Recently I had a bit of a scare: I thought my email password had been changed, which means it had been compromised and I was locked out of my account. It turned out to be a false alarm (the hosting provider had a bit of a disaster and had to move platforms), but afterwards it made me think, “What if?”
I know I shouldn’t, but like many others I do share passwords amongst services, normally based on the level of security I think is required for that account (so I’ll have an 8-character simple-ish password for low-security systems like forums, and a 12+ character alphanumeric password with special characters for online banking etc.)
I’m an IT professional (ostensibly); I should be able to do better than that, so I sat down and thought about an alternative password policy (for want of a better word). My criteria are simple;
- Be secure
- Be easy to use
By ‘easy to use’ I mean “doesn’t require the memory of a password savant”, because if I have to rely on memorising entirely random combinations of numbers, letters and special characters I’m going to fail, at which point the security is going to fail (when I write it down, or compromise the password by weakening it).
At this point it occurred to me that someone, somewhere, must have come up with a foolproof mechanism for this already, and sure enough there are one or two which look possible;
- Microsoft’s suggestion, which is to use sentences and complexity mechanisms to create a secure password; however, I don’t know how many of these I could remember
- wikiHow suggests the same thing, but with a lot more options, including two memorable things separated by a special character, or the more practical (and memorable) option of using phrases linked to the account itself (so an online banking password would be based on the phrase “I want to have 1 million pounds every day”, giving Iw2h1m£ed).
Both of these sites address the problem of creating complex passwords, and to some extent deal with the challenge of creating AND remembering multiple secure passwords, but the wikiHow page had one sentence which caught my eye, as it was what I was thinking of;
“If possible, try to create an algorithm that is unique for each site. This way all you have to memorize is the algorithm, yet the password will be different for each site. Make sure the algorithm is sufficiently difficult to decipher if someone were to find one of your passwords.”
This seems to hit it on the head for me: it makes creating secure passwords easy, and it gives you a mechanism to remember them. The only flaws are that (a) if the algorithm is too easy to spot it might make your other accounts easier to compromise, and (b) it doesn’t make any mention of keeping them memorable even when you change them frequently (as you should do, or, if you’re logging into a managed network, as you have to).
So we need to add another factor which allows us to (a) maintain the algorithm over multiple iterations, and (b) add another ingredient which increases complexity for anyone trying to guess your password, but not for you trying to remember it. I came up with various complex options involving significant places and sequences like days of the week or months of the year, but eventually I settled on a variant of an old technique: song lyrics. I picked a song for each account, I replace letters with numbers, and I work my way sequentially through the song. It’s easy to remember, each password is linked to the next, so even if you change your password and go on holiday for two weeks you can always remember what was next, and it’ll be practically impossible to guess.
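The “memorise the algorithm, not the passwords” idea from the wikiHow quote, together with the need to rotate passwords without forgetting where you are, can be made concrete in code. What follows is an added example and not something from this post or from the wikiHow page: instead of walking through song lyrics, it derives each site’s password from one memorised master passphrase, a site label and a small rotation counter, using PBKDF2-HMAC-SHA256 from Python’s standard library. The passphrase, the site labels, the iteration count and the 64-symbol output alphabet are my own assumptions, chosen for the demonstration.

```python
"""Deterministic per-site password derivation (added example, not the post's scheme).

Assumptions (not from the post): one memorised master passphrase, a site label
such as "mail.example", a rotation counter, PBKDF2-HMAC-SHA256 from the standard
library and a 64-symbol output alphabet. All sample inputs below are constructed.
"""
import hashlib
import string
from typing import Iterator

UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
SYMBOLS = "!@"                                  # 52 + 10 + 2 = 64 symbols
ALPHABET = UPPER + LOWER + DIGITS + SYMBOLS      # byte & 63 would be unbiased here
ITERATIONS = 100_000                            # slows offline guessing of the passphrase


def _material(master: str, site: str, counter: int, nbytes: int) -> bytes:
    """Keying material bound to (site, counter); the site label is normalised
    so 'Mail.Example ' and 'mail.example' derive the same password."""
    salt = f"site={site.strip().lower()};counter={counter}".encode()
    return hashlib.pbkdf2_hmac("sha256", master.encode(), salt, ITERATIONS, dklen=nbytes)


def _index(stream: Iterator[int], n: int) -> int:
    """Unbiased index in range(n) drawn from a byte stream by rejection sampling,
    so that 26-, 10- and 15-way choices are not skewed by the 256-byte range."""
    limit = 256 - (256 % n)
    for b in stream:
        if b < limit:
            return b % n
    raise RuntimeError("keying material exhausted")


def derive_password(master: str, site: str, counter: int = 1, length: int = 16) -> str:
    """Derive a site-specific password. Bump `counter` to rotate it; nothing new
    has to be memorised because the counter is the only thing that changes."""
    if length < 4:
        raise ValueError("need room for one character of each class")
    stream = iter(_material(master, site, counter, 8 * length))
    # Guarantee one character of each class (many sites insist on this) ...
    chars = [cls[_index(stream, len(cls))] for cls in (UPPER, LOWER, DIGITS, SYMBOLS)]
    # ... fill the rest from the whole alphabet ...
    chars += [ALPHABET[_index(stream, len(ALPHABET))] for _ in range(length - 4)]
    # ... then shuffle (Fisher-Yates, driven by the same derived bytes) so the
    # forced characters do not always sit in the first four positions.
    for i in range(length - 1, 0, -1):
        j = _index(stream, i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def has_all_classes(password: str) -> bool:
    """True if the password contains upper, lower, digit and symbol characters."""
    return all(any(c in cls for c in password) for cls in (UPPER, LOWER, DIGITS, SYMBOLS))


if __name__ == "__main__":
    # Constructed demo inputs: the same passphrase gives unrelated passwords per
    # site, and rotating the counter gives a fresh one for the same site.
    master = "correct horse battery staple"
    for site, counter in [("mail.example", 1), ("mail.example", 2), ("bank.example", 1)]:
        print(f"{site:<14} counter={counter}: {derive_password(master, site, counter)}")
```

The design choice worth noting is where the secret lives: a password leaked from one site cannot be turned back into the master passphrase except by guessing passphrases offline, so the passphrase must be long even though the per-site passwords are never typed from memory. That is also why a password manager, which stores random per-site passwords rather than deriving them, is the usual recommendation for twenty-plus accounts.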
For example, at work I’ll use Alanis Morissette’s ‘Ironic’, so my first two passwords would be;
Not difficult to type or remember, and easy to maintain over a long sequence, but almost impossible to guess. All I need to do now is choose a song for each account! At the last count I had over twenty online accounts of various sorts, so I’d better fire up the MP3 player!