Managing strong passwords: You got a better idea?

Show your colleagues how to avoid password mistakes

Our recent article that listed some real-world bad passwords provoked a flurry of comments on the virtue of complex credentials vs. the difficulty of remembering them without writing them down, as the experts all say is important.

So we're launching a contest. In the comments below, give us your best tips for creating and remembering strong passwords – without writing them down. The GCN editors will judge and the person who submits the best tip will win a prize. (Really!). We'll take entries for one week, ending on Monday, May 24.

The article detailed a security firm's analysis of several million passwords that a hacker had stolen from a Web site. The analysis showed that nearly half of the passwords were exactly the kind security experts say you should never use: sequential numbers, dictionary words and even the word "password."

Bruce Falk noted the other extreme: Policies that require excessively complicated and frequently changed passwords.

"This article fails to account for the disconnect between online security and practical human frailty," Falk wrote. "Yes, these passwords represent rock stupidity, but so do policies and infrastructures which require multiple log-in identifications and passwords, entry of certain arbitrary characters (e.g., caps/lower case mixtures or alphanumeric mixes with symbols), and which then insist on frequent (less than 24 mos.) changes to same."

Such requirements can actually undermine security, Falk added, because they encourage users to "select least-common-denominator IDs or passwords (which are easy to remember), to rely on cookies or workstation keystroke recall, and/or to maintain easily located files or hard-copy cheat sheets with the necessary access information."

What's needed, he said, are password policies that take into account both the need for hard-to-guess passwords and human limitations for memorizing complex strings. "If we could identify a workable middle-ground, we could stop laughing at inadvertent or foolhardy security policy abusers and likely increase genuine security (as opposed to security theater)," Falk wrote.

Not everyone agreed. James Reeves, responding directly to Falk's comments, wrote: "By insisting on upper and lower case, numbers and special characters, we increase exponentially the number of random guesses that an automated process must go through to discover a password. At the same time we eliminate the possibility of common words, simple sequences of numbers or letters, and so forth. The rules about 'strong' passwords are sound."

Carl Andersen then addressed Reeves and Falk, partially agreeing with both, bot not fully endorsing either.

"I have some sites that require password every 60 days, others every 90 days and some that never require a change!" Andersen wrote. "In addition, some sites will not accept certain symbols, such as hyphens, while others accept hyphens but not underscores! Finally, some applications will not let users select their own passwords, but instead create passwords using a random collection of letters, numbers, and symbols. It is this lack of uniformity that makes it so difficult and annoying to maintain security. It is impossible for me to not keep a cheat sheet when I have over 20 work related applications/web sites for which I need to maintain current passwords – with different schedules and rules."

Reader Comments

Wed, May 26, 2010

All too much trouble & complication. I have a few keyboard patterns that my fingers have memorized. Some of the pattern is shifted and some lower case. All I remember is the starting character. My fingers remember the rest. I really don't know what any of my passwords are. When it's time to change to a new password I change the first character and let my fingers do the walking.

Mon, May 24, 2010 Jan Peterson

I use a fairly simple mechanism that is based on dictionary words but doesn't actually use any. Essentially, pick a couple of words that is fairly long (at least six letters long). Select a few characters from the beginning, middle, or end of the word. Group these word fragments together separated with digits and/or punctuation. You can easily remember the words, but a dictionary attach will not match any of them.

Fri, May 21, 2010 Kevin DC

I use a favorite phrase from a movie or tv and take the first letter of each word and replace at least 2 with special characters and capitlize the first letter. The phrase "Go ahead, make my day!" would be Gammd and adding special characters would make: G0@mmyd!. If the password schema doesn't allow the special character at the end, I would move it to: G0@!mmyd

Thu, May 20, 2010 jah Colorado

Similiar to what Annon does, I construct a root sentence "A cluttered desk is 1 sign of laziness" and so acdi1sol, which covers lcase and number reqt, but I add a contextual postfix, so if I'm signing in to Gmail it might be acdi1solGMAIL. If the login requires a special character, then I add it between the 2, thus: acdi1sol!GMAIL. At most I forget whether the site requires a special char, and have to try twice. I haven't forgotten a password in years. I periodically change out the root sentence... KeePassX is now being used at work .Great product, but make sure your master password is strong and don't forget it!

Wed, May 19, 2010 vinur near Portland, OR

First, We use Linux for all of our Company computers. (Given that key-logger software implanted in a computer - tracking for "windows" may not exist in Linux, I take precautions anyway) So Loggers remember keystrokes... not content, I use a copy / paste function with the Keyboard. (alt+c, alt+v) I keep a *non Microsoft* page in an obscure format with secret passwords in it listed. And use a copy paste function to implement them in a field were needed. The Passwords themselves are never English or straight forward dictionary identifiable. Always a combination of numbers, symbols, letters of both cases. complex and meaningless to anyone. The only weakness is the document were I draw upon it for the passwords and it is not titled in a common language or format. I have a lot of passwords and remembering them is not possible. I have used this technique for ten years. It does seem to work It is also very fast if you use Keyboard functions to move between the field of input and the source of the secrets (alt+tab)... not a mouse. The computers themselves are pretty secure with up to date security protocols (almost bleeding edge Linux current) and Microsoft anything is never used in any capacity within our company, ever... not even the keyboards... Also no WiFi all hard wired network. It may be overkill but that is the kind of world people have made. Skill and knowledge of what works is your best defense. "Vinur" is Icelandic for Friend.

Show All Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above