Just to keep my promise (late again here, and again I should actually be in bed), here is a quickie on PW creation and structuring, maybe not keeping up with all I promised above, but covering the basics (and certainly secure enough for your everyday use), even if not really in depth:
Here is a simple system for (almost) perfect yet memorable passwords:
1. Think of a sentence, a line of a poem, or a caption you can always remember; for the explanation let's use, e.g., "Passion is a positive obsession. Obsession is a negative passion."
2. Form your password from the first letters of each word in the phrase, respecting capital letters and including the punctuation; for the above case this would be: "Piapianp."
3. Add, with a connection key (I use "#"), a numeric/symbol prefix THAT YOU NEVER CHANGE IN ANY PASSWORD (hence easy to remember), e.g. "3*2=7"; your result will now be: "3*2=7#Piapianp."
This now is your "master password" that you can always remember (or at least reconstruct, as it follows a system). DON'T EVER WRITE THIS MASTER PW down anywhere; if you need a reminder for your baseline, just write the base phrase (not the prefix) down somewhere, without comment.
(Write down a PW? Big No-No...
*Never* write a PW down, be it on paper or on your machine.
You won't believe it, but a recent study has shown that
- 36% of users write their PW on a piece of paper. Of those, 57% stick it to their monitor (or its back), and 33% stick it to the bottom of their keyboard. The rest keep it either with their credit cards or in (or stuck to the bottom of) a drawer of their desk... Go figure how easy everybody is to crack, and this without even taking into account that, according to the same study, 12% of users use "password" as their password...
- 53% of users keep their PW somewhere on their computer, in clear text. Gosh!
An example of how insecurely you live: if you run Firefox on a PC, try the following:
One of Firefox's most convenient features is its ability to save the passwords you use to log on to web sites - like your webmail and online banking - so you don't have to type them in every time. Those saved passwords appear as asterisks in the password field.
In Firefox, from the Tools menu, choose Options, and in the Passwords tab hit the "View Saved Passwords" button. Then hit "Show Passwords."
Yup, there they are, all your high-security passwords in plain text and in full sight.
Try it. Right now. I'll wait.
Now consider how easy it would be for your Firefox-lovin' housemate to log onto your Gmail, or the computer-sharing apprentice at the office to get into your checking account, or your other half to discover all your porn site logins (ok, just kidding about the porn. Maybe...)
Not such a great feature anymore, eh?
Of course you can configure Firefox to secure your saved passwords without having to give up the convenience of those autofilled login details; keep on reading.
- only 11% never write their PW down. I am one of them.)
4. As you want different passwords for different sites (e.g. for your Firefox master PW, which would obscure your passwords in the above-mentioned routine), you now decide on (and MAY write down somewhere) a rule/system for how to denominate the programs, sites and registrations. I usually use 4-letter prefixes (you might need 5 if you have a large number of sites or functions on those sites), and in order not to forget them I have a list of those written down (they won't help a cracker if he finds it, as he does not even know what the list is for), e.g. for "International Military Forums user" my prefix could be "imfu_". For "Firefox master" my prefix could be "FiFo_", etc. As said, you *can write those down safely* in a document called e.g. "sites shortname list"; you don't need to remember those (just your master PW, which you never write down).
Hence, in the above example, your PW for Firefox would now be "FiFo_3*2=7#Piapianp.", and for you as a user here it would be "imfu_3*2=7#Piapianp."
Check it out in a password safety tester (offline, of course, else *they* would just have read it...), and you get the following results:
http://rumkin.com/tools/password/passchk.php : "Strength: Strong - This password is typically good enough to safely guard sensitive information like financial records."
http://www.passwordmeter.com/ : "Exceptional: Exceeds minimum standards."
Or, in detail (for PCs, not Crays!)
http://unwrongest.com/projects/password-strength/ : "Your password is forceable in 6.950652247107411e+83 years"
Sometimes sites only accept e.g. 16 or 12 characters; no problem either, you just shorten it (from the RIGHT, of course). Test the results for yourself, e.g. with the 12-char version "imfu_3*2=7#P":
http://rumkin.com/tools/password/passchk.php : "Strength: Reasonable - This password is fairly secure cryptographically and skilled hackers may need some good computing power to crack it. (Depends greatly on implementation!)"
http://www.passwordmeter.com/ : "Exceptional: Exceeds minimum standards."
http://unwrongest.com/projects/password-strength/ : "Your password is forceable in 5389762 years, 2 months"
Heavy loss in security, definitely, but still "reasonably" safe (for me 16 chars is the minimum length; the result grows exponentially: "Your password is forceable in 420805123888006 years, 6 months").
Now, with this system, you have a strong password, at the same time a different one for every site, function or user, and you can always and easily remember or reconstruct it.
Remember, though, that however strong you make your PW, it will be sent over the net when you submit it, hence it can be captured and read in transit (if you don't go through https); also, a key logger that someone installed on your computer directly or via a virus/trojan will easily read it, etc.
Hence, I recommend changing the master PW for all sites regularly (I know this is hard, you have to change it on all the sites you registered with, but if you are just a little paranoid, a change every 4 weeks should probably keep you out of major trouble).
FWIW,
Rattler
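The derivation in steps 1 to 4 above, together with the right-hand truncation, written out as an added Python example. This is not code from the original post: the sample phrase, the "3*2=7" prefix, the "#" connector and the "imfu"/"FiFo" tags are taken from the post, while the function names and the `surviving_phrase_chars` helper are additions. Step 2 is applied mechanically (first letter of every word, case kept, punctuation attached to that word kept in place), so the sample phrase yields "Piapo.Oianp." as its core; the tag and the 12-character cut behave exactly as in the post ("imfu_3*2=7#P").

```python
import re
from typing import Optional

# Values taken from the post; the code itself is an added example, not the author's.
SAMPLE_PHRASE = "Passion is a positive obsession. Obsession is a negative passion."
MASTER_PREFIX = "3*2=7"   # step 3: numeric/symbol prefix that never changes
CONNECTOR = "#"           # step 3: connection key between prefix and phrase part
TAG_SEPARATOR = "_"       # step 4: follows the site tag, as in "imfu_" / "FiFo_"


def phrase_initials(phrase: str) -> str:
    """Step 2, applied mechanically: first letter of every word, case kept,
    with any punctuation attached to that word kept in place.
    Leading punctuation (an opening quote) stays before the initial,
    trailing punctuation (full stop, comma, closing quote) stays after it."""
    parts = []
    for word in phrase.split():
        head = re.match(r"(\W*)(\w)", word)       # leading punctuation + first letter/digit
        if head is None:                           # token without any letter or digit
            continue
        lead, initial = head.groups()
        trail = re.search(r"\W*$", word).group()   # punctuation glued to the word end
        parts.append(lead + initial + trail)
    return "".join(parts)


def master_password(phrase: str, prefix: str = MASTER_PREFIX,
                    connector: str = CONNECTOR) -> str:
    """Step 3: fixed prefix, connector, then the phrase initials."""
    return prefix + connector + phrase_initials(phrase)


def site_password(tag: str, phrase: str, max_len: Optional[int] = None,
                  prefix: str = MASTER_PREFIX, connector: str = CONNECTOR) -> str:
    """Step 4 plus the length rule: site tag + master PW, cut from the RIGHT
    when a site imposes a maximum length."""
    pw = tag + TAG_SEPARATOR + master_password(phrase, prefix, connector)
    if max_len is not None:
        pw = pw[:max_len]
    return pw


def surviving_phrase_chars(tag: str, phrase: str, max_len: int,
                           prefix: str = MASTER_PREFIX, connector: str = CONNECTOR) -> int:
    """How many phrase-derived characters are left after a right-hand cut.
    The tag, prefix and connector sit on the left, so the cut removes the
    part that differs between phrases first; with a 12-character limit and
    the values above only one such character remains."""
    fixed = len(tag + TAG_SEPARATOR + prefix + connector)
    full = len(site_password(tag, phrase, None, prefix, connector))
    return max(0, min(full, max_len) - fixed)


if __name__ == "__main__":
    print("core      :", phrase_initials(SAMPLE_PHRASE))
    print("master    :", master_password(SAMPLE_PHRASE))
    for tag in ("imfu", "FiFo"):
        print(f"{tag:<10}:", site_password(tag, SAMPLE_PHRASE))
    for limit in (12, 16):
        print(f"imfu @ {limit:>2} : {site_password('imfu', SAMPLE_PHRASE, limit)!r}",
              f"({surviving_phrase_chars('imfu', SAMPLE_PHRASE, limit)} phrase chars survive)")
```

The helper makes the cost of the length rule visible: everything left of the phrase part is either the site tag or the fixed prefix, so a site-imposed cut from the right strips exactly the characters that carry the phrase, and at 12 characters two passwords built from different phrases differ in a single character.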