Well written and accessible; your mother would understand it. The best passwords, for usability and safety, are three-word phrases. Easy to remember and easy to type. To accommodate the rules at my clients, I use <Capitalized-word><punctuation><word>.
I worked with a password fanatic who used a generator to create 8-12 random character passwords, which he stored in his PDA, because he couldn't remember them. I don't think his method was more secure than mine. I didn't have to write mine down.
I read an article from Microsoft advocating passphrases in 2004, and was taken with his rationale. I've been using them since then on everything except low-security accounts.
I now have much more diversity in the hundred or so passwords I actually use than I used to, and worry much less about forgetting them.
(P.S. Without loss of generality, pretend that for whatever reason I was reminded of Gummy Bears when signing up for my Gmail account. (An American TV show from back in the day.) I take a snippet of one line from their themesong, "dashinganddaring", which works fine as a password, optionally substituting a & for the "and" and with arbitrary capitalization. I'm highly unlikely to forget the password because, well, I've had perfect recall of that themesong for twenty years now.
I don't actually use cartoon theme songs, but everybody should have some source of highly entropic data that is evocative and meaningful to them.)
Very well done article. One of the best sum up points: "A usable and secure password is then not a complex one. It is one that you can remember - a simple password using 3+ words." I've used that sometimes, and it works well; though I also happen to be someone who can memorize random strings of punctuation and gibberish, which I prefer. :)
I have an encrypted file of my passwords, encrypted with a password of over a dozen characters, containing uppercase and lowercase letters, as well as numbers. It has no meaning whatsoever, and I have no trouble remembering it. The author thinks no one can remember SIX random characters?? How many phone numbers do you know? Zip codes? Addresses? URLs? Email addresses? Really, I think ANYONE can remember 6 random characters, especially if they type them all the time.
Does anyone have a good algorithm for using a password template/seed for different sites? Choosing a template, say 5_h_7_s_9_j, and replacing the _ with characters from the site's name works (and you could increment the characters or whatever), but if anyone gets two of your passwords it's pretty obvious there's a pattern and it's not particularly hard to work out the relationship between the site name and the password.
Seems to me the current "standard" password scheme of about 6-10 random characters comes from the old Unix limit of 8 characters. But this should pretty much be history today, right?
And yet I am still doing this myself all the time... Next time I need a good password I'm gonna go with a three-word phrase instead.
- 256 random chars long passwords stored in a bluetooth keyring.
How it works:
pre-session:
- every user registers two passwords, short and long.
session:
- app asks for password
- user does nothing, computer recognizes keyring
- computer sends 256pw to app
- app accepts two kinds of pw, short and long
- if pw.length > 200 treat as keyring pass
post-session:
- if user loses keyring, he can deactivate his 256pw
- user can change 256pw at will, just buy new keyring, update password on app.
That's how I see it, and that's how I would like to do it.
Keyrings can be anything, just a chip and bluetooth, can be carried or placed on a desk, can have buttons to press to send the signals, can be locked, can have many shapes and colors, etc.
The secret is not the keyring, I know there are plenty out there, the secret is in allowing apps to accept two kinds of password: short, user generated, or long, device generated, so convenience is on the user's side.
And when machines fail, there is always old-password at hand.
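The two-password scheme sketched in the post above, as an added example (not the commenter's code): the app keeps a salted hash of both secrets, dispatches on the commenter's length rule, and lets the user deactivate or replace the keyring secret. The KDF choice, the 256-character URL-safe token, and the `Account` class are my assumptions.

```python
import hashlib
import hmac
import os
import secrets

KEYRING_MIN_LEN = 200  # commenter's rule: anything longer is the keyring password


def new_keyring_secret() -> str:
    # 192 random bytes base64url-encode to exactly 256 characters (constructed here)
    return secrets.token_urlsafe(192)


def _kdf(password: str, salt: bytes) -> bytes:
    # Slow salted hash so a stolen credential table is costly to brute-force
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Account:
    """Stores one short (user-chosen) and one long (device-generated) secret."""

    def __init__(self, short_pw: str, long_pw: str):
        if len(short_pw) > KEYRING_MIN_LEN or len(long_pw) <= KEYRING_MIN_LEN:
            raise ValueError("short/long passwords must fall on opposite sides of the length rule")
        self.short_salt, self.short_hash = self._store(short_pw)
        self.long_salt, self.long_hash = self._store(long_pw)
        self.keyring_active = True

    @staticmethod
    def _store(pw: str):
        salt = os.urandom(16)
        return salt, _kdf(pw, salt)

    def verify(self, candidate: str) -> str:
        """Returns 'keyring', 'short' or 'rejected'."""
        if len(candidate) > KEYRING_MIN_LEN:
            if not self.keyring_active:  # lost keyring: long path is disabled
                return "rejected"
            ok = hmac.compare_digest(_kdf(candidate, self.long_salt), self.long_hash)
            return "keyring" if ok else "rejected"
        ok = hmac.compare_digest(_kdf(candidate, self.short_salt), self.short_hash)
        return "short" if ok else "rejected"

    def deactivate_keyring(self) -> None:
        self.keyring_active = False

    def replace_keyring(self, new_long_pw: str) -> None:
        # New device: re-register the long secret; the old one stops working
        self.long_salt, self.long_hash = self._store(new_long_pw)
        self.keyring_active = True
```

Note that deactivation only disables the long path; the short, user-remembered password keeps working, which is the fallback the commenter describes.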