Yes, I know.
Another article about passwords.
Someone please shoot me before my head explodes.
Despite Bill Gates predicting the demise of passwords back in 2004, they are still very much in use, but the only people that care about passwords are journalists and SysAdmins. They have to justify their existence so they keep flogging the subject to death, much to the despair of those having to use them.
For the rest of us they are just a necessary pain.
But, fear not, for I will show you the way to password nirvana.
How “they” want you to create passwords
They all want you to use password made up of the 4 food groups.
Numerals – 10 choices
Letters [lower case] – 26 choices
Letters [upper case] – 26 choices
Symbols [special characters] – 32 choices
Not a problem
A password today should have a [theoretical] minimum of 12 characters, and ideally it should consist of 16+. 16 is the new black. If you check your password strength in a password manager then they [nearly] all settle on 16 as the sweet spot.
16 you say. Wow. How am I expected to remember that?
Relax, there’s no to need to panic – 16 is easy, or will be by the time you finish reading this.
Let’s begin by looking at something simple – an 11 character password.
We’ll start by turning a sentence into a very strong password.
My name is Barry Michael Norris and I am 44 years old.
Your sentence converted to a password is shown below.
For the slow people this is what we did.
My name — mn
is — =
Barry Michael Norris — BMN
and — @
I am — ia
44 — 44
years old = redundant, but may help you remember.
OR, you can tack it on the end [mn=BMN@ia44yo.] and make it into an even stronger 14 character password.
Now, really, how easy was that. All 4 food groups, a nice mix and best of all, SECURE.
Here’s one more so that the slow people can get with the programme.
As you can see the first seven characters are the same as the first example.
The change occurs after the @ – “1L@8gsc“
Long story short those characters represent:
My name is Barry Michael Norris and I live at 8 George Crescent Canberra
There it is.
You can generate your password from a very easy to remember sentence, and also use all of the 4 variation choices available to you to manipulate them into a very secure password.
One thing – you should “try not to” use the exact two password phrase examples that I have used as illustrations. As soon as anything like this appears the formula is added to the great big password cracking list in the sky. If you do want to use it, you will just have to make a few adjustments. For example, replace your details with those of a family member. Use information about your place of employment or where you went to school. There are countless variations available for you to use.
Nevertheless, I know some of you are either too lazy or too dumb to think [should I just stop here?] of something original so here’s how you can amend the above examples to suit your needs. This will make your password longer, but a lot safer. The adjustments are not difficult – even for those of you that travel on the short bus.
Let’s use the longer first example: mn=BMN@ia44yo.
You will obviously replace the letters and numerals — mn=SUE@ia33yo.
You will make it longer by adding a character at the beginning and at the end — #mn=SUE@ia33yo.&
You will make it longer by adding a throw away character — #mn=SUE@ia333yo.&
You will make it longer by adding extra throw away characters — #mn==SUE@@ia333yo.&
You have just changed your password into an 19 character vault.
The options are endless. Just find what works for you.
Editors note: When creating a password PLEASE try and avoid starting your password with a capital or finishing it with a number. Also, don’t try and be a know it all and brag about your password – “Yes, I use a 15 digit password”. If I know how many characters I have to crack it makes the job, if at all possible, a lot easier. You can thank me later.
If you use a password manager then [obviously] the examples above are for your master password, and this is an excellent article you should read.
I never use my master password – instead I use variations of my master password that include website identifiers.
For example here’s how I would use a separate password for PayPal.
Let’s say my master password is .ab=CCC@33byo
For my PayPal account I could use .ab=PP@33byo or .ab=OLP@33byo [ON LINE PAYMENTS]
For my “SecureEmailProvider” I could use .ab=SEP@33byo, or again, part of the providers name .ab=TDE@33byo
It’s easily done by finding a sweet spot in your password for each website, then using an abbreviation that you are comfortable with – and can remember. I use this method for 6 or 7 websites.
This is also a great way to remember your corporate password. Sadly many SysAdmins insist on a quarterly password change. The reason is always “security”. This flawed policy has been reversed in many organisations, but not by all. By using the above method you can very easily comply with your employers requirements – I had to. My method was this…
Let’s use this an an example corporate password – mli4Q1@2010
This decrypts to – my log in for Quarter 1, 2010. Then, when required, I just update the Q number and the year. You may prefer just to change a letter or numeral in a password you’re comfortable with, just don’t do it with the first or last character as some programmes pick up on that and will not verify your update.
Passwords stored in your browser
I suspect many of you use your browser as a storage area for many of your login passwords. Me too. For ease of use they’re great. I order my washing powder online, as well as my dog food and a few other bits and pieces. If my password was compromised at any of these website would I care? What’s anyone going to do – send me free dog food.
Discaimer: I NEVER store my credit card details at any of these sites.
I also use the same password in multiple websites. Is it a risk? Maybe, but look at the stats.
In 2019, so far, hacked website included a collection of 2.7 billion identity records, consisting of 774 million unique email addresses and 21 million unique passwords.
These huge numbers are meant to frighten you, but in reality they do the opposite. It’s one thing to hack that many passwords, it’s quite another to weaponise them. If mine was one of 21 million passwords hacked, what have they got. My name, address, phone number – and the type of dog food I order. FYI, it’s Black Hawk Lamb And Rice. All this information is pretty much general knowledge. Would they even bother with a spear phishing attack to try and access my financial or banking details. In most cases it’s a lot of work to find out that the trip has not been worth it.
Or, if you are not comfortable with using multiple passwords,you could use your “other” master password – junior edition – which is something else I use. Your master password is much to cumbersome for everyday use.
Let’s assume my junior password is 666KFCxx. I’ve limited this example to 8 characters because that’s all some websites allow.
Now by using a website identifier I would change this into 666PBxxx, if my supplier was Pet Barn. I had to use an extra character to make up the required 8 inputs but that’s something you will easily adjust.
Again, as an added precaution, I could use 666DFxxx instead, with the DF representing Dog Food.
Just use what works for you.
I know, I know, this means now you have 2 master passwords to remember.
The challenges you have to overcome to stay secure.
Take your time in selecting your passwords. Find something you like and keep repeating them to yourself until it your ready to go “live”.
When you leave your home you close your your windows and roller shutters, set the alarm and lock the doors – 4 independent actions. And, after taking all those precautions, you still pay for home insurance. How much would you pay not to have your life disrupted by being hacked – because of your pathetic [but easy and convenient] password?
Why would you shirk away from protecting your identity or finances by not using a free, easy and valid method – a secure password!
Perhaps you would like a higher tech alternative. This unique algorithm using Python and Shamir’s Secret Sharing protects your master password from hackers and your own forgetfulness.