On web startups, technology, music and growth
Because not a week seems to go by without a major service being hacked these days, it’s more important than ever to drop that ‘same password for all services’ approach if you are still using it. Make it your 2014 resolution!
I used to use the same password for all services within a given ‘importance level’ (roughly banks > e-mail > social networks > tools I plan to try only once), but some tools turned out to change level over time, while others didn’t fit neatly into one category… So while this already felt quite secure to me, it was not ideal.
I also hate using a desktop app or USB key or something like that to generate and manage your passwords because it defeats the good part about cloud apps being accessible from any computer. I want to remember my passwords myself, especially since I always say no to browsers offering to remember it for me.
There are as many ‘password strategies’ as there are people it seems. So, here’s mine.
Let’s start with a laugh, with the now infamous comic by XKCD on the topic:
I am often annoyed by people taking this approach seriously online, because while ‘high entropy + easy to remember’ is nice, it overlooks a practical constraint: a good password is also reasonably short (I mean around 10 characters, not 4, but not 30 either). That is because it is hard to recover from a typo, or to remember where you were in your password, when all the input box shows you is ***************************************. All the more so on mobile.
So, in my humble opinion, a good password should be:
So here’s how I do it. It satisfies the above criteria, and you don’t have to be a genius to remember it.
First, some ‘special cases’ you may consider, before I divulge my super-duper password strategy that I think everybody and their mom should adopt.
1. Trivial passwords for things you are likely to share
You do require a login to your computer, right? In any case, this is a password very likely to be shared with people (close to you) at some point. They want to change the music at your dinner party while you are cooking in the kitchen, your flatmate needs to look up something that’s on your computer while you are in another country…
So this should be separate from any other password, and can be a simple word with a number after it or something, so you can easily say it over the phone.
Another one for this is your home wifi network. Make this easy to remember and share. For me it’s just a very close variation of the network name, and this has worked well so far.
2. Something similar could apply to some services used at your job, depends what kind of work you’re in.
3. A separate password for banks and e-mail? Because these really are the most important accounts of all (your e-mail account is where every other service sends its password reset link), I have totally separate passwords for my Gmail and for my banks, which are long, hard to guess, and cannot be deduced from the strategy below.
But I think these exceptions are just because I’m paranoid. If you simply include the above cases in the below strategy rather than memorizing a ‘special case’ for them you’re probably still way better off than whatever you’re doing now.
So, here we have it. My ideal password is a mix between something that depends on, and is easily – but not trivially – deduced from, the app name, plus a string of random ‘typical’ password gibberish. This satisfies all of the good password criteria I listed above, and ensures I score ‘very strong’ on about every ‘security level’ meter they put next to password fields. Feels good man.
So, for example: the gibberish string is Bxx12ab!3. Containing an uppercase letter, digits and a symbol, and being nine characters long, that one satisfies virtually every ‘safe enough’ check on sites, both in length and in ‘complexity’.
The second part is the ‘algorithm’ that depends on the app it is for, so that the password is unique per app: if one app is breached, the leaked password cannot simply be replayed against another, and the same holds should you exceptionally have to give the password to somebody else.
Here, for example, you can use ‘reverse the first two characters of the app name and attach them at the end’. So your password for GitHub becomes Bxx12ab!3Ig, your password for Facebook becomes Bxx12ab!3Af, etcetera. If somebody gets hold of more than one of your passwords they may spot the pattern, but from a single one it is hard to guess. That makes it far better than reusing the same password everywhere. Be clear about what it does and does not protect against, though: automated reuse of one leaked password against other sites fails, but a person holding two of your leaked passwords sees the shared nine-character base at once and only has to guess a two-character tail for any further site.
The one thing that isn’t covered yet is the annoying and counterproductive habit some tools have of forcing you to change your password every X months, while requiring that it differs enough from the previous one. This typically leads to people writing the password on a post-it note, defeating the purpose. But for this, you can have a rule like ‘advance the a by one in the alphabet, and the 3 by one’. So if GitHub were to require a change you could change it into Bxx12bb!4Ig.
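The scheme from the last few paragraphs written out as code, both from the user's side and from the side of someone who has obtained two of the resulting passwords. This is an added illustration, not the author's code. It assumes the app-name transform is ‘first two characters of the app name, reversed, first letter capitalised’ (which matches both examples above), that the forced-change rule advances the characters at fixed positions 5 and 8 of the base (the ‘a’ and the ‘3’), and, for the last function, that the per-app tail consists only of ASCII letters of either case. The sample leaked passwords are constructed from the post's own examples.

```python
import string

# The fixed 'gibberish' part from the post. Everything that varies per site is
# appended after it.
BASE = "Bxx12ab!3"

# Positions in BASE that the forced-change rule advances: the 'a' (index 5)
# and the '3' (index 8). Assumed indexes; they reproduce the post's one
# example (Bxx12ab!3 -> Bxx12bb!4).
ROTATE_POSITIONS = (5, 8)


def site_suffix(app_name: str) -> str:
    """Per-app tail: first two characters of the app name, reversed, first
    letter capitalised. Matches both examples in the post
    (github -> 'Ig', Facebook -> 'Af')."""
    if len(app_name) < 2:
        raise ValueError("app name needs at least two characters")
    return app_name[:2][::-1].capitalize()


def derive_password(app_name: str, base: str = BASE) -> str:
    """Full password for a service: shared base followed by the app-derived tail."""
    return base + site_suffix(app_name)


def bump(ch: str) -> str:
    """Advance a character to its successor within its own class (lowercase,
    uppercase or digit), wrapping z -> a and 9 -> 0 so the rule keeps working
    after many rotations."""
    for alphabet in (string.ascii_lowercase, string.ascii_uppercase, string.digits):
        if ch in alphabet:
            return alphabet[(alphabet.index(ch) + 1) % len(alphabet)]
    raise ValueError(f"cannot bump {ch!r}: not a letter or digit")


def rotate(password: str, positions=ROTATE_POSITIONS) -> str:
    """Forced-change rule: advance the characters at the chosen positions by
    one (Bxx12ab!3Ig -> Bxx12bb!4Ig). Only the base changes; the tail stays."""
    chars = list(password)
    for i in positions:
        chars[i] = bump(chars[i])
    return "".join(chars)


def shared_prefix(passwords) -> str:
    """The attacker's view: given two or more leaked passwords built this way,
    the longest common prefix is the reusable base."""
    if not passwords:
        return ""
    shortest = min(passwords, key=len)
    for i, ch in enumerate(shortest):
        if any(p[i] != ch for p in passwords):
            return shortest[:i]
    return shortest


def remaining_guesses(passwords) -> int:
    """Search space left for a *new* site once the base is known, assuming the
    tail is ASCII letters of either case (52 choices per character). With a
    two-character tail this is 52 ** 2 = 2704."""
    base = shared_prefix(passwords)
    tail_len = max(len(p) - len(base) for p in passwords)
    return 52 ** tail_len


if __name__ == "__main__":
    # Constructed sample: the two passwords the post itself lists.
    leaked = [derive_password("github"), derive_password("Facebook")]
    print(leaked)
    print(rotate(leaked[0]))
    print(shared_prefix(leaked), remaining_guesses(leaked))
```

Running it shows the two sides of the trade-off in one place: `derive_password` and `rotate` are easy enough to do in your head, which is the whole point of the scheme, while `shared_prefix` and `remaining_guesses` show that two leaked passwords leave only a 2,704-candidate tail to try for any other site, far fewer than the meters next to the password field suggest.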
So, that’s my password strategy. After Apple pissed me off with the requirements for their Apple ID password and I resolved to fix this mess once and for all, it took me about 30 minutes to go fix this in all the apps that I could think of, and then another month of doing this whenever I logged into an app I hadn’t fixed yet.
It’s reasonably doable to remember this (especially since you’ll be typing your gibberish string over and over again), it never gets complaints from an app that it’s not secure enough (au contraire!) and it feels more secure than any other ‘password habit’ I have tried or seen so far.
To get the same level of satisfaction and improvement in life quality as throwing out all your socks and buying 20 identical pairs of black ones, implement this now and make 2014 the year you once and for all stopped worrying about passwords.
What do you think – I am not at all a security specialist so if you are, please let me know: did I miss something here?