Picking Perfect Passwords
Mon, Jun 2, 2008

Photo by: Monstro
It’s not that most people don’t know how they *should* manage their passwords. It’s common knowledge that you shouldn’t write down your passwords in plain sight. We’ve heard that you should not reuse the same password for all of the websites you have accounts with. But when you have hundreds of website accounts, many with different password requirements, it’s easy to throw caution to the wind.
However, there are a number of effective and convenient methods for creating rock-solid passwords and for keeping them safe.
Creating Strong Passwords
Password Algorithms
Ideally your passwords will be unique to each website or application they’ll be used for. In addition, many websites will have particular requirements for the character composition of the passwords (e.g. at least one special character, a mixture of digits, lowercase and uppercase characters). While remembering a unique string of characters for each account is a monumental task, remembering a formula for creating those characters is easy. An example algorithm:
- The digits ‘123’
- The first 3 characters of the domain name ‘goo’ (for google.com)
- The first 3 uppercase letters in the alphabet ‘ABC’
That leaves you with the password ‘123gooABC’. Not so impressive yet, but it will usually be unique from site to site. From that sample formula, it’s easy to see how you can be quite creative with the process. For example, rather than use fixed digits, you can derive them from the domain name using a simple substitution (‘g’ is the 7th character in the alphabet, so start with ‘7’, etc.).
Some websites require that you use a special character in the password (e.g. ‘!’, ‘$’). Unfortunately, some sites disallow these types of non-alphanumeric characters. You can default to having these characters in your password, and if your first attempt fails, fall back to a password without those characters. This same method can be used for sites with incompatible password length requirements.
The Impressively Long ‘Verse’ Password
Sometimes it’s handy to have a single, very long password. We can use our memory’s facility for remembering song lyrics for this task. Pick a few verses from your favorite song. When typing out your password, sing the song in your head and type the first letter of each word.
Blackbird singing in the dead of night
Take these broken wings and learn to fly.
All your life
You were only waiting for this moment to arise.
The first verse in “Blackbird” gives us an easily retrievable 27 character password of 'bsitdonttbwaltfaylywowftmta'.
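Both recipes above (the per-site formula with its special-character fallback, and the first-letter-of-each-verse password) are easy to express as a few lines of code. The following is an added example, not code from the original post; the function names, the `fixed_digits`/`special`/`max_len` parameters and the inline verse text are choices made here for illustration.

```python
import string

# 'a' -> 1, 'b' -> 2, ... 'g' -> 7, used for the "derive the digits from the domain" variant.
ALPHABET_INDEX = {c: i + 1 for i, c in enumerate(string.ascii_lowercase)}


def site_prefix_digits(domain):
    """Digits derived from the domain's first letter: 'google.com' starts with 'g', the 7th letter."""
    first = domain[0].lower()
    return str(ALPHABET_INDEX.get(first, 0))


def site_password(domain, fixed_digits=None, special="", max_len=None):
    """Article formula: digits + first 3 characters of the domain + 'ABC',
    optionally followed by a special character and truncated to a site's length limit."""
    digits = fixed_digits if fixed_digits is not None else site_prefix_digits(domain)
    password = digits + domain[:3].lower() + "ABC" + special
    if max_len is not None:
        password = password[:max_len]
    return password


def site_password_candidates(domain, max_len=None):
    """Ordered attempts for a site: first with the special character, then the plain fallback
    for sites that reject non-alphanumeric characters."""
    return [
        site_password(domain, fixed_digits="123", special="!", max_len=max_len),
        site_password(domain, fixed_digits="123", special="", max_len=max_len),
    ]


def verse_password(verse):
    """First letter of every word, lowercased; trailing punctuation such as 'fly.' is ignored."""
    letters = []
    for word in verse.split():
        stripped = word.strip(string.punctuation)
        if stripped:
            letters.append(stripped[0].lower())
    return "".join(letters)


# Constructed sample input: the verse quoted in the article.
BLACKBIRD_VERSE = """Blackbird singing in the dead of night
Take these broken wings and learn to fly.
All your life
You were only waiting for this moment to arise."""

if __name__ == "__main__":
    print(site_password("google.com", fixed_digits="123"))   # 123gooABC
    print(site_password("google.com"))                       # 7gooABC (derived digits)
    print(site_password_candidates("google.com", max_len=8)) # ['123gooAB', '123gooAB']
    print(verse_password(BLACKBIRD_VERSE))                   # bsitdonttbwaltfaylywowftmta
```

Note the `max_len=8` call: truncating to a short limit can make the special-character attempt and its fallback identical, and it can also cut off the per-site part entirely, so check what survives before relying on a truncated variant. Because the site-specific portion is taken straight from the domain, anyone who sees one of these passwords in a breach dump can read the pattern off it; the formula buys uniqueness across sites, not secrecy of the scheme, which is why the article pairs it with a password manager.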
Safely Storing Passwords (no stickies!)
There are a number of password management applications that will allow you to write out your passwords in plain text, without guilt. The application is installed on your computer, and stores the passwords encrypted on your hard drive. To view all of your usernames and passwords, you supply a single all-access password. This is a perfect use for the verse password described above.
A couple of well-regarded password management programs:
- Password Safe (Windows)
- Steel (Mac)
Autofill and Browsers
While the above options greatly ease the task of creating and retrieving passwords, a browser’s ability to ‘remember’ and autofill password fields is the most convenient method for logging into all of your website accounts. However, these passwords will then be accessible to anyone who gains access to your browser. Helpfully, most browsers provide the option of setting a master password. Before enabling the password autofill feature for each browsing session, the browser will require the user to enter their master password.
To set up this feature in Firefox 2.0:
- Navigate to Tools -> Options
- Select the ‘Security’ tab
- Check the ‘Use Master Password’ option and enter a master password (perfect use for the ‘verse’ password described above)
Firefox also provides a built-in password manager you can use to examine all of your passwords in plain text (once you provide the master password).
Long and Random Passwords for the Paranoid
Even unique and closely guarded passwords can be cracked given enough time. A brute force attack is when an intruder attempts to crack a password by trying all possible combinations. With time and opportunity, this approach will always succeed eventually, but you can at least make it take the cracker as long as possible. The best way to extend the time needed to crack a password by brute force is to use long and random passwords.
The seemingly random passwords described above are probably all you need, but for the paranoid among us, check out Steve Gibson’s Perfect Passwords page. Steve’s tool creates unique and (pseudo) random 64 character passwords, which are extremely likely to keep a brute force cracker working on your password for the rest of his life. The problem with 64 character passwords is that they are not practical to remember. They aren’t even practical to write down and carry around with you.
The way this approach works is to keep the passwords on an encrypted thumb drive that you can cut and paste from. TrueCrypt is a great free, open-source encryption tool that can be used for this purpose. For a simpler but more expensive encrypted thumb drive solution, check out IronKey. IronKey integrates best with Windows-based computers, but on a compatible system it will create a portable password vault that saves passwords automatically and encrypts them. In true Mission Impossible fashion, ten failed attempts to unlock the device will cause it to destroy itself.
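To make the brute-force argument concrete, the following added example (not from the original post or from Steve Gibson’s tool) estimates the worst-case search space of the passwords discussed in this article and generates a 64-character random password with Python’s `secrets` module. The guess rate used below is a constructed, round-number assumption, not a measurement of any real cracker.

```python
import math
import secrets
import string

SECONDS_PER_YEAR = 365 * 24 * 3600


def charset_size(password):
    """Alphabet size an attacker must cover, inferred from the character classes present.
    This is the attacker's worst case: it assumes the password is uniformly random over that alphabet."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 ASCII punctuation characters
    return size


def search_space_bits(password):
    """log2 of the number of combinations: length * log2(alphabet)."""
    return len(password) * math.log2(charset_size(password))


def years_to_exhaust(password, guesses_per_second):
    """Time to try every combination at the given rate (an upper bound for the attacker)."""
    combinations = charset_size(password) ** len(password)
    return combinations / guesses_per_second / SECONDS_PER_YEAR


def random_password(length=64):
    """Uniformly random password over letters, digits and punctuation, using the OS CSPRNG."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    rate = 1e9  # constructed assumption: one billion guesses per second
    for label, pw in [
        ("site formula", "123gooABC"),               # 9 chars, 62-character alphabet
        ("verse", "bsitdonttbwaltfaylywowftmta"),    # 27 chars, lowercase only
        ("random 64", random_password(64)),          # 64 chars, 94-character alphabet
    ]:
        print(f"{label:13s} {len(pw):3d} chars  {search_space_bits(pw):6.1f} bits  "
              f"{years_to_exhaust(pw, rate):.3g} years at {rate:.0e}/s")
```

The numbers are an upper bound on attacker effort: the verse and site-formula passwords are not uniformly random, so a cracker using wordlists or known formulas can do far better than the exhaustive figure, whereas the `secrets`-generated 64-character password actually achieves the 64 * log2(94) ≈ 419 bits the estimate reports. That gap is the quantitative reason the article reserves long random passwords for the paranoid and stores them in an encrypted vault rather than in memory.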
Be Creative
There are a variety of ways to choose and protect your passwords. The secret is choosing one that is unique to you and works with your routine. If you have a favorite technique or have ways of improving those described in this article, let us know in the comments below.
Tags: Passwords, Security, Steve Gibson, truecrypt

June 4th, 2008 at 10:24 am
I work for Vidoop and we have a pretty neat password manager plugin that works on IE and Firefox. You can import passwords you already have saved in FF to the plugin as well. It’s cool stuff, may be worth a look.
You can learn more at http://myvidoop.com