Remember secure passwords: Create a Password Pattern

We are all drowning in passwords.  To cope with having to know so many, a lot of us use easy-to-remember passwords.  Others use a long, hard, random password -- but the same one everywhere.  But there is a better, and more secure, way: patterns.

1) Easy to remember

Easy to remember is good.  What good's a password so complicated even you can't remember it?  But "easy to remember" is also usually "easy to guess."  And if it's personal information, like a maiden name or birth date, you probably have that on a forum or blog or Facebook profile.  Social profilers are out there.  Yup, I'm paranoid, but that doesn't mean I'm wrong.

2) Complicated, like @#S?R#+LLS#(E#N<I -- but you use it everywhere.

Many times your password is stored in clear text (**) in a database.  A lot of developers do this because it's easy to tell people what their password is when they inevitably forget.  Some people have a few different passwords they have used for years and might not remember which one it was.  The problem is, if it's in clear text, anyone with access to that database can read it.  If you use that password everywhere, then they have access to everything -- bank, credit cards, other web sites, your email.

Say you like shade-grown-organic-fair-trade-whole-bean-italian-roast coffee but can only get it from a particular web site.  That's a small site, so you don't think too much about it.  You order some, give your credit card, set up an account, give your email, and your standard password (or one of them).  Now that coffee-site owner, who has set up the site to store the password in clear text (**), can see your password -- the one you use everywhere -- and can access everything you can access, if he wants.  Or maybe he has lax security, someone hacks the site, and finds it that way.  Why don't you make him a copy of your house key and mail that to him too, along with some naked or compromising pictures?  Might as well go all in!

3) Password storage programs

You can use a program to store your passwords encrypted.  I've tried these.  They are always on the computer I'm not using, or I'm on vacation, trying to get into that stupid airline web site to find my confirmation number.  Or I had to change a password but I was too busy to change it in my password storage program.  Or all of the above.  They work great, but they don't automatically remember anything with instant recall the way our brains do.

4) Patterns.  They are awesome.

Okay, caveat: I've done both 1 & 2 before (that's not a toilet joke!).  Now I use patterns.  I see no flaw in patterns, but if you find one, please leave me a comment and tell me what it is.  Here's an explanation of patterns:

Patterns are a way to create a password by using a pattern on your keyboard, or things in your daily life that can link together.  Only you know your pattern, and you should make up your own (don't use this one!).  Here's an example.

You want to sign up for Facebook.  You have a single complicated password you use everywhere, but this time you want something else.  But you are afraid you'll forget it, especially since you can stay logged in to Facebook for weeks at a time and never have to use your password.

So, you decide this HA17 guy is pretty smart and you create a pattern.  Your pattern is:

  1. Take the last letter in the web site or company name (Facebook: 'k').
  2. On the keyboard, you start with the 'k' -- that's the first letter in your password.
  3. Then you repeat the 'k'.
  4. Then you hold the shift key down and type the letter to the left of the 'k' ('J').
  5. Then you say "k is the 11th letter in the alphabet" and you type in '11'.
  6. Then you hold down shift and type in '11' again ('!!').
  7. Now your password is 'kkJ11!!'.

Password security is as much about length as about 'hard to guess characters' -- a short password, however complicated, is pretty easy for a computer to break because there are fewer possibilities to run through.  In that case, just double or triple the password:

Or, once forward, once backwards, once forward:

That same pattern on myspace (using the last letter: 'e'):

Don't let the four 'e's in a row fool you.  It's not a dictionary word, and a cracking program has to do just as much work to crack that as it would if it were 'efgh'.  It doesn't know what the letter is; it has to try them all!  Don't leave a comment saying "too many repeated characters" -- if it were '00000000' or something I might agree, because a brute-force password-cracking program probably tries that kind of stuff first.
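Here is the pattern above written out as code, so you can see exactly what each step does and how the lengthening variants (doubling, and forward-backwards-forward) build on it.  This is an added example, not the author's code, and it uses the author's example pattern only because the post already spells it out (the post says: don't use this one).  Two things are assumed: a standard US QWERTY letter layout for "the letter to the left", and, since the post doesn't say what happens for 'q', 'a' and 'z' (nothing but a modifier key sits to their left), those raise an error instead of guessing.  The last function counts how many different passwords one pattern can ever produce, which is the point the post makes later about "basically 26 possible passwords".

```python
"""Keyboard-pattern password derivation, following the post's worked example.

Added example, not the post's own code. Assumptions: a US QWERTY letter
layout, and 'q', 'a', 'z' (no letter key to their left) are rejected.
"""

# Letter rows of a US QWERTY keyboard (assumed layout).
QWERTY_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")
ALPHABET = "abcdefghijklmnopqrstuvwxyz"


def key_to_the_left(letter: str) -> str:
    """Return the letter immediately left of `letter` on the assumed keyboard."""
    for row in QWERTY_ROWS:
        idx = row.find(letter)
        if idx > 0:
            return row[idx - 1]
        if idx == 0:
            # Edge case the post does not cover: leftmost key in its row.
            raise ValueError(f"no letter to the left of {letter!r} on this keyboard")
    raise ValueError(f"{letter!r} is not a letter key")


def shifted(key: str) -> str:
    """Apply the Shift key: letters become uppercase, digits become their US symbols."""
    digit_symbols = dict(zip("1234567890", "!@#$%^&*()"))
    return digit_symbols.get(key, key.upper())


def base_pattern(site_name: str) -> str:
    """Steps 1-7 of the post's pattern: 'Facebook' -> 'kkJ11!!'."""
    last = site_name.strip().lower()[-1]          # step 1: last letter of the name
    if last not in ALPHABET:
        raise ValueError("pattern needs a site name ending in a letter")
    left = shifted(key_to_the_left(last))         # step 4: Shift + key to the left
    position = str(ALPHABET.index(last) + 1)      # step 5: 'k' is the 11th letter
    shifted_position = "".join(shifted(d) for d in position)  # step 6: Shift + '11'
    return last + last + left + position + shifted_position   # steps 2, 3, then 4-6


def doubled(site_name: str, times: int = 2) -> str:
    """The post's 'just double or triple the password' lengthening."""
    return base_pattern(site_name) * times


def forward_backward_forward(site_name: str) -> str:
    """The post's 'once forward, once backwards, once forward' lengthening."""
    p = base_pattern(site_name)
    return p + p[::-1] + p


def distinct_passwords(pattern_fn=base_pattern) -> int:
    """How many different passwords a pattern can produce across all 26 last letters.

    Since the output is fixed by one letter, knowing the pattern and the site
    name is enough to reproduce the password, so this is the real size of the
    password space the pattern gives you.
    """
    produced = set()
    for letter in ALPHABET:
        try:
            produced.add(pattern_fn(letter))
        except ValueError:
            pass  # 'q', 'a', 'z' have no letter to their left
    return len(produced)


if __name__ == "__main__":
    print(base_pattern("Facebook"))              # kkJ11!!
    print(forward_backward_forward("myspace"))   # the four-'e'-in-a-row case
    print(distinct_passwords(), "distinct passwords from this pattern")
```

Running `forward_backward_forward("myspace")` produces the "four 'e' in a row" the post mentions: 'eeW5%' forwards, then backwards, then forwards puts the trailing 'ee' of the reversed copy right before the leading 'ee' of the last copy.  The distinct-password count comes out at 23 rather than 26 only because of the three rejected letters.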

Okay, so now you have a pattern with basically 26 possible passwords.  That's still a little bit like flaw 2), used everywhere.  It'd be best to have at least two patterns, to mix it up even more.  I actually have several.

And now you can write them down somewhere.  Say:

You just need to be able to remember the pattern, not the password.  And you can take the pattern to your grave.  Bob might be able to take and analyze your password, and if he goes to that much trouble he's just better and smarter than you, and he wins.

Is this system unbreakable?  No.  No password you can remember is unbreakable.  But it's a good compromise between:

  1. acceptably complicated and secure
  2. rememberable

If we didn't have problems remembering passwords, a better system would be a 64-character, patternless, random password that changed hourly and wasn't duplicated on any system anywhere.  But we're humans.

If you have a password that needs to be changed a lot, this system isn't going to be as effective.  You might have to come up with a floating pattern that can change slightly at intervals.  I'm not going to be very helpful there.

If keyboard patterns aren't enough, try tying in some important date or Bible verse based on a letter or number in the pattern.  There are no limits.  You might not even use a keyboard pattern, just a pattern.  Keep it a secret.

Someday, OpenID will come riding in and save our skin.

And keep this in mind: YOU might be the weak link in the end, anyway.

from the awesome xkcd.org web comic web site (by permission)

(**) Clear text means that if your password is "ILoveJesus" then it is stored exactly that way.  Some sites encrypt passwords so that "ILoveJesus" might end up looking something like "#*U#XKEJR#(LL#lksdf".  This is a more secure way to handle passwords, but it also means they can't retrieve your password if you forget it; they have to go through a longer "reset" process that many users don't like.  Many users actually prefer that their passwords be stored insecurely so that if they forget, they can easily get back into that web site.
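To make the footnote concrete, here is the difference between the two kinds of storage, as an added example that is not part of the post.  The scrambled form sites use is normally a one-way, salted, deliberately slow hash rather than encryption, so the site can check a login attempt but cannot read the password back, which is exactly why it can only offer a "reset".  PBKDF2-HMAC-SHA256 from Python's standard library is the assumed choice here, and the record format and iteration count are assumptions of this example.

```python
"""Clear-text storage versus one-way (hashed) storage of a password.

Added example, not the post's code. Assumes PBKDF2-HMAC-SHA256 with a
per-user random salt and a record format of the form
'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'.
"""
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 200_000  # assumed work factor; raise it as hardware gets faster
RECORD_PREFIX = "pbkdf2_sha256$"


def store_clear_text(password: str) -> str:
    """What the post calls clear text: the stored record IS the password."""
    return password


def store_hashed(password: str, salt: Optional[bytes] = None) -> str:
    """Store only a salted, slow hash; the password itself is never written down."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per user, so equal passwords differ
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{RECORD_PREFIX}{ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Check a login attempt against either kind of record."""
    if not record.startswith(RECORD_PREFIX):
        # Clear-text record: verification works, but the site (and anyone who
        # copies its database) can read the password outright.
        return hmac.compare_digest(password.encode("utf-8"), record.encode("utf-8"))
    _, iterations, salt_hex, digest_hex = record.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison so timing doesn't leak how many bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def can_send_password_back(record: str) -> bool:
    """Whether the site could e-mail the password to a forgetful user.

    Only a clear-text record allows this; a hashed record forces the
    longer 'reset' process the footnote describes.
    """
    return not record.startswith(RECORD_PREFIX)


if __name__ == "__main__":
    plain = store_clear_text("ILoveJesus")
    hashed = store_hashed("ILoveJesus")
    print("clear text :", plain)
    print("hashed     :", hashed)
    print("login ok   :", verify("ILoveJesus", hashed))
    print("can mail it:", can_send_password_back(hashed))
```

Two properties worth noticing when you run it: hashing the same password twice gives two different records because each gets its own salt, so a copied database doesn't even reveal which users share a password; and `verify` accepts the right password and rejects a near miss, while `can_send_password_back` is false for the hashed form.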
--- April 25th, 2009 :: Dev ::