Groan. Computer passwords are a nuisance. Among my own clients, the typical reaction when the subject comes up is along the lines of “they’re just a nuisance. I use the same one for everything so that I can remember it” or “I put the password in once and asked the system to remember it and now I have no idea what the password is”.

If you start researching, you will find that the advice on passwords includes things like:

  • make the password at least 20 characters long and include upper case, lower case, numbers, punctuation marks – as if!
  • change your passwords every month (or week) – as if!
  • don’t use passwords that are the names of loved ones (including cats’ names).
  • keep your passwords secret.

Well, pretty well all my clients breach all those recommendations and, I must admit, so do I (but I’d never have a cat, so that bit’s ok).

So, my recommendation is that we should be practical. We are going to have to live with passwords for the foreseeable future, so I have developed a simple strategy for myself that I hope may be of use to others. I aim for a workable compromise between security and practicality. The elements of my own strategy are as follows:

1) As soon as I create or receive a new password that I don’t want to lose I record it in my encrypted and password-protected database. This database is regularly backed up and archived. Copies are stored off-site (i.e. not in my home).

It has taken me years to learn this simple lesson and make sure that I stick to it. How many times have you written a password down on a tatty piece of paper, assuming that you will be able to magically find said scrap of paper in three years’ time when you’re in a flap because your router has just locked you out of your wireless connection? The alternative bad approach is to allocate a password that you “are bound to remember” so you don’t need to write it down. Yeah, right! Seen that one dozens of times. Something that seems utterly unforgettable today is probably going to be either utterly forgotten in a month or simple to guess by a baddie (who has now probably also got access to everything else of yours that is password-protected).

Let’s be practical and mercenary about this so that maybe you can appreciate the importance. Suppose that, as a client, you call me in because the wireless networking part of Windows has suddenly forgotten your password (also known as a “network key” or “passkey”). Depending on where you are, my minimum visit charge will be £80-£110. OK, so there’s time in the minimum visit length (1.5-2hrs) to do other jobs that need doing as well, but if I need to get into the router’s settings and re-allocate a password, that could take anywhere from 5 minutes to 1 hour. So, it’s cost from £5 to £55 to re-establish a wireless connection – just because you didn’t know the passkey. To me, that sounds like a hefty bill (or fine!) for not being rigorous in recording the password safely where it can be found without fail and without delay.

2) If the password relates to something I really don’t care about (such as a registration I had to make on a website just to get what I wanted from that site) then I am quite happy to use the same short, memorable, password for all such occasions (yes, a cat’s name if you must). For the sake of the convenience of not engaging my brain, I am prepared to take the risks associated with this strategy.

3) If the password relates to something a bit more important then I try to create a password that consists of something about that site or purpose that I will remember plus something else that fits the criteria of being both very memorable to me and completely unguessable by anyone else. Examples might be “opendoor:waterstones” or “opendoor:sainsbury”.

4) If the password is mega-important and not easily defined using (3) above, then I use or create a password consisting of 2 or 3 elements that are very personal to me, that are not dictionary words, that include punctuation marks and numbers, and that relate to things that are way in the past and will not turn up on any internet search. I’m not going into detail because I’m not writing a handbook for hackers getting into my systems, but some examples of these “elements” could be:

  • names or nicknames of memorable teachers, friends, girlfriends – all well in the past
  • postcodes or street names that have had significance in the past (but are not connected to me now)
  • registration numbers of vehicles owned long ago
  • old telephone numbers
  • favourite music or musicians from long ago

As a general rule, I do not use anything that is likely to have been entered into a computer in connection with me in the last, say, 20 years.

Just a couple more points. I’m not going into cryptography here and I don’t want to stray across the boundary of paranoia, but let’s remember that someone may try to crack a password by guesswork as they know something about you (your cat again!) or they may try by brute force. This means using a computer to try every combination until one works. The only point I wish to make here is that computing power is increasing so fast that we need longer and longer passwords in order to make “brute force attacks” unlikely to succeed. I’ve seen recommendations that every password should be 50 characters long! That is, of course, completely impractical. However, I am making myself a rule now that my important passwords are at least 14 characters long. Don’t ask me how I arrived at that figure, but if you’re interested in the strength of your passwords have a look at these sites:
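To put some numbers on the brute-force point above, here is an added worked example (my illustration, not part of the original post). It estimates the search space and worst-case exhaustion time for a given alphabet and length, works out the shortest length that meets a chosen target at an assumed guess rate, and contrasts raw brute force with an attacker who only tries “word:word” combinations of the kind shown in (3). The guess rate (10 billion per second), the alphabet sizes and the 50,000-word dictionary are assumptions for the estimate, not measurements.

```python
import math

# Alphabet sizes used for the estimate (assumed; printable ASCII is 95 characters).
CHARSETS = {
    "lowercase only": 26,
    "lower + upper": 52,
    "lower + upper + digits": 62,
    "lower + upper + digits + punctuation": 95,
}

# Assumed attacker throughput: 1e10 guesses per second (an assumption, not a measurement).
GUESSES_PER_SECOND = 1e10
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def search_space(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters from the alphabet."""
    return alphabet_size ** length


def bits_of_entropy(alphabet_size: int, length: int) -> float:
    """Strength of a uniformly random password of this shape, in bits."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(alphabet_size: int, length: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case years to try every password in the space; on average about half this."""
    return search_space(alphabet_size, length) / rate / SECONDS_PER_YEAR


def length_for_target_years(alphabet_size: int, target_years: float, rate: float = GUESSES_PER_SECOND) -> int:
    """Smallest length whose full search takes at least `target_years` at the given rate."""
    length = 1
    while years_to_exhaust(alphabet_size, length, rate) < target_years:
        length += 1
    return length


def word_pair_space(dictionary_size: int, separators: int) -> int:
    """Guesses needed if the attacker tries every 'word<sep>word' combination
    (the shape of example (3)) instead of brute-forcing character by character."""
    return dictionary_size * dictionary_size * separators


if __name__ == "__main__":
    for name, size in CHARSETS.items():
        for length in (8, 14, 20):
            print(f"{name:38s} len {length:2d}: {bits_of_entropy(size, length):5.1f} bits, "
                  f"{years_to_exhaust(size, length):.3g} years to exhaust")
    print("length needed to last 100 years (62-char alphabet):", length_for_target_years(62, 100))
    # 'opendoor:waterstones' is 20 characters, but as two words from a 50,000-word list:
    print("word-pair guesses:", word_pair_space(50_000, 1),
          "vs 20-char lowercase brute force:", search_space(26, 20))
```

The comparison at the end is the reason rule (4) insists on non-dictionary elements: two common words joined by a separator cost the guesser far fewer attempts than the raw length suggests.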

And finally – Permissible Characters. One thing that makes creating and remembering passwords even more difficult is that some registration processes allow you to use non-alphabetic characters, some forbid it, and some insist on it. Accepting the compromise between security and practicality, my own method for negotiating this is to start by trying to include specific non-alphabetic characters that I will remember and then taking them out if they are disallowed. I use the same approach for including/excluding numbers and including/excluding mixes of case (i.e. using a mixture of capital letters and normal, lower-case letters). That way, I probably only have two or three possible combinations to try when I enter the password. And if I don’t get it in two or three attempts, I consult the database mentioned in (1) above and smugly congratulate myself for being so organised (at last).