Practically Perfect Passwords
By John Bell, April 2015 issue of The Beltsville News
On a regular basis there is news about passwords being stolen and cracked. Since many people use the same password for multiple sites, if one password is stolen the thieves have access to many of your accounts. When a large password database is stolen, most of the passwords in it can be revealed in just a few minutes because they are common, short, or based on dictionary words. Some passwords in the same database, however, may take months or years to crack. This helps us establish some rules for what makes a good password.
- A password should be 12 characters or longer
- When possible, a password should mix numbers, upper- and lowercase letters, and symbols
- Passwords should be unique to each site
- Passwords should be changed on a regular basis
- Passwords must be easily remembered
One good way of creating secure passwords that meet these criteria is to use a set of rules for password creation and then combine the rules to create the password. Let’s go over an example of password creation rules that should work for many sites.
We start by picking a phrase of six words or longer. For this example I will use the phrase “We all live in a yellow submarine” from the lyrics of the Beatles tune. You should choose a phrase of your own. I will take one letter from each of the first six words in the phrase. In this case I will use the first letter, but you could instead use the second or last letter of each word, or, for a long phrase, skip every other word. This leaves me with “waliay”.
Next, pick some letters to capitalize. I will use the second and next-to-last letters, making the string “wAliAy”. You could also use a rule such as capitalizing the first and last letters, every second or third letter, or just the vowels.
Now we need to pick a number that changes at least annually. This can be an age or an anniversary. I will use the number of years since Columbus sailed for America, which is 2015 - 1492 = 523. I only need two digits, so my digits are 23.
Special characters are the symbols on the keyboard above the digit keys, along with colons, semicolons and braces. Not all sites allow these characters in a password, but if the site supports them it is good to use them. One method of selecting the characters is to use the symbols above the digits of the number chosen previously. Since the number we are using in this example is 23, the special characters we would use are @ and #.
Next, we want the password to be unique, or different, for each website. For this I select characters from the site name. In this example I will use the first two letters and the last letter of the name before the .com. So for amazon.com I would use “amn” and for facebook.com I would use “fak”.
Finally, we create a rule that combines these pieces into a single password for a site. I will use the following rule to build the password:
1. Start with the three letters for the site
2. Append the first special character
3. Append the number
4. Append the second special character
5. Append the phrase letters
Using the example rules given here, the password for facebook.com would be “fak@23#wAliAy” and for amazon.com it would be “amn@23#wAliAy”. These passwords look like random gibberish and are difficult to break, yet they can be reasonably remembered, or, if forgotten, recovered by applying the rules again.
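The rule set above, written out as a small Python program. This is an added illustration, not code from the article; the keyboard symbol table assumes a US layout, and the `www.` stripping in `site_letters` is an assumption the article does not spell out. The functions mirror the article's steps: take a letter from each of the first six words, capitalize the second and next-to-last, derive a two-digit number from a date, map its digits to the shifted symbols, pick three letters from the site name, and assemble the pieces in the stated order.

```python
# Added example: the article's password-construction rules as code.
# Assumes a US keyboard layout for the symbols above the digit keys.

SHIFTED_DIGITS = {
    "1": "!", "2": "@", "3": "#", "4": "$", "5": "%",
    "6": "^", "7": "&", "8": "*", "9": "(", "0": ")",
}

EXAMPLE_PHRASE = "We all live in a yellow submarine"  # the article's sample phrase


def phrase_letters(phrase: str, count: int = 6, position: int = 0) -> str:
    """One letter (at `position`) from each of the first `count` words, lower-cased."""
    words = phrase.split()[:count]
    if len(words) < count:
        raise ValueError(f"need a phrase of at least {count} words")
    return "".join(word[position].lower() for word in words)


def capitalize_positions(letters: str, positions=(1, -2)) -> str:
    """Upper-case the letters at the given indices (default: second and next-to-last)."""
    chars = list(letters)
    for pos in positions:
        chars[pos] = chars[pos].upper()
    return "".join(chars)


def yearly_number(current_year: int, reference_year: int = 1492, digits: int = 2) -> str:
    """Years since a memorable date, keeping only the last `digits` digits."""
    return str(current_year - reference_year)[-digits:]


def special_characters(number: str) -> str:
    """Map each digit of the number to the symbol above it on the keyboard."""
    return "".join(SHIFTED_DIGITS[d] for d in number)


def site_letters(hostname: str) -> str:
    """First two letters plus the last letter of the site name before the TLD."""
    name = hostname.lower()
    if name.startswith("www."):      # assumption: ignore a leading www.
        name = name[4:]
    name = name.split(".")[0]
    return name[:2] + name[-1]


def build_password(hostname: str, phrase: str = EXAMPLE_PHRASE, current_year: int = 2015) -> str:
    """Assemble: site letters, first symbol, number, second symbol, phrase letters."""
    letters = capitalize_positions(phrase_letters(phrase))
    number = yearly_number(current_year)
    specials = special_characters(number)
    return f"{site_letters(hostname)}{specials[0]}{number}{specials[1]}{letters}"


if __name__ == "__main__":
    for site in ("facebook.com", "amazon.com"):
        print(site, "->", build_password(site))
```

Running it reproduces the article's two results, “fak@23#wAliAy” and “amn@23#wAliAy”. Laying them side by side also makes visible what the article's final paragraph addresses: only the three site letters differ between sites, and everything after them is shared, which is why the author recommends separate phrases for financial and social sites.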
You should create your own variant of these rules for your own passwords. I also recommend using different phrases for financial sites than for social sites. It is safe to write your rules down so you don’t forget them; this lets you reconstruct your passwords if you can’t remember them.