People hate passwords.  Plain and simple, we hate them.  The people tasked with making sure your password is secure hate the fact that you use the same one for everything, and the people tasked with coming up with one that does the job and meets the requirements hate the fact that they can never remember it.  Everyone hates typing them, and no one likes yelling at you for doing it wrong.  The only people who actually like your weak password are the people trying to gain access to your accounts.

What does this mean for your accounts and accesses?  It means there are no easy ways of getting the point across that you must put some time into passwords and keep doing it periodically.  The average user, when it comes to password best practices, does the opposite of what’s good and / or right for security.  Most commonly people tend to do the following:

  • Have a life password (one password for everything)
  • Have a password that is a simple dictionary word
  • Have a password that is some kind of personally identifiable information (SSN, birth date, shoe size combined with a dog’s name, etc.)
  • Use the same three passwords in rotation forever
  • Develop a system for character substitution (@ for a, ! for I or 1, 0 for o, etc.)
  • Share their passwords with colleagues
  • Write their password down and tape it to the bottom of their keyboard or desk drawer
  • Other equally bad ideas

The problem with these approaches should be obvious, but if you’ve never considered the implications of just what a password is and what it protects, you may never even know that you’re doing it wrong.  Here’s an amusing anecdote about weak passwords.  I worked in a computer store at one point, and the owner gave his wife administrative access to everything.  Spousal privilege is not a good thing, and in this case, it was a very bad thing.  Invariably, another employee and I were able to guess her password, because she always used the biggest event or thing in her life as a password.  The worst part of it is, it wasn’t the event itself, but the simplest word she could use to describe that event.  When she got a new car, her password was “honda.”  When she got pregnant, her password was “baby.”  When she wanted a puppy, her password was “dog.”  You can see how this is a bad thing, considering she was in charge of the financials for the store.

The most common excuse people use for their weak passwords is something along the lines of, “If they want my data, they’re welcome to it.  The only thing they’re going to get access to is an overdrawn checking account, some pictures of my aunt Betty’s new puppy and my bread recipe collection.”  The great flaw in that thinking is, if they (the bad guys) have access to that checking account, they can move funds through it for whatever reason they want.  They can make it look like you hired a hit-man to kill the prime minister of Micronesia because you didn’t think strong passwords were necessary for your bank account.  Suppose they gain access to your computer because your passwords were weak.  They could use your computer to trade all manner of unsavory files, then add your computer to their botnet and make you one of the people attacking the Pentagon.  You’ll know when DoD agents knock on your door to ask why your IP address was among the ones that were used to gain access to DoD systems.  Won’t that be fun?  Also, now that they know you’re associated with Aunt Betty, they can begin constructing a social map of your life and use that information to steal your identity, then set up a bank account in Poughkeepsie, NY that they then use to launder drug money and buy vintage Barry Manilow records.

It’s an unpopular statement to make, but it’s incumbent upon every user of any computer to safeguard passwords and sensitive data.  It’s funny how, philosophically, nearly everyone agrees that an eight-year-old child should not be allowed to drive a tractor-trailer on the basis that he lacks the mental and physical capacity to operate it safely.  The same logic is not applied to computer use, however, mainly because the danger is only to data.  So it seems, anyway.

So, what do you do?  You need a strong password, but strong ones are too hard to remember.  Weak ones are easy to remember, but also easy to guess or brute force crack (a technical term for allowing a computer to throw passwords at the login until it gets the right one).  There is an answer, and it comes in the form of a web cartoon.  The web comic XKCD is written by a brilliant person, who came up with a password model which has come to be known as the “Correct Horse Battery Staple” model.  The premise is that you select four random dictionary words and separate them with spaces.  If you get one that’s funny to you, you have a winning password.  It’s orders of magnitude harder to guess than just about anything else you could do, and you can still use your favorite character substitution scheme to make it even harder to crack.

Here’s how it works, and it’s easy enough that no one should be able to make any of the typical excuses.  First, visit CHBS and set the tool up the way you want it.  You can change the separator character, capitalize, append numbers, etc.  I tend to make the separator character a space, but you do what you like.  I also eliminate capitalization and don’t append numbers.  If you want to do any of that, you can do it when you use the password.  Click the “Generate password” button until one of them makes you laugh.  You can switch the word order and add your own special characters as you see fit, but when you settle on one it should be unforgettable.  You can make a mnemonic to help with it, such as the one in the cartoon, but I find that if the password makes me laugh it’s in my brain forever.
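As an added illustration (not part of the original post or of the CHBS tool), here is a small Python script that draws words with the operating system’s CSPRNG and works out why four random words beat a dictionary word dressed up with character substitutions.  The word list, the 1000-guesses-per-second rate, and the rough substitution model are constructed assumptions for the demo.

```python
import math
import secrets

# Constructed word list for the demo.  A real generator uses a large list
# (the EFF long list has 7776 words; the XKCD estimate assumes 2048).
WORDS = [
    "correct", "horse", "battery", "staple", "window", "pencil", "river",
    "candle", "orange", "button", "saddle", "planet", "lantern", "copper",
    "velvet", "marble", "thunder", "pillow", "garden", "rocket",
]


def passphrase_entropy_bits(wordlist_size: int, word_count: int) -> float:
    """Bits of entropy in word_count words drawn uniformly, with replacement."""
    return word_count * math.log2(wordlist_size)


def random_string_entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy in a truly random string (not a human-chosen one)."""
    return length * math.log2(alphabet_size)


def substituted_word_entropy_bits(wordlist_size: int, swaps: int, digits: int) -> float:
    """Rough model (an assumption) of the '@ for a, 0 for o' habit: one dictionary
    word, a yes/no choice per swappable letter, and appended digits.  Cracking
    tools apply these rules directly, so the swaps add only a bit each."""
    return math.log2(wordlist_size) + swaps + digits * math.log2(10)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try every possibility at a fixed guess rate (Julian years)."""
    return 2 ** bits / guesses_per_second / 31_557_600


def generate_passphrase(words: list, count: int = 4, separator: str = " ") -> str:
    """Draw count words with the OS CSPRNG and join them.  The strength comes
    from the random draw, not from the words being obscure."""
    return separator.join(secrets.choice(words) for _ in range(count))


if __name__ == "__main__":
    print("passphrase:", generate_passphrase(WORDS))
    for label, bits in [
        ("4 words, 2048-word list (XKCD)", passphrase_entropy_bits(2048, 4)),
        ("4 words, 7776-word list", passphrase_entropy_bits(7776, 4)),
        ("8 random printable characters", random_string_entropy_bits(95, 8)),
        ("dictionary word, 4 swaps, 2 digits", substituted_word_entropy_bits(50_000, 4, 2)),
    ]:
        years = years_to_exhaust(bits, 1000)
        print(f"{label:36s} {bits:5.1f} bits  ~{years:,.0f} years at 1000 guesses/s")
```

The entropy figures assume the words are kept exactly as drawn; with the 20-word demo list the passphrase itself is only a toy, so point the generator at a real list before using its output.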

Sadly, some operators of websites requiring passwords have not adopted the simplicity and security of this model.  For those sites, it’s best to have other inferior passwords in your pocket.  Hopefully, they’ll come around.