CYBEREYE—Commentary

Can't remember all your passwords? Try these tricks

There is no perfect way to make passwords both convenient and safe, but there are some tricks and techniques that can help.

A recent column on the relative security of complex passwords and simpler — but possibly safer — pass phrases caught the attention of a number of readers. Apparently, quite a few people struggle with the challenge of keeping their portfolio of passwords secure and manageable at the same time.

The problem with passwords is that managing secure ones becomes difficult when you have more than one or two, and most people have many more than that.

A typical complex password runs to eight characters and contains letters, numerals and special characters. A pass phrase, as the word implies, is much longer. But because the phrase can mean something to the user, it can be easier to remember, and its length can make it strong without arbitrary characters. Mushegh Hakhinian, security architect at IntraLinks, pointed out in a recent blog posting that a pass phrase that contains 16 letters — all lower case with no numerals or special characters — can provide in the neighborhood of 10 million more possible combinations than an eight-character complex password that uses upper and lower case, numerals and other characters.
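The keyspace arithmetic behind that comparison, as an added example that is not from the column or from Hakhinian's post: a password drawn uniformly from an alphabet of N symbols with length L has N^L possibilities and L·log2(N) bits of strength. The 94-symbol "complex" set (upper, lower, digits and 32 punctuation marks) and the 7,776-word list size are assumptions made here to make the numbers concrete; the last function also quantifies the reader's objection below, that real words are drawn from a far smaller set than arbitrary letter strings.

```python
"""Keyspace arithmetic for passphrases versus complex passwords (added example)."""
import math

# Alphabet sizes assumed for this example (not taken from the column):
LOWER = 26                    # a-z only
COMPLEX = 26 + 26 + 10 + 32   # upper + lower + digits + 32 ASCII punctuation = 94
WORD_LIST = 7776              # a common random-word list size (6^5 words)


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct strings of `length` symbols from an alphabet of `alphabet_size`."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Strength in bits when every symbol is chosen uniformly at random."""
    return length * math.log2(alphabet_size)


def compare(a_size: int, a_len: int, b_size: int, b_len: int) -> dict:
    """Compare two policies; 'ratio' is how many times larger A's keyspace is than B's."""
    return {
        "a_bits": entropy_bits(a_size, a_len),
        "b_bits": entropy_bits(b_size, b_len),
        "ratio": keyspace(a_size, a_len) / keyspace(b_size, b_len),
    }


def passphrase_from_words(word_count: int, list_size: int = WORD_LIST) -> float:
    """Bits for a passphrase built from `word_count` words chosen at random from a list.
    This models the reader's point: if the letters form dictionary words, the effective
    alphabet is the word list, not 26 letters per position."""
    return entropy_bits(list_size, word_count)


if __name__ == "__main__":
    r = compare(LOWER, 16, COMPLEX, 8)
    print(f"16 lowercase letters : {r['a_bits']:.1f} bits")
    print(f"8 complex characters : {r['b_bits']:.1f} bits")
    print(f"keyspace ratio       : {r['ratio']:,.0f}x")
    print(f"4 random words       : {passphrase_from_words(4):.1f} bits")
```

With these assumptions the 16-letter string comes out roughly 7 million times larger than the 8-character complex password (about 75 bits versus 52), which is the same order of magnitude as the figure quoted above; four words picked at random from a 7,776-word list give about 52 bits, so a passphrase built from real words is only as strong as the number of words in it, not its letter count.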

One reader agreed with the math but not necessarily the conclusion.

“While there is a 26-character set in our alphabet, the fact is that most words only use a subset of those characters and follow predictable patterns (how many all-consonant words can you think of?),” he wrote. “I think longer pass phrases are useful and easier to remember, but I don’t think we’ll be getting rid of mixed case and special characters by making longer pass phrases.”

Dave Simpson, technology director for the Frederick County, Md., Sheriff’s Office, offered a pattern-based technique to keep passwords pseudo-random yet memorable — starting with a letter and then adding letters according to a pattern on the keyboard.

“Then you only need to remember one letter: the beginning letter,” he wrote. “The secure part is the pattern you choose on the keyboard.” If you have a QWERTY keyboard in front of you, you can refer to it to see the patterns he suggests. “You could go ‘asdfghjk’ (too easy). Or you could go ‘qazwsxed’ (harder). Or you could go ‘qpwoeiru’ (still harder).”

Unfortunately, I imagine that such patterns probably have been anticipated and that password-cracking programs know to search for them. Still, the resulting passwords are probably at least as secure as the average passwords most of us use and can be easily changed.
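One way a password policy can catch the keyboard patterns described above, as an added example that is not from the column or from Simpson's note: map each letter to its QWERTY row and column and measure how many consecutive characters are neighbouring keys. A plain adjacency test catches "asdfghjk" and most of "qazwsxed", but not the outside-in "qpwoeiru", so the check also scores the even- and odd-indexed characters as two separate walks. The layout table, the adjacency rule and the 0.6 threshold are assumptions chosen for this example.

```python
"""Policy check that flags QWERTY keyboard-walk passwords (added example)."""

# Letter rows of a US QWERTY keyboard. Row stagger is ignored, so two keys count
# as adjacent when their row and column indices each differ by at most one.
_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")
_POS = {ch: (r, c) for r, row in enumerate(_ROWS) for c, ch in enumerate(row)}


def _adjacent(a: str, b: str) -> bool:
    """True when a and b are different, mapped keys that touch on the layout."""
    if a == b or a not in _POS or b not in _POS:
        return False
    (r1, c1), (r2, c2) = _POS[a], _POS[b]
    return abs(r1 - r2) <= 1 and abs(c1 - c2) <= 1


def walk_fraction(s: str) -> float:
    """Share of consecutive character pairs that are neighbouring keys (0.0 .. 1.0)."""
    if len(s) < 2:
        return 0.0
    hits = sum(_adjacent(x, y) for x, y in zip(s, s[1:]))
    return hits / (len(s) - 1)


def keyboard_walk_score(password: str) -> float:
    """0.0 means no walk structure, 1.0 a pure walk. The interleaved score catches
    patterns like 'qpwoeiru', whose even-indexed ('qwer') and odd-indexed ('poiu')
    characters are each a walk on their own."""
    s = password.lower()
    direct = walk_fraction(s)
    even, odd = s[0::2], s[1::2]
    interleaved = min(walk_fraction(even), walk_fraction(odd)) if len(odd) >= 2 else 0.0
    return max(direct, interleaved)


def is_keyboard_walk(password: str, threshold: float = 0.6) -> bool:
    """Reject when at least `threshold` of the transitions follow the keyboard."""
    return len(password) >= 4 and keyboard_walk_score(password) >= threshold


if __name__ == "__main__":
    # Constructed inputs: the three patterns quoted above plus two non-walks.
    for pw in ("asdfghjk", "qazwsxed", "qpwoeiru", "correcthorse", "Iwaf%rnoe"):
        print(f"{pw:14} score={keyboard_walk_score(pw):.2f} walk={is_keyboard_walk(pw)}")
```

A check like this belongs at password-set time, beside the usual length and breach-list checks; it does not try to enumerate every pattern, only to reject the cheap ones that the column expects cracking tools already try first.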

Another writer pointed out that sentences used as pass phrases can contain quotation marks, numerals and other characters, making them even more secure than the average password while remaining memorable. “I have tried to crack pass phrases such as this but gave up after a month,” he wrote.

If you are of a linguistic or literary bent, you can take this technique to the extreme. “If your system, as mine does, accepts foreign characters, you can mix in a quote in Hebrew characters among the English, French, Spanish, German,” he wrote. “My PGP pass phrase is an original poem of mine — never written down any place — in German. Easy for me to remember since I wrote it. I will publish it when I change pass phrases.”

We’ll be waiting for it.

Reader Comments

Tue, Aug 2, 2011 Allen VA

12 character acronym works great for me. For example Iwaf%rnoe translates to "I want a 40% raise now or else" Easy to remember, complex, not keyboard pattern based and longer than eight characters. We also include some system names so each server/system has a different password - all 43 of them. PeopleSoft gets the longest most interesting ones :)

Tue, Aug 2, 2011 Mark Jaeger Michigan

I recall the old Compuserve passwords being two words with a punctuation separator. Seems this 1980s approach may be harder to crack than most of the "modern" attempts other than those which just use a random sequence.

Thu, Jul 30, 2009

Try CyberScrub KeyChain program. You can download it free from cyberscrub.com and it has worked great for me. It has a random password generator inbuilt. You just need 1 password to remember and it fights phishing too.

Tue, Jul 28, 2009 Tara Kelly http://www.passpack.com

It really is just easier to use a password manager [smile]. They invent passwords for you, store them securely and even fill in the login form. http://www.passpack.com That's my company, and of course personal favorite. But there's plenty out there to choose from.

Tue, Jul 28, 2009 guy

For the past several years I have used a variation on the pass phrase / password. I'm required to use a password. However it consists of the first letters of my easily remembered pass phrase. Then to meet security requirements I swap some letters for numbers or symbols. This has worked well for me, giving strong but easily remembered passwords.
