by Carl Anctil
Today you are all very lucky: I am going to share my secret recipe for choosing passwords. I have been using this method for several years (over 8, in fact), and at this point I feel it has passed the test of time. The formula is simple and effective, and the result is a different strong password for every site or application you use it on. This is how it works.
First, choose a word of at least 8 characters. This secret word must have no meaning, relation or association that could connect it back to you, to a website or to an application. That means no maiden names, pet names, birthdays, etc.; the same rules as before for choosing strong passwords apply. For this example, the secret word will be elephant.
Second, choose a secret 4-digit PIN. Again, this PIN must not have any meaning to you; we don't want anything that could be easily guessed. For this example our 4-digit PIN will be 1234.
Third, pick one special character, such as a punctuation mark. We will use the @ character.
Let's say we need a password for a website. We'll use www.paypal.com as the example.
- drop the www and the top-level domain (.com); we end up with paypal
- pick a letter position in the resulting word as the key. This must be the same every time; to keep it simple, let's use the first letter. Match the key letter from the domain (p) with its first occurrence in your secret word, like so: ele(p)hant
- replace that letter with your secret PIN: ele1234hant
- capitalize the remaining letters after the PIN: ele1234HANT
- add your special character wherever you like, as long as you put it in the same place every time (here, at the end): ele1234HANT@
The resulting password is: ele1234HANT@
What you end up with is a 12-character password that contains letters, numbers, at least one upper-case letter and at least one special character, and that differs from site to site. All you have to remember is one formula instead of several distinct passwords. Works for me.
In addition, this method gives you a password that is very unlikely to appear as-is in any dictionary or rainbow table. I like that. Keep in mind that its strength still rests entirely on the secret word and PIN staying secret: every password the formula produces contains both, so treat them with the same care as a master password.
Should the key letter for the domain or application not occur in your secret word, move forward through the alphabet until you reach a letter that does. Instead of paypal, take www.bank.com: there is no b in elephant, and no c or d either, so the first e is the match. The result in this case is 1234lephant@ (or 1234LEPHANT@ if you apply the capitalization step to everything after the PIN; pick one convention and keep it).
Without that step there are no capital letters, but 3 rules out of 4 isn't bad. Besides, you can easily add a capital letter anywhere should you really want one.
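The formula above, including the fallback for a key letter that is missing from the secret word, as an added example written as a small Python script (this is not code from the original post). It applies the capitalization step to every letter after the PIN, always puts the special character at the end, takes the first remaining label for hostnames with more than two labels, and wraps from z back to a when advancing through the alphabet, as one of the replies below describes; those choices are assumptions, as are the constructed inputs. The last function is the check a reviewer would want to see: a single leaked password from this scheme gives away the PIN and all but one letter of the secret word.

```python
"""Added example: the password formula from the post, made reproducible and
checkable. Not code from the original post."""
import re
import string

# Constructed inputs taken from the post's own walkthrough.
SECRET_WORD = "elephant"
PIN = "1234"
SPECIAL = "@"


def site_keyword(hostname: str) -> str:
    """Step 1: drop a leading 'www' label and the top-level domain.

    www.paypal.com -> paypal. For hosts with more labels (assumption: the post
    does not cover them) the first remaining label is used: shop.example.co.uk -> shop.
    """
    labels = [part for part in hostname.lower().strip().split(".") if part]
    if labels and labels[0] == "www":
        labels = labels[1:]
    if len(labels) > 1:
        labels = labels[:-1]
    if not labels:
        raise ValueError(f"no usable label in {hostname!r}")
    return labels[0]


def match_index(secret: str, key: str) -> int:
    """Step 2: index of the first occurrence of the key letter in the secret word.

    If the key letter is absent, advance through the alphabet (wrapping from z
    back to a; assumption taken from the replies to the post) until a letter
    that does occur is found, and use its first occurrence.
    """
    alphabet = string.ascii_lowercase
    start = alphabet.index(key)
    for offset in range(len(alphabet)):
        letter = alphabet[(start + offset) % len(alphabet)]
        idx = secret.find(letter)
        if idx != -1:
            return idx
    raise ValueError("secret word contains no letters a-z")


def derive_password(hostname: str, secret: str = SECRET_WORD,
                    pin: str = PIN, special: str = SPECIAL) -> str:
    """Steps 1-5 of the formula; the special character always goes at the end."""
    secret = secret.lower()
    key = site_keyword(hostname)[0]
    if key not in string.ascii_lowercase:
        raise ValueError(f"key letter {key!r} is not a-z")
    idx = match_index(secret, key)
    head = secret[:idx]                 # letters before the matched one
    tail = secret[idx + 1:].upper()     # step 4: capitalize everything after the PIN
    return f"{head}{pin}{tail}{special}"


def recover_from_leak(password: str):
    """Check worth knowing: given one password from this scheme and knowledge
    of its layout, return (secret word minus the replaced letter, PIN).
    Every other password from the same user differs only in where the PIN sits."""
    digits = re.search(r"[0-9]+", password)
    if digits is None:
        raise ValueError("no PIN-shaped run of digits found")
    letters = "".join(ch for ch in password if ch.isalpha()).lower()
    return letters, digits.group(0)


if __name__ == "__main__":
    for host in ("www.paypal.com", "www.bank.com"):
        pw = derive_password(host)
        print(host, "->", pw, "leaks", recover_from_leak(pw))
    print("lemonade / paypal ->", derive_password("www.paypal.com", secret="lemonade"))
```

Running it reproduces ele1234HANT@ for www.paypal.com and gives 1234LEPHANT@ for www.bank.com (capitalization applied consistently); with the secret word lemonade the key p wraps around to a and yields lemon1234DE@. The recovery function shows why the secret word and PIN must never be reused anywhere else.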
Hope this helps when choosing strong passwords. No more passwords on post it notes!
People also tend to make their passwords as short as allowed (4-6 characters). While this makes their passwords easy to remember it also makes them easy to figure out or hack. Instead of using a single word such as “Astaro01” for example, some people believe they are clever and add a symbol into the mix, making the password “Ast@ro01”. This fools no one, and programs designed to figure out passwords are aware of this “technique”. Instead of using a single word, try using a short memorable phrase; for example you could use “the ASG 425 is a great Security product”. Also create an arbitrary rule for yourself. For instance you can replace all a's with a symbol other than @ and only use the first two letters of each word instead of the entire word, so you would have “the%s42is%grSepr”.
Whew….waay too complicated for me. Phrases seem much easier: “I was married in San Francisco California on Sept 3 => IwmiSF,Co9-3 or similar.
Why not make passwords like: haF31@lGz%11xC#02S9 and then copy paste them from an encrypted text document?
Strong security requires a password of more than 14 characters. A truly complex password incorporates mixed-case letters, numerals and special characters. Many sites require that your email address prefix be used as your logon name. This means half your logon credential is compromised before you can use the account.
(Each time you experience a site that doesn’t support strong, complex passwords, write to the technical contact of the domain you just registered at, demanding to know when they are going to have decent security. Eventually they will come around. )
To create a random password that is moderately secure, secure enough to be used widely, take two uncommon names or words, such as the names of drugs. Take 4 characters from the middle of the first, four from the second, and scramble the order of the 8 characters. Do a Google search and open the first link. Open a command prompt and ping the domain name. You’ll get an IP address. Take 2 digits from that address and insert them into the string of letters.
It’s easy to generate random passwords, but the problem with having many random passwords is that it’s hard to remember them all. What’s needed is a way to store them that is secure.
Well, there are better, more secure ways to generate secure credentials for web use, ones that don’t bog down when you encounter one of the majority of sites that don’t allow true complex passwords, or passwords of length greater than 8.
Using a password vault with a strong, complex key is part of the solution. A password vault will allow you to use a unique logon name for each domain, and the same reasonably complex password for every site. The combination is a _much_ longer, _more_ complex password.
Solve the username/mailbox name problem by registering a domain and setting up minimal webhosting of that domain with a hosting service such as GoDaddy that charges about $1/week or less for hosting service. All such providers offer free catchall mail forwarding. Catchall mail forwarding allows you to create a unique mail address for each site you visit, with no requirement for you to administer email accounts. All mail sent to your domain is then forwarded to your ISP mailbox.
This works well for sites like this where they want just your email address to post. You can make the address sitename@mydomainname, and if validation is needed you’ll get the validation message.
For better security when you register at a site, create a less predictable logon name for it using any method you choose. Once you log on successfully to the site, send an email to logonname@yourdomain.com with the site name as the message. You now have a record of the logonname and site. Your password, which you’ve never written down, is still secure.
There are many ways to generate usernames based on website names, but here’s my favorite.
Use Excel or another program to randomly select two 8-digit numbers as your permanent keys. You should be able to memorize them because they are shorter than a phone number and you won’t have to keep changing them. Use one 8-digit number as the master password for your browser, the second to generate usernames.
Use the first 6 digits of the first 2 digits of the second number 6 characters from the site name. Use the 7th digit count out the corresponding number character in the site name. Take that letter and count its alphabet position. If it is greater than 10, subtract 10. Call the result “X”
Write out the letters you selected, insert the last digit of the second 4-digit number after the X-th character. Insert the first digit of the first 4-digit number after it. Your logon name will then look something like LL##LLLL.
I like the flossing analogy – but passwords are like flossing each tooth differently.
This only works if your “secret word” contains a letter that matches the one from the website.
As in the example, if your “secret word” did not have the letter P in it (maybe your secret word was lemonade), what would you do?
Don R:
It’s mentioned in the instructions. Advance thru the alphabet from the chosen letter, and loop around to the start if necessary. For “lemonade” you’d have to go P-Q-R-S-T-U-V-W-X-Y-Z-A. So the match would be “A”.
Right — people have enough trouble remembering simple passwords and now you want them to remember a gimmick for creating a complex password? Sounds like a quick means of getting people to write things down on a post-it note! Any user that can remember the formula or would spend time to work it out is probably already generating strong passwords on their own.
Sure, encourage people to use a password or phrase that others would not readily associate with them (no pet names, no birthdays, car models, etc.) — but then why not make it easier and show them quick substitutions for letters / numbers / special symbols, a process that surely would more readily encourage and incite them to create strong passwords than some formula would.
Why add complexity when you don’t need to?