Make Your P@55w0rd Secure

The Danger

Every time you connect to any website you are accepting a certain risk. The techniques to compromise the security of popular websites are numerous. There are constant efforts, by many groups and individuals, to steal the login credentials of major sites. We need to be very, very diligent about our personal credentials when accessing resources on the Internet.

To faithfully adhere to the most stringent password pattern is an impossible task. Every password would look like this: l33tfouR*($k#n@t_0806

The Challenge

How can you be assured your choice of password is not an easy target for hacking?

Simply using common words (fido) or simple sequences (12345) is equivalent to using no password at all. It is important to apply some rules to your method of generating personal passwords.
For example, the password requirements set by the US Department of Defense include specifics on the exact nature and construction of a password.

Defense Information Systems Agency (DISA) – the U.S. Department of Defense – password requirements

  • A minimum of 15 characters
  • Include at least one uppercase alphabetic character
  • Include at least one lowercase alphabetic character
  • Include at least one non-alphanumeric (special) character
  • No single character may be repeated more than twice

It is quite a challenge to devise a password that meets these criteria and is still practical for everyday use (in other words, still memorable).

In addition to that, every account you access really should have a different password.

Regardless of how secure your password may be there is a real danger in using the same password on multiple sites.
Stop and think for a moment. If your username AND password on one of the sites you visit frequently (Sitepoint, Facebook, Twitter, for example) were revealed to someone, how many OTHER sites would they have easy access to?

The real danger is not any one person gaining access to your email or posting embarrassing information on your behalf on Facebook.
The real danger is exploiting the fact that we tend to use the same username/password combination on multiple commonly accessed websites.

You may believe your username and password are safe from detection. But, think about this:

  • Do you allow the browser to ‘remember’ any passwords for you?
  • Have you ever had your computer to a service shop for repair or upgrade?
  • When was the last time you CHANGED a password on any website to which you have access?

Tools that deduce passwords by brute force are being applied every day to very large sites, many of which you and I use regularly.

We all are at constant risk of compromise and every single site where you log in is a point of penetration for exploitation. I think there is no Perfect Solution to this. But ignoring the danger is not an appropriate defense.

My Solution

I have developed a system I use regularly that allows me to devise secure passwords (adhering to these restrictive requirements) that I can easily recall when needed.
I apply this to all my passwords used online and in other applications.

The fundamental concept is to use a phrase or word that is significant to you and thus very easy for you to remember. You then build on this, applying the DISA requirements. Finally, you ‘customize’ the password for each place it is used.

The System

Begin with a ‘base’ word; this can be the city where you were raised, the last name of your favorite author, or the name of your favorite musician or group.
Now make at least one of the characters a capital letter. I prefer to make it one that would NOT be expected, like the last letter in the word.

Next, modify the ‘base’ word with some leet speak. This is where you substitute some of the letters with digits or non-alpha symbols (those symbols that appear above the number keys). Some examples of ‘leet speak’ are:

  • $ for S
  • 1 (the numeral one) for lowercase L
  • 5 for S
  • @ for a
  • 0 (zero) for the letter O
  • 3 for the letter E

Add a separator (I use underscore, for example).

Then follow this with an easy-to-remember word that is unique to each site. I simply add the site’s domain name, without the .com (all in lowercase).

Here’s an example

  • Base word: FordPrefect
  • Modified to become: F0rdpr3fecT
  • Add a separator (caret): F0rdpr3fecT^
  • Append the site you are logging into and we have the result: F0rdpr3fecT^twitter

We have easily satisfied ALL the DISA password requirements, this password is unique to this site and it is not very difficult to remember!
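As an added example (my code, not part of the original post), this Python script encodes the five DISA rules as checks and applies the recipe above to the post's own base word. Lowercasing the word, substituting only the first two leet-able letters and capitalising the first and last letters are my reading of the steps (assumptions that reproduce the post's example), and rule 5 is read as "no run of three or more identical consecutive characters", which is also an assumption.

```python
import re

# The five DISA rules listed in the post. Rule 5 ("no single character may be
# repeated more than twice") is read here as "no run of three or more identical
# consecutive characters"; that reading is an assumption, not the post's words.
MIN_LENGTH = 15

def check_disa(password):
    """Map each DISA rule to True (met) or False (not met)."""
    return {
        "min_15_chars": len(password) >= MIN_LENGTH,
        "has_uppercase": any(c.isupper() for c in password),
        "has_lowercase": any(c.islower() for c in password),
        "has_special": any(not c.isalnum() for c in password),
        "no_triple_run": re.search(r"(.)\1\1", password) is None,
    }

def meets_disa(password):
    return all(check_disa(password).values())

def failing_rules(password):
    return [rule for rule, ok in check_disa(password).items() if not ok]

# Leet substitutions from the post's list ($ chosen for S out of the two offered).
LEET = {"s": "$", "l": "1", "a": "@", "o": "0", "e": "3"}

def build_password(base, site, separator="^", max_subs=2):
    """Apply the post's recipe: leet-modify the base word, capitalise its first
    and last letters, add a separator, append the site name (lowercase).
    Lowercasing the word first and capping substitutions at two are my
    assumptions; they reproduce the post's FordPrefect -> F0rdpr3fecT example."""
    if not base:
        raise ValueError("base word must not be empty")
    chars, subs = [], 0
    for ch in base.lower():
        if subs < max_subs and ch in LEET:
            chars.append(LEET[ch])
            subs += 1
        else:
            chars.append(ch)
    chars[0] = chars[0].upper()
    chars[-1] = chars[-1].upper()  # the "unexpected" capital from the post
    return "".join(chars) + separator + site.lower()

if __name__ == "__main__":
    for pw in ("fido", "12345", build_password("FordPrefect", "twitter")):
        verdict = "OK" if meets_disa(pw) else "fails " + ", ".join(failing_rules(pw))
        print(f"{pw!r}: {verdict}")
```

Always run the built password back through `meets_disa`: a leet substitution landing on the last letter replaces the expected capital with a digit, and the checker catches that.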

The Other Half

Of course, a password that meets the DISA requirements and is unique for each site offers a new measure of security.
We can take this to another level if each site also had a unique username!

Gmail offers a feature, intended for filtering your email, that allows us to create unique email addresses which still point to your original Gmail address. The technique is simple. You add a plus (+) and a string after your username and before the @gmail.com.

Like this:
anyuser@gmail.com becomes anyuser+sitepoint@gmail.com
And that modified email address will still receive messages – delivered in the same mailbox!

This ensures the username is unique for that site. So, in the event there is a breach of the user database at a site on which you are registered, the attempt to use all the username/password combinations, en masse, on other sites is guaranteed to fail.

A simple change in your habit and you can feel much more secure about your personal data.

Here is a great introduction to How passwords are cracked.
