The Strong Password Conundrum – Usability vs. Security

[Editor's Note: today's post is by guest author R. Michelle Green, the Principal for her company, Client Solutions. She is a combination geek girl, personal organizer, and career coach. She helps others improve their use of technology in their personal or professional life. Today, Michelle tackles a problem we all struggle with: managing our online passwords.]

By R. Michelle Green

There are several lovely columns online reviewing password management programs. This post is not one of them. This is about the journey: deciding whether you need a password program.

In 2005, I read Smart Computing’s article about password algorithms until my eyes glazed over about halfway through. I like codes and math, and even I didn’t want to do what they suggested. Reading Riva Richmond admit on Gadgetwise to using the same password for everything gladdened my heart, but I did fear for the internet’s hoi polloi: the ones with abc123 for a password. (Before you laugh, that’s the 10th most common, based on a hacker’s posting of 32 million harvested passwords last December. The data has proven invaluable for research on password creation. Half of the top 10 most common passwords were numbers, ascending in order, starting with one.)

In fact, stop reading right now, go change your passwords if yours is on this list, and then come back.

I was in graduate school in 2005, and they had a crackerjack IT group. We had to change our passwords every 90 days. It was annoying as hell, even as I respected the reasoning. I learned to reuse the same strong password: start in the middle, do it backward, or make ‘syllables’ out of it and reorder the syllables. In each case, my fingers still remembered the order; I just had to remember where to start and where to end. This technique uses more than one type of long-term memory. It takes the password problem out of episodic (unique experiences) memory and puts it in the procedural (muscle memory) part. (See? Watch Castle, learn something.)

I was pretty proud of my techniques -- for a while.

Recently, I hit the tipping point. Five years later, I can no longer keep up with my own usernames and passwords. I thought I had a reasonably good system of usernames and passwords of varying strength. If I couldn’t remember the pairing, I usually had enough tries to hit the right combination. Worst comes to worst, I could at least hit the right username and get a reset sent by email. With more and more sites asking for strong passwords longer than my go-to guys (and even strong usernames!), I was generating options faster than I could remember them. Even more annoying, some of the strongest passwords were being requested by sites where I keep no private information, just read published content.

Being Ms. Independent, I created a list using code and free cryptic that would make sense to me but no one else. I remain uneasy, however. I have usernames and passwords for over 35 online accounts now, with 8 e-mail addresses and counting (and I bet that status is nostalgic for some of you). Maybe it’s time for a more robust response. That means one of two things – a password algorithm simple enough to remember but still capable of creating passwords unique to each site; or a password management system.

This is not a trivial issue. In 2004, a young widow thrust her dead partner’s computer at me. “She said you’d know how to find her passwords.” The information was a major hurdle for the widow – their online commerce footprint even then was huge. I found the password list, but the scene nagged me – what if a foe, not a friend, had found the totally unprotected word document on her computer? Is this an issue that a Living Will should address? Where’s the right balance between writing your passwords out clearly (helpful for emergencies), and having an arcane rule in your head that no one could ever deduce (great for around-the-clock protection)?

Though I suspect I may have a password program one day soon, I remain a fan of the personally unique arcane algorithm. A common and robust online suggestion involves a sentence with personal meaning for you, with this root word modified per site. This method follows the line taken by this blog’s host in an earlier post on password salting. Sheldon on "The Big Bang Theory" television show, for example, would probably like Ihb&asbYF.LL&P! as a root word. And you may note, I never told you what my rule actually is. A wise man said, the best-kept secret is the one you don’t tell anyone.
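One way to make "root word modified per site" hold up even if a site's copy of your password leaks is to let the site name act as the salt in a key-derivation function, so each site gets an unrelated-looking password and none of them reveals the root. The example below is added here and is not the author's rule or any particular password program's algorithm; it assumes PBKDF2-HMAC-SHA256 (Python's standard library), a 16-character output, a small symbol set, and a per-site counter so one site's password can be rotated without changing the root. The root shown is the post's Sheldon example.

```python
"""Derive a distinct, policy-friendly password per site from one memorised root.

Added illustration, not the post's scheme: the site name (plus a rotation
counter) is the salt to PBKDF2-HMAC-SHA256; the root passphrase never leaves
the machine and cannot be recovered from any single derived password.
"""
import hashlib
import string

UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
SYMBOLS = "!@#$%&*?"          # assumption: symbols most sites accept
ALPHABET = UPPER + LOWER + DIGITS + SYMBOLS   # 70 characters

ROOT = "Ihb&asbYF.LL&P!"      # the post's example root word


def derive_site_password(root: str, site: str, counter: int = 1,
                         length: int = 16, iterations: int = 200_000) -> str:
    """Deterministic per-site password; bump `counter` to rotate one site only."""
    if length < 4:
        raise ValueError("need room for one character of each class")
    # Normalising the site name keeps 'Example.com' and 'example.com' identical.
    salt = f"site:{site.strip().lower()}:v{counter}".encode("utf-8")
    key = hashlib.pbkdf2_hmac("sha256", root.encode("utf-8"), salt,
                              iterations, dklen=length)
    # First four bytes guarantee one upper, lower, digit and symbol so that
    # common complexity rules pass; the rest map into the full alphabet.
    # (256 % 70 != 0, so the mapping is slightly biased; fine for illustration.)
    chars = [UPPER[key[0] % len(UPPER)],
             LOWER[key[1] % len(LOWER)],
             DIGITS[key[2] % len(DIGITS)],
             SYMBOLS[key[3] % len(SYMBOLS)]]
    chars += [ALPHABET[b % len(ALPHABET)] for b in key[4:]]
    return "".join(chars)


def meets_policy(password: str, min_length: int = 12) -> bool:
    """The usual 'length plus all four character classes' site rule."""
    return (len(password) >= min_length
            and any(c in UPPER for c in password)
            and any(c in LOWER for c in password)
            and any(c in DIGITS for c in password)
            and any(c in SYMBOLS for c in password))


if __name__ == "__main__":
    # Constructed site names for demonstration.
    for site in ("example.com", "bank.example", "forum.example"):
        print(f"{site:15s} {derive_site_password(ROOT, site)}")
    print("rotated:        ", derive_site_password(ROOT, "example.com", counter=2))
```

The caveat the post hints at still applies: the root is a single point of failure, so if it is ever disclosed every derived password must be rotated (here, by changing the root, since the counter only protects one site at a time). The design also gives up the "write it down for emergencies" option unless the root and the derivation rule are both recorded somewhere the right person can find them.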


© 2010 R. Michelle Green. Reprinted with permission.

Comments


eema

In Sheldon's make-believe password, I got the "live long and prosper" (LL&P). What does the beginning mean?

Charles Jeter

On secrets: three can keep a secret if two are dead. Wise to cloak your protection scheme.

:)

R. Michelle Green

Hello Eema -- thanks for reading my post!

The signature Spock scene (which can still make me tear up to this day) is in Wrath of Khan, when Spock essentially has to 'kick start' the warp drive. Is that enough of a clue?...

R. Michelle Green

R. Michelle Green

Hello Charles, good to see you on the site again!

Ultimately, you are absolutely correct -- the best secret is kept by a single person. I said nothing about my own password scheme, for example...

R. Michelle Green

Thomas Smith

Of course, good article; password management is very important. Even an ordinary person or anyone in an IT specialization without a secure password is at such risk. We can use special characters or combinations of letters, numbers and some symbols, which are best for safety. Thanks for the good discussion.
