I have over 100 passwords that I have to keep track of between work and everything else. If you’re as forgetful as I am, this can be a daunting list! After trying many different password management strategies, I’ve finally landed on one that’s easy for me to work with, and allows for a strong unique password for each web site I visit. Best of all, I only have to remember one single password.
Before we get into the details of password management best practices, I’d like to take a moment to remind you why it’s important to have unique and strong passwords. Recently Georgia Tech researchers published a study showing that with modern computing power, it’s possible to crack 8-character passwords in under two hours. But by adding 4 extra characters, the length of time increases to over 17,000 years. That’s because each additional character multiplies the possibilities (and subsequently the number of passwords to try) by approximately 95.
Unique passwords are very important as well. Last week Gawker announced that approximately 1.4 million passwords had been compromised in a hack attack. The list of account usernames and passwords is now circulating on ThePirateBay, available to anyone who downloads the torrent. Anybody who uses the same username and password from Gawker on other websites is now at the risk of having these accounts compromised.
How to Make a Strong and Memorable Password
My favorite method of creating a strong password is to first think of the lyrics of a memorable song. In keeping with the Christmas season, let’s go with Deck the Halls. We only need a couple of verses:
Deck the halls with boughs of holly,
Fa la la la la, la la la la.
Tis the season to be jolly,
Fa la la la la, la la la la.
Now let’s take the first letter of each word. Since there would be a lot of repeated characters with the fa-la-la’s, I’m going to skip those. We’re left with:
Now, let’s modify the case so it’s not all caps or all lower case:
Next, let’s swap out some letters with numbers. To can become the number 2. H’s look a little like the number 4, so that’s easy to replace. O’s can become zeros.
Now, let’s add a symbol. In between the verses is a good, memorable spot:
And we’re done! We have a secure, yet easy to remember (and festive) password, that will take 17,000+ years to crack.
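To make the recipe above concrete, here is an added example (not code from the original post) that applies the same steps to the two verses: skip the fa-la-la words, take one letter per word, adjust case, swap "to" for 2, h for 4 and o for 0, and put a symbol between the verses. Upper-casing the first letter of each verse and using "!" as the separator are my assumptions, as is the helper layout; the crack-time function simply extrapolates the post's own figure (8 characters in 2 hours, 95 symbols per position) to other lengths.

```python
import re

# Constructed sample input: the two verses used in the post (fa-la-la lines dropped).
VERSES = [
    "Deck the halls with boughs of holly,",
    "Tis the season to be jolly,",
]

# Words skipped entirely because they repeat too much to add anything memorable.
SKIP_WORDS = {"fa", "la"}

def letter_for(word: str) -> str:
    """Word-level substitutions from the post: 'to' -> 2, h -> 4, o -> 0 (hypothetical helper)."""
    w = word.lower()
    if w == "to":
        return "2"
    first = w[0]
    if first == "h":
        return "4"
    if first == "o":
        return "0"
    return first

def encode_line(line: str, capitalize_first: bool = True) -> str:
    """Take one character per word; assumption: first letter of each verse upper-cased."""
    words = [w for w in re.findall(r"[A-Za-z']+", line) if w.lower() not in SKIP_WORDS]
    chars = [letter_for(w) for w in words]
    if capitalize_first and chars and chars[0].isalpha():
        chars[0] = chars[0].upper()
    return "".join(chars)

def derive_password(verses, separator: str = "!") -> str:
    """Join the encoded verses with a symbol in between (separator choice is an assumption)."""
    return separator.join(encode_line(v) for v in verses)

def keyspace_ratio(longer: int, shorter: int, alphabet: int = 95) -> int:
    """How many times more candidates an attacker must try for `longer` vs `shorter` characters."""
    return alphabet ** (longer - shorter)

def crack_years(length: int, base_len: int = 8, base_hours: float = 2.0, alphabet: int = 95) -> float:
    """Extrapolate the post's figure (8 chars in 2 hours) to `length` chars at the same guess rate."""
    return base_hours * alphabet ** (length - base_len) / (24 * 365)

if __name__ == "__main__":
    pw = derive_password(VERSES)
    print(pw, len(pw))
    print(f"12 vs 8 chars: {keyspace_ratio(12, 8):,} times more candidates")
    print(f"{len(pw)}-char password at the same guess rate: {crack_years(len(pw)):.3g} years")
```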
Managing All Those Passwords
Remember when I said I managed over a hundred complex passwords? No, I’m not singing to myself all day trying to remember when I swapped out an “H” for a 4. I actually maintain a spreadsheet with all of my passwords. “But Joey, that’s not secure!” you may claim. You’d be right! Simply storing a spreadsheet with the keys to the castle is a terrible idea. But storing an encrypted spreadsheet is quite safe. By the way, setting a password on your Word or Excel document is not encrypting it. Those passwords are surprisingly easy to crack. A quick Google search shows 7.6 million results for “recover word password”.
With a password encrypted spreadsheet, I only have to remember the encryption password. All of the other passwords for everything I do online are stored on the spreadsheet. This way, I can have long, unique, strong passwords for every single service that requires a password. If one gets hacked, all of my other sites stay secure.
Encrypting and decrypting files doesn’t require expensive software, either. There’s an excellent program called TrueCrypt that’s available for free. It’s very powerful, but also a little different from what you might expect. It doesn’t encrypt individual files, but rather creates an encrypted “container”. The container, once unlocked with TrueCrypt, looks like a USB thumb drive to your computer. You can safely save files in the container, and use TrueCrypt to mount and unmount it. TrueCrypt has a handy quick-start guide on their website, which I definitely recommend you read if you’re going to go the encrypted spreadsheet route.
But There is Another Way…
While I prefer the hands-on method of creating spreadsheets and encrypting files myself, I’ll bet some of you would rather have this process automated. There’s a spectacular program out there called PasswordSafe that will create and manage your password database. It’s encrypted using one of the algorithms available in TrueCrypt. It also features a password generator, as well as the 1-click ability to copy a password to the clipboard. That’s very helpful when you want to log in to a website: simply click a button, switch to the web site, and paste the password in the box.
For the true gadget lovers out there, we have yet another solution. There are several USB drives on the market that feature all kinds of hardware-level encryption. Some use biometric inputs (fingerprint) to determine if they should unlock or not. IronKey is one example of a hardware-encrypted device. Be forewarned, prices on cutting edge encrypted storage media can vary widely. Of course it’s not at all necessary to spend a week’s salary in order to keep your passwords secure. With PasswordSafe or an encrypted spreadsheet, your passwords will be securely tucked away from prying eyes, with no out of pocket cost.