How to Make Good Passwords

by Michael


Note: This is a repost from last year. At the time I was using my tumblr as a single unified blog. That got a bit out of hand. My posts there didn't really fit tumblr all that well, and my informal reposting of funny or entertaining things didn't mix well with the types of longer technology and media oriented posts I've always enjoyed making, and now put here. The post isn't really any less valuable than it was when I first posted it, and I've had more than one person mention it to me in the last few days. As such, I'm reposting it in its entirety here.

------

Everyone uses passwords pretty extensively these days. Having passwords to an ever-growing number of accounts on various systems is a by-product of functioning in today’s society. There’s no escaping it. Unfortunately, people are very bad at making good passwords.

This doesn’t seem to be a point that anyone argues. It’s more or less commonly accepted wisdom that people mostly do not make good passwords. Whether we’re looking at a serious analysis of passwords people frequently use (http://www.smartplanet.com/blog/business-brains/top-20-most-common-passwords-of-all-time-revealed-8216123456-8217-8216princess-8217-8216qwerty-8217/4519) or we’re joking about passwords (1995’s hilarious, and awesomely terrible, punk-hacker film “Hackers” jokes that the most common passwords are “Love,” “Sex,” “Secret,” and “God”), we know a lot of people use the same things for passwords. It shouldn’t be very difficult to understand that if many other people use the same password you do, it’s easier to compromise.

This points to the first, and most frequent, problem with most passwords people use: they are too common and, by extension, too likely to be guessed. Here I’ll start making a list of requirements for a good password. We already have points one and two.

  1. A password should be unique.
  2. A password should be difficult to guess.

There’s a reason I’ve separated those two items instead of making them the same point. After all, if I have a one-of-a-kind name (let’s pretend my parents named me “Mykul.”) and use my first name as my password, it is a unique password but not one that is difficult to guess.

So far, I’m fairly sure I’m not telling anyone anything they don’t already know or haven’t already thought of at some point. To continue, let’s talk about another thing most people (myself included, until recently) do in their handling of passwords. Once a person has decided upon one, two, or three passwords, he or she tends to stop making new ones—instead using the same passwords to cover the entirety of their digital identity. Historically this might not have been a huge issue, but recent events have shown how significantly times have changed.

Three recent huge data breaches have compromised immense numbers of user accounts: Gawker media (1.25 million accounts, 500,000 e-mails, 185,000 decrypted passwords), Epsilon (unknown number of e-mail addresses for customers of Walgreens, Citigroup, Best Buy, and many more large corporations), and of course the Sony PlayStation Network and follow-up Sony Online Entertainment breaches (~77 million accounts compromised, including any stored e-mail addresses, potentially passwords (unknown security there), possible credit card information, and real-world addresses in the former, 12,700 non-US Credit Cards in the latter). With the Gawker and Sony breaches, passwords either WERE compromised, or have the potential to have been (it’s still unclear in the Sony debacle how the passwords were stored—standard practices should make it so the passwords themselves were never stored, but I don’t recall Sony ever leading us to think they did this correctly—while they’ve certainly made statements that imply otherwise).

What this means is that you can’t use the same passwords everywhere. If one website or account doesn’t handle password security correctly and is compromised, someone suddenly has the password you use for huge portions of your life. This gives us a new point on our list of what makes a good password:

  1. A password should be unique.
  2. A password should be difficult to guess.
  3. A password should be unique to the specific account it is for, at least for every account with sensitive information.

Uh-oh. I think you see the snag we’ve just hit. We have so many accounts on the internet, at work, at school, and even on our home computers. To have unique passwords for even a large subset (the most important) of these accounts seems to be asking far too much of our human memories. It’s one thing if we’re using the same odd password for every account. Sheer frequency of use would embed it into muscle memory. When we have to think of the password for every different account to which we connect, though, the familiarity of use is gone.

Some people try to fix this by writing down their passwords. Bad idea. A large proportion of hacking isn’t even done through hugely technical means. Much of it is simple social engineering. Are you endeavoring to make things even easier for assailants by leaving your passwords lying around? You shouldn’t ever tell a person your password, nor should you have it written down. So that gives us our fourth and final requirement for a good password.

  1. A password should be unique.
  2. A password should be difficult to guess.
  3. A password should be unique to the specific account it is for, at least for every account with sensitive information.
  4. A password should be easy for its owner to remember.

Hmm. This is a pretty clear set of requirements. It also is a set of requirements that can prove difficult to reconcile. We’re now in a position where we want to make good passwords and know what defines a good password. That doesn’t mean we know how to make one. So, what’s a person to do? That’s what I’m here for.

Here are a few basic steps for making consistently good passwords, which I’ll illustrate by walking you through coming up with a new hypothetical password. It’s a system I’ve used for some time, recently extended to account for point 3 above. I came up with it on my own in my freshman year of college, but in discussions I’ve found that others have come up with the same system (or a similar one) independently. It works.

Step 1: Think of a sentence you will not forget. It should be something very specific to you, but easy to remember. Make sure it has a proper noun or two in it. For my example here, I’ll go with the following sentence:

I think Christopher Nolan is the best director ever.

Simple enough, right? It’s easy to remember for me because, well, I think Christopher Nolan is the best director ever.

Step 2: Now take the first letter of each word, respecting capitalization, and string them together in order. In my example:

I think Christopher Nolan is the best director ever.

becomes

ItCNitbde

Now we’re getting somewhere.

You might be tempted to stop there. After all, no one is going to guess “ItCNitbde” when trying to get into your account. Still, we’re going to take this a bit further (especially because many systems require numbers or symbols in order to try to force users to make more unique passwords).

Step 3: Think of a number that has some sort of significance to you. It really doesn’t matter what it is, as long as it’s something you can remember. For my example, I’m going to use the year Christopher Nolan’s The Dark Knight (my personal favorite of his films—though I might argue Memento is his best) was released: 2008. Break the number into two parts. In this case, 20 and 08. Now put one part before the character string we have, and one after. This gives me:

20ItCNitbde08

This is looking promising, isn’t it?

At this point, we’ve fulfilled a few of our requirements.

  1. A password should be unique. Check.
  2. A password should be difficult to guess. Check.
  3. A password should be unique to the specific account it is for, at least for every account with sensitive information.
  4. A password should be easy for its owner to remember. Check. All I have to remember is the phrase and that my favorite movie came out in 2008.

Requirement 3, though, is a problem. Let’s deal with that now.

Step 4: For every account, insert a short one-, two- or three-character string based on the name of the account, either after the first numbers or before the last ones. What this means is that my passwords for the following accounts would be:

Google: 20GooItCNitbde08

Amazon: 20AmaItCNitbde08

Apple/iTunes: 20AppItCNitbde08

Yahoo: 20YahItCNitbde08

You get the idea. What this does is give you a common password system you can use across your accounts, rather than a common password, with a simple variable to change based on the website/account itself. In this situation, a single password being compromised through a system on which you have a presence will only compromise that one password. In order for someone to figure out what part of your password you’re changing from one system to the next in order to gain access to your digital identity at large, they would need to gain access to several of your passwords OR get one password and already know what system you’re using.

(You could, of course, complicate matters by changing the “Goo” or “Ama” 3-letter string to something else based on the site’s name. For instance, you could choose to hit the keys one letter before or after the first three letters of a site’s name: “Goo” would become “Fnn” and “Ama” would become “Zlz” for instance. This is probably unnecessary extra obfuscation, but it’s an option if you want it.)
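Steps 1 through 4 above, including the optional letter-shift variant, are mechanical enough to write down as a short script. The following is an added example, not code from the original post; it reproduces the post's own values (sentence, 2008, the Google/Amazon/Apple/Yahoo tags) and adds a `check_password` helper that tests only what a program can test: membership in a small constructed common-password list (a stand-in for the kind of top-20 list the post links to), a minimum length (12 is my assumption, not a figure from the post), and the presence of upper-case, lower-case and digit characters that many sites require. Requirements 1 and 4 (unique, memorable) are about the person, not the string, so no code checks them.

```python
import re
import string

# Constructed stand-in for a published "most common passwords" list.
# A real check would load a large list; the post links to a top-20 compilation.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "princess", "abc123", "letmein"}


def initials(sentence):
    """Step 2: the first letter of each word, capitalization preserved."""
    words = re.findall(r"[A-Za-z]+", sentence)
    return "".join(word[0] for word in words)


def split_number(number):
    """Step 3: break the significant number into two halves ("2008" -> "20", "08")."""
    mid = len(number) // 2
    return number[:mid], number[mid:]


def site_tag(site, length=3, shift=0):
    """Step 4: a short tag taken from the account name.

    shift != 0 applies the post's optional letter-shift variant:
    shift=-1 turns "Goo" into "Fnn" and "Ama" into "Zlz" (A wraps to Z).
    """
    tag = site[:length]
    if shift == 0:
        return tag
    shifted = []
    for ch in tag:
        if ch.isupper():
            alphabet = string.ascii_uppercase
        elif ch.islower():
            alphabet = string.ascii_lowercase
        else:
            shifted.append(ch)  # non-letters are kept as they are
            continue
        shifted.append(alphabet[(alphabet.index(ch) + shift) % 26])
    return "".join(shifted)


def make_password(sentence, number, site, shift=0):
    """Assemble <first half of number><site tag><initials><second half of number>."""
    head, tail = split_number(number)
    return f"{head}{site_tag(site, shift=shift)}{initials(sentence)}{tail}"


def check_password(password, min_length=12):
    """Mechanical checks only; returns a list of problems (empty means all passed).

    min_length=12 is an assumption for this example, not a value from the post.
    """
    problems = []
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password list")
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    return problems


if __name__ == "__main__":
    sentence = "I think Christopher Nolan is the best director ever."
    for site in ("Google", "Amazon", "Apple/iTunes", "Yahoo"):
        pw = make_password(sentence, "2008", site)
        print(f"{site}: {pw}  problems={check_password(pw)}")
    print("shifted Google tag:", make_password(sentence, "2008", "Google", shift=-1))
```

Running the script prints the four passwords exactly as listed in Step 4, each with an empty problem list, and the shifted variant `20FnnItCNitbde08`. Feeding `check_password` something like `password` returns several problems, the first being that it sits on the common list, which is the failure the post's first two requirements are meant to prevent.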

You don’t have to use my exact system. The point is to have a password system that you use that fulfills all four requirements. Mine is just a suggestion.

So let’s review the requirements I established before:

  1. A password should be unique. Check.
  2. A password should be difficult to guess. Check.
  3. A password should be unique to the specific account it is for, at least for every account with sensitive information. Check.
  4. A password should be easy for its owner to remember. Check.

Mission Accomplished.