Sunday, December 08, 2013

My system for creating and remembering secure passwords: Part 2

One of my jobs as a digital media manager for World Vision is to ensure that the passwords our staff uses to access web and social media platforms are sufficiently secure so that hackers are deterred from taking over our resources and using them to their own evil devices. When I arrived in my current department, nearly three years ago, I discovered that some passwords were as basic as "children." That's not a terribly secure password, especially for an organization that focuses on the needs of children.

I mentioned in my last post that a password like "Fido" can easily be hacked by current hacking software, in a matter of seconds. On the other hand, a randomized, 10-character password (including mixed-case letters, numbers, and possibly a symbol or two) might take 6 years or longer for a desktop computer to hack.

We also talked about sites that can help you create totally randomized passwords. But such passwords are obviously more difficult to remember. So in this blog I want to share with you two systems for creating complex passwords that you can more easily remember.

First System: Divide and Conquer

Step 1. Select a series of something you will easily remember. It might be favorite foods, restaurants, cities you have lived in, books of the Bible, names of friends, pets' names, whatever. For instance, let's say you are a big Mexican food fan. Your series might include:
etc. (Note: I am color-coding different components of the password just to make it easier for you to see how it all comes together!)

Step 2. Now think of a series of numbers that you can easily remember. It might be the last few digits of your social security number, or a phone number, street address, whatever. Let's say your phone number is 253-555-1212.

Step 3. Next, divide each word as close to the halfway mark as possible. (I divide between syllables.) Start at the top of the list. The word "enchilada" easily divides into "enchi" and "lada."

Step 4. Now insert your selected number between the two halves of the word, like this:


Step 5. Next, settle on one or more character positions you are going to capitalize. For instance, in your series of words, the shortest word is "tacos," which will probably divide like this: ta2535551212cos. The first half of the word is only two letters long, so let's say you decide to capitalize the 2nd letter of each half. So your two passwords now are:


And your next password in the sequence would be:


Step 6. Finally, decide on a special symbol and insert it in a set place, such as the beginning of the second string:




You will always put your symbol in the same position, so you can remember where. (Note: Some websites may not allow some symbols, which can mess up JavaScript processing. But an exclamation point is usually fairly safe.)

So, now you have a base password to start with (eNchi2535551212!lAdas). That password is 21 characters long, and says it would take 32 sextillion years for a desktop computer to hack this password. Pretty darned secure. But next we're going to make it even MORE secure!

Because, you know that you should NOT use the same password for more than one site, right? You should have different passwords for your Google, Facebook, and Twitter accounts, for instance.

Step 7. How to do this? The easy way is to simply add the specific platform name to the beginning or end of the password, like this:


That password is now 27 characters long and would take 6 decillion years to break. (Yes, that is a real number! A decillion, says Wikipedia, is 10 with 33 zeros after it.)

Now, some of your sites may have maximum password length limits shorter than 27 characters. (Also, 27 characters may be a little onerous to type each time you need it.) For these two reasons, I recommend shortening your string of numbers (say, to the last 4 digits of your phone number), and/or abbreviating your platform name (hence Google becomes G, Facebook F, Twitter T, etc.). Doing it this way, the shortest password in the series would become:


only 11 characters ... but even a complex password that short would still take 4,000 years for a desktop computer to crack. Plenty secure! If you use GtA1212!cOs for Google, you would use FtA1212!cOs for Facebook, etc. (That way if someone ever hacks millions of Google passwords, they won't automatically get your Facebook password too.)

Hence the beauty of this system is that you can use a similar (but not identical) password for all your different platforms ... but then when you have to change a password (and I recommend changing them all at the same time), you simply move to the next phrase in the series ... from "tacos" to "tortillas", for instance. (Therefore your next Google password would become GtOrtil1212!lAs ... assuming the syllable breaks between the Ls? I'm not sure.) Your number stays the same, your sequence stays the same, your symbol remains in the same position ... in short, your system doesn't change. So as long as you have a commonsense system and a sequence of associated words you can recall, and a number you remember easily, it's relatively simple to create and keep track of all those different passwords ... while making each one very, VERY secure.
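The seven steps above are mechanical enough to write down as code, which makes it easy to check that a chosen word, number, capital position and symbol really do produce the strings shown in the post. The following Python is an added example written for this post, not something the author published; it assumes the split point is passed in explicitly (the author splits between syllables by eye, and the code does not attempt syllable detection) and it adds a worst-case brute-force estimate at an assumed guess rate of one billion guesses per second, which is a constructed figure and not the rate behind the year counts quoted in the post.

```python
import string
from typing import Dict, Optional, Tuple

SECONDS_PER_YEAR = 60 * 60 * 24 * 365


def split_word(word: str, break_at: Optional[int] = None) -> Tuple[str, str]:
    """Step 3: divide the word near the halfway mark.

    The author breaks between syllables; since that needs a human ear,
    the caller may pass break_at (5 gives 'enchi' | 'ladas'). With no
    break_at the word is simply split at len(word) // 2.
    """
    if break_at is None:
        break_at = len(word) // 2
    return word[:break_at], word[break_at:]


def capitalize_at(half: str, pos: int) -> str:
    """Step 5: upper-case the letter at 0-based index pos, if present."""
    if pos >= len(half):
        return half  # half too short for that position; leave it alone
    return half[:pos] + half[pos].upper() + half[pos + 1:]


def build_password(word: str, digits: str, cap_pos: int = 1, symbol: str = "!",
                   site_tag: str = "", break_at: Optional[int] = None) -> str:
    """Steps 4 to 7 combined: site tag + first half + digits + symbol + second half.

    cap_pos=1 means 'capitalize the 2nd letter of each half', as in the post.
    The symbol goes at the start of the second string, as in the post.
    """
    first, second = split_word(word, break_at)
    first = capitalize_at(first, cap_pos)
    second = capitalize_at(second, cap_pos)
    return f"{site_tag}{first}{digits}{symbol}{second}"


def site_passwords(word: str, digits: str, site_tags, **kwargs) -> Dict[str, str]:
    """Step 7 across several platforms: one derived password per site tag."""
    return {tag: build_password(word, digits, site_tag=tag, **kwargs) for tag in site_tags}


def charset_size(pw: str) -> int:
    """Size of the smallest standard character set that covers every character used."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    return size


def brute_force_years(pw: str, guesses_per_second: float = 1e9) -> float:
    """Years to exhaust every string of this length over this character set.

    This is the uninformed worst case: it assumes the attacker knows nothing
    about how the password was built. The rate is an assumption for illustration.
    """
    combos = charset_size(pw) ** len(pw)
    return combos / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    base = build_password("enchiladas", "2535551212", break_at=5)
    short = site_passwords("tacos", "1212", ["G", "F", "T"])
    print(base, len(base), f"{brute_force_years(base):.3g} years")
    for tag, pw in short.items():
        print(tag, pw, len(pw), f"{brute_force_years(pw):.3g} years")
    print("children", f"{brute_force_years('children'):.3g} years")
```

Running it reproduces the post's strings (eNchi2535551212!lAdas, GtA1212!cOs, GtOrtil1212!lAs with break_at=6) and lets you compare the exhaustive-search cost of each against an all-lowercase word like "children". The estimate is only meaningful for an attacker who does not know the construction, which is why the same word, number, symbol position and capital position should never be reused across the series after a change.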

Second System: Punctuated Phrases

Other people I know use other systems which also make sense to me. For instance, some recommend taking a string of words you will easily remember ... like a portion of a Bible verse or a stanza of a song ... and inserting something (like a sequence of numbers you will remember) in between each word. Like this:


And of course you could combine this with my method of identifying each platform (Google etc.):


That 28-character string would take a desktop computer 525 decillion years to crack. (Better than the 52 seconds it would take to crack the password "children"!)

Or, you could even insert at least a portion of the reference (John 3:16 in this case) in between the words, like this:


Whatever you decide to do ... be consistent! But make sure it's sufficiently complex (at least 10 characters, including mixed case letters, numbers and possibly symbols) to put hackers out of business.
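For the second system, the same kind of generator is even shorter: join the words of a memorable phrase with a fixed filler, or weave pieces of the verse reference between them, and then check the result against the minimum you just stated (at least 10 characters, mixed case, numbers, possibly symbols). This Python is an added example written for this post, not code from the author; the phrase words are the opening of John 3:16, the filler "1212" and the "G" site tag are constructed choices, and the policy check is my reading of the sentence above.

```python
from typing import List


def punctuate(words: List[str], filler: str, site_tag: str = "") -> str:
    """Insert the same remembered string between every pair of words."""
    return site_tag + filler.join(words)


def punctuate_with_reference(words: List[str], reference_parts: List[str],
                             site_tag: str = "") -> str:
    """Insert successive parts of the reference between the words, cycling
    through the parts if the phrase has more gaps than the reference has parts."""
    out = words[0]
    for i, word in enumerate(words[1:]):
        out += reference_parts[i % len(reference_parts)] + word
    return site_tag + out


def meets_policy(pw: str, min_len: int = 10) -> bool:
    """Minimum from the post: length, lower case, upper case, and a digit.
    Symbols are 'possibly', so they are not required here."""
    return (len(pw) >= min_len
            and any(c.islower() for c in pw)
            and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw))


if __name__ == "__main__":
    # Constructed sample phrase: the first six words of John 3:16.
    phrase = ["For", "God", "so", "loved", "the", "world"]
    for pw in (punctuate(phrase, "1212"),
               punctuate(phrase, "1212", site_tag="G"),
               punctuate_with_reference(phrase, ["John", "3", "16"], site_tag="G")):
        print(pw, len(pw), "ok" if meets_policy(pw) else "too weak")
    print("children", meets_policy("children"))
```

Both generators keep the words in their original order, so the only things to remember are the phrase, the filler (or reference) and where the site tag goes; meets_policy is the check to run before adopting any variant.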

Insert special note here ... while I am giving you the details of a system I use and recommend, I am NOT giving you the details of the components of the system I use for my own passwords! (In other words, I am not revealing specific decisions I have made about the series of words or numbers, cap or symbol position, etc.) All my examples are just that.

So, go ahead and try if you'd like ... and good luck hacking me!

Next up, in the final part of this series, I want to talk about how to memorize truly complex or random passwords, or other difficult strings of letters and/or numbers. I have a terrible memory (I blame genetics), and so I recently stumbled across a memorization technique that really works for me, much to my delight. I'll share the details in my next post ... so stay tuned!
