs, mobile phones, laptops, routers and other devices which
could become physically accessible to thieves - see Passwords for insecure devices
if that is also a matter that concerns you.
Consider which threats, and in particular which sources of them, cause you the greatest
exposure: a physical thief, a youth with a 'hacking' laptop, a co-worker or an acquaintance,
through to bored kids at college and hackers in Russia / China / Africa.
They all have different 'attack vectors' - physically stealing a laptop,
taking over your PC or router (locally to begin with!) or simply scraping data,
including user names and passwords, off a discarded computer hard drive.
- The most important aspect of managing passwords is to treat them in categories
according to their value, or the risk/consequences to you, of each - the lowest level
can be throwaway in almost all respects. The essential point is that every level is
distinct from all others and cannot act as a 'set of ladders' for a thief to ascend.
If you use the same or similar passwords for banking as you do for small retail
stores on the web then you have given the thief an escalator when you
thought you were playing "Snakes and Ladders".
- For simplicity, let's refer to them as levels, as in a computer game.
Level 0 should be so basic and simple that anyone can play; Level 3, however,
has to be the part of the game where NO-ONE can follow you, no matter how
well they know you (personally, historically, or by observation/monitoring)
and no matter where they attack from or with what weapons.
- Really good passwords need to withstand the variety of attacks that already exist
(brute force, dictionaries, rainbow tables etc.)
and ideally anticipate those that are not yet economic for the thief.
However, passwords MUST be EASY ENOUGH to remember in your head!
- Writing down OR just STORING the whole of a password in one place IS NOT A GOOD IDEA
for protecting resources where the risk/consequences are high.
For example, I would not use a single electronic or software safe to store the whole of a
password for any financial (or other important) web site,
just as I would not store it in my wallet or mobile phone.
That is why our conclusion is that the best building block is the first
character of each word in a sentence: that is a very easy and natural way to replay
a password, even when you are asked for specific characters of it.
The extra challenge is that the simplicity of this approach means that it is
necessary to choose sentences:
- of which there is more than one (and they are unrelated!) - if you need to record
a reminder then record them separately and ideally on separate media / in separate
locations: paper in your fire-safe at home combined with an obfuscated text
on your mobile would be OK for a low-medium risk password.
Add a third location (and maybe a third medium) for high risk passwords.
- which very, very few people would know - obviously NOT lyrics, quotations etc.
Think laterally - a sentence could be WHAT you WANTED to SAY to your BOSS
at the Christmas party LAST YEAR!
Don't even THINK of using what you want to say to them THIS YEAR because it will
have gone through your mind dozens of times before then and 'accidents do happen'.
- which ideally do not exist anywhere on the Internet!
However, when checking this (using "Google with quotes") you must not research
more than one sentence from the same PC, and certainly not in the same week, as your
search query strings are logged and it is just conceivable that a hacker could
target this data as a source for a new dictionary!
- To add some complexity AND length to the above you also need a SIMPLE set of rules
- ONE FOR EACH LEVEL and VERY DISTINCT - which inserts odd characters into the
password and IDEALLY makes it broadly unique to the web site you are visiting.
But as stated above,
for the latest best practice on this topic visit:
http://bb4t.co.uk/Page/bestppp
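As an added worked example (not code from the original page), here is the scheme above in Python: one or more unrelated sentences per level reduced to their first characters, a distinct insertion rule per level that can also fold in the site name, replay of individual character positions for "give me characters 3 and 7" prompts, and a check that no level's password appears inside another. The sentences, rules and site names are all constructed for illustration and are assumptions, not recommendations to reuse.

```python
"""Sentence-acronym passwords with one distinct rule per level (constructed example)."""
import re

# Constructed sample sentences, one set per level; each level uses its OWN
# sentences so that no level can act as a ladder to the next. Never reuse these.
LEVEL_SENTENCES = {
    0: ["my first bike was red with a bell"],
    1: ["the blue van stalled twice outside number forty on Tuesday"],
    2: ["what I wanted to tell my boss at the party was buy better coffee"],
    3: ["Aunt Rosa kept seven goats and never one chicken",
        "nobody saw the green kite land on the chapel roof"],
}


def acronym(sentence):
    """First character of each word, keeping each word's own case."""
    return "".join(w[0] for w in re.findall(r"[A-Za-z0-9']+", sentence))


def rule_for_level(level, text, site):
    """A VERY DISTINCT insertion rule per level (constructed rules; invent your own)."""
    label = site.split(".")[0]              # 'examplebank' from 'examplebank.example'
    if level == 0:
        return text                          # throwaway: the bare acronym
    if level == 1:
        return text[:3] + "-" + text[3:]     # one dash after the third character
    if level == 2:
        return text + "#" + str(len(label))  # length of the site name appended
    # level 3: site initials as bookends and a '!' in the middle, so every
    # site gets a different password from the same memorised sentences
    mid = len(text) // 2
    return label[0].upper() + text[:mid] + "!" + text[mid:] + label[-1].upper()


def build_password(level, site):
    """Join the acronyms of the level's sentences, then apply that level's rule."""
    joined = "".join(acronym(s) for s in LEVEL_SENTENCES[level])
    return rule_for_level(level, joined, site)


def character_at(position, level, site):
    """Answer a 'character N' prompt by replaying the sentence (1-based position)."""
    return build_password(level, site)[position - 1]


def no_ladder(passwords):
    """True when no password is contained in another: a leaked low-level
    password then gives no foothold towards a higher level."""
    return all(a == b or a not in b for a in passwords for b in passwords)


if __name__ == "__main__":
    for lvl in range(4):
        print(lvl, build_password(lvl, "examplebank.example"))
```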
This page © Business before Technology 2008-9 - see the respective sites of the owners for their copyright as well as terms and conditions
Links and other information last validated on 22nd May 2009.
Please use the Contact us page to suggest any additions or revisions.