Passwords Update 1.1

While I am on my password kick, it's hard to get off the topic. Hopefully I will get back to Architekwiki soon. In the meantime... While I have been going through my cache of passwords, I came across an article from late 2011 that I had saved. I had been aspiring to follow the advice that James Fallows outlines in his Atlantic blog. That advice differs from the path I am on now, but I can see that it is pretty well-thought-out. So I am going to paraphrase it here for you.

The challenge with passwords is to over come the Catch 22: “Passwords that are easy to remember can be easy to hack, and passwords that are hard to hack can be impossible to remember.”

One technique that you can use to solve the Catch 22 is phrases. Basically you use a string of words. An example would be: Cold weather isn't tropical! This 28 character long password would be nearly impossible to hack/guess. And you could change the “o”s to “0” and the “a”s to “#”s for good measure. Something like this example beats the Catch 22, but it breaks down when you have 100 of them. You can't remember 100 phrases (I can't anyway), and you can't remember which one is used where.

One solution to this impasse is to duplicate some passwords based on the value of what you are protecting. This is “going against the rules”, but if the risks are minimal...? For example, let's say you list and rank the sites you use like this:

1. Retirement Account
   
2. Investment Account
   
3. Checking Account
   
4. Credit Cards
   
5. Email Account
   
6. Cloud Storage Account
   
7. Project Management Service
   
8. Online Tax Service
   
9. Shopping Sites
   
10. Apple ID
    
11. Social Sites (FB, Twitter, etc.)
    
12. Entertainment Apps (Netflix, Hulu, etc.)
    
13. Tool Apps (Auto 360, Lucidchart, etc.)
    
14. Games

Your list will differ, but we both are rating how costly loss of control of the account would be. If the account has money in it, assume it's gone; same with data - all your email is gone, attachments, too, or all your project files. Once you know the importance to you, protect the most important with its own “hard” password phrase. I would do this for 1 thru 7. Next use one password phrase for several sites (say 8 thru 10). Then one password phrase for a whole class of sites, say entertainment (11 and 12). Finally you will get to services or games that you can always sign up for again, these can all use the same “easy” phrase (13 and 14). This approach might be manageable without too much effort or too many “notes to self”.

There are other worthwhile ideas in the article I referenced above, and you might find they give you the amount of security you want. My desire is to have the security without the “remembering”. In other words I would rather learn a system that does the managing and remembering for me. 


The Final Update can be found here.