Password Security – sing a song, save some stress
Posted by Dylan Sachs on Wed, Sep 09, 2009
Like most of you, I've had many different passwords I have had to remember over the years. Some were professional (network, servers, applications), and some personal (Facebook, Twitter, online banking). Up until about a year ago, I thought I had a fairly secure system for managing my passwords for all these different things: I had 3 different passwords memorized, and would pick one at random. Each one was fairly complex (letters and numbers), but none would stand up to a brute-force or dictionary attack. The downside to this method is that when I would go back to a site I hadn't visited in a while, I would have to guess which password I used - not so handy, but manageable when there are only 3 options. In some cases, I would have to modify one of them to meet required password complexity rules, such as including a non-alpha character, which would only serve to confuse me more (and often resulted in clicking the "Forgotten Password" link).
That is, until I picked up a little trick on my daily voyage through the tubes of the interweb.
Yes, what I'm about to tell you will allow you to create unique passwords for every site/page/server you use, while meeting even the most stringent password complexity rules. Did I mention that you'll always be able to remember the password? That's an important one, since no one should be keeping sticky-notes with passwords under their keyboard.
Here's the trick: Pick a song (make it one you know the words to). For my example, I'll go with one of my favorites - The Beatles' "Strawberry Fields". Next, pick a line from that song that stands out. It doesn't have to be a whole verse; just one line will often do. Using my choice of song, let's take the line "Let me take you down, 'Cos I'm going to Strawberry Fields". The next thing you need to do is abbreviate that line - "lmtydcigtsf". Let's bump up the level of complexity by putting a number and a non-alpha character in there to make it "lmtyd'cig2sf". Whichever way you look at it, this string alone won't be cracked by any dictionary attacks, and brute force will certainly be a challenge! Now for the unique part. For each thing you need a password for, you add some capitalized letters - let's say you want to use it with Facebook; your password becomes "FBlmtyd'cig2sf". Bank Of America login? "BOAlmtyd'cig2sf". BrandProtect portal? "BPlmtyd'cig2sf".
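To make the three steps concrete, here is an added Python sketch of the scheme (my own illustration, not code from the post). The function names, the homophone table and the complexity policy are assumptions; the abbreviation rules are chosen so that the post's own line yields exactly "lmtydcigtsf" and "lmtyd'cig2sf".

```python
import math
import string

# Hypothetical names for this illustration (not from the post). The table
# generalises the post's "to" -> "2" step to other number homophones.
NUMBER_WORDS = {"to": "2", "too": "2", "two": "2", "for": "4", "four": "4",
                "ate": "8", "eight": "8", "one": "1", "won": "1"}
STRIP = string.punctuation.replace("'", "")  # drop commas etc., keep apostrophes

def abbreviate(line: str, substitute: bool = True) -> str:
    """First letter of each lyric word, lowercased ("lmtydcigtsf").
    With substitute=True a word's leading apostrophe is kept ('Cos -> 'c)
    and number homophones become digits (to -> 2), giving "lmtyd'cig2sf"."""
    out = []
    for raw in line.split():
        word = raw.strip(STRIP)
        lead = "'" if substitute and word.startswith("'") else ""
        word = word.lstrip("'")
        if not word:
            continue
        core = word.lower()
        digit = NUMBER_WORDS.get(core) if substitute else None
        out.append(lead + (digit or core[0]))
    return "".join(out)

def site_password(site_abbrev: str, base: str) -> str:
    """Prefix the shared base with the capitalised site tag (FB, BOA, BP...)."""
    return site_abbrev.upper() + base

def meets_complexity(pw: str, min_len: int = 12) -> bool:
    """A strict policy: minimum length plus lower, upper, digit and symbol."""
    return (len(pw) >= min_len and any(c.islower() for c in pw)
            and any(c.isupper() for c in pw) and any(c.isdigit() for c in pw)
            and any(not c.isalnum() for c in pw))

def brute_force_bits(pw: str) -> float:
    """log2 of the exhaustive search space over the character classes present.
    Blind brute force only; it says nothing about guessing the scheme itself."""
    classes = [(str.islower, 26), (str.isupper, 26), (str.isdigit, 10),
               (lambda c: not c.isalnum(), len(string.punctuation))]
    alphabet = sum(n for test, n in classes if any(test(c) for c in pw))
    return len(pw) * math.log2(alphabet)

if __name__ == "__main__":
    base = abbreviate("Let me take you down, 'Cos I'm going to Strawberry Fields")
    for tag in ("FB", "BOA", "BP"):
        pw = site_password(tag, base)
        print(pw, meets_complexity(pw), round(brute_force_bits(pw), 1))
```

Note that the bare "lmtyd'cig2sf" fails the strict policy (no capital) and only passes once the site tag is prepended, which is exactly why the post's capitalised prefix matters for sites with complexity rules.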
I know, you're thinking - "Dylan, you're crazy - how on earth am I supposed to remember that nonsensical string?" The fact is, as long as you remember the song, you can remember your password. You may be tempted to use one of the many browser-based password storage options ("Do you want Firefox to remember this password?"), but let's be honest - that's just a breach waiting to happen. Type the password daily for a week, and you should be able to pound out that password faster than cover pages for TPS reports.
Do you have any tips for making complex-but-memorable passwords? Drop me a line, and I'll add them to this post.