Today, most folks are members of over 20 websites, and at work folks have 20+ applications that may or may not be single sign-on, and then some websites/apps ask us to change our password every so often… finally, with the push for “strong passwords” and not using the same password for EVERYTHING, how is a person supposed to remember all these passwords?
For some the answer is software – they install a password storage application that lets them keep all their passwords. Sometimes you can install this on your USB thumb-drive or on your cell phone, and you will always have your usernames and passwords when you need them. Handy.
However, if you are like me, and you have been too under-motivated to set up that software, or hyper-paranoid that someone could shoulder-surf your password or crack your master password and have everything, then this article might be for you!
Let’s start with what makes a password strong. Most places say a strong password is 12 characters, contains mixed case letters, numbers and even symbols. In addition, they recommend if your password spells something, that it be two unrelated words at least. In this article, I am exploring the idea of pattern-based passwords that are strong, easier to remember, and the patterns are things only YOU would know about! How does it work? Like this…
Each password would be based on a root. Root passwords would be changed on a less frequent basis.
Enter the game of personal salt. Salt is something that changes for every password. In cryptography a salt is extra data mixed into a password before it is hashed, so two identical passwords don’t produce identical results; here you can use your own personal version of the idea. Stay tuned.
Lastly, we have this notion that a password can change every so often, and the places that require you to change your password are not likely to synchronize their calendars, so you will have different versions of passwords sprinkled about.
Your Personal Algorithm
Here’s where it gets fun (it is even funner because I am trying to create a system without disclosing my exact approach – not that I don’t trust yah or anything). It may not sound like we’ve solved the problem in the sentences above, but we have: the goal is to start with a root password – all your passwords will use this root, then add salt which varies based on where you are using the password, and lastly apply versioning. In this way, all your passwords are related, but they are all strong (as long as they add up to 12 characters), and the only one that knows how they vary over time is YOU. The other benefit is, you can keep a cryptic cheat sheet that lets YOU know how to figure out the password, but nobody else would get it, even if they got their hands on your notes!
Walking the Blue Dog
Let’s start with the strong password… let’s say you have a dog named Sparky and your favorite color is blue. Well, for starters, although BlueSparky is cool, it could be predictable, so I would mix it up a little more… use the letters but spell something different that is preferably not in the dictionary. I don’t think ElubYarps is in the dictionary, so let’s have an example root password be ElubYarps.
Now it is time for personal salt. Examples of salt could be the last 2 characters of the website name, the network name, or the application name. Pick a couple of characters and sprinkle them in your password along with a number and a symbol. Let’s say you use BankOfBlorg.com and an application at work called SuperAccounting. I am going to pick the second letter of each word, so ‘a’ and ‘f’ for Bank Of Blorg, and ‘u’ and ‘c’ for Super Accounting. I am going to pick 9 as my number and # as my symbol. “Sprinkle” your salt however you want… I like the words “Elub” and “Yarps” so I will sprinkle the salt after each word.
Bank of Blorg: Eluba9Yarpsf#
Super Accounting: Elubu9Yarpsc#
Last, you want to have versioning. Most people will number their passwords like Elubu9Yarpsc#1, Elubu9Yarpsc#2, Elubu9Yarpsc#3… that’s fine, I suppose, but you can also work your way around the keyboard visually… start at “q” and go to “p”, or start at “f” and go “v” then “g” then “b” – some visual or even tactile pattern based on your input device. You also want to sprinkle your versioning somewhere not predictable. For this example, the 3rd character is versioning. Let’s do that. I am going to start with “z” and work my way to the right:
Bank of Blorg: Eluzba9Yarpsf#
Super Accounting: Eluzbu9Yarpsc#
Bank of Blorg: Eluxba9Yarpsf#
Super Accounting: Eluxbu9Yarpsc#
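The root + salt + version recipe walked through above, written out as an added example (this is not code from the article; the author only describes the pattern in prose). It assumes the exact choices used in the examples: the root split into the words Elub and Yarps, salt taken as the second letter of the first two words of the site name, 9 and # as the number and symbol, and the version character taken from a US-layout bottom keyboard row and inserted after the first three characters, which is where it lands in the article’s own examples. It also includes the “12 characters, mixed case, number, symbol” strength check quoted earlier, so you can see that every generated password passes it.

```python
# Added example: root + personal salt + versioning, as described in the
# article. All concrete choices (root words, salt rule, number, symbol,
# version row) are taken from the article's worked example.
import string

# Assumed US keyboard layout: bottom letter row, read left to right.
BOTTOM_ROW = "zxcvbnm"


def salt_for(site_name):
    """Salt rule from the article: the second letter of each of the first
    two words of the site or application name, e.g. 'a','f' for Bank Of Blorg."""
    words = site_name.split()
    if len(words) < 2 or any(len(w) < 2 for w in words[:2]):
        raise ValueError("salt rule needs two words of at least two letters")
    return words[0][1].lower(), words[1][1].lower()


def derive_password(root_words, site_name, number="9", symbol="#", version=None):
    """Sprinkle salt after each root word, then the number after the first
    word and the symbol at the end. If a version index is given, insert the
    matching bottom-row character after the first three characters."""
    first, second = root_words
    s1, s2 = salt_for(site_name)
    pw = f"{first}{s1}{number}{second}{s2}{symbol}"
    if version is not None:
        vchar = BOTTOM_ROW[version % len(BOTTOM_ROW)]
        pw = pw[:3] + vchar + pw[3:]
    return pw


def is_strong(pw):
    """The strength rule the article quotes: at least 12 characters with
    lower case, upper case, a digit and a symbol."""
    return (
        len(pw) >= 12
        and any(c.islower() for c in pw)
        and any(c.isupper() for c in pw)
        and any(c.isdigit() for c in pw)
        and any(c in string.punctuation for c in pw)
    )


ROOT = ("Elub", "Yarps")  # from "Blue Sparky", rearranged


if __name__ == "__main__":
    for site in ("Bank Of Blorg", "Super Accounting"):
        for v in (None, 0, 1):
            pw = derive_password(ROOT, site, version=v)
            print(f"{site:17} version={v}: {pw}  strong={is_strong(pw)}")
```

Running the script prints the same six passwords the article lists, and every one of them satisfies the 12-character mixed-case rule. Note that the strength check only measures composition; the passwords are still all related through the shared root, which is the trade-off the article is making on purpose.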
If you need to take some notes, you can make them cryptic, like so:
Root: Blue Sparky (hopefully reminds you of Elub Yarps)
Salt: Movie Hammer (“9” was a movie, hammers “#” things)
Versioning: Fred’s Fish (Maybe I have a friend named Fred who owns a cat fish – the reference to a bottom feeder hopefully reminds me to start at the bottom row)
The notes aren’t perfect – there should be things you remember without writing down, and if you DO have to write them down, write them in a way that forces you to remember something that someone else likely cannot guess.
If you want to keep notes on what version you are on, you can do so by saying BofB 1, Super 4. That way, you know which version of your password to use.
Changing It Up
About once every season, annually, or some extended interval (timing depends on how sensitive the password is), you will want to change your root password, maybe change how you choose or sprinkle your salt, and change how you version your passwords. You can even have a pattern to how you change your pattern, as long as it is something that only you know (or your notes are cryptic enough that other people can’t figure it out).
Good Use for Software
Once you have this in place, you can use some software to keep a list of sites/applications you use, and keep notes on what version of password you are using. But if someone gets that list… you can rest easy because they don’t have your passwords (however it is probably time to change them anyway).
Another use for software is to track those apps/sites that limit your password creativity. I still have some websites that don’t accept symbols, or that require 2 numbers, or other rules that might break your algorithm… you will have to come up with some cryptic way to remember those differences. For example, if you join a website NFFA.org (National Fish Fry Association) and they don’t allow symbols, maybe don’t hit the shift key while entering your password, but take a note that says “Fish – only first gear” (implying you can’t shift).
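The “only first gear” trick, applied mechanically as an added example (not the article’s code). It assumes a US keyboard, where typing a password without the shift key turns each upper-case letter into lower case and each shifted symbol into the key under it (so # becomes 3), and it takes the Bank of Blorg password from the article as its input. A small policy check shows which site rules the normal and the unshifted forms satisfy, which is the kind of difference the article suggests keeping a cryptic note about.

```python
# Added example: the "don't hit the shift key" variant for sites that reject
# symbols, plus a check of a site's stated rules against each variant.
import string

# Assumed US keyboard layout: the unshifted key under each shifted symbol.
SHIFTED_TO_PLAIN = {
    "!": "1", "@": "2", "#": "3", "$": "4", "%": "5", "^": "6", "&": "7",
    "*": "8", "(": "9", ")": "0", "_": "-", "+": "=", "{": "[", "}": "]",
    "|": "\\", ":": ";", '"': "'", "<": ",", ">": ".", "?": "/", "~": "`",
}


def unshift(pw):
    """What you get by typing pw with the shift key never pressed."""
    return "".join(SHIFTED_TO_PLAIN.get(c, c.lower()) for c in pw)


def policy_violations(pw, allow_symbols=True, min_digits=0, mixed_case=False):
    """Return the list of site rules that pw breaks (empty list = accepted)."""
    problems = []
    if not allow_symbols and any(c in string.punctuation for c in pw):
        problems.append("symbols not allowed")
    if sum(c.isdigit() for c in pw) < min_digits:
        problems.append(f"needs at least {min_digits} digits")
    if mixed_case and not (any(c.isupper() for c in pw) and any(c.islower() for c in pw)):
        problems.append("needs upper and lower case")
    return problems


def fit_to_policy(pw, **policy):
    """Return (variant_name, password) for the first form a site accepts,
    trying the normal password first and the unshifted one second, or None."""
    for name, candidate in (("normal", pw), ("unshifted", unshift(pw))):
        if not policy_violations(candidate, **policy):
            return name, candidate
    return None


if __name__ == "__main__":
    pw = "Eluzba9Yarpsf#"  # Bank of Blorg, version "z", from the article
    print("NFFA.org (no symbols):   ", fit_to_policy(pw, allow_symbols=False))
    print("needs 2 digits:          ", fit_to_policy(pw, min_digits=2))
    print("no symbols + mixed case: ", fit_to_policy(pw, allow_symbols=False, mixed_case=True))
```

The unshifted form incidentally picks up a second digit (the 3 that replaces #), so it also satisfies a “two numbers” rule, but it loses mixed case entirely. A site that forbids symbols and demands mixed case will reject both forms, and that is a case where the cryptic note has to record a different exception than “first gear”.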
Keeping Ego At Bay
Security is one of the hottest topics right now, and the more stuff moves online or into the high-tech realm, the hotter it gets. As many people teach it, better security doesn’t STOP a hacker, it simply discourages them from attacking you and encourages them to focus on someone easier to hack. Like the old story about being chased by a bear – you don’t have to be the fastest person running from the bear, you just have to be ahead of the slowest person 🙂 Examples of things that could ruin the steps above? If you have malicious software that has made its way on to your system and the happy hackers are running a key logger… they will just record you logging into the site and then they will have your username and password regardless of how strong it is. That’s why keeping your machine clean and free of “net-ually-transmitted” disease is important! Bottom line, never assume you are immune to being hacked… strong passwords are important, but they are only part of the security picture.
If It Was Easy
Everyone would be hacking you. So, yeah, the passwords are still kinda alien looking, and the notes you leave yourself may not be perfect – but the goal is to keep things secure and not have to remember 40 different strong passwords. Or even worse, having 40 logins that share two or three passwords…if one gets compromised then the hackers have access to a BUNCH of your accounts at one time. Ewww! Hopefully this article helps you achieve the extraordinarily fulfilling goal of remembering many strong passwords! (yes, “extraordinarily fulfilling” is intended as sarcasm here.)
P.S. Examples of Bad Notes
OK, I can’t help myself – I just want to be clear on some bad examples of notes for passwords… these are all not ideal:
Root: My last name (really?)
Root: Wife + Car, spelled backwards (5 minutes on Facebook solves this)
Salt: &3%7 (just stating the salt)
Salt: College year, carrot colon (OK, it isn’t so bad, but again 5min on Facebook, and it isn’t so hard)
Version: top row (really?)
Version: first letter of each month (not a bad idea, but… the reminder is too specific!)