(crosspost from my personal blog http://adamfowlerit.blogspot.com.au)

Hello,

Today's blogpost is about password management. I have (what I think) is a good solution that means you'll only need to remember a few small details for all your online passwords.

An entirely unexciting topic for most - including myself. You've all heard and possibly uttered phrases such as 'the longer the password the better' and 'use complicated passwords' which are of course true. Here's a blurb taken from Intel's Supplier Password rules via https://supplier.intel.com/Auth/PasswordRules.asp :

In order to protect your security, Intel has certain rules for choosing passwords. Please read the following rules so that you will know how to choose a good password.
The following rules apply to all passwords:

• The password must be at least 8 characters long.
• The password must contain at least:
• one alpha character [a-zA-Z];
• one numeric character [0-9];
• one special character from this set:
  ` ! @ $ % ^ & * ( ) - _ = + [ ] ; : ' " , < . > / ?
• The password must not:
• contain spaces;
• begin with an exclamation [!] or a question mark [?];
• contain your login ID.
• The first 3 characters cannot be the same.
• The sequence of the first 3 characters cannot be in your login ID.
• The first 8 characters cannot be the same as in your previous password.
• Passwords are treated as case sensitive.

*yawn* Please don't give up on this post yet, I do have a point to make! Now, the next commonly quoted rule is 'never use the same password on multiple sites'. So, how do you remember the wacky combination? XKCD has half the answer:


Via http://xkcd.com/936/

Great for a single password, but again how do we manage 100's? Many people use databases such as KeePass, or notepad files inside encrypted zip files with another password on top. Cumbersome in my opinion, you don't want to have to go checking for passwords each time you log in somewhere. There's also other solutions that save the websites, usernames and passwords in a centralised location - a big risk in itself I say. So, here's my two layer solution:

1) Have your own email domain, and use a different email address for every single site you sign up to. On top of that, make the email address something that always identifies with the site.

For example, I could buy the domain passwordssuck.com, set up Google Apps with it, and have a catch all. This means I can tell people I like an email address like "[email protected]" but also if I were to sign up for Blogger, I could use "[email protected]".

Why do this? The first reason is spam. If you sign up to a site that gets compromised, or sells off email addresses, the most likely impact to you is getting a bunch of spam. If you no longer use the site, you can blacklist the email address you signed up with (in this example, [email protected]) and you'll never see spam on that address again. If you still use the site, you'll have to either live with the spam that gets by any spamfilters, or change your email address. I don't like the idea of changing it, because for this overall formula (coming up!) to work, you just want to look at a site and immediately know what the login is.

The second reason - again if the site gets compromised, is that your email address and password combination are now useless anywhere else. Even if you used the same password anywhere, the email address to log in is a one off.

2) The password part. You need a formula. Once you remember the formula, you don't need to remember anything else.

You can adjust this how you like, but I'll give an idea of a decent formula (and no, this isn't exactly what I use!). First, come up with two words. Let's go with 'keyboard' and 'mouse'. Now, let's use some special characters. Now we have 'K3yboard' and 'mou5e' - these will never change.

Between our two words, let's go back to the site we're on. Blogger.com. What I'll do is take the first and last letter of the domain. B and R. We're going to put this in between our two chosen words. 'K3yboardBRmou5e' - but let's get even trickier! Instead of B and R, we'll go up two letters in the alphabet. B goes to D, and R goes to T.

Now we have 'K3yboardRTmou5e' as our final password. This means, when I go to blogger.com and think 'hmm what's my username/password' it's going to be "[email protected]" and password "'K3yboardRTmou5e'".

Youtube.com? That'd be "[email protected]" and "'K3yboardAGmou5e'"

If someone obtained your credentials for Youtube, there's no way these details will work anywhere else. If someone targets you specifically for some reason, they're still going to need to know your formula. They have no idea which parts of your password are static, and which change, and even if they thought the AG was the bit that changed, they then need to work out what that means.

In summary, once you remember your formula, that's the last thing you'll need to remember. You don't have to go down the full path of having a different email address for each site, but I'd put a bit more work into varying your password formula.

If you have any feedback on the above, or think it's a terrible idea for any reason please let me know!

Posted in: [Miscellaneous], [IT Pros], [ICT Security], [General Technology]