Password Management and the Lazy Geek
By Timothy Tibbetts
I've been rethinking my password management lately... Stay with me on this.
With the recent rash of attacks targeted at nearly every online entity, we, as web users, are always being asked to change our passwords. For me, the minor inconvenience that it takes to reset the password itself is far exceeded by trying to remember what my new passwords are. Now I find myself with multiple collections of similar passwords that I thought of at that moment, and I can't recall any of them 2 or 3 days later when I need them.

Now, I have a LOT of passwords, more than most. Some I need and use frequently, while others may be a once-a-year type thing. When I need to change one, two, or even a group, frankly, it throws me off my game, and I find I'm now hitting the forgot-password option more often than not, which, of course, makes me change my password again. Yikes! This has me rethinking how to use and remember my passwords better.
First, I started thinking about what to avoid using as a password.
1) Do not use something common to you like your pets, spouse, or kids' names.
2) Avoid straight combinations of numbers like 123 or birthdays.
3) Avoid common words like 'Admin' or 'Password' or '123'.
4) Never use the same password at multiple sites.
Then I looked around at what I'm told I should do.
1) Combinations of upper and lower case letters.
2) A few numbers.
3) A random character or so like @,#,% OR &.
4) At least eight characters.
Now, these rules are helpful, but they will not help you if a site you subscribe to is breached and its user database, with your carefully crafted usernames and passwords, is released to the wild. These rules were meant to make it harder for brute-force password crackers to guess your password; they do nothing about a password that has already leaked. And a password like "383&^%2FR4256#" is hard to guess but tough to remember.
Some sites suggest mnemonics: "Every Good Boy Deserves Fudge" becomes 'EGBDF.' Easier, but how many little phrases like that do you know?
Lastly, since I have so many passwords, I decided to concern myself only with the sites that I use often and want to be sure are secure. We'll refer to them as tier one.
Ok, so how do I use these rules to make a password that I can remember, that isn't the same for every site, and that I can still remember after a forced change? The problem with that premise is I REEEEALY want to use the same password for every site. Why? Because I'm lazy. I also have a human brain that doesn't like remembering hundreds of passwords. But, really, it's more the lazy part. I decided that the only way to do that is to think of an algorithm. So I came up with this as an example:
(1st site letter) + (my lucky number) + (Passphrase) + (!) + (Number of letters in the domain name)
In this example, my lucky number will be 13.
The passphrase can be anything you like (be creative). I'll use 'Stupefy.'
And the domain is, of course, 'MajorGeeks' (first letter 'M', ten letters; count only the site name, not the '.com').
Push that into the equation, and my new password on MajorGeeks would be 'M13Stupefy!10'. Simple enough.
Going further:
Facebook.com would be 'F13Stupefy!8',
Google would be 'G13Stupefy!6',
Yahoo would be 'Y13Stupefy!5',
Amazon would be 'A13Stupefy!6', and so on.
Voilà! Each password is different, but I only really need to remember one word, 'Stupefy,' for everything. If a major website requires me to change my password, I change the passphrase to something like 'yogurt' across all the tier one sites, and remembering a single change is far easier than remembering several unrelated ones.
Perfect? No. If two sites share the same first letter and the same number of letters, you get the same password at both (Google and GitHub both come out as 'G13Stupefy!6'); the trade-off is simplicity, and a more complicated algorithm fixes it. On the plus side, this is decent protection against credential stuffing, where attackers take a list of previously leaked email and password combinations and replay them at other sites hoping to reach more important accounts, because the leaked password won't match anywhere else. The big drawback is that the variable parts are all derived from the site name, so the only real secret is the passphrase and the lucky number. Anyone who sees even one or two of your passwords next to the sites they belong to (a breach of a site that stored them in plaintext, someone looking over your shoulder) can work out the template and generate the rest.
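To make the collision and the pattern-recovery problems concrete, here is an added Python example that implements the article's template; it is not the author's code. It assumes the site name is the domain's last label before the TLD (so 'www.google.com' counts as 'google', six letters), and the attacker-side function assumes only that the password has the shape "letter, digits, word, symbol, digits", which is what anyone who has seen a couple of them would guess.

```python
import re
from collections import defaultdict

# The article's example values (assumptions for this demo).
LUCKY = "13"
PASSPHRASE = "Stupefy"
SEPARATOR = "!"

TEMPLATE = re.compile(
    r"^(?P<first>[A-Z])"          # 1st site letter
    r"(?P<lucky>\d+)"             # lucky number
    r"(?P<passphrase>[A-Za-z]+)"  # passphrase
    r"(?P<sep>[^A-Za-z0-9]+)"     # separator symbol(s)
    r"(?P<length>\d+)$"           # number of letters in the site name
)


def site_name(domain: str) -> str:
    """Reduce 'www.MajorGeeks.com' to 'majorgeeks'.

    Assumption: the article counts only the bare site name, so drop the TLD
    and any subdomain labels.
    """
    labels = domain.strip().lower().split(".")
    if len(labels) > 1:
        labels = labels[:-1]  # drop the TLD
    return labels[-1]          # keep the label just before it


def derive_password(domain: str, lucky: str = LUCKY,
                    passphrase: str = PASSPHRASE, sep: str = SEPARATOR) -> str:
    """The article's template: 1st letter + lucky number + passphrase + sep + length."""
    name = site_name(domain)
    return f"{name[0].upper()}{lucky}{passphrase}{sep}{len(name)}"


def find_collisions(domains):
    """Return {password: [domains]} for every password shared by 2+ sites."""
    groups = defaultdict(list)
    for domain in domains:
        groups[derive_password(domain)].append(domain)
    return {pw: ds for pw, ds in groups.items() if len(ds) > 1}


def recover_secret(leaked_password: str, domain: str):
    """Attacker side: from ONE leaked (site, password) pair, recover the
    secret parts of the template.  Returns None if the password does not
    fit the template for that site."""
    name = site_name(domain)
    match = TEMPLATE.match(leaked_password)
    if match is None:
        return None
    if match.group("first") != name[0].upper():
        return None
    if int(match.group("length")) != len(name):
        return None
    return {
        "lucky": match.group("lucky"),
        "passphrase": match.group("passphrase"),
        "sep": match.group("sep"),
    }


if __name__ == "__main__":
    sites = ["majorgeeks.com", "facebook.com", "google.com",
             "github.com", "yahoo.com", "amazon.com"]
    for s in sites:
        print(f"{s:16} -> {derive_password(s)}")
    print("collisions:", find_collisions(sites))

    # One leaked pair is enough to regenerate every tier-one password.
    secret = recover_secret("M13Stupefy!10", "majorgeeks.com")
    print("recovered:", secret)
    print("predicted amazon:", derive_password("amazon.com", **secret))
```

Running it lists the five passwords from the article, flags Google and GitHub as sharing 'G13Stupefy!6', and then, from the single MajorGeeks password, recovers lucky number, passphrase and separator and predicts the Amazon password. Swapping the order of the parts or the separator, as the article suggests, only changes the regular expression an attacker needs; it does not add a second secret.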
Now this algorithmic awesomeness is not set in stone. It's just a concept. I do not use the one above, and clearly, you should swap the variables around any way you like or add some new ones to make it original to you. Change the '!' to something like '$%' or use the first two letters of a domain instead of one, whatever works for you. The concept remains the same, and you only have to remember one word. Here are a few ideas you could try.
(1st 2 site letters) + (Dog's age) + (Passphrase) + (#!) + (Number of letters in the domain name + 1)
(Number of letters in the domain name) + (lucky number) + (Passphrase) + (@@) + (1st site letter)
(1st site letter) + (last 4 of your Social Security number) + (Passphrase) + ($) + ((Number of letters in the domain name) + (birthday))
(Number of letters in the domain name * 10) + (lucky number) + (1st site letter) + ($) + (Passphrase) + ($)
One caution on the third one: a birthday and the last four of your Social are exactly the kind of personal data rule 2 above says to keep out of a password, and both turn up in breach dumps and people-search sites. Pick a number nobody can look up.
But what about the sites I rarely use and do not categorize as urgent or often used? For those, I use my all-time favorite password manager, RoboForm. There are excellent free password managers out there that you should look at, but RoboForm has been on my system for the better part of 15 years, so I'm biased. It has a built-in password generator that can make a unique password for any site.
So, if I happen to order a widget from BobsWidgetEmporium, I'll generate some random, weird thing like '1H@XV%$q38K'. I don't care to remember it, and RoboForm will do that for me. If BobsWidgetEmporium.com emails me about a breach, I will know it is clearly not one of my personal algorithmic passwords, and I can change it to something else just as random with no fear that I used the password elsewhere. RoboForm also encrypts your stored passwords, can be cloud-based and cross-platform, and integrates into your browser. Because the browser integration only fills a saved login on the domain it was saved for, it also won't hand your password to a look-alike site, which is a useful check against phishing. So check it out. 'Nuff said.
So there are my thoughts and a secure(ish), changeable, lazy man's password scheme. If you have any comments or suggestions, drop them below.