Creating Safe Online Passwords
Posted on August 31, 2011
Passwords on the internet are tricky business. You want your accounts to be secure, especially the ones that can get you in trouble if they slip out of your control. But how secure is secure? Chances are, nobody is going to collect your password if you surf with realistic vigilance against phishing scams or use a browser that can detect malware within a website (hooray for modern times!). Sometimes, though, even while being perfectly careful, we unwittingly hand sensitive information to people who will use it to compromise us (e.g. they have that social security card you lost, or a username that they came up with randomly or with spyware). Still, there are thousands upon thousands of databases out there full of descrambled passwords, and there is no way to know if you are included in one of them until it's too late. These two possibilities, though, can happen to anyone, and they place a certain set of demands on your password, including:
- It needs to be able to survive a descrambler. "Cats" as a password will not survive, but "mh@11" might, because it's not a word.
- You need to be able to remember it despite websites' different parameters that require any specific combination of: numbers, letters, capital letters, and symbols.
- You need to be able to change it on the fly, to something else you'll remember that will also survive a descrambler, in case it gets compromised or (oops!) you forget it.
Seems like a recipe for losing memory of your own password, right? Like, under what circumstances would you ever remember a password like "mh@11"?
Recently, NPR published an article about how to create online passwords that stay safer, yet none of the examples they gave were fail-safe. I've decided to reveal my technique taught to me by the great Scott Granneman in my web certificate class in 2003. It beats NPR's technique and it should be used by everyone.
First, a bit on what happens after your password is intercepted. Descramblers work by instantly searching language dictionaries for a combination of letters found in your scrambled or unscrambled password, and testing what they come up with, in a massive thousands-of-hits-per-minute attack. Is your password "LittleLamb"? It will probably test "LambLittle" and "LittleLamb" and then you're toast. Chances are better if you go with "Litt1eL@mb", but don't count on it, as password descramblers are actually powered by (mal-intentioned) humans who will adjust the programming in their systems to beat these techniques as they arise. It's best if your password appears completely scrambled in its password state, so that any significant phrases that come out of it at the time will be false, and the descrambler will move on.
Scrambling your password
The best technique I have ever learned for using and remembering a scrambled password is the following:
- Think of your favorite song, or the first song that comes to mind. Use a song that has words that you understand and letters from your language, no piano concertos or old Norse.
- Think of your favorite line from that song. I will use "Mary had a little lamb".
- Take the first letters from each of these first words. You have "mhall." You now have a password that appears to be scrambled, that you can easily remember, because you can repeat that line of the song to yourself in case you forget.
- Adjust this password to meet the password demands of the site you are using. For example, "mh@LL" or "MH@11" will work at sites where the password needs numbers, symbols, caps, you name it.
- If you do ever lose security over this password, you can simply move to the next line, "Its fleece was white as snow." Rinse, repeat.
Using this technique enables anyone to use a much more secure web password without ever forgetting it. For maximum security, always check the address bar of the site you are entering your password into for extended URLs. The last two segments of a URL, "[anything].[this-segment].com", are the actual root domain of the website you are at. Don't trust email renderings of internet addresses, because the sender can easily display a link such as http://write.anything.com and send you somewhere else. Keychain Access for Mac users also provides a memory-proof storage bank for your passwords; just make sure your administrator password is easily remembered. Make sure "https://" is used when you are entering credit card numbers, and that the site is the one you want. Most of all, trust a hunch!!