Tuesday, June 28, 2016

Creating Great Passwords

It's common knowledge that using the same password across multiple websites is a security problem, but it's one that few people ever take seriously. When LbNA's database was breached, I knew the reused-password problem was so pervasive, that it meant thousands of accounts on Atlas Quest were compromised as well.

I mentioned that I use a different password on every website, which is how I could immediately tell that the file of leaked passwords I stumbled across came from LbNA. It was the one website on the entire Internet that I ever used it--it HAD to have come from LbNA. Nor was it a simple, easy-to-guess password like "letterbox", "letterboxing" or "password" (which 181, 167 and 106 people used respectively on LbNA--please don't use passwords like this!) My password had lowercase letters, uppercase letters, symbols and numbers. All jumbled up into--at a glance--a random bunch of characters.

And a couple of people commented that they don't have my awesome powers of memorization, which is why they use the same password across a lot of websites. But here's the trick--I don't either! I don't memorize my passwords... I memorize patterns!

I use patterns on the keyboard based on the type of website, the name of the website, and password requirements for the website. For instance, on Atlas Quest, I could have a password of "sw2Q!@t5t". (This is NOT my password--this is for sample purposes only.) While my LbNA password could be ";p0NHY^&aq1q".

The passwords look very different--and they're both great passwords. They have lower and upper case letters, numbers and symbols. They aren't words found in a dictionary or names of relatives or friends. A stranger who stumbled onto this password... would be pretty well stuck with hacking into the one website it's good for.

But they're really easy passwords to "remember" as well. No written notes necessary!

They're patterns on the keyboard. Each of them can be broken down into three segments:
  • sw2   Q!@   t5t
  • ;p0   NHY^&   aq1q
It's kind of like.... a secret code that converts website names into passwords. In both cases, I start with the website name:
  • Atlas Quest
  • Letterboxing North America
In the first sequence of characters, I start with the first letter of the website name and find the key on the keyboard immediately to the right of it. Then I click that, followed by every key immediately above it until I reach a number. 
  • sw2 - "s" is just to the right of "A", then "w" is immediately above the "s", then the number "2" is immediately above the "s". s-w-2... Stop.
  • ;p0 - ";" is just to the right of "L", followed by "p" just above it, followed by "0" just above that.  ;-p-0... Stop.
The next sequence in the group works similarly--except this time I start with the first letter of the next word of the website name, and this time I hold the SHIFT key the entire time and, after clicking a symbol on the numbered keys, I follow it up with a second symbol just to the right of the first symbol.
  • Q!@ - "Q" for Quest, then "!" (immediately above the Q) and "@" (immediately to the right of "!").
  • NHY^& "N" for North, then "H" (immediately above the N), "Y" (immediately above the "H"), "^" (immediately above the "Y"), and "&" (immediately to the right of the "^").
The third group in the sequence likewise follows a similar pattern, but without the shift key and, after I hit a number, I back down one row and repeat the letter underneath it. But I've run out of words in "Atlas Quest"... so I just use the last letter of the last word as my starting point. ("t" in this instance.)
  • t5t - "t" for Quest, followed by "5" then bounce down a row back to "t".
  • aq1q - "a" for America, followed by "q" just above it, then "1" just above that, then back down a row to "q" again.
Put them all together, and you wind up with "sw2Q!@t5t" and ";p0NHY^&aq1q"--seemingly impossible to remember passwords that, at first glance, look completely random.

Here's another trick I've sometimes used for passwords... Pick a couple of words that are easy to remember, and instead of typing that exact word or phrase, click the key immediately to the right of the actual key. "letterbox" might be the most commonly used password on LbNA, but I can definitely tell you, nobody uses the password ";ryyrtnpc"! This is the word "letterbox"--but it's a very simple substitution code that replaces every letter with the one next to it on the keyboard. It can help if you're a touch-typist and don't need to look at the keyboard for this type of encoding. I just put my fingers on the keyboard where they usually go, shift my hands over one key, then type the word I'm thinking like normal. o vsm yu[r rmyotr drmyrmvrd ;olr yjod brtu wiovl;u@

You'll probably want to have a few different sequences that you use regularly. Some websites--annoyingly--don't allow symbols, so a sequence that includes symbols won't work on these websites. Other websites require a symbol in your password! So you might need to use two different types of sequences to fit both requirements, which might just be the same sequence except you use the numbers where the symbol you'd normally use would be.

Some websites might have passwords that require a minimum length and your sequence causes it to fall short--so have a plan for extending your sequence as needed, which might be nothing more than repeating the first sequence. In my sample above, I ran out of words in "Atlas Quest" to create three groupings, so my fallback was to use the last letter of the last word. (If the website name only had one word, my fall back might have been to use the last two letters of the name of the website. So my Facebook password might have been "gt5O()ki8i".

If you have multiple accounts on the same website, you might try incorporating your usename into the pattern so you can have a different password for each account on the same website.

A lot of corporate accounts often make you change your password every few weeks, which is annoying and probably causes a lot of people to write down passwords or increase the number at the end of it by 1, neither of which are particularly secure. But you might use the "pattern" trick by including the current month in your password pattern, so the last sequence of characters is the first three letters of the month name, shifted to the left on the keyboard. Or something to that effect....

You might also consider how you'll usually have to type in sequences. I will admit, the sequences I use are frustratingly annoying when I'm trying to type them into a smartphone without a proper keyboard. What symbol is above the 5? I wind up typing stuff like "#*#$&@!" which looks more like a bleeped out cuss word than my actual password, but by the time I get my password correct, I've been locked out and am cussing anyhow. =) So if it's a password you'll use a lot on a smartphone, you might design a pattern that fits your smartphone keyboard.

I also sometimes have trouble logging into my accounts when I travel internationally and am using a non-US keyboard so all of the keys are in different locations on the keyboard. I actually drew myself a "cheat-sheet" when I was hiking through France of a US keyboard layout to help me log into accounts!

I also have a couple of different sequences that I use depending on the "importance" of a website. I use a shorter, easier sequence for websites with nothing particularly valuable on it and more complex sequences for bank accounts and such.

The "pattern trick" works for stuff other than website passwords as well. I use a pattern for PINs on my credit and debit cards, so every card has a unique, random-looking PIN that I don't have to write down or memorize. If you ever find my wallet, I can assure you, "1111" or "1234" will not get any of my money out of an ATM. Nor will knowing my birthday, address, social security number, etc. You just have to start guessing, and if you do manage to get lucky and crack one of the PINs (out of 10,000 possibilities, it's actually quite possible to crack it with brute force given enough time), it won't get you into any other card.

That's the trick to creating solid, all-but-impossible-to-guess passwords that are unique to every website you use. Take a little effort to think of two or three different types of sequences you can use, and the security of your accounts increases enormously.


Becky Rohner said...

Thanks for the lesson, Professor Tortuga! I had problems trying to figure out something that I would remember and the older I get the less easy it is to memorize things. Now I can change the passwords on all my accounts to different things and increase my security a thousand-fold and REMEMBER what the little beggars are! You are appreciated much more than you can know.
Heart Writer

Anonymous said...

What a great idea . . . a bunch of great ideas really. Thanks!
Kurious Jo