The Password Age
In this age of electronic communications and the Internet we have come to a point where each person needs passwords to access some part of their electronic life. We access data at our bank, at work, at home, and on the web. We have to have a password to read the newspaper on-line. We are asked to create passwords when we shop on-line. We are asked to create passwords to access the network at our workplace and even more passwords to access applications, documents, and provide approvals. Almost everything we do on a machine that has a power plug requires a password. This can lead to a password glut wherein we have so many passwords we have a difficult time keeping track of them.
To create and control these passwords we must be educated on what types of passwords there are and when those password types will be used. We must have a “password system” in place to make password creation and management our friend and not an arduous chore.
How important is a complex password? The following chart shows the time it would take an average password cracking program, of the kind readily available on the web, to crack a password based on the number of characters (alpha and numeric):
As you can see the time difference between cracking a 3-character password (Ac3) and an 8-character password (Acus2007) is 209 years, 364 days, 23 hours, 59 minutes, and 59.14 seconds. And that is if you used an upper-case A instead of a lower-case a.
The Seven Levels of Passwords
- The Super-Secret-Personal-Password (SSPP): This is a password that will only ever be known to you. You would not share it with your spouse, children, parents, siblings, co-workers, employer, bank, or credit card company. This is the password you would use to secure your most-secret or most-private documents (a diary, journal, novel, scans of love-letters, or most-private e-mails, etc.) This password would never be used for any of the lower level functions.
- The Personal Password (PP): This password would be used for on-line banking, on-line shopping, on-line e-mail accounts, or as a password to access your home computer. This password could be shared with a spouse or a child.
- The Family Password (FP): This password would be used for personal websites that may contain family photos you want to share only with family members. It could also be used as a password for a personal FTP site where files would be accessible via the web to family members.
- The Extended Family and Friends Password (EFFP): This password would be used for personal websites that may contain family photos you want to share with family members, extended family members, and friends but not the general public. It could also be used as a password for a personal FTP site where files would be accessible via the web to family members, extended family members or casual friends.
- The Employment Password (EP): This password would be used at our workplace to “login” to the network or to login to our work e-mail remotely. It could also be used for work-related on-line activities. There may be a requirement in place wherein this password would have to be shared with a supervisor or selected co-workers. There may also be a requirement that this password be rotated every few months. These rotating passwords may have a memory wherein you would have to have four or five different passwords to use as your rotating set.
- The Authorization Employment Password (AEP): This password may be created and managed by our employer. It would be used to access shared files amongst co-workers in a department or to access secured pages on an Intranet.
- The Disposable Password (DP): This is a junk password that can be discarded and would not be missed. It would be used for registering at on-line websites where we make very infrequent visits. It could also be used to sign-up for on-line contests that require you create a profile or for creating a profile on a bulletin board we will probably never visit again. If this password was “hacked” it would cause us no trouble because we have not used it anywhere we care about. It is never used to protect data or access to data.
Password Recipe Basics:
Depending on the type of password outlined above you may have restrictions placed on the contents of a password. A password may have to meet one or more of the following criteria as determined by the administrators of the resource you are attempting to access:
- Must be 8 (or more) characters in length.
- Must contain at least one Alpha character.
- Must contain at least one upper-case and one lower-case alpha character.
- Must contain at least one numeric.
- Numerics must not be sequential.
- Must contain one non-alphanumeric character.
Let’s examine these one at a time –
A. Must be 8 (or more) characters in length.
The total length of the password we choose must be 8 or more characters in length. So we will start with the password “mydoghasfleas”.
B. Must contain at least one Alpha character.
The password cannot just contain numbers (e.g. “12345” or “999999”.) Since “mydoghasfleas” is made up of 13 alpha characters we are adhering to the rule.
C. Must contain at least one upper-case and one lower-case alpha character
The password cannot be all lower-case or all upper-case letters. So “mydoghasfleas” as well as “MYDOGHASFLEAS” are both invalid because of the case restriction. We will have to modify the password to “Mydoghasfleas” to be minimally compliant or to a more compliant “MyDogHasFleas”.
D. Must contain at least one numeric
The password must contain at least one numeric (or number) to be compliant. Since “MyDogHasFleas” contains no numeric we will modify it again to “MyDogHas1Fleas” to be minimally compliant or to a more compliant “MyDogHas12345Fleas”.
E. Numerics must not be sequential
Number sequences used in the password must not contain sequential numbers (e.g. 1234, 09876, or 1111.) We will modify our password from “MyDogHas12345Fleas” to “MyDogHas2Fleas” to be minimally compliant or to a more compliant “My1DogHas2Fleas”.
F. Must contain one non-alphanumeric character
The password must contain a non-alphanumeric character:
Numeric characters = 0123456789
Alpha characters = AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZz
Non-alphanumeric characters = + _ ) ( * & ^ % $ # @ ! ~ = – / \ | }{ [ ]
**NOTE: Some systems will not accept non-alphanumeric characters in their passwords. We will discuss this issue in the “Creating Passwords” portion of this document.
Our password “My1DogHas2Fleas” will be modified to “My1DogHas2Fleas!” to be minimally compliant or to a more compliant “!My1DogHas2Fleas!”.
As you can see we have taken a familiar phrase and turned it into a super-secure password that can be easily remembered. Anyone who has ever played a guitar knows “My Dog Has Fleas.” You could modify a “phrase password” like this one to reflect your personality in any of the following ways:
- “!My3DogsHave9Fleas!”. If you actually own three dogs.
- “!My1CatHas2Fleas!”. In case you are a cat person.
- “!My2KidsHave4Fleas!”. In case you have no pets.
- “!My1HusbandHas2Fleas!”. In case you have no children.
- “!My1HusbandHas2Cars!”. In case you do not like fleas.
- “!My1WifeHas2Purses!” In case you are the husband who has no kids or pets.
Please note that when we use a number in two different locations in the example the second number is always double the first number. Using this method we only have to remember that our password starts with My“n” and will always end with “n”(something). We will discuss this in detail in the next section.
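The six recipe rules A through F can be checked mechanically. The following is an added example, not part of the original article: it runs the article's own “mydoghasfleas” progression through each rule and reports which ones still fail. The function names are hypothetical, and treating three or more adjacent ascending, descending or repeated digits as “sequential” is an assumption, since the article only gives 1234, 09876 and 1111 as examples.

```python
import re
import string

def has_sequential_digits(pw, run=3):
    """True if `run` or more adjacent digits ascend, descend or repeat
    (e.g. 1234, 09876, 1111). The run length of 3 is an assumption."""
    for chunk in re.findall(r"\d+", pw):
        digits = [int(c) for c in chunk]
        for step in (1, -1, 0):          # ascending, descending, repeated
            streak = 1
            for a, b in zip(digits, digits[1:]):
                streak = streak + 1 if b - a == step else 1
                if streak >= run:
                    return True
    return False

def check_recipe(pw, min_len=8):
    """Return the list of recipe rules (A-F) that `pw` fails."""
    failed = []
    if len(pw) < min_len:
        failed.append("A: length")
    if not any(c.isalpha() for c in pw):
        failed.append("B: alpha")
    if not (any(c.isupper() for c in pw) and any(c.islower() for c in pw)):
        failed.append("C: mixed case")
    if not any(c.isdigit() for c in pw):
        failed.append("D: numeric")
    if has_sequential_digits(pw):
        failed.append("E: sequential numerics")
    # string.punctuation contains every non-alphanumeric character the
    # article lists, plus a few more.
    if not any(c in string.punctuation for c in pw):
        failed.append("F: non-alphanumeric")
    return failed

# The article's own progression, from first draft to final password.
STEPS = ["mydoghasfleas", "MyDogHasFleas", "MyDogHas12345Fleas",
         "My1DogHas2Fleas", "!My1DogHas2Fleas!"]

if __name__ == "__main__":
    for pw in STEPS:
        print(f"{pw:20} fails: {check_recipe(pw) or 'nothing'}")
```
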
Assigning Password Categories
There are several ways to create passwords so that they are both meaningful to you and also easy to remember. When you are ready to create a password or to organize all the passwords in your life take a few minutes and create a list of things that are meaningful to you. This list might contain any of the following:
- Hobbies – woodworking, skiing, sailing, painting, etc.
- Pets – current pets, past pets, pets belonging to family members, famous pets, etc.
- Important Street Names – the name of the street on which you were born, grew up, famous streets, etc.
- Memorable Dates – Christmas, New Years, parent’s birthdates, etc.
- Cars – first car, favorite car, worst car, etc.
- People in your life – best friends, bad friends, relatives, etc.
- Memorable Locations – city in which you were born, last vacation destination, etc.
- Food – Favorite, least favorite, foods to which you are allergic, etc.
- Movies – favorite, least favorite, famous, infamous, etc.
- Music – favorite, least favorite, famous, infamous, etc.
- Sports – favorite, least favorite, etc.
- Television – favorite show, least favorite show, famous shows, etc.
Once you have a list, see which category has the most entries. You can use those entries as password keys (since the Super-Secret-Personal-Password is one that you and you alone will know we will not be using it in the examples.) You may also use a different category for each password type. For example:
- Your Personal Passwords are based on foods.
- Your Family Passwords are based on family pets and famous pets.
- The Extended Family and Friends Password is based on people in your life.
- The Employment Password is based on television.
- The Authorization Employment Password is based on sports.
- The Disposable Password is based on music.
Password types that are subsets of each other could be assigned as follows:
- Your Personal Passwords are based on favorite foods.
- Your Family Passwords are based on least favorite foods.
- The Extended Family and Friends Passwords are based on foods to which you are allergic.
- The Employment Password is based on movies.
- The Authorization Employment Password is based on movie actors.
- The Disposable Password is based on television.
Password Traps
There are a few basic rules you should follow when creating your passwords. Your password should never contain any of the following:
- Any part of your Social Security number.
- Any part of your current home or office phone number.
- Any part of your current home address.
- Any part of your children’s, parent’s, or spouse’s name.
- Any part of a current bank account number.
- Any part of a current credit card number.
- Any part of your current Drivers License number.
- Your birth date.
- Any of your family’s birth dates (spouse or children.)
- The word “password”!
All of the above information can be easily discovered by a hacker and could lead to easily breakable passwords. You can avoid that type of information and still have memorable passwords.
Password Tricks
Once you have made some notes regarding what types of passwords you are going to need and selected your password categories to match up to those password types there are some tricks you can use in password creation to make your passwords as strong as possible.
- Intentional Misspelling
- Character Replacement
- “Leet Speak”
- Reverse Words
- Foreign Languages
- Whole Word Replacement
- Capitalization
For examples of the above tricks we will be using the sample password “password2006” but please remember that your password should never contain the word “password” or any derivation of same.
Intentional Misspelling
To make a password more secure you could intentionally misspell all or part of the word to prevent a “dictionary scan” hack. The password “password2006” could become any of the following using intentional misspelling:
- Passwrd2006
- Pasword2006
- Pazzword2006
- Pazzwerd2006
- Passwurd2006
Character Replacement
To make a password more secure you can also replace characters in the password to prevent a “dictionary scan” hack. The password “password2006” could become either of the following using character replacement:
- Passw0rd2006 (the o in word is replaced by a 0 (zero))
- Password2oo6 (the 0’s (zeroes) in 2006 are replaced by o’s (Ohs))
“Leet Speak”
In the on-line world there is a subculture mostly made up of computer gamers who have their own language called “Leet Speak”. The made-up word “Leet” is derived from the word “Elite” and “Speak” is derived from the word “Speech”, so “Leet Speak” is actually “Elite Speech.”
The main characteristic of this language is that character replacement is taken to the extreme. Leet Speak can be a very handy tool to use in password creating because you will not find a single “Leet” word in the dictionary. The very basics of Leet Speak include the following:
The letter “e” or “E” is replaced by the number “3” which looks like a backward capital “E”.
The letter “l” or “L” is replaced by the number “1” which looks like a lower-case “L”.
The letter “t” or “T” is replaced by the number “7” which looks like a capital “T”.
Apply these rules to the name “Leet Speak” and the name becomes “1337 Sp3ak”.
Another feature of Leet Speak is non-random character capitalization wherein every other letter is capitalized starting in the second position (e.g. the Leet name “1337 Sp3ak” becomes “1337 sP3Ak”.) It may look like just junk but if you remember the three letter replacement rules and apply the non-random capitalization, you will end up with very strong passwords that are simple to remember.
Reverse Words
To prevent a “dictionary scan” hack you can also use the Reverse Words (or spelling) method. Using this method the password “password2006” would become “drowssap2006”.
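The rule stated above, that a password should never contain the word “password” or any derivation of it, can be enforced by undoing the tricks before looking for the banned word. The following is an added example, not part of the original article: it reverses the article's character replacement (0 for o), its three basic Leet Speak rules and the reverse-word trick. The function names and the default banned list are hypothetical.

```python
# Substitutions named in the article: character replacement (0 for o)
# and the three basic Leet Speak rules (3 for e, 1 for l, 7 for t).
UNDO = str.maketrans({"0": "o", "3": "e", "1": "l", "7": "t"})

def normalise(pw):
    """Lower-case the password and undo the digit-for-letter swaps."""
    return pw.lower().translate(UNDO)

def banned_derivation(pw, banned=("password",)):
    """Return (word, trick) for the first banned word found, else None.

    `banned` holds lower-case words; the default is the one word the
    article forbids, and callers can add their own entries.
    """
    plain = pw.lower()
    swapped = normalise(pw)
    views = [
        ("as written", plain),
        ("character replacement / Leet Speak", swapped),
        ("reverse word", plain[::-1]),
        ("reverse word + replacement", swapped[::-1]),
    ]
    for word in banned:
        for trick, text in views:
            if word in text:
                return word, trick
    return None

# Candidates taken from the article's own examples.
CANDIDATES = ["Password2oo6", "Passw0rd2006", "drowssap2006",
              "!My1DogHas2Fleas!"]

if __name__ == "__main__":
    for pw in CANDIDATES:
        print(f"{pw:20} {banned_derivation(pw)}")
```
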
Foreign Languages
Most “dictionary scan” hacks use the English dictionary as a base. If you are fluent in a foreign language you could use the foreign language version of a word or words to increase the strength of your password. Since the word “password” is a creation of the English language, we will look at translations of the word “private.” Using this method our password “Private2006” becomes any of the following:
- Spanish – “soldado2006”
- French – “prive2006”
- Latin – “Privatus2006”
- German – “Privat2006”
Whole Word Replacement
You can replace certain words with numbers to increase the strength of your passwords:
- 4 replaces four or for (or fore)
- 2 replaces two, to, or too
- 8 replaces eight or ate
- 1 replaces one or won
- U replaces you
- Y replaces why
Examples:
- Iwonthecontest becomes I1thecontest
- Anewcarforme becomes Anewcar4me
- Goingbacktocali becomes Goingback2cali
- ThefinestdinnerIeverate becomes ThefinestdinnerIever8
- Iloveuto becomes IloveUto
- Whythelongface becomes Ythelongface
Capitalization
You can consistently capitalize certain consonants or vowels to add security to your password.
Examples:
- Consonants always capitalized – iwonthecontest becomes IWoNTHeCoNTeST
- Vowels always capitalized – iwonthecontest becomes iwOnthEcOntEst
- First and last letters always capitalized – iwonthecontest becomes IwonthecontesT
Password Algorithms
Now that we are aware of the password types, categories, basics, traps, and tricks, we can start to assemble our own personal password algorithm (PPA). An algorithm is simply a structured process. By applying an algorithm to our password creation process we can ensure that all of our passwords do not have to be memorized since we can always apply our algorithm and figure out what password we created for which password type. Here are some possible algorithms you could use:
1. Name/Date Assignment Algorithm
Algorithm = (First five characters of name) + (important date) + (2nd character capitalized)
When you create a password of any type you use the first five characters of the function name as part of the password. For example, you are creating a password for your on-line bank “Bank of the West.” Using the first five characters of the bank’s name your password would start with “banko”.
We will add an important date to this password (your wedding date) to make it match the password requirement for the site – “banko041395”
We will then capitalize the second character of the name – “bAnko041395”.
Other examples:
- Online store password for Amazon – aMazo041395
- Network password for a person working at a business called “Waterson Engineering” – wAter041395
- Password to secure data on their Gateway PC – gAtew041395
As you can see, the password does not have to be memorized – only the algorithm has to be remembered to access any of this person’s accounts or secured data. If the password was to ever be compromised, you would only need to change the important date used to have a completely new set of passwords. The important date could also be different for each password type:
- Your Personal Password date = the date you graduated college.
- Your Family Password date = Grandma’s birth date.
- The Extended Family and Friends Password date = the date of the new millennium (010101)
- The Employment Password date = the date of your last or next review (don’t use your hire date as that can be found in your employment records.)
- The Authorization Employment Password date = the date of your last or next review date (don’t use your hire date as that can be found in your employment records.)
- The Disposable Password date = first Independence day for the United States (07041776).
Remember, you do not need to write down your passwords and when you document your “password type key” you do not actually write down the dates, you just write down the date description. Your list might look something like this:
- Personal Password = graduated college
- Family Password = Grandma’s birthday
- Extended Family and Friends Password = millennium
- Employment Password = review
- Authorization Employment Password = review
- Disposable Password = Independence day
Even if someone saw your list, only you would know that all the clues point to dates and depending on who sees the list they may not know your Grandma’s birth date or when you graduated college.
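The Name/Date Assignment Algorithm written out as code. This is an added example, not part of the original article: it reproduces the article's four sample passwords and the change of date after a compromise. The function names are hypothetical, and skipping spaces and punctuation in the name is an assumption taken from the article's “Bank of the West” becoming “banko”.

```python
import re

def name_date_password(name, date, prefix_len=5):
    """(first five characters of name) + (important date),
    with the 2nd character capitalized."""
    # Spaces and punctuation are skipped: "Bank of the West" -> "banko".
    letters = re.sub(r"[^a-z0-9]", "", name.lower())
    if len(letters) < 2:
        raise ValueError("name needs at least two letters or digits")
    if not date.isdigit():
        raise ValueError("date must be written as digits, e.g. 041395")
    prefix = letters[:prefix_len]
    return prefix[0] + prefix[1].upper() + prefix[2:] + date

def password_set(names, date):
    """Passwords for several accounts that share one important date."""
    return {name: name_date_password(name, date) for name in names}

# Account names and the wedding date 041395 are the article's examples.
ACCOUNTS = ["Bank of the West", "Amazon", "Waterson Engineering", "Gateway"]

if __name__ == "__main__":
    current = password_set(ACCOUNTS, "041395")
    # After a compromise only the date changes (010101 is the article's
    # "millennium" date); no password from the old set survives.
    rotated = password_set(ACCOUNTS, "010101")
    for name in ACCOUNTS:
        print(f"{name:22} {current[name]:14} -> {rotated[name]}")
    assert not set(current.values()) & set(rotated.values())
```
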
2. Movie/Star Initials/Address Number Algorithm
Algorithm = (Movie Title or Movie Title Initials) + (Movie Stars Initials) + (Street Address Number)
When you create a password of any type you use the name of a favorite movie and the initials of that movie’s star actor as the first part of the password. For example, you are creating a password for your on-line bank “Bank of the West” using the movie “Stagecoach” starring John Wayne. The password would start with “stagecoachJW”.
We will add a memorable street address or zip code to make it match the password requirement for the site – “stagecoachJW90210”. 90210 is the zip code for Beverly Hills, where many of Hollywood’s stars live. We could also use the street address of the first house in which we lived (1243 Pine Street) – “stagecoachJW1243”.
The capitalize requirement is satisfied by the fact that initials are always capitalized.
Other examples:
- Online store password for Amazon – “africanqueenHB1243”
- Network password for a person working at a business called “Waterson Engineering” – “brigeovertheriverkwaiAG1243”
- Password to secure data on their Gateway PC – “meetmeinstlouisJG1243”
When creating passwords using this algorithm the first film that comes to mind is the one you should use. If you over-think it, you will have problems remembering which film you chose for each site. Also note that the same password could be used for all of the above examples – just select your favorite movie and actor.
3. Hobbies/Age Algorithm
Use your love of your hobby to create passwords. For these examples we will use the hobby of woodworking.
Algorithm = (Hobby Name) + (Hobby Material) + (Spouses Age)
When you create a password of any type you use the name of a favorite hobby and the age of your spouse. Since the spouse’s age will change every year you may select the spouse’s age when you met, when you got married, etc. If you select your spouse’s current age it will have the benefit of forcing you to update all your passwords every year. For example, you are creating a password for your on-line bank “Bank of the West” using the hobby “woodworking” using “pine” (you would use your most favorite or least favorite wood.) The password would start with “WoodworkingPine”.
We will add the age of our spouse when we first met to make it match the password requirement for the site – “WoodworkingPine19”.
The capitalize requirement needs to be satisfied and you could modify this algorithm to capitalize the third letter or the last three letters – it is up to you.
Other examples:
- Online store password for Amazon – “wOOdworkingTeak19”
- Network password for a person working at a business called “Waterson Engineering” – “WoodworkingbAlsA19”
- Password to secure data on their Gateway PC – “woodWORKINGwalnut19”
When creating passwords using this algorithm the different woods should be assigned to different password classes for consistency. You could consistently use the same wood and assign a different type of woodworking operation to each category:
- Personal Password = Sanding
- Family Password = Planing
- Extended Family and Friends Password = Sawing
- Employment Password = Staining
- Authorization Employment Password = crosscutting
- Disposable Password = laminating
Those are just three example algorithms. There are an unlimited number to be created and used. Find the one that works best for you and comes to mind easiest and start creating passwords to fit that algorithm.
Storing Passwords
There will be times when you need to store a password or a list of passwords somewhere. While you have complete control over the passwords you create you may be assigned passwords by your employer or sent passwords by family and friends. Since these passwords will not be created using your personal password algorithm they may be more difficult to remember. If you have to write them down, remember that there are a few bad practices when it comes to storing passwords:
- Never write passwords down and store them in plain sight. A password written on a post-it note on your monitor is begging to be stolen.
- Do not send an e-mail that contains both a password and the user id (or login name.) Send one e-mail with the user id and then a second e-mail with the password.
- Do not store passwords sent to you via e-mail in your in-box. Copy them to a Word document and save that document with a password or copy the passwords to a document and then encrypt the document.
- Do not save important passwords for secure web sites in your browser. Both Internet Explorer and Firefox have the ability to save the login information for different websites in your browser. If your computer is stolen and has no login password (or the computer’s login password is compromised), the thief will have access to all the on-line stores, banks, and work related web pages which you have accessed.
There are also some good practices in regards to storing passwords:
- If you are going to keep a written list of passwords, keep them on a single sheet of paper and store them in a security envelope. Write your name in pen on the seal of the envelope. Every time you have to open the envelope, replace it with a new one. If you ever find that the envelope has been opened, change your passwords.
- Write all passwords in the document in reverse letter/number order.
If you find yourself with numerous passwords you may want to avoid the pitfalls of written passwords completely. There are several freeware “password vault” utilities available via the Internet:
Oubliette – http://www.tranglos.com/free/oubliette.html
Password Safe – http://sourceforge.net/projects/passwordsafe/
KeePass – http://keepass.sourceforge.net/features.php
These programs can be used to encrypt and store all your passwords. Just be sure to place a very secure password on the program to prevent your passwords from being stolen.
While it may seem like a lot of work to create, manage, and secure your passwords it is very little effort when compared to recovering your identity after it is stolen or having to recover funds that were stolen out of your bank account.
Create your personal password algorithm and then keep it safe.