Can't remember all your passwords? Try these tricks
There is no perfect way to make passwords both convenient and safe, but there are some tricks and techniques that can help.
A recent column on the relative security of complex passwords and simpler — but possibly safer — pass phrases caught the attention of a number of readers. Apparently, quite a few people struggle with the challenge of keeping their portfolio of passwords secure and manageable at the same time.
The problem with passwords is that managing secure ones becomes difficult when you have more than one or two, and most people have many more than that.
A typical complex password runs to eight characters and contains letters, numerals and special characters. A pass phrase, as the word implies, is much longer. But because the phrase can mean something to the user, it can be easier to remember, and its length can make it strong without arbitrary characters. Mushegh Hakhinian, security architect at IntraLinks, pointed out in a recent blog posting that a pass phrase that contains 16 letters — all lower case with no numerals or special characters — can provide in the neighborhood of 10 million more possible combinations than an eight-character complex password that uses upper and lower case, numerals and other characters.
One reader agreed with the math but not necessarily the conclusion.
“While there is a 26-character set in our alphabet, the fact is that most words only use a subset of those characters and follow predictable patterns (how many all-consonant words can you think of?),” he wrote. “I think longer pass phrases are useful and easier to remember, but I don’t think we’ll be getting rid of mixed case and special characters by making longer pass phrases.”
Dave Simpson, technology director for the Frederick County, Md., Sheriff’s Office, offered a pattern-based technique to keep passwords pseudo-random yet memorable — starting with a letter and then adding letters according to a pattern on the keyboard.
“Then you only need to remember one letter: the beginning letter,” he wrote. “The secure part is the pattern you choose on the keyboard.” If you have a QWERTY keyboard in front of you, you can refer to it to see the patterns he suggests. “You could go ‘asdfghjk’ (too easy). Or you could go ‘qazwsxed’ (harder). Or you could go ‘qpwoeiru’ (still harder).”
Unfortunately, I imagine that such patterns probably have been anticipated and that password-cracking programs know to search for them. Still, the resulting passwords are probably at least as secure as the average passwords most of us use and can be easily changed.
Another writer pointed out that sentences used as pass phrases can contain quotation marks, numerals and other characters, making them even more secure than the average password while remaining memorable. “I have tried to crack pass phrases such as this but gave up after a month,” he wrote.
If you are of a linguistic or literary bent, you can take this technique to the extreme. “If your system, as mine does, accepts foreign characters, you can mix in a quote in Hebrew characters among the English, French, Spanish, German,” he wrote. “My PGP pass phrase is an original poem of mine — never written down any place — in German. Easy for me to remember since I wrote it. I will publish it when I change pass phrases.”
We’ll be waiting for it.