Wednesday, December 4, 2013

Passwords on Paper

In a previous post, I said I would show you a way to safely write passwords down...

You should never write passwords down, right? There are few things worse than leaving your password on a sticky note attached to your monitor, or under your keyboard.

Let me show you a way around this....

First, create one good password of 8-10 characters, which you will commit to memory. This needs to be a good password: it should not contain a dictionary word, and it should ideally mix letters, numbers, and symbols. But it also needs to be easy to remember. Since it is the only one you will have to commit to memory, that shouldn't be too difficult.

For this example, I am going to use M2bh@fn4.
I built that from the phrase "My bologna has a first name". Taking the first letter of every word gives Mbhafn. I then counted the letters in the first and last word (My=2, Name=4) and put each number after the respective letter (M2bhafn4). Finally, to get a symbol in there, I replaced the 'a' with '@'.

Now, as a matter of good security practice, you would write this password down on a piece of paper, seal it in an envelope, and put it in a locked file. That way it is recoverable in the event of a tragedy (memory loss, or an incapacitating illness or accident that requires a close relative or friend to access your systems). But apart from that sealed copy, this password DOES NOT GET WRITTEN DOWN ANYWHERE!


Okay, now we get to the individual systems. For each account, create an 8-10 character random password, which you will write down on a slip of paper. Keep this slip in your purse, wallet, or planner: something you already carry with you and protect because it contains credit cards, cash, and other important items you don't want stolen. The slip will look something like this...

Chase bank - 1whD6&fk
gmail - rej8(fhkl
facebook - weh903Ldm


Again, for reasons of security, make a copy of this and lock it in a file. Now here is the trick. What you have written down is only half of the password. The part you have memorized is the other half. So your password for Chase bank would actually be:

M2bh@fn41whD6&fk

and gmail would be

M2bh@fn4rej8(fhkl

Those are 16-20 character passwords, half memorized and half genuinely random (generate the written half with a password generator, dice, or coin flips rather than typing something off the top of your head). They are unique for each account because of the part you have written down, and easy to remember because of the part you have committed to memory.

What if someone steals your slip of paper? They will only have one half of your password, and they will still have to brute-force the other half. And since you will quickly notice that your password slip is missing, you can go home, get your backup copy, log in, and change all your passwords within a day or so, rendering the old list useless.

Pretty cool, huh? There is still one point of risk to consider. What if someone were to steal your password slip, copy it, and return it without your knowing? Then they gain more time to try cracking your password. The ways to reduce that risk are as follows:

1. Take extra special care of that piece of paper. Never let it out of your sight.
2. Make the memorized part longer, say... twelve to twenty characters long (the longer the password, the longer it takes to guess).
3. Continue to follow the best practice of changing your passwords frequently (every 90 to 360 days; this isn't so painful, since little to no memorization is involved).

One more thing the slip cannot protect on its own: the memorized half is shared by every account, so if any one site exposes your full password (a breached password database, a phishing page), whoever also holds your slip has all of them. A leak at one site is therefore a reason to change the memorized half everywhere, not just that site's slip entry.
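Here is the whole scheme in code, as an added example that was not part of the original post: it derives the memorized half from a phrase by the rule above, generates random slip entries, writes and reads the slip in the layout shown, composes the final password, and puts a number on point 2 (how much guessing a thief with the slip still faces as the memorized half grows). The 94-character alphabet, the 9-character default slip length, and all function names are this example's own choices, and it uses Python's secrets module for the random half.

```python
import math
import secrets
import string

# Alphabet for the written-down half: the 94 printable ASCII characters
# (letters, digits, punctuation), which covers slip entries such as "1whD6&fk".
# This alphabet is an assumption of the example, not a rule from the post.
SLIP_ALPHABET = string.ascii_letters + string.digits + string.punctuation

# The phrase and slip from the post, embedded here as constructed sample input.
PHRASE = "My bologna has a first name"
SLIP_TEXT = """\
Chase bank - 1whD6&fk
gmail - rej8(fhkl
facebook - weh903Ldm
"""


def memorized_half(phrase, substitutions=None):
    """Derive the memorized half the way the post does: take the first letter
    of every word, put the letter count of the first and last word after
    their initials, then apply symbol substitutions (default: 'a' -> '@').
    "My bologna has a first name" -> "M2bh@fn4"
    """
    if substitutions is None:
        substitutions = {"a": "@"}
    words = phrase.split()
    if not words:
        raise ValueError("phrase must contain at least one word")
    initials = [w[0] for w in words]
    initials[0] += str(len(words[0]))
    if len(words) > 1:  # a one-word phrase gets its count once, not twice
        initials[-1] += str(len(words[-1]))
    result = "".join(initials)
    for old, new in substitutions.items():
        result = result.replace(old, new)
    return result


def new_slip_entry(length=9):
    """One random written-down half, drawn from the OS CSPRNG via secrets.
    The random module is not suitable for this."""
    return "".join(secrets.choice(SLIP_ALPHABET) for _ in range(length))


def make_slip(accounts, length=9):
    """Generate the slip: a fresh random half per account. Only this mapping
    is ever written down; the memorized half never appears in it."""
    return {name: new_slip_entry(length) for name in accounts}


def format_slip(slip):
    """Render the slip in the post's 'account - half' layout for printing."""
    return "\n".join(f"{name} - {half}" for name, half in slip.items())


def parse_slip(text):
    """Read a slip back in. Splits on the last ' - ' so account names that
    contain spaces (e.g. 'Chase bank') survive; halves never contain spaces."""
    slip = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        name, half = line.rsplit(" - ", 1)
        slip[name] = half
    return slip


def full_password(memorized, slip_entry):
    """The password actually typed: memorized half followed by the slip half."""
    return memorized + slip_entry


def bits_left_for_thief(memorized_length, alphabet_size=len(SLIP_ALPHABET)):
    """Guessing work remaining, in bits, for someone who holds the slip, if the
    memorized half were uniformly random over alphabet_size characters.
    A phrase-derived half such as M2bh@fn4 has less entropy than this, so treat
    the figure as an upper bound; it still shows why a longer memorized half
    (point 2 above) raises the thief's cost."""
    return memorized_length * math.log2(alphabet_size)


if __name__ == "__main__":
    mem = memorized_half(PHRASE)
    for account, half in parse_slip(SLIP_TEXT).items():
        print(f"{account}: {full_password(mem, half)}")
    print("\nA freshly generated slip:\n" + format_slip(make_slip(["Chase bank", "gmail", "facebook"])))
    for n in (8, 12, 20):
        print(f"memorized half of {n} chars: about {bits_left_for_thief(n):.0f} bits left to guess")
```

Running it prints the three composed passwords from the post, a newly generated slip you could copy onto paper, and the bit counts for 8-, 12- and 20-character memorized halves. Note that only the slip is printed for writing down; keep the phrase in your head.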

And there you have it, your passwords: unique, complex, safely written down... managed.
