How To Fix Your Memory for Passwords
This is not about replacing a stick of RAM in your computer, but rather a How To Fix Your brain kind of article.
One of the biggest problems that network administrators face is dealing with user passwords: getting users to choose a complex password, rotate it on a regular basis, and still remember it. The challenge is that, in order to conform to the network security policy of most companies with any sizeable network, password usage rules must be enforced on users. Rules like:
- Using complex passwords with a minimum length
- Changing passwords on regular basis (like at least every 90 days)
- Protecting passwords with rules like don't tell anyone, don't write it down
Here are a few ways of creating passwords that you can remember, that will meet the complexity rules, and that will be easy to rotate.
1) Don't use passwords, use pass phrases!
See Wikipedia for Passphrase
This can be something like:
The network guy is a butthead! sum6
The sum6 is simply the first three letters of the season plus the last digit of the year.
In the above example passphrase, you get to express your true feelings about the guy enforcing the rules :),
it meets complexity rules, it can be rotated for 10 years (four seasons times ten year digits gives 40 distinct
suffixes), you can remember it easily, and it certainly meets the length requirement. Keep in mind that the
strength is in the sentence, not in the suffix: anyone who has seen one version can predict the next rotation,
so the sentence itself is what must stay secret. The negative side is that if you have to type it 10 times per
day, it will get old very fast, even though you get to tell the network guy what you think of him many times per day!
2) Use a password construction scheme.
This is a formula in which a few easy-to-remember parts create your password. For example:
My spouse's initials + my birth year + month (2 digits) + year (2 digits)
The result would be something like xyz19720806
This is simple and, rotated monthly, would be good for 100 years before the two-digit year repeats, although
I would hope you would get sick of it and change your scheme after a year or so.
Let's try another:
My favorite beer + the first three digits of my zip code + the first three letters of the current month
Again, easy to remember; however, with monthly rotation it is only good for a year before the month part repeats.
The above examples may or may not meet the complexity requirements of your network or application.
Tip! Most corporate network password policies do not allow you to write passwords down; however, most do not
keep you from writing down your password scheme to help you remember. Be careful with that: once someone who finds
the postit knows the scheme, the password is only as secret as the personal facts plugged into it, and a spouse's
initials, a birth year or a zip code are easy to look up or guess. A written-down scheme is safer than a
written-down password, but only if the parts really are things nobody else knows or can find out.
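To put numbers on "only good for a year" and on the postit tip above, here is an added example (not part of the original article) that counts how many passwords an attacker who knows the scheme, but not the personal facts, would have to try, and compares that with a five-word passphrase drawn at random from a 7776-word Diceware list. The per-part counts, the 500-brand beer list and the 10^9 guesses-per-second cracking rate are assumptions made for the arithmetic, not figures from the article.

```python
import math

# Each scheme is a list of (label, number of possible values, rotates?).
# The counts are assumptions made for this example, not figures from the
# article; the point is the order of magnitude, not the exact number.
SCHEME_INITIALS = [
    ("spouse's initials, 3 letters", 26 ** 3, False),
    ("birth year, assume 1920-1989", 70, False),
    ("month, 01-12", 12, True),
    ("year, 00-99", 100, True),
]
SCHEME_BEER = [
    ("favorite beer, assume a 500-brand list", 500, False),
    ("first three digits of zip code, 000-999", 1000, False),
    ("first three letters of the month", 12, True),
]
# Five words drawn at random from a standard 7776-word Diceware list.
PASSPHRASE = [("Diceware word %d of 5" % (i + 1), 7776, False) for i in range(5)]


def keyspace(parts):
    """Candidates an attacker who knows the scheme (but none of the
    personal values) must try: the product of every part's choices."""
    total = 1
    for _label, choices, _rotates in parts:
        total *= choices
    return total


def rotation_candidates(parts):
    """Candidates left once ONE old password from the scheme has leaked:
    every fixed part is now known, only the rotating parts still vary."""
    total = 1
    for _label, choices, rotates in parts:
        if rotates:
            total *= choices
    return total


def entropy_bits(n_candidates):
    return math.log2(n_candidates)


def expected_crack_seconds(n_candidates, guesses_per_second):
    """On average the right guess turns up halfway through the keyspace."""
    return n_candidates / 2 / guesses_per_second


def report(name, parts, guesses_per_second=1e9):
    n = keyspace(parts)
    return "%-22s %6.1f bits  %10.3g s to crack  %8d candidates after one leak" % (
        name, entropy_bits(n), expected_crack_seconds(n, guesses_per_second),
        rotation_candidates(parts))


if __name__ == "__main__":
    # 1e9 guesses/s is an assumed rate for an unsalted fast hash on a GPU.
    for name, parts in (("initials+year+MMYY", SCHEME_INITIALS),
                        ("beer+zip3+month", SCHEME_BEER),
                        ("5-word passphrase", PASSPHRASE)):
        print(report(name, parts))
```

The initials scheme comes out near 30 bits and the beer scheme near 22, both under a second of guessing at the assumed rate, while the passphrase is near 65 bits and centuries of work. Worse, because only the month and year rotate, an attacker holding one expired password of the first scheme has just 1,200 candidates for the current one, and 12 for the second scheme.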
What NOT To Do
1) Don't use password generators.
Password generators are best for creating cryptic passwords that no one can remember. The only saving grace is
that most password generators will provide a phonetic pronunciation for the password. For example:
b3Ef8afR - (bravo - Three - ECHO - foxtrot - Eight - alpha - foxtrot - ROMEO)
n7ayiuko - (november - Seven - alpha - yankee - india - uniform - kilo - oscar)
If you like program generated passwords, these were generated at: Winguides.com
(Side comment: I find it interesting that the above site, WinGuides.com is running on Linux/Apache/PHP. Quite ironic!)
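As an added example (not code from the article or from WinGuides), here is what such a generator looks like when written properly: characters are drawn from the operating system's CSPRNG through Python's secrets module rather than from random.choice(), and the phonetic spelling follows the convention of the two samples above (lowercase letter, UPPERCASE letter, Capitalised digit). The 62-character alphabet and the 8-character default length are assumptions.

```python
import secrets
import string

# NATO phonetic alphabet, used to read a generated password aloud.
NATO = {
    "a": "alpha", "b": "bravo", "c": "charlie", "d": "delta", "e": "echo",
    "f": "foxtrot", "g": "golf", "h": "hotel", "i": "india", "j": "juliet",
    "k": "kilo", "l": "lima", "m": "mike", "n": "november", "o": "oscar",
    "p": "papa", "q": "quebec", "r": "romeo", "s": "sierra", "t": "tango",
    "u": "uniform", "v": "victor", "w": "whiskey", "x": "xray", "y": "yankee",
    "z": "zulu",
}
DIGITS = ["Zero", "One", "Two", "Three", "Four",
          "Five", "Six", "Seven", "Eight", "Nine"]
# Assumed alphabet: letters and digits only, like the samples in the article.
ALPHABET = string.ascii_letters + string.digits


def generate(length=8):
    """Draw every character from the OS CSPRNG (secrets), never from random."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def phonetic(password):
    """Spell the password the way the samples do: lowercase letter -> lowercase
    code word, uppercase letter -> UPPERCASE code word, digit -> Capitalised."""
    words = []
    for ch in password:
        if ch.isdigit():
            words.append(DIGITS[int(ch)])
        elif ch.islower():
            words.append(NATO[ch])
        elif ch.isupper():
            words.append(NATO[ch.lower()].upper())
        else:
            raise ValueError("unsupported character %r" % ch)
    return " - ".join(words)


if __name__ == "__main__":
    pw = generate()
    print(pw, "-", "(" + phonetic(pw) + ")")
```

Run as a script it prints one fresh password in the same "b3Ef8afR - (bravo - Three - ...)" layout as the samples above; the phonetic() function reproduces those two samples exactly.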
Tip to Net Admins!: The worst thing you can do to users is force generated passwords on them like the above. Network/system admins
that do this are just asking for trouble. Almost any user is going to write it down on a postit and stick it in
his/her desk drawer, or create a Word doc or text file somewhere on the file system with passwords in it. A
disaster waiting to happen.
2) Don't use Hackereze
Many supergeeks will recommend that users utilize hackereze for passwords. The problem is that unless you use it
in your daily communications, it may not be very easy for a user to remember. Plus, there are a number of hacker
language variants, such as those from the Warez and Crackerz subcultures. But the biggest problem is that it is not secure:
dictionary-based password crackers apply substitution rules (a to @ or 4, e to 3, s to $ or 5, and so on) to every
word in their list, so the hackereze spelling of a dictionary word is tried almost as quickly as the plain word.
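To show why the hackereze spelling buys nothing, here is an added example (not from the article) of the kind of substitution rule a dictionary cracker applies, followed by a lookup against an unsalted SHA-256 hash. The substitution table, the four-word list and the target password are constructed for this example; a real cracker such as John the Ripper ships far larger rule sets and word lists.

```python
import hashlib
import itertools

# Substitution table: each letter maps to itself plus its "hackereze"
# look-alikes. Assumed for this example; real rule sets are much larger.
LEET = {
    "a": "a@4", "e": "e3", "i": "i1!", "o": "o0",
    "s": "s$5", "t": "t7", "l": "l1",
}


def leet_variants(word):
    """Every spelling of `word` obtainable by substituting zero or more
    letters from the LEET table (the plain word is included)."""
    choices = [LEET.get(ch, ch) for ch in word.lower()]
    return {"".join(combo) for combo in itertools.product(*choices)}


def build_dictionary(words):
    """Expand a plain word list into the full set of mangled candidates."""
    return set().union(*(leet_variants(w) for w in words))


def crack(target_hash, words):
    """Unsalted SHA-256 lookup, standing in for whatever hash the target
    uses. Returns the recovered password, or None if no candidate matches."""
    for candidate in build_dictionary(words):
        if hashlib.sha256(candidate.encode()).hexdigest() == target_hash:
            return candidate
    return None


# Constructed sample word list and the hash of a "hackereze" password.
WORDS = ["password", "hacker", "elite", "secret"]
SAMPLE_HASH = hashlib.sha256(b"h4ck3r").hexdigest()

if __name__ == "__main__":
    print("candidates from %d words: %d" % (len(WORDS), len(build_dictionary(WORDS))))
    print("recovered:", crack(SAMPLE_HASH, WORDS))
```

Four plain words expand to only a few hundred candidates, and the hashed "h4ck3r" falls out immediately; the substitutions multiply the attacker's work by a small constant, nothing like the factor that a longer secret would.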
My recommendation is to use password construction schemes. These are flexible enough to meet the needs of most corporate
password policies and are still easy to remember. Using parts of your scheme that no one else would know makes it harder
to guess, much like the password reminder questions that many web sites ask you for, and with the same weakness: facts
like a spouse's initials, a birth year or a zip code can often be found out with a little research, so prefer parts that
cannot be looked up. Of course, you will need to ask your network administrator or refer to the password policy of your
company to create a scheme that works for you, meets the complexity requirements, and will meet the rotation requirements.
Article Date: 08/25/2006