How to Choose Good Passwords


With our continued reliance on passwords, it is still a good idea to select good, secure, and memorable passwords.  It’s also very important to change them periodically.  We’ll cover some suggestions on selecting good passwords that naturally expire, and we’ll cover a bit about password safety.

There is no such thing as the perfect password, and there are many different ways that passwords can become compromised.  This does not mean that we should simply give up and use “Password” or “Excalibur” for all of our passwords.  It does mean that we should all choose passwords that are appropriate for the assets that they’re protecting, and we should all change our passwords periodically.

First of all, we should not have one password for everything.  If your password is compromised, you do not want that to give an attacker access to every single account that you have.  A simple way to have a different password for every account is to split each password into two halves.  One half is a good password, perhaps 6 to 8 characters.  The other half is unique to the account that particular password protects.  For example, if your good half is “ILFit5!” and you are choosing passwords for your email and for your mobile phone online account, those two passwords might be “ILFit5!gmail” and “ILFit5!tmobile”.  Now you have two different passwords, but they are easy to remember (more about remembering that first half in a bit.)  There might be some concern that a person who gets one password will see the pattern and use it for other accounts; that is not a risk this strategy mitigates.  What it does defend against is keyboard loggers, network sniffers, and stolen password hashes – all attacks that can be connected to automation – where the attacker wrote a program that grabs the username and password and then tries the pair against as many other web sites as it can find.  In these cases there’s never any person reading the password.  It’s a program.  It just tries the same username and password all over the place.  With a per-account half, you’ve now secured your other accounts against these.

Now, for the “good” half of the password.  Let’s take a six word (or more) seasonal sentence.  For this example: “I like flowers in the spring.”  We’ll take the first letters, which gives us “I Like Flowers In The Spring”, or ILFITS.  Now let’s change the case.  I suggest using capitalization to emphasize the words that are important.  So let’s make it “I Like Flowers in the spring”, or ILFits.  Now let’s add a number, or change something to be a number.  Since the s and the number 5 have similar shapes, let’s make that a 5.  Now we have “ILFit5”.  Finally we need a special character in the password.  Let’s add an exclamation point for emphasis.  This gives us a final password of “ILFit5!”.  This is too short to be the whole password, so it will need to be followed by a unique identifier.  As described above, using a different identifier per account is a good way to keep passwords different.  There are some web sites and other accounts that have very poor password requirements, and which don’t allow some special characters.  This is very frustrating, particularly for those of us in the security industry.  When you run across one of these I suggest having a different sentence.  Perhaps “Some websites don’t value my security”, or “SWdvm5”.
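The two-part scheme above, written out as an added example (this code is not from the original post): the first function turns a seasonal sentence into the reusable core using the same steps (first letters, emphasized words kept upper case, s changed to 5, optional special character), the second appends the per-account tag, and the third flags passwords that are too short or missing a character class.  The extra look-alike digits and the 12-character minimum are this example's assumptions, not the post's.

```python
import re

# Look-alike digit substitutions. The post uses s -> 5; the other three are an
# added assumption so the function also works for sentences without an "s".
LOOKALIKES = {"s": "5", "o": "0", "i": "1", "e": "3"}


def seasonal_core(sentence, emphasize, substitute=("s",), special="!"):
    """Build the reusable 'good half' from a six-or-more-word seasonal sentence.

    emphasize  : words whose initial stays upper case (all others are lowered)
    substitute : letters swapped for a look-alike digit (last occurrence only,
                 which reproduces the post's ILFit5 and SWdvm5)
    special    : trailing special character; pass "" for sites that forbid them
    """
    words = re.findall(r"[A-Za-z']+", sentence)
    if len(words) < 6:
        raise ValueError("use a sentence of at least six words")
    emph = {w.lower() for w in emphasize}
    core = "".join(w[0].upper() if w.lower() in emph else w[0].lower() for w in words)
    for letter in substitute:
        idx = core.lower().rfind(letter)
        if idx >= 0:
            core = core[:idx] + LOOKALIKES[letter] + core[idx + 1:]
    return core + special


def account_password(core, account_tag):
    """Append the per-account tag so no two accounts share a password."""
    if not account_tag:
        raise ValueError("account tag must not be empty")
    return core + account_tag


def password_issues(password, require_special=True):
    """List problems with a finished password (empty list means it passes).

    The 12-character minimum is this example's assumption; the post only says
    the 6-8 character core is too short to stand on its own.
    """
    checks = [
        (len(password) < 12, "too short"),
        (not re.search(r"[A-Z]", password), "no upper case"),
        (not re.search(r"[a-z]", password), "no lower case"),
        (not re.search(r"\d", password), "no digit"),
        (require_special and not re.search(r"[^A-Za-z0-9]", password), "no special character"),
    ]
    return [msg for failed, msg in checks if failed]
```

Running `password_issues(account_password(seasonal_core("I like flowers in the spring.", ["I", "like", "flowers"]), "gmail"))` returns an empty list, while the bare core “ILFit5!” is reported as too short.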

Passwords that are tied to the seasons automatically remind you to change them.  Each time I’m logging into my tmobile account I’m repeating the words (in my head of course) “I like flowers in the spring.”  If I’m still using that password during the summer, this password method reminds me when it’s time to change my passwords.  It’s a good idea to have a list of your accounts and their passwords either electronically or on paper, but that’s a topic for another time.

Remember.  Give your passwords two parts, and for the password part use a Six word Seasonal Sentence to remind you to change that part of the password at least four times a year.
