Every week I see a new article about passwords. Articles about how cloud computing makes hacking easier, how dictionary attacks work, how someone got burned by not changing the default. Denard Robinson, quarterback of my beloved Michigan Wolverines, once made the news not for his on-field performance, but because his Twitter account got hacked by his ex-girlfriend. Today, it was the Syrian Ministry of Presidential Affairs using “12345” as the password.
Each time, I think about the scheme I use to create passwords. There’s usually nothing to do because my scheme would not have been vulnerable to whatever I was reading about. I am, after all, a fairly security-conscious guy. Here are the challenges a password scheme needs to address:
- Length. The longer the password, the more difficult it is to hack. I’ll skip the technical explanation and cut to the chase. Passwords become exceedingly difficult to hack once they reach 15 characters.
- Complexity. A password that uses at least one character from each of the four character groups – lowercase, uppercase, numbers and symbols (punctuation and special characters) – introduces the most complexity. Note that while many corporate IT jocks would disagree, length is more important than complexity.
- Age and History. Age refers to how long you go before you change your password. For most applications, once per quarter is fine. History is a related concept: it refers to reusing passwords you have used before. In other words, it doesn’t do much good to change a password if you change it to something you’ve used recently (say, in the past year).
- Variability. Many people come up with strong passwords, but then use them for most if not all of their logins. Ideally, your passwords should be different for each website.
My Password Scheme
Most people find these challenges to be … too challenging! I can hear my mom now, “I can’t even remember which passwords belong to which websites as it is!” Keep in mind this is someone with less than a dozen passwords. I’ve got over 500. The trick is to have a password scheme. Here’s mine:
Base Phrase + Rotator + Website
- Create a Base Phrase. Think of a phrase that’s easy for you to remember. For example, “To be or not to be.” By the way, this phrase is very common so don’t use it. You can create your base phrase by taking the first letter of each word. In this case, “To be or not to be” becomes “tbontb.”
- Create a Rotator. The rotator is a set of characters that you use to change your password on a regular basis. Significant dates work well here. I’ll use “8/15” in this example.
- Go Website-Specific. The name of the website can be used to ensure your password is unique to that website. For example, you could use “LinkedIn” when logging into LinkedIn.com.
In this simple example, the password is “tbontb8/15LinkedIn.” As long as you create a new rotator next quarter, this scheme addresses all four of the challenges above and is easy to remember. It’s also easy to modify the components for increased strength. For example, the base phrase “tbontb” could easily be “2b0n2b.” The rotator “8/15” could be “*?!%” (the same keys typed with the Shift key held down). As my right brain is fond of saying, you are limited only by your imagination!
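Putting the four challenges and the scheme together in code, as an added example that is not part of the original post: it derives the base phrase, builds the example password, and audits a small constructed vault against length, complexity, age, history and variability. The 91-day and 365-day thresholds are assumptions taken from the post’s “once per quarter” and “past year” wording.

```python
from datetime import date

# The post's four character groups: lowercase, uppercase, numbers, symbols.
CLASSES = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())

def base_phrase(phrase):
    """First letter of each word: 'To be or not to be' -> 'tbontb'."""
    return "".join(word[0] for word in phrase.split()).lower()

def build_password(base, rotator, site):
    """The post's scheme: Base Phrase + Rotator + Website."""
    return base + rotator + site

def audit(current, retired, today):
    """Check stored passwords against the post's challenges.
    current: (site, password, set_on); retired: (site, old_password, retired_on).
    Returns {site: list of failed challenge names}."""
    failures = {}
    for site, pw, set_on in current:
        failed = []
        if len(pw) < 15:                                    # Length
            failed.append("length")
        if not all(any(f(c) for c in pw) for f in CLASSES):  # Complexity
            failed.append("complexity")
        if (today - set_on).days > 91:                      # Age: once per quarter (assumed 91 days)
            failed.append("age")
        if any(s == site and old == pw and (today - when).days <= 365
               for s, old, when in retired):                # History: reused within a year
            failed.append("history")
        if any(s != site and other == pw for s, other, _ in current):  # Variability
            failed.append("variability")
        failures[site] = failed
    return failures

# Constructed sample vault; the accounts and passwords are made up for the example.
TODAY = date(2012, 1, 10)
CURRENT = [
    ("LinkedIn", build_password(base_phrase("To be or not to be"), "8/15", "LinkedIn"),
     date(2011, 11, 1)),
    ("Twitter", "12345", date(2010, 1, 1)),
    ("Bank", "12345", date(2012, 1, 5)),
]
RETIRED = [
    ("LinkedIn", "tbontb5/4LinkedIn", date(2011, 11, 1)),
    ("Bank", "12345", date(2011, 6, 1)),
]

if __name__ == "__main__":
    for site, failed in audit(CURRENT, RETIRED, TODAY).items():
        print(f"{site}: {', '.join(failed) or 'OK'}")
```

Running it reports the scheme-built LinkedIn password as OK, while the two “12345” entries fail length, complexity and variability, plus age (Twitter) or history (Bank).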
Honestly, that’s not my exact scheme. Did I mention that I’m a security-conscious dude? But it shows how I’m able to create and maintain a lot of very strong passwords. No password is uncrackable, but I’ve made it so difficult for the overwhelming majority of hackers that they will quickly move on to other people. Like Denard Robinson and the lazy folks at the Syrian Ministry of Presidential Affairs. Don’t let it be you!
After you’ve implemented your own scheme, here’s some fun reading: The 25 Worst Passwords of 2011!