How to choose (and remember) a secure password

According to this article, I am one of only 5% of computer users who use secure passwords.

What's a secure password? It's at least 8 characters long, mixed letters and numbers, at least one special character, and isn't in the dictionary. Why don't people use them? They don't make any sense. You can't remember random strings of text. What you can do is create functionally-random passwords that actually have meaning to you. Here's one way to do it.

First, think of your favorite pastime, hobby, or other interest - say, for example, wine. Now choose a memorable example of it; here let's work with an old favorite of ours, Markham Merlot. Cut it down (or add to it) to get it to a manageable size at least 8 characters long: MarkhamM or markhamm.

So far, this is progress: it's memorable, the correct length, and it's not in the dictionary. Why is that important? Because automated password-guessing algorithms will try every word in the English language, in addition to common choices like abc123 and phrases that can be connected to you, like your birthdate or your spouse's name. At this point you may feel frustrated, imagining that there's nothing left to use. But what's still available is proper nouns - basically anything capitalized. That's why things like rock band names often work. But we're not done yet.

Lastly, we need to add some numbers and/or special characters (!@#$%, etc.). My technique is to take the plain-English version of your password and replace letters with lookalikes or soundalikes. Vowels are easy: a=@, e=3, i=!, o=0. There are plenty of consonant replacements too: s=$, c=(, L=7, B=8, et cetera. These replacements are all common examples of leet-speak, the dialect adopted by early hackers to annoy the uninitiated. As a rule of thumb, I prefer to use at least two replacements. If you want to use two that require the shift key, put them one after the other and both on the same side of the keyboard so you can type it faster. See how practical this is?

To complete our example, we substitute h=# and a=@, and we get mark#@mm. That's easy to remember, easy to type, and almost impossible to guess - as long as you're not related to anybody named Mark Hamm.

Taken by themselves, these substitutions are inadequate, because a password-guessing program can try all of them too, as variations on the dictionary and the names of your family members. But using them on a proper noun that's not associated with you makes it functionally random - at least from the perspective of automated guessers. A person who knows you might guess that you'd tweak the title of your favorite 1972 progressive rock album, especially if they lived with you and eventually were forced to let candle wax overflow onto that record.
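As an added example (my own code, not part of the original post), here is a small Python checker that applies the post's criteria together with its own caveat: it reverses the lookalike table above, the way a guessing program trying "variations" would, so a disguised dictionary word such as p@$$w0rd is flagged while mark#@mm passes. The wordlist is a constructed stand-in for a cracker's dictionary, and the set of special characters is an assumption.

```python
# Substitution table from the post (plain letter -> lookalike); h=# comes from the worked example.
LEET = {"a": "@", "e": "3", "i": "!", "o": "0", "s": "$", "c": "(", "l": "7", "b": "8", "h": "#"}
UNLEET = {sym: letter for letter, sym in LEET.items()}
SPECIALS = set("!@#$%^&*()_+-=[]{};:,.<>?/|~")  # assumed set of "special characters"

# Constructed stand-in for a guessing program's wordlist: dictionary words plus common picks.
WORDLIST = {"merlot", "markham", "wine", "password", "hello", "abc123", "letmein"}


def de_leet(password: str) -> str:
    """Reverse the lookalike substitutions, as a guesser trying variations would."""
    return "".join(UNLEET.get(ch, ch) for ch in password.lower())


def count_substitutions(password: str) -> int:
    """Number of characters that are lookalikes from the table (rule of thumb: at least two)."""
    return sum(1 for ch in password if ch in UNLEET)


def check_password(password: str, wordlist=WORDLIST) -> list[str]:
    """Return the post's criteria that the password fails; an empty list means it passes."""
    problems = []
    if len(password) < 8:
        problems.append("fewer than 8 characters")
    if not any(ch.isalpha() for ch in password):
        problems.append("no letters")
    if not any(ch.isdigit() or ch in SPECIALS for ch in password):
        problems.append("no numbers or special characters")
    if password.lower() in wordlist:
        problems.append("in the wordlist as-is")
    if de_leet(password) in wordlist:
        problems.append("a leet-speak variation of a wordlist entry")
    if count_substitutions(password) < 2:
        problems.append("fewer than two lookalike substitutions")
    return problems


if __name__ == "__main__":
    for candidate in ("Merlot", "p@$$w0rd", "mark#@mm"):
        verdict = check_password(candidate)
        print(f"{candidate:10} -> {'ok' if not verdict else '; '.join(verdict)}")
```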

Of course, a greater danger than guessers is that someone will simply find your password written down - on paper, in a file on your computer, or on your PDA. Passwords that only get used once a year do get forgotten, and I confess I do record mine. However, I keep them on my PDA in a program that requires, you guessed it, a password before you can open it. That password I never forget.
