Yesterday I wrote about a study that revealed how real users think and act when it comes to passwords. One of the biggest challenges for them was dealing with so many passwords, a problem that led to them using weak passwords and often re-using them to save effort. But there are systems that can make generating and remembering passwords much easier ...
For a few years I’ve used a password system that’s been really successful; the only problem I’ve had has been when entering the passwords, but that’s really just because I’m not a very good typist. My system is based on a simple formula and, nope, I can’t tell you what it is exactly, but let me give you a similar method:
- Take the first letter of the site’s name in lower case (“gmail.com” gives “g”)
- Add the last two digits of, say, your birth year and reverse them (“1963” – not my birth year, alas – becomes “63”, which reversed gives “36”)
- Add a “+”
- Add the next four letters of the site’s name in upper case (“gmail.com” gives “MAIL”)
- Add a “-”
- Add the last four digits of your phone number backwards (“888-555-1234” gives “4321”)
- Voila! Your password for http://gmail.com would be “g36+MAIL-4321”. And for http://networkworld.com it would be “
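The six-step formula above written out as a Python function, added here as an example and not the post’s own code; the birth year and phone number are the post’s placeholder values, not real ones. It also counts how many characters differ between two sites’ passwords, since only the site-derived characters change from site to site.

```python
import re

def site_password(site: str, birth_year: str, phone: str) -> str:
    """Build a password from a site name using the post's six-step formula.

    Steps 2 and 6 (reversed birth-year digits, reversed phone digits) are the
    same for every site; steps 1 and 4 are the only site-specific parts.
    """
    name = site.lower()
    name = re.sub(r"^https?://", "", name)    # "http://gmail.com" -> "gmail.com"
    name = re.sub(r"^www\.", "", name)
    letters = re.sub(r"[^a-z]", "", name)      # keep letters only: "gmailcom"
    if len(letters) < 5:
        raise ValueError("site name needs at least five letters for this formula")
    first = letters[0]                         # step 1: first letter, lower case
    year_part = birth_year[-2:][::-1]          # step 2: last two year digits, reversed
    next_four = letters[1:5].upper()           # step 4: next four letters, upper case
    digits = re.sub(r"\D", "", phone)
    phone_part = digits[-4:][::-1]             # step 6: last four phone digits, reversed
    # steps 3 and 5 are the literal "+" and "-" separators
    return f"{first}{year_part}+{next_four}-{phone_part}"

def site_specific_chars(site_a: str, site_b: str, birth_year: str, phone: str) -> int:
    """Number of positions at which two sites' passwords differ.

    Entropy calculators score the string as if every character were random;
    this shows how much of it actually varies between sites under the formula.
    """
    a = site_password(site_a, birth_year, phone)
    b = site_password(site_b, birth_year, phone)
    return sum(1 for x, y in zip(a, b) if x != y)

if __name__ == "__main__":
    # placeholder values from the post, not real data
    print(site_password("http://gmail.com", "1963", "888-555-1234"))        # g36+MAIL-4321
    print(site_password("http://networkworld.com", "1963", "888-555-1234"))
    print(site_specific_chars("gmail.com", "networkworld.com", "1963", "888-555-1234"))
```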
According to passwordstrengthcalculator.org, the strength of these passwords (measured by their information “entropy”) is 85.2 bits; it would take a supercomputer up to 14 years to guess the password, while a PC/GPU setup might have to run for 283,717 years to guess it. Not bad at all. Also see Gibson Research’s Password Space Search Calculator, which figures that the count of all possible passwords with this alphabet size and up to this password’s length is:
… and the site figures that the time required for a desktop machine to exhaustively search this password’s space, assuming one thousand guesses per second, would be 16.50 trillion centuries, while at a supercomputer speed of one hundred trillion guesses per second it would still take up to 1.65 hundred centuries.
And these kinds of formulae are easy to construct and easy to remember.
But what if you’re really lazy or, as many people are, really not very good at these kinds of mental gymnastics? You might prefer this tool, the Qwerty Card from Qwertycards ($4.99 with international delivery included):
These are simple plastic cards laid out like a Qwerty keyboard and each one has a unique code; in the above picture it’s “sh(/J3Hq”, to which you add your own secret password, for example “catfish”. You then append the encoded version of the site’s name using the character map on the card; for example, “Amazon” becomes “.u.rqf”, which is added to the previous strings to generate the complete password. So, from our examples, your final password would be “sh(/J3Hqcatfish.u.rqf” which, according to How Secure is My Password, could take a desktop PC about 3 septillion years to crack.
While the Qwerty Card might seem to involve a lot of effort in managing passwords, it’s really a minimal amount of pain compared to actually remembering scores of passwords, and next to no work compared to trying to clean up after your accounts have been breached.