Recently I’ve been using other people’s computers a lot more often, because I’m working away from my home office most of the time. And because of this I noticed a serious flaw in the strategy I had used for choosing passwords: they were all the same! I had chosen a very strong password that was unguessable and yet memorable to me, but I had used it everywhere. So if anyone did ever guess it I would be screwed.

Time to change to a new strategy, I thought. So I looked at LastPass, 1Password et al. But again, it seemed to me that I would ultimately be putting my entire faith in a single password (and a single supplier), which felt almost as unsafe as having the same password everywhere. So what to do? I need passwords that are strong, easy for me to remember, and different on every service I use. Oh, and they have to meet all the different and daft criteria that the various websites impose: some insist on at least 8 characters, some on at least 9; some insist on at least one digit; others require a capital letter; and so on.

The only scheme I know of that meets all of these criteria is to use a memorable 2-3 word phrase, together with a keyword indicating the site holding the account. So I wrote a random phrase generator, and discovered that every ten refreshes or so I was pretty much assured of generating a phrase that stuck in my brain. (Unfortunately you then also need to sprinkle the password with numbers and punctuation, not to make it stronger but to meet those daft website rules.)

For example, I just ran the generator and got bloody tomato. So I might then use the different passwords Blo0dy-tomato+mates for Facebook, Blo0dy-tomato+pic for Instagram, etc. As long as the scheme for adding the site-specific key is personal and memorable, this should be a better password strategy than the one I had before.

Feel free to use the generator yourself (but obviously I can’t be held responsible if your passwords are hacked). The current word lists can generate over 750 trillion different passphrases, and I’m adding more words all the time.
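As an added illustration (this is not the post's own generator, which is not shown here), the Python below sketches the scheme: it draws one word per list with a cryptographic RNG, works out how big the phrase space is and how large the lists must be for a target strength, decorates a phrase with a site key in a hypothetical way, and checks a candidate against the kind of composition rules the post complains about. The word lists and the decoration rule are constructed assumptions.

```python
import math
import secrets

# Constructed stand-in word lists (hypothetical; the post's real lists are far larger).
ADJECTIVES = ["bloody", "quiet", "golden", "rusty", "silent", "purple"]
NOUNS = ["tomato", "harbor", "lantern", "pebble", "walrus", "kettle"]
WORD_LISTS = [ADJECTIVES, NOUNS]


def passphrase_count(list_sizes):
    """Number of distinct phrases when one word is drawn from each list."""
    return math.prod(list_sizes)


def entropy_bits(count):
    """Guessing work an attacker faces, in bits (log2 of the phrase space)."""
    return math.log2(count)


def list_size_for_bits(target_bits, words_per_phrase):
    """Minimum size each list needs so a phrase reaches target_bits of entropy."""
    return math.ceil(2 ** (target_bits / words_per_phrase))


def generate_phrase(word_lists=WORD_LISTS):
    """Draw one word per list with a CSPRNG (secrets), never random.random()."""
    return " ".join(secrets.choice(words) for words in word_lists)


def site_password(phrase, site_key):
    """Hypothetical decoration: capitalise the first word, hyphenate, append '+' + site key.
    The site key is predictable once one password leaks, so it adds no real entropy."""
    words = phrase.split()
    words[0] = words[0].capitalize()
    return "-".join(words) + "+" + site_key


def missing_rules(password, min_length=8, require_digit=True,
                  require_upper=True, require_symbol=False):
    """Return the names of the site composition rules the password fails."""
    failed = []
    if len(password) < min_length:
        failed.append("length")
    if require_digit and not any(c.isdigit() for c in password):
        failed.append("digit")
    if require_upper and not any(c.isupper() for c in password):
        failed.append("upper")
    if require_symbol and all(c.isalnum() for c in password):
        failed.append("symbol")
    return failed
```

With two-word phrases, list_size_for_bits shows that even modest strength targets demand very large lists, which is why the phrase, not the site key or the sprinkled digits, is what carries the security.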

  1. Use “password composer” – it’s a browser add-on that allows you to double-click a password field and enter a “master password”; it then combines that master password with the site URL and generates a new password. You don’t have to remember it; it will always be generated the same way for the same URL (which is a problem if the site changes its URL – as sometimes happens).

     Of course, this is not perfect – if you’re using other people’s computers you have a problem :)

