How many times do you use a password in a day?
I estimate that I enter a password, passphrase or PIN perhaps 50 times a day, with my browser silently passing my password to sites that I consider low risk many more times than that every day. Userid and password combinations are by far the most common form of authentication we use on a daily basis. Most have a feature that massively increases their effectiveness, our ability to change them, yet how often do you exercise that ability?
I am pretty sure there are some people out there who wear little tin foil hats and change all their passwords once a day, and possibly some aluminium clad types who sit in a Faraday cage they have built in their basement and do it every hour. However, if you are like the majority of people I quiz, it is very infrequently if ever. So when was the last time you changed your password on your email system or primary social media network? Within the last month, this year, ever? I am not judging you, but you probably need to do it more often. Frequency of change combined with password complexity provide you with protection, and these days we need all of the protection we can get.
I can hear the complaints already, “there are too many systems to remember all the passwords ….” etc. You do not have to have a separate password for every site; yes, it would be more secure, but it is not necessary. In fact most people can get by with a handful of passwords that they use for different classes of site or application.
I have five classes of application and except for #5 which is reserved for things that need the extra security that a unique password provides I use one password for all of the sites and apps in the same class. So at any one time I only need to remember four passwords.
Class #1 – For things that really do not need a password.
Sites and applications that store no personal data and probably only ask for a password because someone re-used some code that needed one, or thought they would cover a few bases in case they later added functionality that stored personal data. This password I change every few years and it has very low complexity. If I have not been to a site in more than a year I can always remember the previous ones; it is usually an amusing word with some character modifications (see below).
Class #2 – For where the site or application stores some low sensitivity personal data
The kind of information where, if you spent 10 minutes in a search engine, you could probably find it from public sources. These include the sites where you need to register before they will grant you access to information. I may have given them my postal address but not much more. These I change every year and they follow a pattern, but a pattern with entropy.
One advantage of being brought up in the UK was my exposure to UK Post Codes. These are not numeric strings as they are in the US but a combination of letters and numbers. They have a two part structure, an inbound code of letter(s) + digit(s) combined with an outbound code of a digit + 2 letters. There are some exceptions but the vast majority follow this pattern, and they are very granular, often covering fewer than 10 residential addresses or a single large business. I also find them quite memorable and am able to associate them with a person or a business. As a result they make the basis of excellent passwords. I often just pick one off a piece of correspondence. They are however only suitable for sites that have fairly low password complexity requirements, as most are 6 or 7 characters long, so if a site requires a minimum of 8 characters you must append something to pad it out. Sometimes, where this is a password I will need to share with someone, such as a WPA pass phrase, I will prepend or append the name of the company or building, such as rg26uhgreenpark (the post code for our EMEA HQ and what we know it as).
Class #3 – These are the sites and applications where personal data is stored including most retail sites.
Here I use a password that I change every 4 months, so I have 3 to remember a year. I combine a word with a special character and another word. To help me remember them I use a common structure: the first part is always an emotion or adjective and the second a noun, e.g. pink:starFish or grumpy@cloud.
Class #4 – Reserved for sites and applications that store sensitive information, are associated with my work or where their compromise would cause me serious issues.
They are also ones I visit frequently and always enter the password manually, so the repetition means I can use and learn relatively complex strings. They get changed usually every 2 months, sometimes more frequently. I extend the structure used for Class #3 by adding another special character and one or two digits. As I travel a lot, these are generated using the time offset from GMT of the place where I changed the password. So an example might be sleepy*india+2, where I had set the password late at night after an Indian meal in Munich in the summertime.
Class #5 – These are not really used for access to sites but usually secure applications.
These get changed frequently and are so complex I have to write them down and lock them away. I use a passphrase generator of my own design to create these. They consist of a long string of alphanumerics and special characters.
Just in case you are worried that I have just given away the formulas for most of my common passwords, and before you head off to crack my email etc., it is probably fair (and wise) that I tell you about a great little trick that adds enormously to password strength. That is using your own little pad system to modify characters, such as always substituting a certain number for a certain letter, and using capitals either for fixed positions or for specific characters.
Take the class #4 example above and apply the rules that “e” is substituted by “3” and “a” by “@” (not ones I use, but both would be logical, as a capital E looks like a mirror image of 3 and the @ symbol is the “at” symbol, so the first letter). The password is now sl33py*indi@+2. I could even tell you the password and you would struggle to get it: “sleepy asterisk india plus two”. It becomes even more complex if you compound it with a simple rule such as always replacing a vowel with a capital: sl33py*IndI@+2. Dictionary attacks are going to struggle with that one. My personal pad has been developed and refined over the years to the point that when I type a password I very naturally make the modifications without even thinking about them. On the rare occasions I have to tell someone a password they usually see it as a near random string, whereas to me it is a collection of words, special characters and numbers that I can easily remember.
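As an added illustration, not the author's own tool, here is a small Python function that applies a fixed pad of character substitutions and a capitalisation rule to a memorable phrase, reproducing the two transformations of the class #4 example above. The function name, the rule order and the position-based capitalisation option are my own assumptions.

```python
"""Apply a personal "pad" of character substitutions to a memorable phrase.

Added example for the pad technique described above; the rule names,
defaults and ordering are assumptions, not the author's actual pad.
"""
from typing import Dict, Iterable

VOWELS = "aeiou"


def apply_pad(phrase: str,
              substitutions: Dict[str, str],
              capitalise_vowels: bool = False,
              capital_positions: Iterable[int] = ()) -> str:
    """Transform a phrase with pad rules, applied in a fixed order.

    1. Each character in `substitutions` is swapped for its replacement
       (e.g. "e" -> "3", "a" -> "@").
    2. If `capitalise_vowels` is set, any vowel that survived step 1 is
       upper-cased (vowels already substituted are no longer vowels).
    3. Characters at the zero-based `capital_positions` are upper-cased,
       covering the "capitals at fixed positions" variant.
    """
    positions = set(capital_positions)
    out = []
    for i, ch in enumerate(phrase):
        new = substitutions.get(ch, ch)
        if capitalise_vowels and new in VOWELS:
            new = new.upper()
        if i in positions:
            new = new.upper()
        out.append(new)
    return "".join(out)


# The pad from the article's walkthrough (the author says these are not
# the rules they actually use).
EXAMPLE_PAD = {"e": "3", "a": "@"}

if __name__ == "__main__":
    base = "sleepy*india+2"
    print(apply_pad(base, EXAMPLE_PAD))                          # sl33py*indi@+2
    print(apply_pad(base, EXAMPLE_PAD, capitalise_vowels=True))  # sl33py*IndI@+2
```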
Right, time to go change some passwords!