08 August 2011

Rise of the Use of the Pathetic Password

Since I do a lot of light tech support for friends, I'm privy to many of their passwords. As a general rule, their choices are terrible. Like really, really terrible. These are smart people who should be aware of the consequences of weak cyber security, but they invariably have stuff like "password444" or "lastnameBIRTHYEAR." If I can guess your password within ten tries, it's pathetic. Please don't use the site name in the password either. "gmail1234" is never a good idea.

Sometimes people think capitalizing things will make a difference. Um, not really. Capitalizing the first letter is the first trick every password-cracking tool tries, so you'll just confuse yourself. Spelling stuff backwards is no good either, for the same reason. A handy skill for that one category in Cranium but bad for passwords. The number one whine I hear when I call out people's crappy passwords? "I have to make it easy because otherwise I can't remember them."
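As an added illustration (not from the original post), here is a toy version of the "ten tries" test in Python. The profile, the wordlist and the suffix list are all constructed sample data, and the function names are mine; a real cracker starts from millions of leaked passwords and far more mangling rules, so read the guess numbers as the order of attack, not as a measure of strength.

```python
"""Toy "ten guesses" test: given a few facts about a person, mangle a tiny
wordlist the way cracking tools do (capitalize, reverse, append digits, glue
on the site name) and report at which guess a password falls.
"""

# Constructed sample profile for the example; nothing here is real data.
PROFILE = {"lastname": "smith", "birthyear": "1977", "site": "gmail"}

# Deliberately tiny base wordlist and suffix list (real ones hold millions).
BASE_WORDS = ["password", "letmein", "qwerty"]
SUFFIXES = ["", "1", "123", "1234", "444", "!", "2011"]


def mangle(word):
    """Yield the cheap variants of a word that every rule set tries first."""
    yield word
    yield word.capitalize()        # "password" -> "Password"
    yield word.upper()             # "PASSWORD"
    yield word[::-1]               # spelled backwards: "drowssap"
    yield word[::-1].capitalize()  # "Drowssap"


def candidates(profile):
    """Return guesses in the order a lazy attacker who knows you would try them."""
    lastname, year, site = profile["lastname"], profile["birthyear"], profile["site"]
    guesses = []
    # First, what the attacker knows about you: lastname + birth year variants.
    for name in (lastname, lastname.capitalize(), lastname.upper()):
        guesses.append(name + year)
    guesses.append(year + lastname)
    # Then your name, the site name and dictionary words, each mangled and suffixed.
    for word in [lastname, site] + BASE_WORDS:
        for variant in mangle(word):
            for suffix in SUFFIXES:
                guesses.append(variant + suffix)
    return guesses


def guesses_needed(password, profile, limit=None):
    """1-based guess number at which `password` is hit, or None if it survives.

    With limit=10 this is exactly the post's "can I guess it in ten tries" test.
    """
    for n, guess in enumerate(candidates(profile), start=1):
        if limit is not None and n > limit:
            return None
        if guess == password:
            return n
    return None


if __name__ == "__main__":
    for pw in ["smith1977", "gmail1234", "password444", "Password444", "drowssap",
               "mniimykmfptd314159"]:
        print(f"{pw:20s} guess #{guesses_needed(pw, PROFILE)}")
```

With this list "smith1977" is guess number one, and "gmail1234", "password444", "Password444" and "drowssap" all fall inside the first hundred of 179 guesses; the capitalized and reversed versions cost the attacker a handful of extra tries, not a handful of extra years.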

I could rant for a long time about this, but I'll let it go. Basically, if your best reason for having a six-year-old's password is that you can't remember them, you have a brain problem. "I named my child Nine because it was just easier. I can't remember which one she is otherwise." If you can remember all the first and last names of every 1990s sitcom character, you can remember your passwords. Don't undersell your human intelligence.

Passwords are the key to the most important portal of your life: the Internet. If things get lost or misremembered, you're screwed. In order to avoid this catastrophe, what you need is a password system, or matrix, that allows you to recreate your passwords without draining your memory reserves. Let me help you by suggesting one. First, you need three passwords. Actually, screw that, you need five. The modern man needs at least five passwords.

  1. Throwaway (for sign ups to random things, spam email accounts)
  2. Generic (social networks, Dropbox, frequent flier accounts, Wi-Fi router)
  3. Sites that require credit cards (Netflix, PayPal, Amazon, eBay)
  4. Personal (personal email, FTP, blogs)
  5. Top Level (secret journals, bank accounts, emails to your other lover)
The throwaway password, you can make that whatever you want. Hang on to the password you've used since 1999, for old time's sake if you want, I don't care. The other four, you need to pick things that are related to one another. One of my friends picks movie quotes to create an acronym. I support that. It makes for long text strings that make no sense to anyone else but are still easy to remember. You have to add some numbers to your password too. Use a sequence that can flow nicely into the next password: multiples of something, prime numbers, digits of pi, whatever.
Example: "My name is Inigo Montoya. You killed my father. Prepare to die." becomes "mniimykmfptd314159": the first letter of each word ("mniim" + "ykmf" + "ptd") followed by the first six digits of pi. The next password on the chain would be "ybmdad2653589", which is "You've been mostly dead all day" plus the next seven digits of pi. Or just use part of a long quote for each password, and continue the sentences on through.
The actual passwords don't matter, as long as you can quickly recreate the matrix when needed. Famous phrases, song verses, things people say about you behind your back, anything like that works. Maybe you don't remember the password to your Tumblr, but a quick Google search for Princess Bride quotes and the sequence of prime numbers and voilà, all your passwords recreated, ready for use. Then you crumple up the note and stuff it down your throat, because you don't want anyone else to see it.
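The matrix above, written out as Python so you can see exactly how each password is derived and rebuilt. This is an added example, not code from the original post: the two quotes and the six- and seven-digit chunk sizes come from the post, while PI_DIGITS, prime_digits() and the function names are mine.

```python
"""Acronym-plus-digits password matrix: each tier's password is the first
letters of a quote followed by the next chunk of a shared number sequence,
so the whole chain can be regenerated from the quotes and the sequence.
"""

# Decimal expansion of pi with the point dropped, starting "3141..." as the post does.
PI_DIGITS = "31415926535897932384626433832795028841971"


def acronym(phrase):
    """Lowercased first letter of each word; tokens that start with punctuation are skipped."""
    letters = []
    for token in phrase.split():
        if token[0].isalnum():
            letters.append(token[0].lower())
    return "".join(letters)


def prime_digits(count):
    """Concatenated primes as a digit string ("2357111317..."), the post's other suggestion."""
    digits, n = "", 2
    while len(digits) < count:
        if all(n % p for p in range(2, int(n ** 0.5) + 1)):
            digits += str(n)
        n += 1
    return digits[:count]


def build_chain(phrases, digit_counts, sequence=PI_DIGITS):
    """One password per phrase; each takes the next `digit_counts[i]` digits of `sequence`."""
    if len(phrases) != len(digit_counts):
        raise ValueError("need one digit count per phrase")
    passwords, pos = [], 0
    for phrase, n in zip(phrases, digit_counts):
        chunk = sequence[pos:pos + n]
        if len(chunk) < n:
            raise ValueError("sequence exhausted; pick a longer one")
        passwords.append(acronym(phrase) + chunk)
        pos += n
    return passwords


def build_matrix(tier_names, phrases, digit_counts, sequence=PI_DIGITS):
    """Map tier names (generic, credit card, personal, top level) to chain passwords."""
    return dict(zip(tier_names, build_chain(phrases, digit_counts, sequence)))


# The two Princess Bride lines used in the post.
QUOTES = [
    "My name is Inigo Montoya. You killed my father. Prepare to die.",
    "You've been mostly dead all day",
]

if __name__ == "__main__":
    for tier, pw in build_matrix(["generic", "credit card"], QUOTES, [6, 7]).items():
        print(f"{tier:12s} {pw}")
```

Both inputs to build_chain are public (the quotes are on any fan site, pi is pi), so the only secret is which quotes, in which order, with which sequence and chunk sizes; that choice is the decoder ring, and it is what the crumpled-up note is protecting.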

While I can't guarantee that you won't be hacked or have your accounts stolen with this method, I can guarantee that you won't have dumb passwords that you forget in moments of crisis. My take-home points are these: (1) Have more than one password and re-use each one only on similarly themed sites, so a leak at some random sign-up site can't reach your bank. (2) Create passwords that are loosely connected and easily re-creatable once the decoder ring is applied. (3) Hand me your computer so I can hack my way through it and find out if your passwords are lame. It's a service, not a violation.

In addition, I nominate October 10th as national (change your) password day. Everyone gets the day off work in order to change their passwords. 10/10 will be a nice reference to binary code and remind us that cyber security is just as important as Memorial Day or Labor Day or Presidents' Day. More important, actually: Encryption Day should be two days, 1010 through 1011. Clear your calendars.