Password on a Post-it.

Passwords can be troublesome beasties, especially if you have a lot of them. Some you need on a daily basis, such as those you use to log onto a computer or network; some you only use once in a blue moon, such as the one you use to connect to the internet, and probably forgot two days after setting up the connection. Some you will guard with your life, such as the access codes for your Swiss bank account; others, such as your ICanHasCheezburger log-in, aren't quite as critical.

If you spend a lot of time on different systems, you'll acquire a plethora of passwords, and keeping track of them can be a problem. So what to do? Here are a couple of tricks to help.

Firstly, re-use some passwords, but only the ones that don't matter. If you use your ICanHasCheezburger password for the Flat Earth Society and the Electricity Pylon Appreciation Society as well, the world is probably not going to end if one of those sites is broken into and your password discovered by pimply-faced hackers. On the other hand, re-using your ICanHasCheezburger password for your HSBC online banking is inviting trouble: whoever breaks into the cat site will try the same e-mail address and password at the bank, because that is exactly what they do with a stolen list. As a rule of thumb, anything worth stealing gets a unique password, and a shared password is only as safe as the sloppiest site you've used it on.

Secondly, keep a note of your passwords. The 'post-it stuck to the keyboard' approach is universally frowned upon (although, if all it means is that someone can break into your pylons.org account and post disparaging remarks about the Double-circuit PL16 D60, it's probably not a huge problem), but having them carefully written down and stored in a secure place is a good idea. Most companies with a comprehensive disaster recovery plan keep the key log-ons in a safe in case the IT department is suddenly struck down by rabies, and if you have a safe (or a lockable drawer of a filing cabinet at work) you can save yourself a lot of aggravation the same way.

If you don't have a particularly safe place available, you can store them on your computer in an encrypted file; then the only password you really have to worry about is the one you used for the file, which had better be a strong one. I'll add a how-to on file encryption later in case you want to go down this route. However, as we'll see, there are limitations to just how secure this is (the file is only as safe as the machine it lives on and the password that locks it), so use with caution.

Also, do not let your browser remember important passwords. Saved passwords live on the disk, and it's a (relatively) easy job to nobble the system's log-in and help yourself to everything. At least if your password is on a post-it stuck to the keyboard, there's a chance it will fall off when the burglar pinches your iMac at 4:00am; the chances of the disk drive falling out are a lot thinner. Again, this isn't too much of a problem if all they can do is caption a humorous photograph of a cat in a box under your name.

Finally, a note on password strength. Passwords are usually stored as "hashes": a one-way calculation is run over the password to derive a fixed-size code that doesn't contain the password itself but is, for practical purposes, unique to it, so the system can check a log-in by hashing what you typed and comparing it with what it stored. That also tells you how an attacker who gets hold of the stored hashes finds the password: hash guesses until one matches. Most cracking systems start with a long list of words (like the one in your spell-checker), then move on to words plus a few numbers (like "zebra99"), then a brute-force approach starting with "a" and going up to "99999999999" (with the length decided by the time available). They rarely include symbols like %, ^, § or ¿ in that last pass, since they don't get used very often and the number of combinations to go through is the size of the alphabet raised to the length of the password, so every extra character in the alphabet hurts.

A popular method has been to use numbers instead of vowels (e.g. "4dm1n1str4t0r" instead of "Administrator"), but modern cracking software has wised up to this and may now apply vowel substitution as a rule to every word in the dictionary attack (in fact, I've seen a few cracking dictionaries with "4dm1n1str4t0r" listed as a word in its own right, which probably saves a lot of time).

So, if you’re concerned about password strength, here are some pointers:
» Don't use common names or anything straight from a dictionary, even if you stick a couple of numbers on the end: that is exactly the second pass described above.
» Don't use anything too short. Each extra character multiplies the number of guesses by the size of the alphabet, so "Ft5Q" takes a lot less time to reach than "Ft5Qr2Lle6".
» Don’t bother with “4dm1n1str4t0r”, “r00t” or “p4ssw0rd” (or “p455w0rd”). They’re way ahead of you.
» If you must use a word, use one from a foreign language – preferably a weird one. For instance, the Inuit term for an engaged telephone is (apparently) “matuitjaasimajuq”. It would take a pretty comprehensive word list to include that, and it also has the advantage that if it’s sufficiently surreal, it’s easier to remember (so long as you know where to look it up).
» Alternatively, use carefully mistyped words. "rwkwogibw" looks like gibberish, but it's just "telephone" typed with the key to the left of each proper one. "enohpelet" ("telephone" backwards) won't be on the list either, though reversing a word is a standard mangling rule in cracking tools, so don't rely on it by itself.
» Use symbols if the system will let you: instead of "299971473" (which, when it's not engaged, is the phone number of the Qaanaaq Tourist Office), hold down the shift key so it comes out as "@(((&!$&#" (on a US keyboard layout; a UK one gives a different string, which is worth remembering if you ever have to type it on someone else's machine).
» Better still, use weird symbols. In syllabic Inuktitut, "matuitjaasimajuq" is written as "ᒪᑐᐃᑦᔮᓯᒪᔪᖅ", and it'll be a hot day in Qaanaaq before that gets decoded, since it's outside both the word lists and the alphabet a brute-force pass bothers with. Sadly, not many systems will allow it…

…which is a shame, because “ᒪᑐᐃᑦᔮᓯᒪᔪᖅ” could safely be left on a post-it stuck to the keyboard: Nobody this side of Nanortalik knows how to type it.
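To make the three cracking passes concrete, here is an added example (my own illustration, not code from the original post): a toy cracker in Python that runs the word list, the leet-substitution and digit-suffix rules, and then a brute-force pass bounded by a guess budget, against unsalted SHA-256 hashes. The six-word list is a constructed stand-in for a spell-checker dictionary, and the hash function, alphabet, budget and the hypothetical helper names are all assumptions; real tools such as John the Ripper and hashcat do the same job with far larger lists and rule sets.

```python
import hashlib
import itertools
import string

# Constructed stand-in for a spell-checker word list (assumption: a real run
# would load a file with hundreds of thousands of entries).
WORDLIST = ["zebra", "password", "administrator", "root", "telephone", "letmein"]

# The vowel-for-number swaps the text says crackers now apply to every word.
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"}


def sha256_hex(password):
    """Unsalted SHA-256, standing in for whatever hash the target stores (assumption)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def leet_variants(word):
    """Every way of swapping zero or more substitutable letters, original form
    first: 'password' gives 'password', 'p4ssword', ..., 'p4ssw0rd', 'p455w0rd'
    (2**k variants for k substitutable letters)."""
    choices = [(c, LEET[c]) if c in LEET else (c,) for c in word]
    for combo in itertools.product(*choices):
        yield "".join(combo)


def dictionary_candidates(wordlist, max_digits=2):
    """Pass 1: plain and capitalised words plus their leet forms.
    Pass 2: each of those with 0..(10**max_digits - 1) appended, e.g. 'zebra99'."""
    base = []
    for word in wordlist:
        for w in (word, word.capitalize()):
            base.extend(leet_variants(w))
    yield from base
    for w in base:
        for n in range(10 ** max_digits):
            yield f"{w}{n}"


def brute_force_candidates(alphabet, max_len):
    """Pass 3: every string over `alphabet` of length 1..max_len, shortest first."""
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            yield "".join(combo)


def crack(target_hash, wordlist=WORDLIST,
          alphabet=string.ascii_letters + string.digits, max_len=4,
          budget=500_000):
    """Run the passes in order, giving up after `budget` guesses (the 'time
    available'). Returns (password, guesses) or (None, guesses)."""
    guesses = 0
    for candidate in itertools.chain(dictionary_candidates(wordlist),
                                     brute_force_candidates(alphabet, max_len)):
        guesses += 1
        if guesses > budget:
            return None, budget
        if sha256_hex(candidate) == target_hash:
            return candidate, guesses
    return None, guesses


def keyspace(alphabet_size, length):
    """Number of strings of exactly `length` characters over that alphabet."""
    return alphabet_size ** length


def years_to_exhaust(alphabet_size, length, guesses_per_second):
    """Wall-clock years to try the whole keyspace at a given guess rate."""
    return keyspace(alphabet_size, length) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    for pw in ["zebra99", "4dm1n1str4t0r", "p455w0rd", "Ft5", "Ft5Q", "matuitjaasimajuq"]:
        found, n = crack(sha256_hex(pw))
        print(f"{pw!r:20} -> {found!r} after {n} guesses")
    print(f"62^4 = {keyspace(62, 4):,} strings; 62^10 at 1e9 guesses/s takes "
          f"{years_to_exhaust(62, 10, 1e9):.1f} years")
```

"zebra99", "4dm1n1str4t0r" and "p455w0rd" fall to the first two passes in a few hundred guesses, the three-character "Ft5" falls to the brute-force pass, and "Ft5Q" and "matuitjaasimajuq" both survive the half-million-guess budget: the first because 62 to the fourth is nearly fifteen million strings, the second because it is in no list and far too long to enumerate. The `years_to_exhaust` figure (about 26 years for ten mixed-case alphanumerics at a billion guesses a second, versus a fraction of a second for four) is the arithmetic behind the length advice, and swapping `string.punctuation` into the alphabet shows why crackers tend to leave symbols for last.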

(Photo: Nanortalik)

One Response to “Password on a Post-it.”

  1. The way your mind works is scary :) I don't even know where Qaanaaq is or if it's a real place ;)

    Hugs

    Hxxx
