How do you Remember Your Passwords?
Aaron asks: "Like most people reading this, I have more than a few computer accounts. Password maintenance (e.g., changing them regularly, thinking of ones that are hard to crack but possible to recall, remembering what this week's password is on account foo) is nontrivial. What strategies for managing passwords do you have?"
Mnemonics and password schemes are tricks a few people use, but I'm sure some of you out there have better ways. Would any of you care to share?
- Secret! - which is basically a password protected set of memo pages, but it also can do TAN and single use passwords.
- SecureMemo - Similar to Secret! but each memo is encrypted separately. I was already using Secret! when some of these types of things came out.
- Strip - My current favorite. This is a password protected application that is designed for managing password info. It is a database of records with Username, Password, and Description fields. It can generate a random password of a requested length, and you can use it to send an account to another user (great for a sysadmin when creating people's accounts). Only big negative I've seen is that the password field has a length limit, so storing ssh and pgp passphrases may not fit.
All three of these store their data encrypted both on the pilot and on the backups. You could do something similar with a PGP or otherwise encrypted file on your computer, but I prefer the redundancy of having the data in two places: PalmPilot and backup machine (plus backups of the backup machine).
I use my wife's first name for all my accounts. For those sites that do not accept "Amanda" as a password, I use the names of my kids ("Allan" and "Ann"), and also write the password down on a yellow label stuck to my monitor (together with the site/account name of course), as well as in a file named PASSWORDS in my home directory. Just in case the label falls off.
This has worked well until now, I have never had to ask the admins to remind me what my password is.
Nothing says that easy to memorize has to mean easy to guess.
Take a common household phrase..
ash nazg gimbatul
..apply 31337 to it..
@Sh N@5g G!Mb@tU1
..now table it...
@ShN
@5gG
!Mb@
tU1
..and unwind that.
@@!tS5MUhgb1NG@
...that's something that can be memorized in source form as long as the 31337 rules are consistent and the table is near-orthogonal. It can be regenerated on a scrap of paper or, with a smudged-off-afterward marker, on a countertop.
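The substitute, tabulate and unwind steps above, written out as an added Python example (not the poster's own code). The poster never states their 31337 rules, so the substitution here is an assumption chosen to reproduce their string exactly: drop spaces, swap a/i/z/l for @/!/5/1, uppercase every letter at an odd index. The rewind() function is an addition that inverts the table step to show it is a fixed permutation.

```python
import math

# Assumed substitution rules (the poster's are not given): these happen to
# turn "ash nazg gimbatul" into the poster's "@Sh N@5g G!Mb@tU1" exactly.
LEET = {"a": "@", "i": "!", "z": "5", "l": "1"}


def leet(phrase: str) -> str:
    """Apply the assumed 31337 rules; spaces are dropped first."""
    out = []
    for idx, ch in enumerate(phrase.replace(" ", "")):
        sub = LEET.get(ch.lower())
        out.append(sub if sub else (ch.upper() if idx % 2 else ch.lower()))
    return "".join(out)


def tabulate(s: str, width: int = 4) -> list:
    """Lay the substituted string out in rows of `width` characters."""
    return [s[i:i + width] for i in range(0, len(s), width)]


def unwind(s: str, width: int = 4) -> str:
    """Read the table column by column, top to bottom, skipping the ragged tail."""
    rows = tabulate(s, width)
    return "".join(row[c] for c in range(width) for row in rows if c < len(row))


def rewind(t: str, width: int = 4) -> str:
    """Invert unwind(). The table step is a fixed permutation of the characters,
    so anyone who knows the scheme can undo it for free; the strength of the
    result rests entirely on the phrase and the substitution rules."""
    n = len(t)
    nrows = math.ceil(n / width)
    full = n % width or width            # columns that hold nrows characters
    cols, pos = [], 0
    for c in range(width):
        length = nrows if c < full else nrows - 1
        cols.append(t[pos:pos + length])
        pos += length
    return "".join(cols[c][r] for r in range(nrows) for c in range(width)
                   if r < len(cols[c]))


def derive(phrase: str, width: int = 4) -> str:
    """Full pipeline: phrase -> 31337 -> table -> unwind."""
    return unwind(leet(phrase), width)


if __name__ == "__main__":
    pw = derive("ash nazg gimbatul")
    print(pw)                                   # @@!tS5MUhgb1NG@
    assert rewind(pw) == leet("ash nazg gimbatul")
```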
As one of the system administrators for a medium sized ISP, we are faced with the problem of regularly rotating certain account passwords (I think you can guess which ones ;-) ). After several years it became hard to achieve unique ones that everybody involved could easily remember.
One of the things I have noticed is that humans as a whole tend to remember pictures and symbols far more easily than alphanumeric information. (Simple fact - we have evolved that way). Hence our switch to visual methods.
Simple Example:-
Imagine a large smiley face situated on your keyboard (as in certain keys were colored differently to make up the face)
Nasty ASCII Art Bit:-
1234567890-=
qwertyuiop[]
asdfghjkl;'#
zxcvbnm,./
Normal Keyboard layout
1234*6*890-=
qwertyuiop[]
as*f*h*kl;'
\zxc**nm,./
Stars show keys used to draw smiley face
Ok, so I have made a pretty lame job of that, but notice that I have used 5 & 7 to make up the eyes, g for the nose and dvbj for the mouth. That gives us a password of 57gdvbj. Once we have that, we can add features to make it more secure, a Capital G for the nose for example, or using punctuation % and & to give the face "eyebrows".
Personally I find this method a useful way of coming up with passwords that are only susceptible to brute force attacks, whilst maintaining a visual link so that our primate brains can have a stab at remembering them. Other pictures that can be used are symbols, flags, large letters, the list is pretty long.
Good Idea/Bad Idea?
Dave.
Until some time ago, I used the same password as the username. Not kidding. I got a few visits that way, people mailing me from my own account saying "Cool! Hey, your foo script didn't work like it should, I fixed it for you", and the like. People who want to do bad things seem to be lame enough never to just knock on the door and try the handle.
I'd like to still have the same scheme on some systems, but people in general are paranoid enough so that I choose strong passwords so that they will still be friends with me. I must say though that I find it much easier to restore a backup every once in a long while, than to use all the paranoid security that people force upon me. I even secured my own computer and removed the guest/guest, system/manager and login/password accounts, which had been there for, well, forever really.
So either way; how do I remember the passwords these days? Well, it's not only passwords, it's bank account codes and other codes too that go with all the plastic cards you get. I'm sorry to say that there really isn't any great trick to it. The mind can easily store at least 20-30 more secure passwords (and probably even more), even if you change them regularly. To memorize a new password, I write it down on a piece of paper and try to attach images of the characters to the paper in my mind. If you attach graphical images, sometimes even smell perhaps, you will most probably remember it far longer than you need to.
I just thought of this whilst reading all the posts.. :) because of the registers requiring multiple fingerings....
for keyboardists, try the opening few measures of the theme of a composition, (hmm. Bach's Preludes would be a little too repetitive though..) imagining the comp keyboard as a musical keyboard. Yeah Yeah I know, the keys are entirely wrong, BUT, if you know the piece, your fingers should remember at LEAST the theme, and hit the same area every time..
I started testing this theory with not only keyboard themes, but also guitar licks... BTW, Chords don't work:), violin solos, bass lines.
Trombonists, flautists, and other brass and woodwinds would tend to have problems. Especially trombonists.
I dunno, maybe I just need more coffee
and more testing.... please let me know what you think
-- Life: Hate the Game... Love the cereal
When I'm putting a password on something I'm not going to use every day, or at least not often enough that I'll remember it, I generally use CD catalog numbers.
You know, the string of numbers and letters on the label. This has saved my butt many, many times.
I may forget the exact string of letters, numbers, and non-alpha-numerics. But I always, always remember which CD.
If I'm home, I can pull it off the shelf. That's easy enough. But here's the cool part.
If you're away from home, any record store can look it up for you. This has saved me from having to hack into my own systems many times. And when you call a record store at 11:00 in the morning and say "I have a strange request", the lone person managing an empty store in off business hours is generally eager to help, too.
I don't care if they know the password - they don't know who I am or what I'm unlocking.
Sure, you could come to my house and take down a list of my entire CD collection, but it would take you a while. I have a lot of music, and I also mix upper and lower case on the letters.
Of course, if you have a small music collection, or predictable tastes, maybe it's not such a good idea. Personally, 70% of my CDs were special-order.
This is just like television, only you can see much further.
Personally, I don't see the need to change them very often. I don't let people see them while I'm typing them (touchtyping has many advantages :) and I usually ssh to other systems. The only ones I don't ssh to are the ones I don't care about anyway (such as slashdot and the various MUCKs I'm on), and for those I just use a common word.
---
"'Is not a quine' is not a quine" is a quine.
Quine "quine?