Revealed: Our picks for the best password strategies
Readers offer hundreds of good ideas. Who's got the best one?
- By Kevin McCaney
- May 25, 2010
If you’re looking for tips on how to create, recall and manage strong passwords, you would do well to listen to our readers. They don’t seem to have the bad habits that lead to the weak, easily guessed passwords that abound on systems and Web sites everywhere.
Earlier this month, we reported that data security company Imperva had analyzed 32 million passwords stolen from an application developer and listed the 10 passwords most commonly used. At the top of the list was “123456,” the network equivalent of “Joe sent me” at an old-time speakeasy. Most of the rest were equally bad, such as the Web site's name used as a password, and, of all things, “password.” If you visit these folks and they're not home, don't worry: The key is right under the mat.
So we asked our readers for their ideas on creating and managing strong passwords, and made it into a contest. The response was impressive. We received a total of 218 comments to our stories on this issue, and every single one of them was better than “123456.” A lot better, in fact. And we don’t think people were in it for the loot – we humbly offered a T-shirt as the prize – but were more interested in spreading the word on secure authentication practices.
Strong password management: You got a better idea?
Strong passwords: You DO have better ideas!
Are password rules just bad magic?
As we count down to our winner, let’s looks at some of the better ideas.
Quite a few readers take an acrostic approach to building their passwords, selecting phrases familiar to them, lines of poetry, song lyrics or recent memories. JCL, an avid golfer, builds passwords based on his most recent good round, something no golfer ever forgets. Another writer bases his on slang words he used in Asia while stationed there in the Army.
Once they have their basic password down, most of our contributors then substitute capital letters and special characters here and there. Using @ for a, and 1 for I, for instance, can keep the substitutions easy to remember.
Some writers stress the importance of password length, pointing out that adding even two added letters makes a password considerably harder to crack. Both BB from Ohio and Michael from Offutt Air Force Base, Neb., recommended using short basic passwords, of three to seven characters, and then repeating them to make a longer password.
And several people, including dmiller of Washington, D.C., recommended using keyboard patterns rather than thinking about specific words or phrases. “I use spatial patterns to create my passwords,” Miller wrote. “The advantage is that all I really have to remember is the starting point, ending point and the pattern. In fact, I probably couldn’t recite the characters of my password from memory if tortured.” Another advantage of this approach is that changing a password requires changing only the starting point, so even if a user wrote down the first character, someone who found the list wouldn’t know what follows.
All solid ideas. But the real trick to password management, as many readers pointed out, is remembering and protecting the passwords for many log-ins. At least one reader mentioned having 128 passwords; several others cited 50. How do they keep them all straight and secure?
Jack Holbrook of Lacey, W.Va., recommended building passwords from a favorite book, based on a combination of page number and line numbers. “You can even keep the page and line number written down and somewhere in plain sight,” he writes. “No one knows your favorite book or where it is located.” (Note to social media mavens: If you use this approach, don’t list your favorite novel on Facebook.)
There also is the more digital approach of using password management tools, recommended by quite a few readers. Ben Walker in Washington, D.C., uses KeePass, a free, open-source tool that was among those reviewed by the GCN Lab (and compared with the old-school, Post-it note method).
Utilities such as KeePass, RoboForm, 1Password and LastPass have the distinct advantage of leaving you with just one strong password to remember – the password to get into the encrypted utility, where the other passwords you need are kept. And you can cut and paste passwords from the list to whatever system or site you’re logging onto, which is a defense against keylogging software.
Of course, no system is perfect, and these tools do create a single point of failure if they’re ever compromised. And if you use multiple computers, you have to have them loaded onto each machine. Still, they do offer a secure, efficient way to keep a long list of passwords.
Which brings us to – drumroll – our winner. Ron from northwest Indiana wrote:
“While all the suggestions above are good, none are as strong as random generated passwords. I work for a business that stores business and medical records that must be kept secure. Also, we use the cloud for document management. Since any information is only as secure as the password needed to access it, I create 16-24 character passwords, encrypt them on a flash drive that I carry with me at all times, and duplicate in a safe spot, e.g., safe or safety deposit box. I need remember only one password to access the list (and like everyone else, it's a long list) if I've forgotten something. Keeping the flash drive safe and accessible is easier than you might think. Like any other system it takes some adjustment, but I know that my information and my clients' information will remain accessible only to those who are authorized to view it. Of course, we take other precautions. Passwords are only the first step in a long line of security procedures, but one of the most important.”
Ron’s approach covers just about every step security experts recommend. The passwords are strong. He keeps them in an encrypted file, but one that is mobile, so it can travel with him and be used on multiple machines. If he loses it, the files are still encrypted – and he has a backup, so he still has his passwords. And, perhaps most important, he and his organization recognize that passwords are only one part of a secure computing environment.
Whether this system would work with a BlackBerry or other smart phone might be problematic, but, as we said, no system is perfect. However, if you have a lot of passwords and a need for security (which covers practically everyone these days), this system is a good one. Congratulations, Ron. Your T-shirt will be on the way soon.
On a final note, several readers questioned the whole idea of offering password tips. “The first rule about passwords is don’t share your rule,” wrote Larry Frank. “If rules are commonly shared, then systems to crack passwords use those rules to limit their search.”
That’s a fair point, but since our readers offered so many different methods, we figure we have safety in their variety. If you’re looking for a new password method, choose the one you like – just don’t tell anyone.
Or, as Christopher, with tongue in cheek (we think), put it: “I've devised a foolproof method for creating easy-to-remember passwords that are impossible to crack. If I describe it, though, I'd have to kill you.”
Kevin McCaney is editor of Defense Systems. Follow him on Twitter: @KevinMcCaney.