Friday Jul 25 2008
All times are London time


April 23, 2008

Impossible passwords

I wrote about the dilemma of passwords here: they must be impossible to remember, change frequently and never be written down. Now a kind fellow called Sean Gilbertson has sent me a pamphlet on his “Cryptogic” system. He suggests combining a fixed password section (eg TimFT) with a variable password. For instance an Amazon password might be 3TimFT3 because Amazon has three syllables and three vowels, while an eBay password would be 2TimFT2 because eBay has two syllables and two vowels. Pick your own simple rule for deriving a variable password.

It’s a nice enough system, and does deal with the important problem of using different passwords for different sites - which was the original question! Still doesn’t help much with the requirement to change passwords constantly, alas…
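The rule described above, written out as an added example (not code from the post or from the Cryptogic pamphlet), shows how often it hands the same password to different sites. The digit order (syllables first, vowels last), the vowel-run syllable heuristic and every site name other than Amazon and eBay are assumptions made for illustration.

```python
import re

FIXED = "TimFT"   # fixed section quoted in the post
VOWELS = "aeiou"  # 'y' is not counted, matching the post's eBay example


def count_vowels(name: str) -> int:
    """Count vowel letters in the site name."""
    return sum(ch in VOWELS for ch in name.lower())


def count_syllables(name: str) -> int:
    """Assumption: treat each run of consecutive vowels as one syllable.

    This matches the sample names below; it is not a general syllable counter.
    """
    return len(re.findall(f"[{VOWELS}]+", name.lower()))


def derive(site: str, fixed: str = FIXED) -> str:
    """Apply the rule as <syllables><fixed><vowels> (order is an assumption)."""
    return f"{count_syllables(site)}{fixed}{count_vowels(site)}"


def collisions(sites):
    """Group sites that end up sharing one derived password."""
    groups = {}
    for site in sites:
        groups.setdefault(derive(site), []).append(site)
    return {pw: names for pw, names in groups.items() if len(names) > 1}


# Constructed sample list; only Amazon and eBay appear in the post.
SITES = ["Amazon", "eBay", "PayPal", "Google", "Yahoo", "Skype"]

if __name__ == "__main__":
    for site in SITES:
        print(f"{site:8} -> {derive(site)}")
    for password, names in collisions(SITES).items():
        print(f"shared by {', '.join(names)}: {password}")
```

With only two small counts varying, six sites produce four distinct passwords, so a rule this simple reintroduces the password reuse it is meant to avoid.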

5 Responses to “Impossible passwords”

Comments

  1. You can write passwords down. Just make sure it isn’t obvious what they’re the password for (e.g. don’t write your PC login on a post-it stuck to the monitor).

    I’d recommend that for low-value things like amazon or ebay, just write the passwords down on a piece of paper and put it in your wallet. Maybe obfuscate them a bit by adding extra letters, leaving a couple of letters off, and not writing “amazon: ” next to it.

    Even if someone steals your wallet, they can’t automatically cash in. And in any case they’ll probably be too busy ripping off your credit card to spend time figuring out which letters they need to change to hijack your ebay login.

    For high-value passwords such as online banking, try to thoroughly obfuscate the password (e.g. disguising part of it as a phone number and another part as the username of some other login. Or something).

    For high-value passwords used frequently (e.g. the logins for my work accounts on various machines), I’ve found that I have no trouble remembering them even where they’re randomly generated. Your mileage may vary.

    There are also software products you can get such as password-safe, which store your passwords encrypted with a master-password. This reduces the problem to remembering one password, which you don’t even have to change frequently.

    Posted by: SteveJ | April 23rd, 2008 at 2:59 pm
  2. supergenpass is great. It’s like a really good implementation of your correspondent’s algorithm.

    Posted by: pushmedia1 | April 23rd, 2008 at 6:45 pm
  3. Of course, his method isn’t exactly new, being a variation of a method already suggested to you in the comments to your previous posting on this topic.

    I’ve been using that method for about 20 years now…

    Posted by: Sharper | April 23rd, 2008 at 9:54 pm
  4. I already do this, although the constant word is just a random word and not one related to me. When it comes to changing passwords I just change the numbers.

    Posted by: Nick M. | April 24th, 2008 at 7:17 am
  5. Password safes really are the solution to this problem. I use Keepass — it’s free, and open source (which is critical to verify that there are no backdoors).

    I have one memorable yet uncrackable password (e.g. “72iwasbornunderabluesky9145hello”) which allows me to access all of my other auto-generated passwords, something like “AxHTSc8d3y5GsQ4E”.

    The only downside is, if I need access to my passwords when I’m away from home, I need the password safe file (which I can safely store online) and the keepass application (which I can hopefully download and install if needed).

    An even better solution would be to have the safe running on a mobile device that I carry with me (eg phone).

    Posted by: Mark | April 25th, 2008 at 4:26 pm
