One of the things I have heard over and over again in my years as a network and systems administrator is the rather common complaint users have about having to deal with password schemes.
Security, while definitely a GOOD thing, forces people who would much rather focus on their work to step outside their comfort zone and juggle a pile of passwords and rigamarole. That inevitably ends with someone coming to me and saying, “Trent, I FORGOT MY PASSWORD AGAIN. Can you help me?”
Hopefully I can. Here are a few points of discussion that might aid you in your painful quest for a password you can remember that is (most importantly) still secure, and why it’s important.
Why do we have to do this?
Why? Why indeed! As I have become fond of saying, borrowing a line usually credited to Bruce Schneier, “security is a process, not a product”.
Just because you have every Windows patch, security update, and service pack installed doesn’t mean that you’re safe. If you are using a weak password, or one that’s been shared with others, or — worse yet — one that hasn’t been changed in YEARS — none of that hard work keeping things patched and up to date matters one bit.
If that’s the case, you’re the big, gaping hole in that ongoing security process, because your private data (in the case of your home computer) and your company data (in the case of your work computer) is only one weak password guess away from a very bad hacking incident if someone malicious were so inclined.
Companies are held responsible for the data that gets stolen… and the more sensitive that data is, the worse things can be for them if there’s a security breach. And, to bring things a little closer to home, consider what you do on your personal computers. Identity theft is growing like a plague, getting worse every day, and one of the ways that happens is weak passwords and weak security processes, particularly among home users.
Think it’ll never happen to you? 9.9 million people just like you became victims of identity theft in 2008 alone.
Ever tried to fix something that got screwed up on a credit card or a bank account? Imagine having to do that with ALL of your accounts and credit cards, all at the same time, and then having to deal with the scars that leaves on your credit rating for YEARS to come. It happens all the time.
Okay, I get it, security’s important. Now what?
If everything’s patched, plugged, service packed and otherwise locked up tight, the easiest point of entry into any system is a weak password. You’d be amazed at how many times I’ve encountered users who use things like “password” or “test”, or even their user names as their passwords. Yes, really.
I can tell you, while it may be easy for you to remember how to get in that way, it’s a disaster waiting to happen.
A reasonably secure password should be at least 8 characters long (longer is better; length does more for strength than any other single rule), mix upper case and lower case letters with at least one or two numbers and a special character, contain nothing taken from your name or user name, and (ideally) not spell any word.
I know, I know… that means they’re hard to remember, right?
They don’t have to be.
Here’s a method that I’ve advised regular users to use for years, and with great success.
Step 1: Make up a phrase that you won’t forget
A friend of mine who shall remain nameless once used to categorize certain types of humor as “Stupid Bobby Turner Jokes” if they made a person groan. It was sort of an inside joke reference, because she had worked with someone for years named Bobby Turner that told awful, groan-inducing jokes every morning when he came into work.
Using that phrase as a starting point, something that person could easily remember, is where we begin. But it’s not long enough. Let’s add a couple of words to it:
Stupid Bobby Turner jokes make me groan
Step 2: Add some things to it to make it secure
Remember, though, that a good password will have at least a number or two in it. So let’s add to this phrase again:
Stupid Bobby Turner jokes make me groan 25 times a day
That’s pretty good, but it needs some emphasis. Let’s make that a little more exclamatory:
Stupid Bobby Turner jokes make me groan 25 times a day!
Step 3: Abbreviate!
How on earth does this make a secure password? By taking the first letter of each word and stringing them together, along with the number and the exclamation point, like this:
SBTjmmg25tad!
Voila! Right there is a secure password! It meets the requirements: it’s 13 characters long, it has upper case letters and lower case letters, it contains two digits, it doesn’t spell any words, and there’s a special character in there to boot! (Don’t use this particular one, of course; it has now been published.)
And as long as you use a phrase as a starting point that’s meaningful to you in some way, it’s not hard to remember. Give it a try!
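As an added example (not code from the original post), the following Python implements the three steps above mechanically: it turns a phrase into a password by keeping the first letter of each word with its case, whole numbers, and trailing punctuation, and then checks the result against the rules listed earlier (length, mixed case, a digit, a special character, nothing from the user name). It goes one step beyond the post by undoing common “1337” substitutions before comparing against a short blocklist, so that a disguised dictionary word is still caught. The sample phrases, the user name “bturner” and the blocklist contents are constructed for this example.

```python
"""Derive a password from a memorable phrase and check it against simple
composition rules.  Added example; not code from the original post."""

import string

# Constructed stand-in for a real dictionary/blocklist.  The post names
# "password" and "test"; the other entries are assumed additions.
WEAK_WORDS = {"password", "test", "letmein", "qwerty", "welcome"}

# Typical "1337" substitutions, undone before the blocklist lookup so that a
# disguised dictionary word such as "Pa$5w0rd" is still recognised.
LEET_MAP = str.maketrans({"$": "s", "5": "s", "0": "o", "1": "l",
                          "3": "e", "4": "a", "7": "t", "@": "a"})


def derive(phrase: str) -> str:
    """Step 3 of the post: first letter of each word (case preserved),
    whole numbers kept as they are, trailing punctuation kept."""
    parts = []
    for token in phrase.split():
        core = token.rstrip(string.punctuation)   # "day!" -> "day"
        trailing = token[len(core):]              # "!" or ""
        if core.isdigit():
            head = core                           # "25" and "10" stay whole
        elif core and core[0].isalpha():
            head = core[0]                        # "Stupid" -> "S", "can't" -> "c"
        else:
            head = ""
        parts.append(head + trailing)
    return "".join(parts)


def check(password: str, username: str = "", min_length: int = 8,
          require_mixed_case: bool = True) -> list:
    """Return the list of rules the password breaks (empty list = acceptable).

    require_mixed_case=False models the all-caps exception described in the
    comments: length, a digit and a special character are still required.
    """
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    has_upper = any(c.isupper() for c in password)
    has_lower = any(c.islower() for c in password)
    if require_mixed_case:
        if not has_upper:
            problems.append("no upper-case letter")
        if not has_lower:
            problems.append("no lower-case letter")
    elif not (has_upper or has_lower):
        problems.append("no letters")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    lowered = password.lower()
    if username and username.lower() in lowered:
        problems.append("contains the user name")
    # Compare both the raw and the de-leeted form against the blocklist.
    bare = lowered.strip(string.punctuation)
    if bare in WEAK_WORDS or bare.translate(LEET_MAP) in WEAK_WORDS:
        problems.append("is a known weak word (possibly in leetspeak)")
    return problems


if __name__ == "__main__":
    # Constructed sample phrases, following the post's three steps.
    for phrase in ("Stupid Bobby Turner jokes make me groan 25 times a day!",
                   "I can't DO this 10 more times!"):
        pw = derive(phrase)
        print(f"{phrase!r} -> {pw!r}: {check(pw, username='bturner') or 'OK'}")
    for weak in ("password", "test", "bturner", "Pa$5w0rd"):
        print(f"{weak!r}: {check(weak, username='bturner')}")
```

Running the script prints the two derived passwords with an empty problem list, while “password”, “test”, the user name, and the leetspeak variant each fail at least one rule. The blocklist here is deliberately tiny; a real deployment would check against a proper dictionary and a breached-password list rather than a handful of literals.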
Conclusion
I got a bit preachy above about security processes being of dire importance, particularly when it comes to user passwords. However, as I mentioned, that doesn’t mean it has to be hard or impossible for you to figure out a password scheme that works for you.
Using this simple method for devising a password makes it easy for you to come up with things, easy to remember them, and most of all, lets you get on with your work, play, or whatever else for which you’re using technology.
So the next time your system administrator makes you reset your password, rather than throwing up your hands and saying “I can’t do this!”, add a number and an exclamation point to that phrase. “I can’t DO this 10 more times!” then becomes your new password:
IcDt10mt!
See how easy it is?
Stay secure out there!
– Trent
You know me, I try to game the system. At work they let me use Pa$5w0rd. That was an easy one to remember. I also 1337-ified my login. Silly IT people for allowing that.
You should consider something a little stronger than that, Peter.
Here’s my problem. I have a large number of passwords and PINs to memorize, some of which I have no control over (i.e. random chars generated by the systems office). And they usually have different requirements for strength (length of key and composition of upper/lower/number/symbol). And like university professors, system administrators tend to assume that their application is the only one you ever need a password for and ignore the existence of all others. I can’t come up with one I can use everywhere, nor would I really want to; that is in and of itself insecure. The obvious thing is some kind of simple software tool that uses some good crypto to store a library of your passwords in all their variety, accessed by one very-resistant-to-guessing passphrase. I know there are some out there; do you know of any good multiplatform (open source) ones to use? I know a while back Microsoft did one, but that would not be multiplatform, nor would it be trustworthy imho.
Hiya Norm.
Actually, I’ve only worked at one company that did any kind of “single sign-on”, and the tool they used for it was definitely not a multiplatform/open source one.
And, to be honest, it didn’t work very well. When a user would log into their computer at the beginning of the day, this app would then automatically sign them into everything… a process that made the computer pretty much unusable for 15-20 minutes.
So I’d arrive at work, log into my computer, go downstairs to the coffee shop on the first floor, get some coffee, make a phone call, surf the web a while on one of the internet kiosk machines they had there, take the STAIRS back up to the 3rd floor where my desk was, and sit for a few MORE minutes watching this thing sign me into stuff I might not even use that day.
I don’t know the solution to this dilemma, to be honest. In a lot of organizations, the problem could be solved simply by getting various departments and IT to set a global password policy so that you could at least use the same password for everything, and everything would have a consistent strength requirement.
But since you work for a major university, I know that’s not exactly realistic, is it?
I should mention too that I’m not most system administrators when it comes to this kind of thing.
For one example, a current client of ours has a 3rd party application into which they log in that requires all of their inputs to be in ALL CAPS.
Because these people spend 80% of their time in this application, to make life easier on them, I allowed them to set network passwords that are all caps (that way most of these users can just leave their caps lock keys on all the time) as long as the passwords were a minimum of 8 characters and included a number and a special character.
Are these passwords as strong as if they were a mix of upper and lower?
No, of course not. But they’re still reasonably strong because of the other requirements.
And that’s the point. One has to be reasonable.