
Helping users remember their passwords

Passwords: They should be made difficult to guess, you should change them periodically, you shouldn't write them down, and they're hard to remember. What advice should be given to users regarding password management strategy?

----------------------------------------------------------------------------

This question was actually asked of me recently, when I configured a new financial software installation. I strongly suggested that the primary user (the office bookkeeper) create a new and unique user name and password, one that no one could possibly guess, and I advised her not to write it down anywhere. "How in the heck am I supposed to remember it?" she asked. It got me thinking about how reliant we are on passwords, how often we use them, and how vulnerable we are because of them.

What are the most common passwords? Password, 12345, qwerty, and so on are pretty common. Your kid's or spouse's name, your pet's name, and the like are also pretty common, I suppose because they're so easy to remember. However, they're also easy for busybodies, thieves, cheats, and swindlers to guess. Identity theft has become one of the most common crimes in today's technological world, and easy password theft plays a big part in that. And both corporate security and user privacy depend on passwords used for any number of purposes.

E-mail account passwords, passwords for a second or third e-mail account, document passwords, server log-in passwords, application management passwords, application user passwords, FTP site passwords, Web site passwords, vendor Web support passwords, e-commerce passwords (such as eBay, PayPal, and on-line banking), and the list goes on and on. One can't possibly use a unique password for each and every case, much less change it periodically -- all without writing it down. Yeah, right.

Here's the advice I gave to the user who asked me how to remember passwords.

For the relatively benign types of uses, I'll use something easy to remember, and one I'll never change. Something like a name or an easily remembered number. For example, when Hewlett Packard or some other vendor requires a user name and password to download a driver or access some content, it's always the same one. I couldn't care less if someone else knows what it is. What's the worst that can happen? They download hundreds of drivers in my name? Who cares? For these types of things, I use the same one over and over again, I never change it, and I never will. If I have to go to that vendor Web site only once every couple of years, I don't have to rack my brain remembering its own unique password.

For things that might be of little consequence if someone guessed it, but I wouldn't really want it to happen, I'll use a different password. The worst that can happen is that someone stumbles upon it and causes a mild disruption, but it couldn't really do any significant harm. I might change this password from time to time, but certainly not on a regular basis. My TechRepublic password, for example, is something that's meaningful to me, something that I'll not forget, but it's not unique for only TR; I use the same one for several cases.

For uses that are very personal and private, ones that could have serious repercussions if anyone ever gained access, I do indeed follow the standard advice. This is what I told the user who asked me, because hers was such a case. I do change them from time to time, probably about twice a year, and I never write them down. I make them extremely difficult for anyone to guess (or for a cracking program to find), and I use a combination of numbers, punctuation characters, and letters, both upper and lower case. And to make it easy for me to remember, I pick something meaningful to me, but arrange it in such a way that it is meaningless to others.

For example, I might remember Central High School class of 1982 and create the password CenHS-co82. (I didn't really attend Central High School, nor did I graduate in 1982.)

Or I'll remember the make and model of my first girlfriend's car -- the one I put a nasty scratch on, and the incident over which her father almost killed me! Remembering that 1965 Chevrolet Impala Super Sport (I scratched the fender) might result in a password, ChevI65SS+Istf. How could I ever forget that car? It was a red convertible with a 327 C.I. engine. When it comes time to change my password, I could remember the same thing, but connected differently: 65ChevSS@327CI (I suppose I can never use these, since I just gave them away!)

If you have two kids, Mary and Billy, aged 16 and 12, respectively, you might be able to create a password, 2k-Ma16&Bi12.

Anyway, I advised her to come up with a phrase or a combination of things she could easily recall and condense them into upper and lower case letters, some numbers, and a punctuation character or two to connect them. When the time comes to change it, she simply starts from something different that she remembers just as well.
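As an added example (not code from the original article), here is a small checker for the advice above, run on the article's own sample passwords and on the common ones it names. The common-password list is a constructed sample; the ten-character floor and the repeated-character rule are thresholds chosen here rather than stated in the article; the guess rate is an assumed figure for an offline attack on a fast hash; and the keyspace figure is a coarse upper bound. A password condensed from a fact about you is drawn from a much smaller space than the character classes suggest, which is exactly why the article says to arrange it so the fact is meaningless to others.

```python
"""Added example, not code from the original article: a checker for the
article's advice. COMMON_PASSWORDS is a constructed sample, the length
floor and repeated-character rule are thresholds chosen here, and
GUESSES_PER_SECOND is an assumed attacker speed."""
import math
import string

# constructed sample; the article names the first three
COMMON_PASSWORDS = {"password", "12345", "qwerty", "123456", "letmein", "abc123"}

# assumed attacker speed for the cost estimate: 10 billion guesses per second
GUESSES_PER_SECOND = 1e10

# character class -> (members, alphabet size it contributes)
CLASS_SIZES = {
    "lower": (string.ascii_lowercase, 26),
    "upper": (string.ascii_uppercase, 26),
    "digit": (string.digits, 10),
    "symbol": (string.punctuation, len(string.punctuation)),
}


def classes_used(pw):
    """Names of the character classes that appear in pw, in CLASS_SIZES order."""
    return [name for name, (chars, _) in CLASS_SIZES.items()
            if any(c in chars for c in pw)]


def keyspace_bits(pw):
    """log2 of the smallest class-based keyspace containing pw (an upper bound)."""
    alphabet = sum(CLASS_SIZES[name][1] for name in classes_used(pw))
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def years_to_exhaust(pw):
    """Time to try every string in that keyspace at GUESSES_PER_SECOND, in years."""
    return 2 ** keyspace_bits(pw) / GUESSES_PER_SECOND / (365 * 24 * 3600)


def evaluate(pw):
    """Apply the rules; returns the problems found (an empty list means it passes)."""
    problems = []
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("common password")
    if len(pw) < 10:                       # threshold chosen here
        problems.append("shorter than 10 characters")
    if len(classes_used(pw)) < 3:          # article: numbers, symbols, both cases
        problems.append("fewer than three character classes")
    if len(set(pw)) <= 2:                  # e.g. "********"
        problems.append("built from repeated characters")
    return problems


if __name__ == "__main__":
    samples = ["password", "12345", "qwerty", "********",
               "CenHS-co82", "ChevI65SS+Istf", "65ChevSS@327CI", "2k-Ma16&Bi12"]
    for pw in samples:
        print(f"{pw:16} {keyspace_bits(pw):5.1f} bits  "
              f"{years_to_exhaust(pw):12.3g} years  {evaluate(pw) or 'ok'}")
```

Run as a script it prints one line per sample; the useful comparison is that the keyspace bound goes from about 38 bits for password to about 92 bits for ChevI65SS+Istf, while eight asterisks fail three of the four rules. The bound says nothing about how guessable the underlying fact is, so treat it as a floor on effort for a blind attacker, not as a strength score.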

That was my advice. Do you have a method to the madness of remembering passwords that you could divulge? (Without giving anything away, of course.)

25 comments
reisen55

All of us have hobbies, interests that are totally unique to our lives and also usually involve terms and names that we never, EVER, forget. These are great reference points for passwords. The associations can be totally unique. One woman spoke Gaelic and used that language. Beautiful. My boss once proposed making your password simply this: ******** Eight asterisks. Who would know otherwise?

lastchip

Just for example, if we were to use the word(s) "techrepublic" from TR (and I'm using a QWERTY UK keyboard, so yours may differ slightly), use a key adjacent to the word you remembered. So taking the example above, and moving to a key to the left of the *actual* word, techrepublic would become: rwxgewoyvkux. All I've had to do to produce that password is remember techrepublic and move one key left on the keyboard; that's it, and hardly a candidate for easy cracking. If you want to include numbers, as four of the five vowels are on the top row of the alpha keys, moving left (or right) *and* up will produce passwords that include numbers. In this case, techrepublic becomes: 53dy4307go8d

h2owe2

I favour a meaningful pass-phrase rather than a password, as it is easier for an end-user to remember while retaining a higher level of security. For example, if they support a football team named the Kings, then an easily memorised pass-phrase might be kings42008 (Kings for 2008). I also suggest substituting letters for numbers and vice versa. My example above might then be re-phrased as k1ng542oo8. It may look hard to remember this form of pass-phrase; however, if it is [silently] spoken phonetically then it is easy enough to remember.

Neon Samurai

Remember one long passphrase to access your uname/passwd lists. My preference is KeepassX since it can open the same password data file across most platforms and from a usb portableapp.

normhaga

What I find that works and also produces a relatively secure PW is to pick a sentence that has meaning to them and also has a word or two that can be converted to a number and then use the first or last letter of the sentence for each character, except for the easily converted numbers. i.e. My mother went to the store twice on the even months and three times on the odd months = mmw2tstotema3otom or yrt2eeenensdesneds.

Joe_R

Please read the original piece. Do you have a method to the madness of remembering passwords that you could divulge? (Without giving anything away, of course.)

rkuhn040172

Repeating characters, no matter what they are (letters, numbers, special characters), make cracking passwords exponentially easier. Eight asterisks, while cute, isn't a good password. That would take probably less than 1 minute to crack using brute force.

gbhall

What everyone except lastchip seems to miss is the necessity to often produce memorable passwords related to particular uses, as the original article pointed out. How then do you remember which of the various hidden clues to use for that particular website/email address? Poster lastchip shows you how: something about the website itself must trigger the password. Unfortunately, lastchip could end up sharing HIS password for TechRepublic with several hundred other people! No, it's not so easy, is it? I have a method, but sorry, I'm not divulging it because it may be reverse-engineered just as lastchip's could be.

laforgia

This is an idea I like to use frequently. Numbers make great substitutes for letters in the middle of words and phrases. But what happens when you need a strong password that needs to be changed on a periodic basis, like a network password? I usually tell users to come up with a strong password that they like (using many of the same suggestions here) and then add an incremental number each time they need to change it. That way they have a secure password, and don't have to make up a unique one each time. I even tell the users to write down the number they are on so it helps them remember, in case they forget. The number is meaningless to anyone else without the rest of the password.

gpopkey

I believe a Password Safe facility must incorporate the following features:

1. Provide an opportunity to identify what a password is used for (access to a specific site, computer, or facility). Password retrieval must be permitted via the name of the site, computer, or facility.
2. Encrypt all information stored in the safe so that nobody can view it by accessing the files in which it is saved using some other tool(s). Even then, complete passwords should not be saved in the password safe; rather, they should be at least encoded. All my passwords have a standard (fixed) set of numbers/characters with prefixes and/or suffixes, e.g. RTPstdRBC, where 'std' is replaced by the standard set of digits/characters.
3. Allow access to data stored in a password safe only via a single password per user.

Joe_R

Let's see, was that three times on the odd months or the even months?

thinkonit

We've used much the same strategy as norm mentions above - suggesting the use of Bible verses or favorite song lyrics to provide a series of letters and numbers for passwords. Using the first letter of each word for John 3:16 can result in 4Gsltw316 or something similar. Need to change your password? Use the next verse... We've also set up each of our computers with KeePass password database software and been proactive in training the entire staff on how to use it. This has been a huge help! We did the training two months ago and already I'm encountering far fewer passwords in Outlook and Word documents. I've also suggested to a few especially challenged staff that while they can't write down their password, they can write down something to remind them of their password. For example, they could have a scripture verse written out as part of their cubicle decorations. What are other people's thoughts on this? Is this a secure suggestion?

zookeeperz

Then in every instance where a letter resembles a number, replace it. So 8udw3153r. 1=L or I, 2=Z, 3=E, 4=A, 5=S, 6=G, 7=L, 8=B, 9=g, 0=O
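The one-key-left scheme from lastchip earlier in the thread, gbhall's observation that such a scheme can be reverse-engineered, and the digit-for-letter table above are the same thing seen from the cracker's side: a fixed mapping is a rule, and rules get applied to a wordlist. As an added example (not any commenter's code), the following inverts those three transforms against a constructed wordlist. It assumes a QWERTY layout indexed the way lastchip describes (t sits under 5, so up-left of t is 5), and the wordlist entries, including budweiser for the 8udw3153r sample, are assumptions made here.

```python
"""Added example, not code from any commenter: undo the deterministic
transforms proposed in this thread (lastchip's left and up-left QWERTY
shifts, zookeeperz's digit-for-letter table) against a wordlist, the way a
rule-based cracker would. QWERTY layout and WORDLIST are assumptions."""
from itertools import product

ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]

# key -> the key on its left (the leftmost key of each row has none)
LEFT_OF = {row[i]: row[i - 1] for row in ROWS for i in range(1, len(row))}
# key -> the key one row up at the same index, i.e. up and to the left
UP_LEFT_OF = {ROWS[r][i]: ROWS[r - 1][i]
              for r in range(1, len(ROWS)) for i in range(len(ROWS[r]))}
# inverse maps, used to undo the two shifts
RIGHT_OF = {v: k for k, v in LEFT_OF.items()}
DOWN_RIGHT_OF = {v: k for k, v in UP_LEFT_OF.items()}

# zookeeperz's table read backwards: digit -> letters it may stand for
UNLEET = {"1": "li", "2": "z", "3": "e", "4": "a", "5": "s",
          "6": "g", "7": "l", "8": "b", "9": "g", "0": "o"}

# constructed wordlist standing in for a cracker's dictionary
WORDLIST = {"techrepublic", "budweiser", "password", "qwerty", "kings"}


def apply_map(text, mapping):
    """Map every character; None if some character has no image under the map."""
    try:
        return "".join(mapping[c] for c in text)
    except KeyError:
        return None


def shift_left(word):
    """lastchip's transform: every key becomes its left-hand neighbour."""
    return apply_map(word, LEFT_OF)


def shift_up_left(word):
    """lastchip's second transform: one key up and to the left."""
    return apply_map(word, UP_LEFT_OF)


def unleet(pw):
    """Every reading of pw with digits mapped back to the letters they stand for."""
    choices = [UNLEET.get(c, c) for c in pw]
    return {"".join(p) for p in product(*choices)}


# rule name -> function returning the set of source strings that could yield pw
INVERSE_RULES = {
    "plain": lambda p: {p},
    "shift-left": lambda p: {apply_map(p, RIGHT_OF)} - {None},
    "shift-up-left": lambda p: {apply_map(p, DOWN_RIGHT_OF)} - {None},
    "leet": unleet,
}


def detect(pw, wordlist=WORDLIST):
    """Return (rule, source_word) if pw is a wordlist entry under some rule, else None."""
    for rule, inverse in INVERSE_RULES.items():
        hits = inverse(pw.lower()) & wordlist
        if hits:
            return rule, min(hits)
    return None


if __name__ == "__main__":
    for candidate in ["rwxgewoyvkux", "53dy4307go8d", "8udw3153r", "ChevI65SS+Istf"]:
        print(candidate, "->", detect(candidate))
```

rwxgewoyvkux and 53dy4307go8d both come back as techrepublic, and 8udw3153r comes back as budweiser under the digit table (with 1 read as i). A password that is a memorable word under any such rule is only as strong as the word, which is the point gbhall makes; the article's approach of condensing a personal phrase into initials, numbers, and a connector survives this check because the source is not a dictionary entry, though it is still only as secret as the fact behind it.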

alex.kashko

I carry a mobile phone. The phone is locked after two minutes' disuse and needs a code to unlock it. That is about as secure as it gets, especially as I seldom leave the phone unattended. On the phone I have a notebook app. I keep hints for all passwords in the notebook. I have a stable of passwords and occasionally add a new candidate to the stable. I seldom change a password. I also follow the rules about using stable passwords for non-critical stuff and changing passwords for critical stuff fairly regularly. Generally they include numbers. Having said that, most of the time the passwords are in my head, not on paper.

RFink

I use FCC call signs (TV, radio stations, ham radio friends), cryptic EDS*NET IDs (now that I don't work for them), ZIP codes of favorite cities and car license plates. Those make great passwords.

nightmare150cc

Erm... I really like some of my passwords just using numbers from a cellphone keypad... like this one: word = 4 (four), so = 33388777, or word = love, so = 55566688833. Erm... hope it will work... also don't forget you all must insert some unix word..

ozi Eagle

Hi. What I do is start with a "secure" number like my Visa PIN and then write down something like +234, which, added to my PIN, gives the actual password. Unless someone knows my Visa PIN, the written-down numbers are meaningless. Herb

Neon Samurai

They store the data in an encrypted file which any of the various platform front ends can open (Keepass on Windows, KeepassX on *nix systems). The password generator is great, and each entry is kept in a categorized tree with its own description and related attributes. It may meet your requirements, but if you do find a reason why it doesn't, I'd be interested to hear it for my own considerations.

alex.kashko

My passwords are not English words, and as far as possible archaic words or ones not in standard dictionaries. If I really need to, my password will hold words from three languages, some transliterated from another alphabet. Sometimes I invent words. I also wrote a password generator program that generates easily pronounceable random passwords of any desired length. I lost the code several times, but it never takes me more than an hour to rewrite it.

Joe_R

Thanks for sharing.

Joe_R

Hobbies - like radio - would be a great way to remember something. Thanks. P.S. I've always wanted to get into ham radio. It seems like it would be a lot of fun.

Joe_R

That's the key. Thanks for posting.

alex.kashko

Your Visa PIN is compromised, even if you don't tell them what it is. One other thing: with PIN numbers I create a sentence that lets me recreate the PIN. The sentence is on my phone, and the phone is locked when not in use. I use a couple of tricks for creating the sentence.

Joe_R

Thanks for sharing.

RFink

The Amateur Radio Relay League. www.arrl.org Great website to get started, and no more morse code requirement. Good luck.