Password Requirements: Keeping Your Data Safe by Keeping Your Data Inaccessible
I realize I’m not going to say anything here that xkcd hasn’t already said:
But is it just me, or are we making it even harder on ourselves as we go on?
It’s been a while since I actually had to deal with regularly-changing passwords for the same account (the bane of every office worker, to hear people with real jobs tell it, but I wouldn’t know about that).
I do, however, have to maintain an ever-expanding collection of website accounts as I write for more and more people. A few of them set their own passwords, but far more prefer to generate long, random strings of gibberish alphanumeric characters that I could never, in a million years, commit to memory. And while I’m often able to reset to my own, personal password, the internal requirements have gotten so stringent that I can’t even use the “at least six characters long with some numbers and shit in there somewhere” passwords I’ve been rotating through my brain for the last decade or so.
The end result is, of course, that the passwords just get written down and stored physically, which is the exact opposite of security. Though I suppose a handwritten note somewhere in my office (re: bedroom) is relatively safe unless we’re being targeted by housebreaking data thieves, which seems a little physical for your average hacker. So maybe that was the point all along?
Now that I think about it, “force all of us to store our passwords physically” is a pretty great way to keep our data off the web. If only it didn’t have the unfortunate side-effect of making me not want to use the web, even when I’m being paid to.

You didn’t explicitly solicit other suggestions, but I’ve been rockin’ a pretty good system since I started on the Interwebs in the late 90s. I make the password related to the reason I first went to the site. For example, my Amazon password is associated with the first purchase I ever made there. It works pretty well, especially since when you’re traveling, it’s a total pain to suddenly remember that your post-it with your passwords is at home.
When I worked in an office and we had to change our passwords every six weeks, I always made it the most recent dumb thing my friends said. Once it was “donkeypunch” which still cracks me up.
That’s not a bad mnemonic, though it’s got the same problem everything else does — you’ve still got to remember where you put all the numbers and oddly-placed capitals that most sites are requiring these days.
I’ve got some easily-remembered phrases from my personal life for most of my passwords, but it still generally takes three or four tries to get the right variation if I’m away from my home computer (which remembers them all for me, most of the time).
And, as xkcd points out, none of those stupid substitutions are making it any harder for a computer to guess the password. Just for me to remember it.
I have well over a hundred different passwords to the various sites I use. That number excludes the ‘more secure’ ones I keep written down in a separate location. It also excludes the ‘extremely secure’ ones I keep only in my (sadly over-stuffed) brain.
I know any sense of password security is just an illusion. At this point, I’m just playing the password game so I can comfort myself with “At least I tried” if I get hacked.
You could also use password managers like KeePass and PasswordCard. My friend that’s a bit obsessed with security keeps a flash drive with his password manager software on it. My mother hit upon an equivalent to the PasswordCard all on her own. She has some strange system involving her address book. It seems to work for her, and she always has that little book with her, and the thing is stuffed since she’s had it for 30 years.
When a site lets me, I just use full sentences for passwords…
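As an added example (not from the post or any of the commenters), here is a rough Python estimate of the two points made above: why the numbers and oddly-placed capitals add little once an attacker assumes the password is a dictionary word with the usual swaps and an appended tail, and why a full sentence adds a lot. The word-list sizes, the substitution table and the sample sentence are assumptions; "Tr0ub4dor&3" is the example from the xkcd comic the post refers to.

```python
import math
import re

# Constructed, rough entropy model (added example, not from the post) for the
# two password styles the thread discusses: a dictionary word dressed up with
# substitutions and an appended digit/symbol, versus a full sentence.
LEET = str.maketrans("0143$@!", "oiaesai")  # undo the usual swaps (0->o, 4->a, ...)
SUBSTITUTABLE = set("oiaes")               # letters people commonly replace
DICT_WORDS = 20_000       # assumed size of a cracker's word list
SENTENCE_VOCAB = 5_000    # assumed everyday vocabulary for sentence passwords
SUFFIX_ALPHABET = 43      # 10 digits + 33 symbols for an appended tail

def charset_size(pw: str) -> int:
    """Alphabet a brute-force attacker must cover (space counts as a symbol)."""
    classes = [(r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^A-Za-z0-9]", 33)]
    return sum(n for pat, n in classes if re.search(pat, pw))

def naive_bits(pw: str) -> float:
    """Entropy if the attacker knows nothing but length and character classes."""
    return len(pw) * math.log2(charset_size(pw))

def pattern_bits(pw: str) -> float:
    """Entropy once the attacker assumes the construction pattern instead."""
    words = pw.split()
    if len(words) >= 3:                       # a sentence: guess word by word
        return len(words) * math.log2(SENTENCE_VOCAB)
    m = re.match(r"^(.*[A-Za-z])([^A-Za-z]*)$", pw)   # word body + trailing tail
    body, suffix = m.groups() if m else ("", pw)
    bits = len(suffix) * math.log2(SUFFIX_ALPHABET)   # each appended digit/symbol
    if body:
        core = body.translate(LEET).lower()
        bits += math.log2(DICT_WORDS)                        # which base word
        bits += 1 if any(c.isupper() for c in body) else 0   # capitalised or not
        bits += sum(c in SUBSTITUTABLE for c in core)        # each swap: yes/no
    return bits

if __name__ == "__main__":
    for pw in ("Tr0ub4dor&3", "the cat sat on the warm radiator"):
        print(f"{pw!r}: naive {naive_bits(pw):.0f} bits, pattern-aware {pattern_bits(pw):.0f} bits")
```

The substituted word scores about 72 bits against a brute-force attacker but only about 29 once the pattern is assumed, while the seven-word sentence keeps about 86 bits even under the pattern-aware model.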