Our attitude towards organizing and keeping track of passwords for multiple accounts is contradictory. You want them to be as secure as possible, and yet not be bothered with them at all. So, your options are to write them down somewhere, remember them yourself, or have them stored in your browser. You could also just have one password for every account you ever access, of course.
While these options might actually do for sites you don’t store all that much private information on (YouTube, Last.fm), it’s not such a good approach when it comes to sites you trust your data and identities with (FB, Google, your blog).
Why?
A while back, I did a big password clean-up on all the accounts I have, and spent a good deal of time thinking about how I could make this work as well as possible. I came up with some fun and easy ways to create passwords that are both unique and easy to remember. In fact, most of them are right on the display in front of you as you log in.
The solution I eventually turned to is a bit more complex than the ones I initially came up with, but these I thought I’d share with you to get you going.
But how does it work?
First, however, a word about cryptography. Two fundamental elements of encrypting a message are the cipher and the key. I’m not a cryptographer myself, but what these two do is relatively simple.
The cipher encrypts or decrypts. It’s like substituting A with B, or banana with ananab. More important, though, is the key. It’s the secret parameter only you know and the only thing you have to remember. If substituting A leads to B, it’s because you know the key is: “take the next letter in the alphabet”. In the second example, the key would be: “reverse the order of the letters”.
Creating a key is easy, but deciding on a cipher that makes sense to you whenever you visit a site can be more challenging. You could decide that you’re going to be reversing words, but what word should you choose for Facebook? Banana? This would soon stop making sense and you’d be locked out of all your services in no time. That’s when I came up with using elements of the page you’re visiting to come up with a password that is unique to every site.
Okay, so let’s try making this a bit more clear by making up some passwords for the three examples I used above, Google, Facebook and, let’s say, WordPress.
Plain Reversal
That’s easy. Google becomes elgoog, Facebook koobecaf, and WordPress turns into sserpdrow. Not too hard.
Personalize and slice
Use something that identifies you, such as your middle name or your initials (here: ng), and then use only a part of the name of the service you’re accessing, e.g. the first two letters. That way, Google could become nggo, Facebook would get ngfa, and for WordPress we’d create ngwo.
Add significant digits
To make the password a bit more challenging, you could add a number that means something to you, like your wedding day or your WRC high-scores. Choose a cipher from the ones above, let’s say reversal, and add the year Bush was re-elected. Google then becomes elgoog2004.
So how is this easy? It’s easy because the source is right on the page; it says Google in big colourful letters. And it’s easy because only you know the cipher (reversal) and the key (take the company name). Okay, let’s get even more colourful.
Colours
You could choose the main colours used in the site’s logo. Granted, this can be debatable, but if you keep it simple, the passwords become ‘brybgb’, ‘b’, and ‘b’. Add your birth date in reverse for added security.
Who did this?
If you’re a bit of a web 2.0 geek, why not use the names of the guys behind the site? You could add a certain catchphrase to make it original. Best explained in an example. Google becomes i<3sergey&larry, for Facebook you type i<3mark, and WordPress gets i<3matt. Again, you could reverse this or add a number.
Speak in tongues
If you speak a second language, why not translate or transliterate the name of the site? If I wrote down the names of these sites the way they would be pronounced in my language, I’d get goegel, feesboek, weurdpres. Let’s see someone try and think of that.
Of course you can add your own ideas to this. Also, always use classic password protection tricks like substituting o with 0, e with 3, etc.
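The rules above (plain reversal, personalize and slice, significant digits, o/e substitution) written out as small deterministic functions, as an added example that is not part of the original post. The last function applies the same key + cipher model with HMAC-SHA256 as the cipher; the initials "NG", the secret string and the digits are constructed sample inputs.

```python
import base64
import hashlib
import hmac

# The o -> 0 and e -> 3 substitutions the post recommends as a final step.
LEET = str.maketrans({"o": "0", "e": "3"})


def reverse_rule(site: str) -> str:
    """Plain reversal: the site name spelled backwards ('Google' -> 'elgoog')."""
    return site.strip().lower()[::-1]


def slice_rule(site: str, initials: str, n: int = 2) -> str:
    """Personalize and slice: your initials plus the first n letters of the site."""
    return initials.lower() + site.strip().lower()[:n]


def add_digits(base: str, digits: str) -> str:
    """Add significant digits: append a number only you associate with the scheme."""
    return base + digits


def leet(password: str) -> str:
    """Classic substitutions: 'elgoog2004' -> '3lg00g2004'."""
    return password.translate(LEET)


def keyed_rule(site: str, secret: str, length: int = 16) -> str:
    """Same 'key + cipher over the site name' model, with HMAC-SHA256 as the cipher.

    The site name is public (it is on the page, as the post says), so the only
    secret input is `secret`, which plays the role of the key the user remembers.
    Unlike reversal, one derived password does not reveal the rule for other sites.
    """
    mac = hmac.new(secret.encode(), site.strip().lower().encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()[:length]


if __name__ == "__main__":
    for site in ("Google", "Facebook", "WordPress"):   # the post's three examples
        print(site, reverse_rule(site), slice_rule(site, "NG"),
              leet(add_digits(reverse_rule(site), "2004")),
              keyed_rule(site, "hypothetical-secret"))
```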
Is this secure?
It’s as secure as any password can be, but in all likelihood more so. While 1980goog may not sound very secure, it will be hard for an outsider to crack. Of course, an attacker might still get in, and if you tell everyone how smart you were in creating your passwords, they can too.
The point of this post is to show you what kind of solutions I came up with, and how easy it can be to create a reasonably secure and definitely unique password for every site you visit.
After all, with different parameters, the password for Google may well have become hmf8991hpp, and you would still have followed a variation of these same basic rules. However, use this technique at your own peril and certainly don’t use the examples I offered here.
Oh, and of course, needs it be said? Don’t tell anyone this, okay?
PS I had this post in the wings, but seeing this Note on 9rules, I decided to post today. Check out the solutions everyone is putting forward over there to get some more inspiration.
2 September 2007 at 7:18 pm
I also was thinking about all that. It is actually quite funny, because you get a ridiculous amount of passwords when you’re a bit web-active and into web 2.0!
Thank you, really good examples, kind of reminded me of the DA VINCI CODE, with the key and the cipher! :)
2 September 2007 at 7:25 pm
Good post… I guess I’d better change my passwords from ‘123456’ and my favourite ‘password’! lol :)
Joking aside, I have got so many passwords that it does all get very confusing, especially on sites I visit rarely.
2 September 2007 at 8:07 pm
This is a very good post and some solid logic for password creation. I’m going to give one of the examples a try from now on.
2 September 2007 at 8:26 pm
@Philipp: it was precisely another influx of web 2.0 (ish) apps that made me rethink the way I handled my passwords. Thanks for dropping by and taking the time to comment.
@Adem: True, recently I re-activated my Plaxo account to see what the overhaul was about and I needed my AIM account for that. I had to delve deep into my mindset of the time to remember what my password might have been.
@Andrew: Thank you. I was a little worried that this might be too light-weight for the subject. It still is rather on the easily-digestible side, but I’m glad you liked it. Good luck with it.
3 September 2007 at 9:14 am
Nice article. You’ve worked out quite an efficient way of creating and remembering passwords. Thanks for the tips.
3 September 2007 at 5:00 pm
Yet another great post Nils!
I often have problems thinking up passwords and when I do I often forget them as some of them are so obscure. I don’t like to write them down either, I feel insecure when I do that…
This post, however, will help me when next creating a password for something. I am in half a mind to change my passwords for many things now. Thanks! :-)
4 September 2007 at 3:22 pm
Absolutely brilliant, Nils. Simple and elegant!
4 September 2007 at 4:26 pm
@Aidan: great. Glad you found some inspiration in this.
@Hrafn: thank you, I appreciate that a lot.
7 September 2007 at 12:23 pm
I like your rss button; it’s almost like on my blog… :)