When have you last changed your password (and is it complex enough)?

I’ve had a policy of changing most of my passwords every 60 days since 2003 or so. This has made generating passwords I can remember an art form. Some people swear by pwgen, while I always brew my own. Here’s how I do mine (but with an imaginary example ;-):

  1. Pick a song by your favorite artist. It has to be a song with lyrics.
  2. Pick a passage you remember by heart, even when drunk, feverish or sleepy:

    I don’t wanna be your friend
    I just wanna be your lover

  3. Mangle it by any means you can think of, using a pattern you’ve decided on, for example:
    • shorthand words: “love” = <3
    • capitalize, at random, words you think should be emphasised, like Your and Friend
    • pick the n-th letter of each word: “IdwbyF,IjwbY<3” (a password generated from the passage picked above)
    • use maths to break repetition: “Your ears should be burning” = Yes2b, or, quoting The Who – Our love was (“Our love was famine, frustration / We only acted out an imitation”): “O<3wf,fW2(oa)i”
    • remember to use punctuation: “Denial, denial” = D,d
  4. Check that the resulting password can be typed on all hardware you use and into all applications (for example, if you use a mobile phone, or an application that saves your password in XML, etc.).
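The mangling steps above, written out as an added Python example (not code from the original post): words keep the capitalisation you type, shorthand words become symbols, every other word gives its n-th letter, punctuation is kept, and consecutive repeats are collapsed with a count. The shorthand table and the maximum repeat unit length are my assumptions; the test passages are the post’s own.

```python
import re

# Constructed shorthand table (an assumption): whole words replaced by a symbol,
# as in the post's "love" = <3; the post's example also turns "lover" into <3.
SHORTHAND = {"love": "<3", "lover": "<3"}

# A token is either a word (apostrophes allowed) or a single punctuation mark.
TOKEN_RE = re.compile(r"[\w'\u2019]+|[^\w\s]")


def mangle(passage, shorthand=SHORTHAND, n=1):
    """Turn a lyric passage into a list of password tokens.

    Write the words you want emphasised with a capital (e.g. 'Friend'); the
    chosen letter keeps that case. Shorthand words become symbols, other words
    give their n-th letter (last letter if shorter), punctuation is kept.
    """
    tokens = []
    for tok in TOKEN_RE.findall(passage):
        if any(ch.isalnum() for ch in tok):          # a word
            sym = shorthand.get(tok.lower())
            tokens.append(sym if sym else tok[min(n, len(tok)) - 1])
        else:                                        # punctuation
            tokens.append(tok)
    return tokens


def compress_repeats(tokens, max_unit=3):
    """Use maths to break repetition: 'bb' -> '2b', 'oaoa' -> '2(oa)'.

    The shortest repeating unit (up to max_unit tokens) wins, so 'aaaa'
    becomes '4a' rather than '2(aa)'.
    """
    out, i = [], 0
    while i < len(tokens):
        for unit_len in range(1, max_unit + 1):
            unit = tokens[i:i + unit_len]
            count = 1
            while tokens[i + count * unit_len:i + (count + 1) * unit_len] == unit:
                count += 1
            if len(unit) == unit_len and count >= 2:
                body = "".join(unit)
                out.append(f"{count}({body})" if unit_len > 1 else f"{count}{body}")
                i += count * unit_len
                break
        else:                                        # no repeat starts here
            out.append(tokens[i])
            i += 1
    return "".join(out)


def derive(passage):
    """Full pipeline: mangle the passage, then collapse repeats."""
    return compress_repeats(mangle(passage))
```

Running `derive("I don't wanna be your Friend, I just wanna be Your lover")` reproduces the post’s “IdwbyF,IjwbY<3”, and the Who passage gives “O<3wf,fW2(oa)i”.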

Use and enjoy :-)

This entry was posted in ICT, Planet Ubuntu, Saw it in the Intahweb, Tips'n'Tricks.

10 Responses to When have you last changed your password (and is it complex enough)?

  1. Alberto says:

    Hi:

    I use a method similar to yours but with a little bit more randomness. I turn on a radio station and surf until I find a song I know, and I use that song.

    Yours.

    Alberto.

  2. Christoph says:

    The song method is definitely a good one. I use a version of this as well. Thanks for the instructions to tell other people.

  3. Mez says:

    Loving the 2(oa) bit!

    Maybe we should also use regex’s in our passwords :D

    (oa){,2}

  4. Mez says:

    Alberto, that’s just an extra source of entropy :P

  5. Dougie says:

    The method we employ for our users is that they need to choose a new password every 30 days. Now this introduces the likelihood they won’t learn it and will write it down.

    So we give them the choice of three generated passwords and they pick the most memorable.

    The script generates three sets of three characters, all in the format consonant-vowel-consonant. This tends to generate a group of three syllables that people seem to remember.

    Seems to work well.

  6. KC says:

    Every 60 days? That’s impressive. I make really strong passwords for important stuff, but I don’t change them more than once every year or two. Especially for my web accounts that have somewhat weaker passwords, there are just too many to change my pass all the time. If only more of them used OpenID…

  7. Andy says:

    My philosophy has been to have one really long password which I remember, which I use only on devices that I’m in complete control of. I don’t see any value in changing it at all – if it gets found out, then I’m already stuffed anyway, and changing the password won’t get me anything.

    For things where I don’t control the password checker (e.g. logins to websites, internet banking passwords, etc.), it is a bit tougher. I have two strategies, one for sites I care about (internet banking), one for sites I don’t (most websites). Both strategies are similar: I take a master password and the domain name of the site, and apply a function to them which spits out a password. The low security one is a simple function (anyone could easily work it out in their head). The high security one involves an md5sum.

    This way, I use different passwords everywhere, and I only have to remember a few easy-to-remember words or phrases.

  8. John Carlyle-Clarke says:

    Felt motivated to comment because of the great choice of Radiohead song! I’ve used this method in the past, although I do like your enhancements a lot.

    I wanted to mention Keepassx ( http://www.keepassx.org/ ). This is a really *awesome* tool, and I’m trying to get into the habit of using it more. It’s such a well designed piece of free software, it’s cross platform, it’s easy to use and understand and has a bunch of neat security features. You can use it with a master keyfile or passphrase. The only thing it lacks is a CLI.

  9. Eric Duminil says:

    Andy, you might want to check pwdhash: https://www.pwdhash.com/

  10. BUGabundo says:

    I change my passwords 2 or 3 times per year, or more when there is an actual leak.
    I have a diff pass for every service.
    I just create an algorithm that somehow relates a master pass and the service, so each pass is unique.