This topic is important and people need to hear the lecture at least once a year. So here goes. Take a little time to improve your personal password strategy; there are easy ways to be safe and secure. Anyone using a single password for everything they do online should make this a top priority: you have a problem that needs to be fixed ASAP. I’ll show one strategy for doing so here.
Why should you care? In case you haven’t realized it yet, there are sites built every day whose authors irresponsibly choose to store user passwords in their database as plaintext. There is no excuse for this, yet it continues to be commonplace despite easy-to-use encryption libraries and OpenID. If you want to combat this practice, simply refuse to use any site that offers to email you your password, because of course the only way it can do this is if the password is stored on its system in readable form. Odds are some of these same sites are not too careful about adhering to other security best practices, like sanitizing form input before using it. So they’re likely an easy target for an attacker and have an unencrypted booty waiting to reward anyone who finds a way in.
I never recommend this strategy, but I know people who use it: one password for everyday use when signing up to sites (like becoming a user of this site to post a comment), another for important sites (their hosting control panel, the admin area for their website, etc.), and a third for critical use like bank and brokerage accounts. Using the same password for many sites means that if someone gets your password they can do damage in many places. Does it sound smart to have your whole financial stake in life depending on a single password?
Algorithms are step-by-step methods for accomplishing something. Learn to use one for your personal passwords. The important thing is to choose something you can do in your head, so you don’t need to write passwords down. I think you want a three-step process, four at most, to keep it easy. I also recommend basing it on information specific to the website in question, using both the domain and the extension, so foo.com and foo.org get distinct passwords. Here’s a simple example.
1. Split the string into two tokens as follows:
- if 2 words, split between the words
- if more than 2 words, use only the last 2 words and split on the word boundary
- if only one word, an acronym, etc., split after the 3rd character
- if the string is < 4 chars, use it twice or use the extension (foo.com => “foofoo”)
Then insert an arbitrary character (a dollar sign, a period, the number 3, etc.) between the two tokens:
- this might always be the same, or can be based on the extension or type of site
- ex: “foobar.com” => “foo$bar”
2. Reverse the characters in the domain without the extension (“foo$bar” => “rab$oof”)
3. Replace the first vowel with a number
- a common strategy for doing this would be a=4, e=3, i=1, o=0
- map u to whatever you like {u, v, uu, blank space, whatever}
4. Do something crazy, like append the letter Q onto the string
- or change the last character to something instead of appending
Using this algorithm, your password for the site foobar.com would be:
foobar => foo$bar => rab$oof => r4b$oof => r4b$oofQ
Try changing the details so it makes sense to you. Change the order of the steps. Add your own unique twist. It’s pretty easy to create passwords unique to each site that you can always figure out and never need to write down. Just pick a strategy and stick to it.
OK, if you’re really into this, here’s the punch line. Create a 5-step algorithm that seems easy to remember. Then make yourself a couple of variants by removing one and then two of the steps. Now you have three (similar) algorithms. Use the hardest one for your online banking and such. Use the middle one for your ssh / control panel / FTP passwords, and use the easy one for other websites.
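To make the four-step algorithm above and the tiered variants just described concrete, here is an added Python implementation (my example, not code from the post). It makes a few choices the post leaves open, all marked as assumptions in the code: the separator in step 1 depends on the extension (so foo.com and foo.org differ), hyphens and underscores are treated as word boundaries because a program cannot see the two words inside “foobar” the way a person can, and u maps to v. The function `derive_password` and the `TIERS` table are hypothetical names; the three tiers are the full algorithm and the same algorithm with one and then two steps removed. A `find_collisions` check is included because the “use it twice” rule for short names means foo.com and foofoo.com produce the same password, which is exactly the kind of thing you want to discover before relying on a scheme.

```python
import re
from itertools import combinations

# Assumption (not from the post): step-1 separator chosen by extension,
# so that foo.com and foo.org get distinct passwords.
SEPARATOR_BY_EXT = {"com": "$", "org": "#", "net": "%"}
DEFAULT_SEPARATOR = "!"

# Step-3 vowel map from the post; the mapping for 'u' is an assumption.
VOWEL_MAP = {"a": "4", "e": "3", "i": "1", "o": "0", "u": "v"}

# Step-4 twist from the post: append the letter Q.
SUFFIX = "Q"


def parse_site(site: str) -> tuple[str, str]:
    """Return (name, extension) for a hostname such as 'foobar.com'.
    Assumption: a leading 'www.' carries no information and is dropped."""
    host = site.lower().strip().removeprefix("www.")
    name, _, ext = host.rpartition(".")
    if not name:                      # no dot at all: whole string is the name
        return ext, ""
    return name, ext


def split_name(name: str) -> tuple[str, str]:
    """Step 1: split the name (without extension) into two tokens.
    Assumption: hyphens and underscores mark word boundaries."""
    words = [w for w in re.split(r"[-_]", name) if w]
    if len(words) >= 2:
        return words[-2], words[-1]   # two words, or the last two of many
    word = words[0] if words else name
    if len(word) < 4:
        word = word * 2               # short name: use it twice ('foo' -> 'foofoo')
    return word[:3], word[3:]         # one word / acronym: split after 3rd char


def replace_first_vowel(s: str) -> str:
    """Step 3: replace only the first vowel with its mapped character."""
    for i, ch in enumerate(s):
        if ch in VOWEL_MAP:
            return s[:i] + VOWEL_MAP[ch] + s[i + 1:]
    return s


# Steps 2-4 as composable transforms; step 1 is always applied.
STEP_FUNCS = {
    "reverse": lambda s: s[::-1],     # step 2: 'foo$bar' -> 'rab$oof'
    "vowel": replace_first_vowel,     # step 3: 'rab$oof' -> 'r4b$oof'
    "suffix": lambda s: s + SUFFIX,   # step 4: 'r4b$oof' -> 'r4b$oofQ'
}
ALL_STEPS = ("reverse", "vowel", "suffix")

# Hypothetical tiers: the full algorithm, then one and two steps removed.
TIERS = {
    "everyday": ("reverse",),
    "important": ("reverse", "vowel"),
    "critical": ALL_STEPS,
}


def derive_password(site: str, steps: tuple[str, ...] = ALL_STEPS) -> str:
    """Run step 1, then the selected subset of steps 2-4, for one site."""
    name, ext = parse_site(site)
    left, right = split_name(name)
    result = left + SEPARATOR_BY_EXT.get(ext, DEFAULT_SEPARATOR) + right
    for step in steps:
        result = STEP_FUNCS[step](result)
    return result


def find_collisions(sites: list[str], steps: tuple[str, ...] = ALL_STEPS) -> list[tuple[str, str]]:
    """Return pairs of distinct sites that end up with the same password."""
    return [(a, b) for a, b in combinations(sites, 2)
            if derive_password(a, steps) == derive_password(b, steps)]


if __name__ == "__main__":
    # Constructed sample sites, including the post's own foobar.com.
    for site in ["foobar.com", "foo.com", "foo.org", "my-cool-site.net"]:
        print(f"{site:18} -> {derive_password(site)}")
    for tier, steps in TIERS.items():
        print(f"{tier:10} foobar.com -> {derive_password('foobar.com', steps)}")
    print("collisions:", find_collisions(["foo.com", "foofoo.com", "foo.org"]))
```

Running it reproduces the post’s chain for foobar.com (r4b$oofQ) and shows the three tiers as progressively shorter outputs of the same routine. The collision check is the part worth keeping whatever variant you settle on: run it over the list of sites you actually use, and if two of them map to the same string, adjust the split rule (for example, use the extension instead of doubling short names) before you start depending on the scheme.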