Choosing The Perfect, Crazy Good Password
Posted in Tips on 04. Feb, 2010
It’s time to talk passwords. First, let’s get some password common sense outta’ the way.
You should:
- Use at least eight characters.
- Don’t use passwords you’ve used somewhere else.
- Use at least one number in your password.
I’m using Gmail’s password suggestions as a guide for debunking myths about what you can do and what you don’t need to do. Now let’s go over some password myths, from a non-geek standpoint.
You can:
- Use words found in the dictionary when combined with a number.
- Use patterns (asdf) or (1234).
- Use all lowercase letters when combined with a number.
- Use repeating characters (aa11).
You DON’T have to:
- Create an acronym.
- Include punctuation marks.
- Use a mix of capital and lowercase letters.
- Include similar looking substitutions, such as using “$” for the letter “S”.
- Include phonetic replacements, such as “Luv 2” for “Love to”.
- Use random letters or numbers.
How Your Password Gets Hacked
Sites and services always talk about password security as if there are ways for people to use “code breakers”, where crooks randomly guess at passwords… and thus, you gotta’ have a crazy stupid complex password in order to be safe. BS… The way people get your password is through one of three methods:
- Spyware on a computer steals your password.
- You get your password phished.
- The company / service you use gets hacked.
The companies / services you use don’t want you to know that last part. They get their servers hacked, their database of customers’ accounts and passwords is stolen and boom… your account is “compromised”. And when you have spyware on your computer (or a computer you use) that has a keylogger, that keylogger records every keystroke as you type your password. Or you click a link in an email or online which takes you to a web site that looks like Facebook, Bank of America, AOL, etc. and records your user name and password on their fake web site (phishing).
But here’s the important thing… in any scenario, your password is not guessed or “code broken” like you see in the movies. They’re all recorded, copied or stolen. So what’s the difference between a password such as “pineapples” and “1xC4B$n6YmG76”? Absolutely nothing. For spyware, “pineapples” and “1xC4B$n6YmG76” will both be recorded, “pineapples” and “1xC4B$n6YmG76” will both be phished and “pineapples” and “1xC4B$n6YmG76” will both be accessed from a stolen server database.
Complex Passwords Thwart You, Not Thieves
So, let’s follow all the rules that these companies, geeks and so-called security experts recommend for passwords. Our password is “1xC4B$n6YmG76”. Go onto any web site and that crap of a password is what systems consider a “very strong” password. In other words, the “perfect” password. Hah…
Passwords such as these are impossible to remember. What “security experts” recommend is that you write down these passwords. That right there is a security risk. Writing down your passwords is the perfect way to have your sister, son, friend, house guest or even computer technician steal your password without even getting on your computer.
A huge security issue is having the same password for multiple accounts. When someone gets your password for AOL, the first thing they do is head on over to eBay, Paypal, etc to see if that password is the same password you used. So clearly the most important thing when it comes to a password is using different passwords for each different service / site.
So what now then? That goofy “1xC4B$n6YmG76” password you used for eBay, what are you going to use for Facebook? Clearly you need to use a different password, so your Facebook password will be “Gh3%n58gtR4G3N2n”. Now what about your Gmail password? “h6T5ahD*n5Rv6”. Great. But wait… that gibberish isn’t something you can remember, so you’re back to writing your passwords down somewhere. Or maybe you could encode them? Write down the passwords, but with the first and last characters swapped. But what if you write something down wrong, or forget how you have it set up? And what about when you want to log on from someone else’s computer and you don’t have your “gibberish password list”? You’re screwed. And you’re doing this, even though you know “1xC4B$n6YmG76” is no more secure than “pineapples”.
No, the gibberish method is not a more secure method. It doesn’t thwart thieves, it only thwarts you.
Crazy Safe, Crazy Simple, Crazy Good
So let’s choose a password you can remember, a password that’s unique for every different service / site, and a password that also happens to be strong if anyone were to try and guess or codebreak it.
Three rules to follow:
- Use at least eight characters.
- Don’t use passwords you’ve used somewhere else.
- Use at least one number in your password.
Let’s start out by picking a word, phrase or acronym that we can use for every password. Let’s choose “funky”. Now we need to try and add complexity, so let’s add a number, “7”. So far our password is “funky7”. Let’s add another character, “a”, to the end. (It’ll make the password look more random.) So right now our password is “funky7a”. Right on. But the password is only seven characters long, it needs to be eight characters long, and it also needs to be different for every site / service. Here’s how we’re going to do it.
We’re going to add characters from the different sites / services we’re using the password for. So let’s say we use the first and last character of the site / service we’re using. It’s easier to understand when you see it in action.
Examples:
- eBay: “funky7aey”
- Paypal: “funky7apl”
- Bank of America: “funky7aba”
- Facebook: “funky7afk”
- Allstate: “funky7aae”
- Twitter: “funky7atr”
- Eve Online: “funky7aee”
So, now you understand the pattern. What’s great is that this pattern is extremely easy to remember. All you need to remember is “funky7a” and wherever you’re using a password for, let’s say Bank of America, the last two characters would be “ba”, so “funky7aba”. Or if you register a new service, let’s say “World of Warcraft”, what would the password be? Simple. “funky7awt”.
But if someone happens to phish you out of your brand new World of Warcraft account, your World of Warcraft password “funky7awt” won’t work for your Paypal password. And looking at the password “funky7awt”, you can’t tell there’s a code hidden in it.
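The derivation rule above, written out as a small Python example (added here, not code from the original post). It takes the shared base (“funky7a”) plus the first and last letter of the service name, ignoring spaces and case, and checks the result against the post’s three rules; the uniqueness check (rule two) also flags any two services whose names start and end with the same letters, since the rule would hand them the same password.

```python
def derive_password(base, service):
    """Build a password the way the post describes: shared base followed by
    the first and last letter of the service name, lowercased. Spaces and
    punctuation in the service name are skipped ("Bank of America" -> "ba")."""
    letters = [c for c in service if c.isalpha()]
    if len(letters) < 2:
        raise ValueError("service name needs at least two letters")
    return base + letters[0].lower() + letters[-1].lower()


def check_rules(password, used_elsewhere):
    """Return the post's three rules that the password breaks (empty list means
    it passes): at least eight characters, at least one digit, and not already
    in use for another site. `used_elsewhere` is the set of passwords you have
    already assigned to other services."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than eight characters")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if password in used_elsewhere:
        problems.append("reused from another site")
    return problems


def assign_passwords(base, services):
    """Derive a password for each service in order and report any that break a
    rule. Returns (passwords_by_service, problems_by_service)."""
    assigned, problems, seen = {}, {}, set()
    for name in services:
        pw = derive_password(base, name)
        broken = check_rules(pw, seen)
        assigned[name] = pw
        if broken:
            problems[name] = broken
        seen.add(pw)
    return assigned, problems


if __name__ == "__main__":
    # Constructed sample: the services from the post, run through the rule.
    sites = ["eBay", "Paypal", "Bank of America", "Facebook", "Allstate",
             "Twitter", "Eve Online", "World of Warcraft"]
    passwords, issues = assign_passwords("funky7a", sites)
    for site, pw in passwords.items():
        print(f"{site}: {pw}", issues.get(site, ""))
```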
Same User Account Name
It’s perfectly safe with this method to use the same user name for different sites / services. You can use “thundercatluv” as your user name for Capital One, and also use “thundercatluv” for Mint.com. Having the same user name doesn’t matter when you’ve got a crazy good password.
Create Your Own Password, Your Way
You understand a simple yet complex system for choosing a new password for all your sites / services. But feel free to do it any way you want. If you wanna’ make it more complex, go ahead. If you wanna’ make it simpler, go ahead. Fact is, as long as your passwords for each site / service are different and you can remember the passwords for each and every one of them, you’ve met your goal.
If I’ve helped you, say thanks or follow me at twitter.com/johnBbaird.
Peace, JbB