How to Choose and Store Secure Passwords
The one thing that every webmaster seems to have in spades is passwords. We have one for our cPanel, FTP, WordPress, email, IM, Google account and every other service that we use.
It can be a huge headache; any one password being defeated is a security nightmare, as no firewall can protect you against someone who has the right password to your account. Protecting your passwords is critical but, at the same time, you need to be able to remember them so you can access your account, no matter where you are.
With passwords playing such a major role in the lives of webmasters, it is worth taking some time to explore how to make your collection both as safe and as practical as possible. On that note, every Monday for the next few weeks, we’ll be taking a look at this topic with advice on how to create, store, share and use passwords. This will include guides on how to ensure loved ones have access to your site, suggestions for remembering passwords and, this week, how to create secure ones that can be easily remembered.
Let’s start with the problem of creating passwords that can be easily remembered.
The Standard Method
By now, you have probably already heard this mantra, that passwords need to be eight characters long, contain upper and lower case letters and also at least some punctuation and numbers. That’s a lot to include in a single password, especially if you want to be able to repeat it.
The first thing you want to avoid, however, is using a common name, word, birthdate or anything else that could be easily guessed. The reason is that attackers routinely use lists of such common words to try to guess what one’s password is and, more often than not, have success.
However, that doesn’t mean that you can’t start with such common words and then morph them into a secure password that is also easily remembered. For example, if someone is named Jane and has a birthday of 1/9/78, she might be able to use a password such as J1a9N7e8! and be reasonably well protected. That password is simply the letters of her name with alternating caps, separated by the numbers from her birthdate and followed by an exclamation point.
The goal is to find a similar system for yourself. You want to take a common word and mash it with numbers and symbols to help make it secure from blind attack and something you can remember.
Another method commonly used is to go to a good password generator, such as the one provided by the Gibson Research Corporation (Note: You’ll likely only want to use 8-12 characters of any given password string), and then create some method for remembering the password, such as a sentence to represent each letter in the password.
This method does a very good job at creating excellent passwords but doesn’t do very well in making memorable ones that can be easily reentered by hand.
The reason is that these passwords are randomly generated and are devoid of any independent meaning, either to the generator or to the user. As such, it is up to the user to assign meaning to it, something that is much harder than working the other direction.
Still, if you find yourself struggling to come up with good passwords the normal way, this can be a good alternative. Also, generators work well with services that store and remember passwords for you, something we’ll be covering in a later post.
The Unique Password Method
While either of the above systems can be great for creating a single password, if you don’t want to reuse it, this can mean remembering dozens of passwords and the sites they belong to. Either system might be easy to remember once, but will be much more difficult to remember twenty times or more.
A way to defeat that is to base your password on the site it is for. For example, if your password is for Google.com, you might make the password G1o2o3!@ or something along those lines. For added security, you can shift all of the letters one key to the right on the keyboard, making it H1p2p3!@, thus making it less obvious how it was derived.
If you take this system over to Amazon, it then becomes A1m2a3!@ or S1,2s3!@ with the letter shift.
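As an added example that is not part of the original article, here is the Unique Password Method in Python: `derive` builds the G1o2o3!@ pattern from a site name and optionally applies the one-key-right keyboard shift, and `check_standard_method` tests the result against the Standard Method rule given earlier (eight characters with upper case, lower case, a digit and punctuation). The keyboard rows are an assumption (US QWERTY layout).

```python
"""Added example: the page's Unique Password Method, with the Standard Method check."""
import string

# Assumed US QWERTY rows; each key shifts to the one on its right.
_ROWS = ("qwertyuiop[]", "asdfghjkl;'", "zxcvbnm,./")
_RIGHT = {}
for _row in _ROWS:
    for _i, _ch in enumerate(_row[:-1]):
        _RIGHT[_ch] = _row[_i + 1]


def shift_right(text: str) -> str:
    """Replace each letter with the key to its right, keeping case.

    Non-letters (digits, punctuation) pass through unchanged, and a letter
    at the end of a row stays as it is because nothing sits to its right.
    """
    out = []
    for ch in text:
        low = ch.lower()
        if ch.isalpha() and low in _RIGHT:
            new = _RIGHT[low]
            out.append(new.upper() if ch.isupper() and new.isalpha() else new)
        else:
            out.append(ch)
    return "".join(out)


def derive(site: str, shift: bool = False) -> str:
    """Build the page's pattern from the first three letters of the site name.

    "Google" -> "G1o2o3!@"; with shift=True -> "H1p2p3!@".
    """
    letters = [c for c in site if c.isalpha()][:3]
    if len(letters) < 3:
        raise ValueError("site name needs at least three letters")
    core = "".join(f"{ch}{n}" for ch, n in zip(letters, "123")) + "!@"
    return shift_right(core) if shift else core


def check_standard_method(pw: str) -> dict:
    """Check a password against the Standard Method rule from this article."""
    return {
        "length_ok": len(pw) >= 8,
        "upper": any(c.isupper() for c in pw),
        "lower": any(c.islower() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "punct": any(c in string.punctuation for c in pw),
    }
```

Note that the keyboard shift can turn a letter into punctuation (m becomes a comma), so a shifted password can end up with fewer letters than the unshifted one; `check_standard_method` shows whether it still meets the rule.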
This system is both easy to remember and can be applied to dozens of sites, creating unique, easy-to-remember passwords for every domain.
The challenge for the system comes when you need several passwords for one domain, such as with Google, or when there isn’t a clear domain to use, such as with several Web services.
Still, for most cases, this system can be a good compromise, a way to use good, secure passwords without sacrificing ease-of-memorization.
If you follow any of these methods well, you should have little trouble producing high-quality, difficult-to-defeat passwords that you can use for your various accounts, hosting-related or otherwise.
The challenge is to find which system, if any, will work best for you and you will actually use.
After all, the best system isn’t necessarily the one that produces the most impossible-to-crack passwords, but rather, the one that you will use without making any additional sacrifices to security.
A weaker password is often more useful than a stronger one you are reckless with, so it’s important to balance the strength against the human factor and realize that you will have to make sacrifices in one direction or another.
In short, find a system that works well for you and use it. If you do that, you’re off to a great start in password security.
How to Store Passwords Safely
Keeping passwords secret is a basic security principle.
But sometimes you do need to share a password; in an emergency, perhaps.
How can you safely prepare for this?
How to Store Passwords
The only way to safely store passwords is with encryption.
But you can also use physical protection. For example, you could put your passwords on a flash drive and lock the drive away. Wherever you store your passwords, make sure only trustworthy people have access.
All of these layers help to keep your data secure.
The Contents Of a Password File
When you store passwords in a file, don’t explicitly write the name of the service next to the password. That way, nobody will know what that password is for.
Use a “future proof” format: a safe, widely supported file format rather than a new application that may not be around in a few years’ time.
Also, make it easy to keep your file up-to-date once it has been created. Password files are sometimes inconvenient, but you need to find that balance.
How to Remember Secure Passwords
Setting strong passwords is only half the story. You also have to remember them. Here are a few tips to help you recall strong passwords.
What Not to Do
Before we begin, here are a few things we never do:
- Write down passwords: Most environments are not secure enough for this.
- Reuse passwords: If one site is hacked, all of your accounts are fair game.
- Dumb down: Don’t simplify passwords to the point where they’re easy to guess.
The key is not to sacrifice security for convenience.
Password Repositories and Techniques
There are some very good, secure ways to store passwords and there’s a great way to ‘generate’ your own memorable, unique passwords.
- LastPass is a web-based service and browser add-on for Windows, Mac, Linux and most mobile devices. It automatically fills in usernames and passwords. LastPass is free for the basic service and $12 per year to add mobile support and remove ads.
- KeePass and 1Password (for Windows and Mac respectively) make it easy to generate passwords and log into services. They have their own limitations, but are convenient.
- By basing your password on the service that you are using, you only need to remember the method for creating the password, not the password itself. That means it’s easy to create a unique password for every site you visit and remember it.
Finding a Balance
Sadly, the most secure passwords are also the least usable.
The best approach is the one that works to your natural strengths, your own routines and your ability to remember what you’ve come up with.
Last update: March 2015