Monday, 25 May 2009

How to make memorable but secure passwords

Some people, perhaps most, have a system for making passwords. Some systems
involve using the same password everywhere: easy to remember, but if it is
discovered, the person's whole online life is easily accessed. Others use
different passwords and write them down.

My system is to maintain long, virtually unique passwords which I never need
to commit to paper or electronic note.

My goals are:

* at least 8 characters
* use uppercase, lowercase, digits and symbols/punctuation
* the discovery of the system should not compromise my passwords
* no need to record any password
* be able to quickly work out my password for any site

The System

* Make up a memorable code with preferably uppercase, lowercase, numbers and
symbols/punctuation.
* For each site, consistently use some aspect of the site, such as 3 or 4
letters/numbers of the site URL, modified in some systematic way, and add
it to your memorable code. Add it using any rule you like.

There is a problem with this system: sometimes sites change their name,
which has happened to me once. In that case I did not need to change my
password, but since most sites will send your password to you should you
forget it, you can easily have your old password recovered and then change
it. It doesn't happen often.

Examples

Assume your memorable code is Ab19#z.

Example 1: Take the first, second, second-last and last characters of the
site name, reverse them, capitalize the first and last, and insert the
result after the 4th character of your memorable code.

So a password for google.com would be Ab19EloG#z.

And for ibm.com it could be Ab19MbbI#z. (You should have some way to handle
site names that 'fail' your system, or sites that require passwords longer
than your system produces.)

Example 2: Insert the memorable code between the first and last characters
of the site name.

So the password for google.com would be gAb19#ze.
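The two example rules written out as code, so the derivation can be checked against the post's own results and against the goals listed above. This is an added example, not the post's code; it assumes "the site" means the label before the first dot with any leading "www." removed, and treats a name shorter than 2 characters as one that 'fails' Example 1.

```python
# Added example: the post's two derivation rules plus a check of its goals.
import string


def site_name(site: str) -> str:
    """Assumption: the site name is the label before the first dot,
    lower-cased, with a leading 'www.' dropped ('www.google.com' -> 'google')."""
    host = site.lower()
    if host.startswith("www."):
        host = host[4:]
    return host.split(".")[0]


def site_fragment(site: str) -> str:
    """Example 1: first, second, second-last and last characters of the
    site name, reversed, with the first and last capitalized."""
    name = site_name(site)
    if len(name) < 2:            # no distinct 2nd / 2nd-last character: rule 'fails'
        raise ValueError(f"site name too short for this rule: {site!r}")
    picked = name[0] + name[1] + name[-2] + name[-1]   # 'google' -> 'gole'
    rev = picked[::-1]                                 # 'elog'
    return rev[0].upper() + rev[1:-1] + rev[-1].upper()  # 'EloG'


def rule1(code: str, site: str) -> str:
    """Example 1: insert the site fragment after the 4th character of the code."""
    return code[:4] + site_fragment(site) + code[4:]


def rule2(code: str, site: str) -> str:
    """Example 2: wrap the code in the site name's first and last characters."""
    name = site_name(site)
    if len(name) < 2:
        raise ValueError(f"site name too short for this rule: {site!r}")
    return name[0] + code + name[-1]


def meets_goals(password: str) -> bool:
    """The post's goals: at least 8 characters using uppercase, lowercase,
    digits and symbols/punctuation."""
    return (len(password) >= 8
            and any(c.isupper() for c in password)
            and any(c.islower() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in string.punctuation for c in password))


if __name__ == "__main__":
    code = "Ab19#z"   # the post's example memorable code
    for site in ("google.com", "ibm.com", "www.google.com"):
        print(site, rule1(code, site), rule2(code, site))
```

Only the memorable code is secret; the site fragment is derived from public information, which is the reason for the post's later point that the code must be secure on its own.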

It goes without saying (hopefully) that you should make up your own system
and you should probably not use my examples.

Ideas

* Consider using the organisation type or country code.
* Consider using multiple systems: one for important sites and a simpler
system for ad-hoc, single-use and other sites not containing personal data.
* Consider a version of the system for your home PC accounts.

You should assume that your system could be discovered, so you need to
choose a memorable code that is secure by itself.

If you want to document your system, do so with care. You should not write
it down verbatim; try to obscure it ;-)