As a founder of PassPack, I try to keep up with all the conversations about passwords on the internet. In my virtual travels, I’ve realized that the number one reason people don’t feel they need a password manager is that they “have a system.”
One of the more ingenious ideas I’ve come across is David Bradley’s Passwords for Scientists where he proposes using the molecular formula for various pharmaceuticals.
However, most of these home-grown formulas are variants on the same theme: take the first letter of every word in a song, title, quote or sentence, mix up the upper and lower case letters, throw in some numbers and perhaps add a prefix representing the website name.
… folks, this is not as safe as you would think. Really, it’s just not.
The Proof is in the Password Pudding
Roger A Grimes launched this password hacking contest a few months ago. Here’s Roger’s theory:
I proposed that shorter, so-called “complex” passwords were easier to break than less complex, longer passwords. I know this to be true because I frequently password crack for a living, and I know that most people’s “complex” passwords aren’t really that complex. When told to pick complex passwords, 80% of all end-users will use the same complexity tricks. [my emphasis]
Yup. I didn’t run the contest, but I can surely say this is true in my experience from reading blog posts and comments.
The contest gave out three password hashes. Guess which one was cracked first?
“S10wDr1v3r” was cracked six months before “myengagingwives”: the ten-character “complex” password, with its mixed case and digits, fell long before the fifteen-character all-lowercase one.
Does S10wDr1v3r look like any of your passwords? If so, it might be time to change to something longer.
But why do all that work?
I know everyone hates passwords. I do too. We all do. Passwords are so hated that “password fatigue” is now considered a syndrome!
So, if you hate passwords – why spend so much time making them up? Why apply so much of your creative energy inventing a password that will be no more complex than the ones that 80% of all end-users will use?
Think of all the time and energy you could save by just forgetting about your passwords. Yes, I said forget them. Free up your memory. Take all those passwords and stick them… ahem… in a password manager.
Choose, and use, a Password Manager
Once you have a password manager, you can pack your passwords away in there, forget them, and look them up whenever you need them.
See? Isn’t that much easier?
Of course, you’ll need a master Pass (and Packing Key) and you’ll want to pick something nice and strong. I know, I know… but consider it the last and final necessary password evil.
Here’s a tip: pick a sentence and use that. This is called a pass phrase. It’s just a sentence: a plain and simple sentence with spaces and punctuation. Make it a sentence of your own rather than a well-known quote or song lyric, since crackers keep lists of those. As Roger’s password hacking contest has shown, the longer the better.
Hippity Hop, the rabbit ate the carrot.
That’s a pass phrase. It’s easy to remember and 39 characters long (and strong). Some more examples here.
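To put numbers behind the contest result above and the pass phrase tip, here is an added worked example; it is not code from this post or from Roger Grimes’ contest. It is a small rule-based mangler of the kind password crackers use, which reaches “S10wDr1v3r” in well under 300 guesses once you assume it is a leet-mangled “slow driver”, placed next to a brute-force keyspace estimate for all three passwords. The base phrase, the casing and leet tables, and the use of SHA-256 over a locally computed stand-in hash (the contest’s hash algorithm is not stated here) are all my assumptions.

```python
"""Rule-based mangling versus brute-force search space.

Added example, not code from the PassPack post or from Roger Grimes'
contest. Assumptions: "S10wDr1v3r" is a leet-mangled "slow driver"; the
contest's hash algorithm is not given, so the target below is a constructed
SHA-256 stand-in computed locally, not the contest hash.
"""
import hashlib
import itertools
import math

# Common leet substitutions people reach for when told to be "complex".
LEET = {"a": "4", "e": "3", "i": "1", "l": "1", "o": "0", "s": "5", "t": "7"}


def casings(words):
    """Every per-word choice of lower / Capitalised / UPPER, joined with no separator."""
    per_word = [(w.lower(), w.capitalize(), w.upper()) for w in words]
    for combo in itertools.product(*per_word):
        yield "".join(combo)


def leet_variants(s):
    """Apply or skip each possible leet substitution in s (2**k variants for k eligible chars)."""
    positions = [i for i, ch in enumerate(s) if ch.lower() in LEET]
    for mask in itertools.product((False, True), repeat=len(positions)):
        chars = list(s)
        for apply, i in zip(mask, positions):
            if apply:
                chars[i] = LEET[chars[i].lower()]
        yield "".join(chars)


def candidates(words):
    """Distinct mangled candidates derived from a base phrase, in a fixed order."""
    seen = set()
    for cased in casings(words):
        for cand in leet_variants(cased):
            if cand not in seen:
                seen.add(cand)
                yield cand


def sha256_hex(s):
    return hashlib.sha256(s.encode()).hexdigest()


def guesses_to_crack(target_hex, base_words):
    """Number of candidates hashed before target_hex matched, or None if the rules miss it."""
    for n, cand in enumerate(candidates(base_words), start=1):
        if sha256_hex(cand) == target_hex:
            return n
    return None


def search_space_bits(password):
    """log2 of the brute-force keyspace, using only the character classes the
    password actually contains. Each character is treated as an independent
    choice, which overstates the strength of dictionary words and well-known
    quotes; it is the defender's best case, not a guarantee."""
    charset = 0
    if any(c.islower() for c in password):
        charset += 26
    if any(c.isupper() for c in password):
        charset += 26
    if any(c.isdigit() for c in password):
        charset += 10
    if any(not c.isalnum() for c in password):
        charset += 33  # printable ASCII punctuation and space
    return len(password) * math.log2(charset)


if __name__ == "__main__":
    target = sha256_hex("S10wDr1v3r")  # constructed stand-in for the contest hash
    n = guesses_to_crack(target, ["slow", "driver"])
    print(f"rule-based attack found S10wDr1v3r after {n} guesses")
    for pw in ("S10wDr1v3r", "myengagingwives", "Hippity Hop, the rabbit ate the carrot."):
        print(f"{pw!r}: {len(pw)} chars, ~{search_space_bits(pw):.0f} bits to brute-force")
```

Two caveats a practitioner should keep in mind. The keyspace figure assumes each character is chosen independently, so a pass phrase that is a famous quote or a line from a song is far weaker than its bit count suggests. And real crackers ship rule sets with thousands of mangling rules and wordlists of millions of base words, so the few hundred candidates generated here are the gentlest possible version of the attack; “S10wDr1v3r” is only ever one rule away from “slow driver”, no matter how many tricks were applied to it.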
So Get Packing
If you’re ready to start packing up those passwords, follow the instructions for Getting Started with PassPack.
If you have any problems whatsoever, just drop me an email. I’ll do what I can to help.

3 responses so far ↓
Edy // Jan. 11 2008 at 15:39
Password is very important for your digital tools. What Telli said about long passwords being strong is true. But make sure that you remember it and don’t share it with anyone.
Password Meter Mania « Passpack Blog // Jul. 22 2008 at 7:55
[...] be creative and that is exactly what password meters are trying to promote. Creativity coupled with password length almost always ensures strength and a high quality rating. Question: what do you do once you’ve [...]
Email Security: Not Limited to Sarah Palin « Passpack Blog // Sep. 19 2008 at 16:53
[...] spared herself the negative public eye if she had followed the basic rules of password security: long is strong. This cannot be stressed enough but in light of the Palin email hack, strong responses to (password [...]