Have You Gone Password Loco?
Web sites typically build their own specialized password requirements, dressed up with their own particular (and complex?) character scheme, spelling out rules like:
- Must include between 8 and 24 characters
- One uppercase letter, one or more lowercase
- At least one number, and
- At least one “special character” (@#$&%, etc.).
People want to skip all that noise and use something simple, but many sites no longer let us! (On the other hand, I was somewhat shocked to find that Apple’s rules actually limit the text string to 32 characters. I actually had to abbreviate part of my AppleID password!)
We’ve all heard that it’s dangerous to use the same password for everything, because if some malicious person or “script bot” guesses it right for the first function, the assumption is that they’ll try the same one at other sites too – possibly doing major damage to your identity, credit report, IRS filings, a bank account, doctor’s office records, insurance, etc.
Ideally, we would all use really, really long passwords with many characters. But sometimes we can’t remember ONE password, let alone a LONG password whether it’s for one specific site or many.
Makes sense, right? The longer your password is, the longer you can stall a hacker. A 4-digit password is terribly short (weak) and will be guessed quickly. But increasing the complexity by using a 24-character password (stronger) might take several hours.
But here’s the bad news…
You could have the best, longest, strangest, and most convoluted password in history – but still lose your account security when the store itself has a security breach! Professional hackers find a weak spot in the corporate system and then walk away with the userIDs and passwords of 100 million people. Your marvelous, custom password that’s hard to guess by normal people is basically nullified, simply because it was found and copied to a hacker’s external database. UGH!!
Lots of people use sticky notes and tag their computer monitor with their login information, literally spelled out for anyone to find. Others use unprotected, insecure note-taking or address apps on their smartphone. Personally, I use a password/vault app to help keep track of about 400 logins.
But many account logins saved within this secure app use the same format or convention I suggest below. (I like to keep a record anyway, as I end up making variable characters and other tweaks depending on the site.)
To overhaul the nightmare of multiple logins, what you need is a kind of cross between…
- The dangerous, lazy but easy practice of using the same password for everything.
- A completely unique password for each site (ideal, but impossible to keep straight).
Let’s call this method a “Password Recipe”…
- Pick a “root” word that you’re familiar with, and reuse it within each custom password.
- Decide which special characters you’ll add at the beginning and end of your root word.
- For the identifying business, pick its initials, literal name, or another acronym at each of the sites or functions you’ll be using.
- Add numerals into your password which reflect and match some aspect of #3, and include them twice.
Let go of separate passwords and just learn a single recipe – your own pattern you can reproduce anywhere!
You don’t have to remember specific passwords for specific sites this way, only the standard convention you created to cobble together each one.
No matter what site you visit in the future, you’ll be able to “remember” the recipe specifics and tap out your password because you’ve used the same method for all, and yet made each of them unique and more unbreakable than crazy-weak “1234” or “Pa$$w0rd” (shudder).
As an example then, using items 1 through 4 above, just assemble your recipe “ingredients”…
- An easy-to-remember root word: “Purple”
- Special characters: I’ll use both “!” and “#”
- If a business is named “First National Bank of Springfield”, and my standard for company names reduces it to simple initials, this entry becomes: “f n b s”
- Since I’m only using the initials, I’ll use a “4” to match the number of characters contained in those initials, but I’ll also duplicate it to become “44”
So, what might this stitched-together, Frankenstein password look like?
Just connect all the pieces section by section…
- “!#”: Special characters I use at the beginning of the password.
- “_fnbs_”: The initials of this specific company, surrounded by underscores.
- “PurPle”: My root word – extra points if you mix upper and lower case in this as well.
- “#!”: Same characters as before but reversed after my root word.
- “44”: Number of company name characters or initials used, repeated once.
End to end, these assembled ingredients become a strange, but pretty strong, 18-character string of text: !#_fnbs_PurPle#!44
According to the free-fun Web site “howsecureismypassword.net”, this fictitious First National example above would take 7 quadrillion years to solve. I’m not sure how accurate their calculation is, but it’s certainly fun to feel like you’re going to win at this game.
Simply: more characters = more complexity. AND special characters certainly help.
Sorry: now the tough part!
Distribute this same recipe throughout ALL your existing logins. But of course, alter each one based on the site, for example…
- Sears: !#_s_PurPle#!11 (another alternate might be !#sears_PurPle_#!55)
- Apple: !#_a_PurPle#!11 (alternate might be !#apple_PurPle_#!55)
- Panera Bread: !#_pb_PurPle#!22 (alternate might be !#panera_PurPle_#!66)
- Red Cross: !#_rc_PurPle#!22 (alternate might be !#redcross_PurPle_#!88)
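The recipe and the site rules above, worked as an added Python example (mine, not the author's): it assembles a password from the ingredients, checks it against the composition rules quoted at the top of the post, and produces a naive brute-force estimate of the kind the “how secure” site reports. The stop-word list used when forming initials, the run-together-name rule for the alternate form, the special-character set and the 10 billion guesses per second rate are all assumptions.

```python
import string

# Composition rules quoted at the top of the post: 8..24 characters, upper, lower,
# a digit and a "special character". The special set here is an assumption.
SPECIALS = set("@#$&%!_")
# Words dropped when forming initials; the page drops "of" in its example (assumption).
STOP_WORDS = {"of", "the", "and"}


def site_tag(business: str, mode: str = "initials") -> str:
    """Reduce a business name to the recipe's identifier: initials ('fnbs')
    or, for the page's alternate form, the whole name run together ('redcross')."""
    words = [w for w in business.lower().split() if w not in STOP_WORDS]
    return "".join(w[0] for w in words) if mode == "initials" else "".join(words)


def build_password(business: str, root: str = "PurPle", specials: str = "!#",
                   mode: str = "initials") -> str:
    """Assemble the recipe: specials, site tag, root word, reversed specials,
    then the tag length written twice (the page's 'include them twice')."""
    tag = site_tag(business, mode)
    count = str(len(tag)) * 2
    if mode == "initials":                      # e.g. !#_fnbs_PurPle#!44
        return f"{specials}_{tag}_{root}{specials[::-1]}{count}"
    return f"{specials}{tag}_{root}_{specials[::-1]}{count}"   # e.g. !#sears_PurPle_#!55


def meets_site_rules(pw: str, min_len: int = 8, max_len: int = 24) -> bool:
    """Check a candidate against the rule list at the top of the post."""
    return (min_len <= len(pw) <= max_len
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in SPECIALS for c in pw))


def brute_force_years(pw: str, guesses_per_second: float = 1e10) -> float:
    """Worst-case years to try every string of this length over the character
    classes the password uses. The guess rate is an assumption, and the figure
    assumes the attacker knows nothing about the recipe structure."""
    charset = 0
    if any(c.islower() for c in pw): charset += 26
    if any(c.isupper() for c in pw): charset += 26
    if any(c.isdigit() for c in pw): charset += 10
    if any(c in string.punctuation for c in pw): charset += len(string.punctuation)
    return charset ** len(pw) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    for name in ["First National Bank of Springfield", "Sears", "Panera Bread", "Red Cross"]:
        pw = build_password(name)
        print(f"{name:35} {pw:22} ok={meets_site_rules(pw)} years={brute_force_years(pw):.3g}")
```

Pass max_len=32 to check a candidate against the Apple limit mentioned earlier in the post.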
With such cryptic characters included in your new password phrase, you might choose to not even bother including your “root” word, but dropping another word in does add more length and complexity for password-guessing scripts to grind through.
I would suggest logging in to each of your accounts and updating the password for as many as you can in one sitting. That way you’re not split between two worlds, with old logins on some sites, and your new method implemented with others.
When I need to log in to a site I haven’t visited for months, I just return to my “recipe” convention, enter my standardized ingredients, and get in to my account just as if I’d been there yesterday.
Summit’s Peak Technology Services
Dave Herriman – 816-744-0020