NOT your name spelled backwards...
Remember the fantasy stories of wizards and genies with magic words that unlock treasure troves? That's looking more and more like reality these days, as increasing amounts of important information are accessed with a single password. Business networks, Automatic Teller Machines, home security systems and Internet accounts are just a few of the aspects of your identity that can be assumed by anyone who knows the right keys to push. And if you haven't chosen a password wisely, you may find yourself impersonated by someone who's either persistent or mildly lucky, or both.
The aim of this guide is to help you formulate passwords that are easy for you to remember and use, yet all but impossible for others to guess or chance upon. Follow these steps and rest assured that the magic word won't be on anyone else's lips or fingertips.
1. Assess the task
Start by learning what your password cannot be. Is there a minimum or maximum length? Is the system case-sensitive (see Keywords)? Are special characters allowed, or must it be limited to numbers and letters?
- Consider the convenience factor. A computer access code you enter several times a day should probably not involve elaborate keyboard gymnastics. On the other hand, a PIN code (Personal Identification Number) for a cash machine shouldn't be so simple that a casual observer could discern the pattern.
- Another factor is the number of applications of the password. It's not a good idea to use the same password in multiple circumstances; instead, build a "mental key chain" of passwords that are thematically linked in a manner known only to you (see Step 7). That means you'll need to start out with a password that supports such linking.
2. Eliminate the obvious
Take a few minutes to think like a password-cracker. If you were trying to break into your account, what combinations would you try? The ideal password is a word, term or phrase that's personally meaningful and therefore memorable, but so far removed from its original context as to place it beyond the reach of the educated guesser.
- Avoid the bumper sticker syndrome. The world is full of opportunities for us to announce our interests and affinities: bumper stickers, custom license plates, our online names. Resist the temptation to make your password a means of self-expression. If you're an avid sailor, stay away from passwords like port or starboard.
- On the other hand, there's nothing wrong with a password that holds a particular connotation for you, but the subject it evokes shouldn't be one that others would associate with you. Your co-workers (or anyone glancing at the pictures in your cubicle) may know you as a sailor, but chances are they don't know the name of the boy who sat in front of you during seventh grade math class.
3. Avoid the old standbys
Here are some of the most common password categories around, and therefore likely to be guessed:
- Common names, such as Jen or Gordon. Also avoid using your middle name, your mother's maiden name, or the name of your children.
- Obscenities, especially of the four-letter variety. Most password crackers will try them early on.
- Science fiction terms: Among the more prevalent are "Data," "Spock," "Worf," "Borg" and "HAL."
- Line-of-sight terms: A lot of people think they're being clever by using a term that's right in front of their face as they sit down at the computer; for example, they use the word "Sony" because that's the brand of their monitor, or "spider plant" because one's hanging right overhead. But all you're doing is providing contextual clues that others could pick up. To play it safe, avoid any reference to common objects found in households and offices.
- Common phrases: Avoid especially those pertaining to greeting or getting down to work, such as "Good morning," "Wake up," "Hey you" or "Get going."
- If you have both a login identity and a password, keep in mind that it's relatively easy for other people to get your login--it's right there in the email you send, or in a directory of who's online. Don't let your login provide a clue to the password! If your email address is "HueyDewey@aol.com," don't make your password "andlouie."
- In a nutshell: reach for personal, not public significance.
4. Pick a winner
It helps if the end result isn't a word found in the dictionary (see Tips). Some examples:
- Bad choice: the name of the street where you live (Evergreen).
- Good choice: the name of the street where you lived when you were seven (Placer).
- Better choice: the name of the street two blocks over, where your best friend Bobby lived when you were both seven (Blue Gum Avenue).
- Best choice: the same street rendered into a non-dictionary term (bluegumave).
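The ladder above can be checked rather than guessed at. The following is an added example, not part of the original article: it tests a candidate against the constraints gathered in Step 1 (length and allowed characters) and then against a wordlist the way an automated guesser would, after lower-casing, stripping separators and undoing common digit-for-letter substitutions. It also segments the candidate into dictionary words, because a password such as "bluegumave" that is not itself a dictionary word is still a concatenation of three, which combinator-style guessing reconstructs. The wordlist is a constructed, deliberately tiny stand-in; real cracking lists run to millions of entries, so the absolute numbers are illustrative.

```python
# Added example (not from the original article): policy check (Step 1) and
# wordlist / concatenation check (Step 4) for a candidate password.
import string

# Constructed, deliberately tiny wordlist standing in for the dictionary,
# name and street lists a cracker actually uses.
WORDLIST = {
    "evergreen", "placer", "blue", "gum", "ave", "avenue", "port",
    "starboard", "buttercup", "johnson", "reading", "white", "sony",
}

# Substitutions a guesser undoes before comparing against the wordlist.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(candidate: str) -> str:
    """Lower-case, strip separators and undo leet substitutions."""
    stripped = "".join(ch for ch in candidate if ch not in " -_.")
    return stripped.lower().translate(LEET)


def fits_policy(candidate: str, min_len: int, max_len: int, allowed: str) -> bool:
    """Step 1: does the candidate satisfy the system's length and charset rules?"""
    return min_len <= len(candidate) <= max_len and all(ch in allowed for ch in candidate)


def in_wordlist(candidate: str, wordlist=WORDLIST) -> bool:
    """Step 4: is the candidate a single wordlist entry after normalization?"""
    return normalize(candidate) in wordlist


def word_segments(candidate: str, wordlist=WORDLIST):
    """Split the candidate into wordlist entries, or return None if impossible.

    Dynamic programming over prefixes: best[i] holds a segmentation of the
    first i characters, if one exists.
    """
    text = normalize(candidate)
    best = [None] * (len(text) + 1)
    best[0] = []
    for end in range(1, len(text) + 1):
        for start in range(end):
            if best[start] is not None and text[start:end] in wordlist:
                best[end] = best[start] + [text[start:end]]
                break
    return best[len(text)]


def guesses_to_exhaust(candidate: str, wordlist=WORDLIST,
                       alphabet=string.ascii_lowercase) -> int:
    """Rough size of the search an attacker must cover to reach the candidate.

    Single wordlist entry: one pass over the list.  Concatenation of k
    entries: len(wordlist) ** k.  Otherwise: brute force over the alphabet
    at that length.
    """
    if in_wordlist(candidate, wordlist):
        return len(wordlist)
    parts = word_segments(candidate, wordlist)
    if parts is not None:
        return len(wordlist) ** len(parts)
    return len(alphabet) ** len(normalize(candidate))


if __name__ == "__main__":
    policy = string.ascii_letters + string.digits
    for pw in ("Evergreen", "Placer", "P1acer", "Blue Gum Avenue", "bluegumave"):
        print(pw, fits_policy(pw, 8, 16, policy), in_wordlist(pw),
              word_segments(pw), guesses_to_exhaust(pw))
```

With this list, "Evergreen" and "Placer" are found on the first pass, "P1acer" collapses to "placer", and "bluegumave" costs 13 cubed guesses rather than 26 to the tenth: far better than a bare street name, but still built from pieces an attacker's lists contain, which is why the digit and casing changes in Step 7 matter only if they are not themselves predictable.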
5. Preserve the password
No matter how strong your memory--or how memorable your password--there's too much at stake to trust your recollection. Once decided upon and duly entered, the password should be written down in a safe but unobtrusive place.
This can pose a problem. You might find it easier to remember a password than a set of directions to a hidden piece of paper, and besides, you're relying on the same memory to retain both pieces of information. That's why both password and hiding place are usually products of personality and force of habit, and why most would-be security crackers employ psychology as well as computer expertise.
- Here's a trick that often works: hide the access code in a place that's not hard to find, but in a form or context that makes it all but impossible to identify as the password. For example: let's say your password is "123Buttercup." You could place an entry in your address book listing a Ms. Morgenstern at 123 Buttercup Lane. Most prying persons won't know that Morgenstern was the name of your Computer Science teacher back in high school.
6. Know when to change it
Don't get too attached to your password; be prepared to abandon it in favor of a new one when the need arises. And learn to acknowledge that the need has arisen. Too many people cling to a password either out of sheer force of habit, or because they never learned the procedures for changing it.
- When does the need for a new password arise? Don't wait until someone sniffs out the old one--that's a little like locking the barn door after the cows are gone. If you have a situation where more than one person has had access to a password, follow this policy: change it whenever someone who knows it no longer needs to use it. Even if that person is completely trustworthy, and even if changing is a hassle.
- Why? It's not a sign of mistrust, but a courtesy to the departing. You free them from the burden of having to keep a secret (since the old password is nothing but trivia), and you eliminate even the shadow of suspicion in case unauthorized access does occur.
7. Build a mental key chain
Modern life can present a maze of demands for a password, and the easy temptation is to make one keyword fit all. But the dangers of that are clear: you're maximizing your vulnerability if someone cracks your password. Why make it any easier for them? Or let's say you're sick at home one day and a co-worker needs access to a work file. You might feel better about giving them the password if it doesn't also unlock your bank balance and that encrypted folder of old love letters (and, as Step 6 advises, change it once they no longer need it).
- If you pick each new password at random, with no system behind it, you've increased your opportunities to forget or misplace it. So the best solution is to build a "mental key chain" of passwords: a thematically linked series that you apply to multiple uses. From time to time, you may forget which password goes to which machine, but all that means is that you'll have to try another.
- To build a key chain, recognize natural linkages (while steering away, as usual, from the obvious). For example, let's return to when you were seven and your best friend lived two blocks over. If you limit your associations to your memory of that time, you can come up with links that are vivid to you but incomprehensible to others. The link should live in your head, not in the passwords themselves: if one of them is exposed, the rest should not be derivable from it.
- Your home room teacher's name.
- The subject he or she taught.
- Your grade in that subject.
- The color of the shirt you wore when the class photo was taken.
Into all of these you might make a habit of inserting the number 7 (or another single digit) for three reasons: to remind you of which age to recall, to identify the passwords as part of this chain, and to render them non-dictionary words.
Examples of the above: John7son, read7ing, read7b, white7pic.
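The digit trick is worth measuring, because it is exactly the kind of transformation that automated guessing already tries. The following is an added example, not part of the original article: it applies the rule "insert one digit at any position of a wordlist entry, in the usual casings" to a constructed, deliberately tiny wordlist, and shows that John7son and read7ing fall inside the generated set. It also shows that a single leaked chain password gives away the digit and its position, after which the attacker can restrict the rule and cut the work further. The wordlist and the chain passwords from the text are the only inputs; read7b and white7pic are not hit here only because "readb" and "whitepic" are not single entries in this small list (a combinator attack over two-word concatenations would cover them).

```python
# Added example (not from the original article): how a rule-based guessing
# attack treats the "insert a digit" habit of Step 7.
from itertools import product

# Constructed, deliberately tiny wordlist; real attacks use millions of entries.
WORDLIST = ["johnson", "reading", "white", "placer", "evergreen"]
DIGITS = "0123456789"


def case_variants(word: str):
    """Yield the casings a cracker tries first: as-is, Capitalized, UPPER."""
    seen = set()
    for v in (word, word.capitalize(), word.upper()):
        if v not in seen:
            seen.add(v)
            yield v


def insert_digit_rule(word: str, digits: str = DIGITS):
    """Yield every string formed by inserting one digit at any position of word."""
    for pos, d in product(range(len(word) + 1), digits):
        yield word[:pos] + d + word[pos:]


def candidates(wordlist, digits: str = DIGITS):
    """Candidate set: wordlist x casing x insert-digit rule."""
    out = set()
    for word in wordlist:
        for cased in case_variants(word):
            out.update(insert_digit_rule(cased, digits))
    return out


def infer_rule(known_password: str, wordlist):
    """From one leaked chain password, recover (base word, digit, position).

    Returns None if the password is not a wordlist entry with one digit inserted.
    """
    for word in wordlist:
        for cased in case_variants(word):
            for pos, d in product(range(len(cased) + 1), DIGITS):
                if cased[:pos] + d + cased[pos:] == known_password:
                    return cased, d, pos
    return None


def chain_hits(passwords, wordlist, digits: str = DIGITS):
    """Which of the chain passwords fall inside the rule-generated candidate set?"""
    pool = candidates(wordlist, digits)
    return sorted(p for p in passwords if p in pool)


def work_factor(wordlist, digits: str = DIGITS, casings: int = 3) -> int:
    """Upper bound on candidates: (len + 1) positions x digits x casings per word."""
    return sum((len(w) + 1) * len(digits) * casings for w in wordlist)


if __name__ == "__main__":
    chain = ["John7son", "read7ing", "read7b", "white7pic"]
    print("hits with the full rule:", chain_hits(chain, WORDLIST))
    print("candidates tried:", work_factor(WORDLIST))
    base, digit, pos = infer_rule("John7son", WORDLIST)
    print("leak reveals:", base, digit, pos)
    print("candidates once the digit is known:", len(candidates(WORDLIST, digit)))
```

For five base words the full rule costs 1,170 guesses; once John7son has leaked and the digit is known, 117. Against a real wordlist the multiplier is the same (roughly ten times the positions per word), which is a small price for an attacker compared with the millions of base words already on the list. The chain's strength therefore comes from the base words being obscure, not from the digit.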