(This is a guest post by my long-time client Tom Campbell. I recommend working towards using a password manager and will create a post about how to deal with the downsides of one, but for a lot of people you just need a better method of storing/remembering passwords that doesn’t leave you open to being hacked because it is too simple or you use the same password on multiple sites. For this reason Tom’s method below is really great.)
We all have too many passwords to remember. There are dozens of major news stories every year about big companies losing our passwords to hackers, who promptly put them up in public forums or simply sell databases to each other. So here’s what you need to know:
1. At least one of your passwords is already well known to the rest of the planet. Want proof? Visit Have I Been Pwned (haveibeenpwned.com), or do a Web search for an old password you used to use, in quotes.
2. If your passwords are getting leaked, then you have to set priorities. The password you use to visit a badly dressed cat website is more disposable than the one for your bank account.
3. The longer the password, the less chance you have of it being guessed. Most password guessing is automated: a program first tries a list of common passwords and dictionary words (a dictionary attack), then works through variations of them, and only then starts methodically generating every possible combination. Each additional character multiplies the number of combinations by the size of the character set (26 for lowercase letters alone, 62 once you mix in capitals and digits, more with symbols), so the longer your password, the better.
4. Many feel the best solution is to use a password manager. I recommend and use [insert affiliate link here]. They automatically generate long, unique passwords for each site you use. The main problem is… you need a strong master password for the manager itself, and if you don’t remember it, you’re toast! A secondary problem is, if you need to use someone else’s computer not running your password manager, you won’t have the foggiest idea what to do.
5. So here’s how to balance simplicity against your fallible memory. For the 4 or 5 most important accounts you use, write the passwords down on a piece of paper and share them with your significant other (more on this later). The rest of your passwords should be based on a core password you create, plus a few additional characters based on each site you use it on and on how much of a problem it would be if that password were leaked.
Think through your core password together with your SO, if you have one. Don’t make it your pet names, your kids’ names, or any family members’ birthdays, because you already gave that stuff to Facebook for the whole world to see. Make the core password something that means a lot to you. Maybe you’re a huge Linkin Park fan (I knew you had good taste). Since you already let that out to the world on Facebook too, modify it so it isn’t the plain name: lincolnpark, or better, L1inconprk.
Next, add characters to your password based on the name of the site. Use the same rule every time. Let’s say it’s the last 4 characters of the site name, so if you decide to join Reddit, or change your password, you’d make it “L1inconprkddit”. Finally, add a few characters (also the same every time) if it’s a low-importance site. I love Reddit but it’s not as important as my credit card password. Therefore I would add “Lis” for “Low Importance Site” to all such passwords. My example Reddit password is now “L1inconprkdditLis”. If I sign up to a new low-importance site, say, Hacker News (which is news.ycombinator.com), my password would be “L1inconprkatorLis”.
For a site that’s more mission critical but not my bank, I add a different string signifying high priority. This is based (for example) on a place that my wife and I love to visit but that we don’t talk about much. Let’s say it’s Ashland, Oregon. My high-priority password now becomes “L1inconprkdditAOR2016((” (keeping Reddit’s “ddit” here only to show the pattern). “AOR” for Ashland, Oregon, and 2016 because we actually visited it in 2017 and that’s on my Facebook account. Only she and I know the modified date. I ended it with “((” because symbols (characters that are neither letters nor digits) always add strength, but not all sites accept them. So I put those at the end, where they are easy to drop when you’re signing up for a new site and discover it’s picky about special characters. One caveat to keep in mind: a rule like this defeats automated credential stuffing, which simply replays the exact leaked password on other sites, but not a human attacker who reads “L1inconprkdditLis” in a dump, recognizes “ddit” as Reddit, and tries the same core with other site endings. That is exactly why the accounts that really matter get their own unrelated passwords in step 6.
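To make the rule concrete, here is the scheme from step 5 written out as a small Python script. This is an added example, not Tom’s code or any product’s: the core “L1inconprk”, the site keys and the tags are taken from the examples above, the reading of “site name” as the label just before the top-level domain is an assumption, and the second function shows the other side of the coin, how an attacker who finds one of these passwords in a breach dump can derive the rest without ever being told the rule.

```python
from typing import Optional

# Added example; not Tom's code. It implements the post's derivation rule
# literally and then shows what one leaked plaintext password gives an
# attacker. The core "L1inconprk" and the tags "Lis" and "AOR2016((" are the
# post's own examples; everything else is constructed here.

# Importance tags from the post's examples (assumed to be fixed strings).
TIER_TAGS = {"low": "Lis", "high": "AOR2016(("}


def site_key(hostname: str) -> str:
    """The post's rule: the last four characters of the site name.

    Assumption: "site name" is the label just before the top-level domain,
    so reddit.com -> "reddit" -> "ddit" and news.ycombinator.com ->
    "ycombinator" -> "ator". (Two-part suffixes such as .co.uk would need
    a public-suffix list; they are ignored here.)
    """
    labels = [part for part in hostname.lower().strip().split(".") if part]
    if not labels:
        return ""
    name = labels[-2] if len(labels) >= 2 else labels[0]
    return name[-4:]


def derive(core: str, hostname: str, tier: str) -> str:
    """core + site key + importance tag, exactly as the post describes."""
    return core + site_key(hostname) + TIER_TAGS[tier]


def guess_from_leak(leaked: str, leaked_site: str, target_site: str) -> Optional[str]:
    """The attacker's view of the same rule.

    Given one plaintext password from a breach of leaked_site, find the site
    key inside it, split off the core (before) and the tag (after), and reuse
    both for target_site. Returns None if the leaked password does not look
    like it was built with this rule.
    """
    key = site_key(leaked_site)
    idx = leaked.rfind(key)
    if not key or idx == -1:
        return None
    core, tag = leaked[:idx], leaked[idx + len(key):]
    return core + site_key(target_site) + tag


if __name__ == "__main__":
    core = "L1inconprk"
    reddit = derive(core, "reddit.com", "low")
    print("reddit.com           ->", reddit)
    print("news.ycombinator.com ->", derive(core, "news.ycombinator.com", "low"))
    # The attacker is never told the rule; the leaked string alone is enough.
    print("guessed from leak    ->", guess_from_leak(reddit, "reddit.com", "news.ycombinator.com"))
```

Run it and the last line prints the Hacker News password the post arrives at by hand, derived purely from the Reddit one. That is the reason the per-site rule is only a defence against automated reuse, and the few accounts that matter most need passwords that share nothing with the core.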
6. Now what about those few mission-critical bank, government, or credit card passwords? Make them long and complicated with numbers, letters, and special characters, and unrelated to your core password. Write them down on a sticky note and decide on a place for this sticky note with your SO. You aren’t allowed to put it in any of these places, because bad guys check them first when they have access to your house: nightstand, dresser drawers (any of them), refrigerator, cookie jar, desk (anywhere), or in plain sight. So maybe a diaper bag, or an old pair of mud-covered shoes in the back of your closet, something like that. Once a month review this location with your SO. We live in a state that requires monthly safety meetings of its businesses, so we review it at that time.
Now the truth is, I take this even further. We have agreed on a base high-priority password. It’s short but weird. We make this the start of our password, then what goes on the paper is what follows that base password. Which means you could see my precious sticky note and it wouldn’t do you a damn bit of good.
Really? Isn’t there anything easier?
No, there’s no way around this system if you aren’t going to use a password manager but have an average memory. In practice we have found this to be easy to remember and our kids use the same system for their own passwords, so even impatient teenagers can get used to it quickly. And I have never, ever had a public password dump cause a serious problem.
Spend the hour or so now to get this system going in your house before your personal information gets leaked, again, by a giant multinational corporation that should know better. It’s boring, but way cheaper than dealing with identity theft and a hit to your credit rating.