Changing out the passwords, some tips and ideas from my own time in the trenches


Summary: Passwords are often the number one element of security in the digital age, but from what I've seen: we suck at it. Having spent an hour or two swapping them about today, I have some tips.

Since writing this post, I have tweaked some ideas. This is not to say that the ideas below are all bad, per se, but there are many ways to handle them better. For my current take on safer passwords, you would be better off reading a more recent article I've written on the password paradox and using those tips instead, or combining the two. Notably, I failed to really promote longer passwords and over-relied on "unguessability", which is not often a truly secure measure. Now, if you were to combine, say, A + B + D with some of the tips at the updated article (which is a variation on F), you might get some interesting and easy tricks that allow for very rapid changing out of passwords (the biggest problem being the ACTUAL changing of passwords).

BLOT: (01 Feb 2011 - 01:57:27 AM)


When is the last time you changed the password to your email account? How about to Amazon.com (or whichever similar site you shop often)? I can tell you when I did it last: today. The reason being a dumb mistake on my part. I was connected to a proxy server and I logged into email and a couple of other sites. 90% chance I would be fine. 10% chance that my email and password were sniffed off the server. By the time I realized I had done this, it was not too late to get cracking and so I did.

What is the best way to make safe passwords? Well, there are three basic tenets I have come to hold central to password creation. (1) Never make them so complicated that you have to carry them around in a wallet or constantly request forgotten passwords from websites. (2) You can use the same password on more than one website, but the trade-off for having to remember fewer passwords is that you have to deal with more opportunities for your password to be stolen; the optimum lies somewhere between a fragile homogeneity and an unmanageable set. (3) A password only has to last for as long as you use it.

On to the actual generation. Here are some ways I have done it and they all work fairly well but have their ups and downs.

A. Use a Seed. A "seed" can be a number of things. Take the song "Nostalgia" by Emily Barker. Let's say your seed is to skip the first 20 characters, and then to take 5 groups of 8 letters from that point (discarding spaces). "RNESKIES", "CUTMYRED", "HEARTINT", "WOMYKNUC", and "KLESBLEE". Two of those are pretty plain-text, however unlikely to be guessed, but the other three are not bad as far as "random" collections of characters go. As long as you had access to those lyrics, you could regenerate those passwords any time you needed without having to use the "forgotten password" features. And just about anything can be a seed. A favorite novel (starting with the third paragraph of the third chapter, skipping every third letter...or taking the first letter of certain lines in a certain edition) or the pictures from a particular catalog ("purplestapler", "bluerubberband", etc).

B. Use a Theme. Themes are similar to seeds except that rather than taking the actual words directly from the seed, I might take a set of words related to a theme. If I were to use the Civil War, I might pick a couple of battles and a couple of generals and a couple of other bits. Themes have the advantage that cracking one password does not lead so immediately to the pattern of the others. The first disadvantage is that it isn't quite so easy to find your own pattern again.

C. L33t the Everyday. This one is meant to combine with the above or other techniques. The current password world, which requires two lowercase and two uppercase letters and a symbol followed by a number, almost makes it necessary. Even conservatively, it is pretty common to have to have one number, one uppercase, and one lowercase letter*. L33t is that annoying habit some netizens have of substituting numbers and symbols for letters. The letter A might be made with a 4. Likewise, the letter O might be () (open/close parentheses). In this mode, you can "spell" toad as t()4d. Now, l33t is not unguessable (you won't insert the number 3 for the letter A, for instance) and so its primary value is in satisfying those password requirements. Still, if you use it "randomly", where not every A is a 4 and sometimes an O is just an O, it adds complexity.

D. Memorable Mistakes. In the same way that "C" is meant to tweak "A" or "B" (or some other system you choose), you can also make small but easy-to-memorize mistakes. Misspellings, or wordplays. Malapropisms and typos. That kind of thing. Like, instead of puppy, you might make it "puppty". Almost as easy to remember, but a lot harder to hit with a dictionary attack. Toss in some "C", and you get something like lilpu9P+y. Which isn't terribly much harder than "li'l puppy" to remember but is generally more secure.

E. Go Full Random. Which brings us to "E": actually try random passwords. The trick to fully random passwords is to keep them relatively short, and then to use them a half-dozen times right off the bat to keep them fresh in mind. In other words, don't only use a random password on a single website that you only visit once every six months. You. Will. Not. Remember. It. However, if you visit a website kind of often, and practice, a 6-10 character random string is not impossible to recall. The good news is that you can use the same one across several websites, because generating a new one requires little forethought and not a huge long time to "relearn", so you can alter them on a regular basis.

F. Conjugate the Password. Finally, I'll leave you with conjugating your password. What this means is that you have a stem and a branch. The stem is the core shared between a group of passwords. The branch is unique to a given instance. One variant of this is to give your usual websites a three character code. This can be related to their name (e.g., Twitter = Twt) or it could be randomly generated and just well-used (e.g. Goodreads = bu7). Then you generate a random or non-random stem. Let's use the "Pu9p+y" from above. This would make the Goodreads password Pu9p+ybu7. It would be hard to guess/brute-force but is composed of elements that are relatively easy to recall with some practice. Then, your next password set uses another 6-character stem and you just attach the "bu7" branch to it that you are used to...

None of these are perfect, and with an increased ability for hacker sorts to steal sessions or to trojan up a keystroke recorder, eventually even the best passwords will fail. However, you can at least up the ante and make would-be hackers work for it. These will also help you to have a system of password generation on the fly. This means that when you sit down at your school's new computer lab, and you get told you have to create a password then-and-there to log into your account, you will have something in place to make a good password, as opposed to a random something that you have to write down.

LABEL(s): Computer Safety

* There are no doubt some of you shaking your fist at this, and wondering why such things are required. It is a matter of geometry. If your house has only 26 characters in all eight dimensions (assuming an 8-character password), that comes out to be 20.9 billion combinations. And many amongst you will notice that people really aren't going to use random (see "E") characters, so it actually limits passwords to just the set of all 8-letter words. Which is a lot, but also small in terms of a brute-force attack. Just adding the possibility of numbers ups the number of combinations to 2.9 trillion, and by the time you have added in uppercase letters, you have 200+ trillion.
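To put numbers on the footnote's "geometry" and on tip C's observation that only unpredictable l33t adds strength, here is an added Python example (mine, not code from the post) that computes the 8-character key spaces the footnote walks through and counts how many spellings a word gains under a small substitution map. The map and the word list are constructed for the example; the map borrows the post's A/4, O/(), p/9 and t/+ pairs.

```python
import itertools
import math

# Substitution table in the spirit of the post's examples. Constructed for this
# example; a real l33t table has many more entries.
LEET = {"a": ["4"], "o": ["()"], "t": ["+"], "p": ["9"], "e": ["3"]}

# Constructed stand-in for "the set of all 8 letter words".
WORDS = ["password", "elephant", "notebook", "keyboard", "treasure", "sandwich"]

def keyspace(alphabet_size, length):
    """Number of strings of `length` characters over an alphabet of `alphabet_size`."""
    return alphabet_size ** length

def footnote_keyspaces(length=8):
    """The three alphabets the footnote describes: lowercase, +digits, +uppercase."""
    return {"letters": keyspace(26, length),
            "letters+digits": keyspace(36, length),
            "letters+digits+upper": keyspace(62, length)}

def leet_variants(word, subs=LEET):
    """All spellings reachable by deciding, letter by letter, whether to substitute.
    This is the 'random' l33t of tip C: an attacker cannot know which letters changed."""
    choices = [[ch] + subs.get(ch, []) for ch in word.lower()]
    return {"".join(p) for p in itertools.product(*choices)}

def variant_count(word, subs=LEET):
    """Same count without building the set: product of (1 + substitutes) per letter."""
    count = 1
    for ch in word.lower():
        count *= 1 + len(subs.get(ch, []))
    return count

def dictionary_search_spaces(words, subs=LEET):
    """Candidates an attacker must try against a word list under three habits:
    plain words; l33t applied the same way every time (every A is a 4), which
    only relabels the list; and per-letter random l33t, which multiplies it."""
    plain = len(words)
    random_leet = sum(variant_count(w, subs) for w in words)
    return {"plain": plain, "fixed_leet": plain, "random_leet": random_leet,
            "bits_gained": math.log2(random_leet / plain)}

if __name__ == "__main__":
    for name, size in footnote_keyspaces().items():
        print(f"{name:22s} {size:>20,d}  ({math.log2(size):.1f} bits)")
    print(sorted(leet_variants("toad")))       # t()4d is one of eight spellings
    print(dictionary_search_spaces(WORDS))
```

With this map, "toad" has 2 x 2 x 2 x 1 = 8 spellings, so random substitution buys 3 bits per such word, which is worth having but is nowhere near the gain from simply making the password longer.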



Written by Doug Bolden

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.
