A while back, I ran an article in Drive (DRI International’s wildly popular weekly e-newsletter…if you don’t get it, sign up!) about password security. We’d gotten a nifty new phone system at work and were all trained on its use by a very nice lady who walked us through the features and functionality. At the end of the online training session, she gave us our direct dial numbers, her direct dial number (in case we needed help), and the default password, which we were instructed to change upon logging in.
A couple of hours after the training, I figured I’d go in and customize my settings before I forgot everything she told us and because those demos always make it look much easier than it actually is. I typed in my phone number (which acts as the username) and then the default password. And for a minute, I couldn’t figure out why I had so many messages and such a long call log on a brand new number. And that’s when it hit me! I’d mistakenly typed in the trainer’s phone number, and she had never changed the default password on her account! Yikes!
So, here I was in somebody else’s voicemail, hoping I wouldn’t see or hear anything I wasn’t supposed to, and I could not for the life of me figure out how to log out! I tried x’ing out, but I had hit the “remember me” button so that didn’t work. I clicked around, but felt like an even bigger snoop with each passing second, until I finally found the log out button. Whew! Later, I confessed later to a co-worker what I’d done expecting her to laugh at my mistake. But it turns out that she had done the same thing! Two hackers at DRI! What is the world coming to?
Anyway, I shared that story with Drive readers and asked for their solutions to the password problem, which is that we’ve all got so many of them that it’s almost impossible to remember them all without breaking the rules. You’re not supposed to use the same one twice. You’re not supposed to write them down. You’re not supposed to use elements that are easy to guess (kid’s names, birthdays, etc.). So, what to do? Well, read on for advice from your peers and be sure to peruse the list of the 25 most hacked passwords of 2012.
An App for That?
Of course, there’s an app for that. There’s an app for everything. Most often recommended by the readers were KeePass Password Safe, LastPass, and SplashID Safe. These tools can be installed on all the typical devices smartphones, laptops, tables, etc.
Says one reader, “This program is great in that you can store all of your passwords on it and really only need to create and remember one really difficult password to open the program each time… It will even generate difficult passwords for you using specific rules so that you can have a different and HARD password for each website.”
There are even free open-source programs, so we’re not talking about an investment. It might be worth your while to look into these, but it might not be okay with your organization’s IT folks; so, you should check. And there are those among us who still shiver at the thought of putting all of our passwords in one place, no matter how safe or smart it seems. For those of you, plenty of readers wrote in with homegrown solutions.
Many of you have put a lot of thought into generating and safeguarding your passwords in a way that also enables you to remember them. Here’s a list of tactics to consider:
This reader says she uses a system “specific to me and specific to the app.” For instance, using her system, if I needed a password for a DRI account, it would be buffy0924drii. If I needed a password for Amazon, it would be: buffy0924amazon. She says “there are no repeaters, you can easily remember them, and they’re secure. Use your name and birth date or initials and anniversary, whatever, just make it consistent.”
Another reader suggests using “an old hacker technique.” He says “you want at least 10 digits in every password. More is better. Pick an easily remembered root word with two or more occurrences of the same consonant, such as ‘Cancun’ or ‘pigpen’, then append an easy number to remember, such as your mother’s birthday. But, don’t use just that sequence. Alter the root word by systematically changing the ‘doubled’ letter to the next letter in the alphabet and capitalizing it; and change the mm or dd or yy in the birthday number similarly. So Cancun06031942 would START as DanDun01311942 and pigpen06031942 would start as QigQen01311942. Every 90 days or so, you can increment a single shift of the caps letter and the date for the next cycle. Since most systems allow three bad login attempts before you get locked out, you should hopefully be able to get the right ID/PW within that limit. I also use a second root word for more critical websites
If you want to avoid getting away from using birthdays and other no-no’s in passwords, follow this readers lead. She says that “you
can build yourself a complicated password that really is easy to remember for your vital accounts. Just take a phrase and ‘passwordify’ it. For example, “Dyslexia s a built- in word scramble: could become Dxi@b-nwrdscmb1. Slice it or dice it to fit the password requirements for the account in question. There is no way that anyone would be able to guess it without a password cracking tool.”
Tried and True
One reader responded by sharing a password methodology she’s been using for years. If you follow her system, you will never write down actual passwords or use any common values like birthdays or names, and you will always use a capital letter, non-capital letters, and one number.” Sound complicated? She says no; it “is easy to change and track the change, without writing the full password down.”
How to? Pick three or four very short two or three-word phrases. Choose some that pertain to work, and some that pertain to personal matters. These must be phrases that you find enlightening and mean something to you. Every phrase must contain the letter O, and you must not use people names, pet names, street names, etc. Phrases may not begin with the same word. A few sample phrases: Be on time; Care more; Get Done; Smile on.
Next, save these phrases in where no one will know they are passwords. Write the phrases in your note pad somewhere, asinspirations and things you strive to do. Do not write “PASSWORDS” next to them. Choose one of them to use as the base for work passwords, (or two of them if needed) and one to use as your personal passwords base.
Then, create compliant password reminder files. Create one file at work, online, for your reminders. Put it in a folder a name that means nothing at work, like YELLOW. Create one at home, on your computer, or personal phone. Make a list of all of the passwords you will change for work, and a list for home, and add the list to your reminder folder. In the second column of your reminder list, add the first two or three letters of your basis phrase, like “Be” or “Car”. Then put +0. (Be+0) (Car+0)
For your actual password, you will remove spaces, and in place of the first letter O in each phrase, you will use a ZERO (0). Each time you need to change the password, add 1 to the place where the Zero started, and change your reminder file from “Be+0” to “Be+1”, etc. NEVER write the full phrase in your reminder files. All you have to change in the reminder is the number.
“I have used [this system] for years, in a complex corporate environment with all the rules possible, and feel perfectly compliant,” she says.
One out-of-the-box thinker says she doesn’t even try to remember passwords. “If you asked me what my password is on anything that requires a password, I couldn’t tell you. I use a pattern on the keyboard, whether phone, computer, BlackBerry. I have several patterns that I use, and I just rotate them. You need enough patterns to bypass the system’s refusal to accept a recently used password. I don’t even know how many that is, but when I need to change a password I just key in a pattern, like an X for example (no, I don’t use that one!). If the system won’t accept it, I move on to a different pattern. Patterns use letters, numbers and symbols, but even I couldn’t recite my password. I actually have to be keying it on the keyboard to get it right.”
So, what do you think of these tips and tricks from your peers? Send your comments and suggestions to me at firstname.lastname@example.org.