2.19.2011

my system for managing passwords

The perils of password reuse, though known since time immemorial, have been making headlines lately. I would guess that 99% of everyone I know and likely the same percentage of people reading this are guilty of that sin, as was I till I developed a system that works with all devices, involves no software or hardware, does not require writing anything down, and allows me to easily remember dozens and dozens of passwords even if I haven't used them for years.

It works by combining some random but easily remembered made-up word with a description of the service I'm logging into. How do you easily remember a random made-up word? Originally I chose a poem from a Dr. Seuss book I memorized as a child, but I've since moved to the lyrics of a foreign song that I spelled out phonetically using standard characters. I'll never forget either, and the poem is full of bizarre Seuss-isms not found in a dictionary. Anything that's non-standard English that you can remember will do the trick, from a limerick to Snoop Dogg lyrics.

Once you've memorized a few sentences or stanzas, pick out a handful of the oddest words, apply a healthy dose of leet speak and SensiblE CasE mOdIfIcAtIOns that'll be easy to recall, and you should have a good set of five or six base passwords. Now you just need to decide how you're going to describe the service you're logging into.

It's a good idea to be as specific as possible: H0ckZ0ckergmail is better than H0ckZ0ckeremail, because someday down the line you may decide to open an email account somewhere else. H0ckZ0cker-GM or H0ckZ0cker-GML are better still. Anyone who gets hold of one of your passwords in plaintext also gets your base word, so the site tag is all that stands between them and your other accounts; if they suspect you're using a system that incorporates the site name, an abbreviation forces them to guess how you abbreviate, and a hyphen or other non-alphanumeric character separating the halves adds length and a character class on top of that.
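The scheme above, as an added example that is not part of the original post: a small Python script that derives per-site passwords from a base word and a site tag, then plays the attacker who holds one leaked password, knows which site it came from and suspects this kind of scheme, and counts how many guesses it takes to reach another site's password. The base word, the three tagging styles (full name, two-letter initials, first three consonants) and the list of separators tried are my assumptions, modelled on the H0ckZ0cker examples, not the post's exact rules.

```python
"""Derive per-site passwords (base word + separator + site tag) and estimate
how many guesses an attacker needs once one of them has leaked.

Hypothetical convention for illustration; the tag styles and separators are
assumptions, not the original post's exact rules."""

# Ways of turning a service name into a tag, from most to least obvious.
TAG_STYLES = ("full", "initials", "consonants")
# Separators an attacker who suspects this kind of scheme would try.
SEPARATORS = ("", "-", "_", ".")


def site_tag(site: str, style: str) -> str:
    """Turn a service name into a short tag using one of the assumed styles."""
    name = site.lower()
    if style == "full":
        return name                                    # gmail
    if style == "initials":
        return name[:2].upper()                        # GM
    if style == "consonants":
        return "".join(c for c in name if c not in "aeiou")[:3].upper()  # GML
    raise ValueError(f"unknown tag style: {style}")


def derive(base: str, site: str, style: str = "consonants", sep: str = "-") -> str:
    """The post's construction: memorised base word, separator, site tag."""
    return base + sep + site_tag(site, style)


def candidate_bases(leaked: str, leaked_site: str) -> list:
    """Base words an attacker can peel off a leaked password when they know
    which site it belonged to: strip every tag/separator combination that fits."""
    bases = []
    for style in TAG_STYLES:
        tag = site_tag(leaked_site, style)
        for sep in SEPARATORS:
            suffix = sep + tag
            if leaked.endswith(suffix):
                base = leaked[: -len(suffix)]
                if base and base not in bases:
                    bases.append(base)
    return bases


def guesses_to_crack(leaked: str, leaked_site: str,
                     target_site: str, target_password: str):
    """Count the attacker's guesses against target_site before hitting the
    real password, trying every recovered base, separator and tag style.
    Returns None if the password lies outside the assumed search space."""
    guesses = 0
    for base in candidate_bases(leaked, leaked_site):
        for sep in SEPARATORS:
            for style in TAG_STYLES:
                guesses += 1
                if base + sep + site_tag(target_site, style) == target_password:
                    return guesses
    return None


if __name__ == "__main__":
    # Constructed example: the same base word tagged two ways for Gmail,
    # then the attacker's cost of reaching the bank password from each leak.
    base = "H0ckZ0cker"
    for style, sep in (("full", ""), ("consonants", "-")):
        leaked = derive(base, "gmail", style, sep)
        bank = derive(base, "bank", style, sep)
        print(f"{leaked!r} leaked -> {bank!r} found in "
              f"{guesses_to_crack(leaked, 'gmail', 'bank', bank)} guess(es)")
```

With the plain site name appended, the leaked password hands over the base word outright and the bank password falls on the first guess, no better than reuse. With the consonant abbreviation and a hyphen it takes a few more guesses, which is the point made above, but still only a few, and each one is an online login attempt the target site may or may not rate-limit. Treat a leak of any one of these passwords as a reason to rotate the base word everywhere, not just on the account that leaked.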

Getting started with this method is just a matter of changing the password for the two or three things you have to log into most; make them things your browser isn't remembering for you, like your bank. Once you're in the habit of doing it, switching back to your old reused password for other things will start to irritate you and you'll change them too. Every six months to a year, change your base word (updating each account as you go, or keeping track of which accounts still use the old base); I do mine every year after my birthday.

There are a couple of gotchas. If a service you don't use often decides to change names, like Farkie did when it became Gazzump, you may have to do some googling if you can't recall its original name. Also, if you're using a service that won't accept the long passwords this method generates, I suggest you complain loudly or find a new service.

I hope this helps folks who otherwise wouldn't spend time thinking about this sort of thing. If you happen to be one of those people who is currently thinking "I have nothing of value, hackers aren't going to come after me", then there's not much I can do to help you with your delusions. Attacks on reused passwords are automated: a list leaked from one site gets tried against many others, and nobody has to decide that you in particular are worth the effort. People in low-income neighborhoods may not possess much of value, but that doesn't stop break-ins; crime for the sake of crime happens every day, and there's no reason to make yourself an easy target.