The Best Password Is One You Can't Remember.
Some of the most interesting conversations that Seth and I have with clients and fellow IT administrators are all about security; more particularly the challenges that come with balancing strong passwords with passwords you can actually remember, and how to manage those passwords. There are a huge number of ways of facing those challenges, each with its own attendant benefits and problems. In the broadest sense, I’m going to look at three of the more common approaches – insecurity, obscurity, and trust.
It’s a commonly accepted idea that a good password is a strong mix of numbers and letters, with mixed capitalization and at least one punctuation or symbol character, somewhere between eight and twelve characters in total. There’s a wealth of password-creation software out there (my favorite being the password-creation framework built in to OS X) that will happily churn out a strong password like “9[sQuk_pr1”. That’s a strong password, and one that isn’t going to be easily cracked by a standard dictionary-based automated password attack. It’s also horrible to try and remember, which is why very few people in the actual real world use passwords that look like that. We’re a deeply contextual species, and not designed to commit that kind of thing to memory – we do better with something like “[Q]u1rks_9”, which at least resembles a word that we can mnemonically process, and is also a strong password that wouldn’t be easily cracked.
So, fair enough. We have our strong password. Now the thing to do is to remember that you’ll need to use a strong password for each email account, secured website, service (such as Twitter or Dropbox) and file server. Oh, and preferably you’ll have unique passwords for each of those email accounts, secured websites, services and servers. It could be two or three, or it could be a couple of dozen. Good luck. It’s no wonder, then, that most people reuse the same password in several places, or at least recycle the same two or three passwords for each thing that they touch. On the face of it, that’s not a terribly bad idea – after all, if you’ve come up with one strong credential, it should be good for everywhere, right?
Wrong. This story from last year highlighted what can happen when you use the same password everywhere. Mat Honan managed to get a lot of his digital life put back together, but for every high-profile journalist who suffers this kind of inconvenience, there are probably dozens (if not hundreds) who don’t. Professionally, I’ve seen email account passwords tried (successfully) against file servers, and in one case against an online bank account.
Using the same password everywhere – even a strong password – does not keep you safe.
Second – Obscurity.
One way of getting around the insecurity problem is to offload the task of curating your passwords. The human mind is a fragile, fallible thing, so why put all your eggs in that particular basket? A better option is to keep a central password repository that you can access when needed. There are a good number of ways of going about that, from software solutions like 1Password, Wallet, or the built-in Apple Keychain Access utility to a list of passwords in a word-processing document, and points in-between. Those are reasonable solutions, and allow you to assign long, complex passwords for each service or site, without having to worry about whether they’re something you remember. The program or document remembers them for you, and with all of the options I mentioned, you can protect the list with some kind of encryption in the program or document (and, extrapolating back, more encryption if you use something like FileVault to encrypt your hard drive). So, what can go wrong with having all your passwords saved on your computer?
Well, the answer is right there in that last sentence. The passwords live on your computer, and computers (like people) are not infallible. They require electricity, passwords of their own, and physical access, and speaking of that, they’re prone to damage and theft. They’re also inconvenient, which is why it’s not uncommon for users to jot the passwords they most commonly use down on a piece of paper, or put them in an address book, and before you know it you’re writing your password on a sticky note and putting it on your monitor. That has never been a good idea; it didn’t work for the school authorities in Matthew Broderick’s seminal 1983 classic “WarGames”, and it doesn’t work now.
Thirdly – Trust
Trust and security are a contradictory set of ideas. You can’t have one without the other, and while a computer has no problem trusting another computer, it’s rare for people to have other people that they can trust. Now, that may seem unnecessarily cynical, but ask yourself this: can you absolutely, one hundred percent, with no trace or shadow of a doubt definitively state that you completely trust, say, your significant other not to take a peek at your email? Possibly some of you can, but I have a crisp, pressed dollar bill that says that most people would have to answer in the negative on that one. It’s not an uncommon problem – we see a lot of offices where subordinates know where their bosses keep their passwords (and will happily volunteer that information), and a lot of homes where the kids figure out their parents’ passwords in order to circumvent what they see as draconian restrictions. It’s seldom malicious, but people are fallible.
So, where does that leave us? Well, it leaves us with passwords we need to keep secure, but can’t write down, put on a computer, remember, or trust anyone else to have access to. It’s a dilemma, but not an insurmountable one. There are, I’m sure, finer minds than mine that have figured ways around this problem, but this is my blog, and folks ask me for advice, so here’s my fix: instead of remembering a password, remember a process.
Let me explain. A good, strong password incorporates all the things I mentioned earlier – a mix of capitalization, integers, characters and so forth. It should also be unique, which is very annoying. My fix is to contextualize each password with the service I’m using it with. As “WarGames” was an excellent movie, let’s use the password that Matthew Broderick stole from the school secretary to enable his grade-fixing shenanigans: “Pencil1”.
First, let’s mix that up a little. “Pencil1” is a mixture of a dictionary word and an integer, and isn’t even remotely secure, so let’s turn that into “P3nc1l_1” – replacing the vowels with numbers is pretty elementary, but hits the right mnemonic triggers to keep the word memorable.
Next, let’s think about what we’re using the password for. Let’s say it’s Twitter. By cutting alternate letters of the name of the domain into the password, we turn “P3nc1l_1” into “Pt3wnict1tle_r1”. Likewise, using the password with iCloud turns it into “Pi3cnlco1uld_1” – both of those examples are extremely strong passwords. Better yet, you can create usernames for each domain that follow the same process, so your iCloud username could change from “mbroderick” to “mibcrlooduedrick”.
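The process above, written out as a small Python script so you can check it against the examples in the post. This is an added illustration, not code from the original post; the e→3 and i→1 substitutions come from the post, while a→4 and o→0, the underscore separator and the strength check are my own assumptions.

```python
"""Derive per-site credentials from one memorable base secret by the
vowel-substitution and letter-interleaving process described above."""
from itertools import zip_longest
import re

# Vowel-to-digit substitutions. e->3 and i->1 come from the post's own
# example ("Pencil" -> "P3nc1l"); a->4 and o->0 are an assumed extension.
LEET = {"a": "4", "e": "3", "i": "1", "o": "0"}


def leetify(word: str) -> str:
    """Replace each vowel in *word* with its digit, keeping other letters as-is."""
    return "".join(LEET.get(ch.lower(), ch) for ch in word)


def strengthen(word: str, suffix: str, sep: str = "_") -> str:
    """Build the base secret: substituted word, a separator, then the suffix.
    strengthen("Pencil", "1") -> "P3nc1l_1" as in the post."""
    return f"{leetify(word)}{sep}{suffix}"


def interleave(secret: str, token: str) -> str:
    """Cut alternate characters of *token* into *secret*; when one string runs
    out, the remainder of the other is appended unchanged."""
    return "".join(a + b for a, b in zip_longest(secret, token, fillvalue=""))


def derive_credentials(secret: str, username: str, domain: str) -> dict:
    """Apply the same interleaving to both the username and the password."""
    return {
        "username": interleave(username, domain),
        "password": interleave(secret, domain),
    }


# Upper, lower, digit and punctuation: the post's rule of thumb for a strong mix.
_CLASSES = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")


def is_strong(password: str, min_len: int = 8) -> bool:
    """True when the password meets the length floor and has all four classes."""
    return len(password) >= min_len and all(re.search(p, password) for p in _CLASSES)


if __name__ == "__main__":
    base = strengthen("Pencil", "1")
    for site in ("twitter", "icloud"):
        creds = derive_credentials(base, "mbroderick", site)
        print(site, creds, "strong" if is_strong(creds["password"]) else "weak")
```

Because the derivation is deterministic, one leaked derived password seen next to its domain reveals both the base secret and the rule, so treat any leak as compromising the whole family and change the base.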
The token/password combination technique I’ve outlined here isn’t flawless. It’s a pain to piece together in the most part, but it’s also something that you can recreate mentally in a few seconds with a little practice – it’s a simple technique for password-protecting your password.