In today’s online world, nearly every company, every website, every electronic service, wants to assign you an account consisting of a login account name and a password. The concept seems simple enough, for the first account, but then you sign up for another service, and they assign yet another login account name, and associate yet another password. Before long, you have dozens of account names, and dozens of passwords. How can they be kept straight?
Software makers, such as Microsoft, Firefox, and Mozilla offer solutions such as password keepers. The idea is that if you forget one of your passwords, you can go to your password keeper, enter one master password, and see all your accounts and passwords. The very bad side to this system is that if someone gets your master password, they now have access to ALL your accounts at once. All or nothing is a bad system. The custom-made solution of putting all your information into a password-protected spreadsheet or document is essentially the same bad solution. One password grants access to your entire life’s electronic accounts. Another bad “solution” many people arrive at is to use the same password on all their online accounts. Of course this is worse than the master password file — the file isn’t even needed to get in!
Some of the major online account providers, such as Google, Amazon, and Microsoft, now provide multi-platform authentication. Multi-platform authentication means, for instance, the ability to go to a site such as Yelp.com and, instead of creating a new account name and password, be offered the option of using my Google information to log in. As long as I remember my Google account information, I can access not only Google, but Yelp as well. This reduces the number of accounts I must track, but it also creates a greater dependency on Google. If I lose my Google account information, I also lose my access to Yelp. This can also get very confusing if competing providers allow each other’s login information to authenticate into their system, for example, logging into Google with a Microsoft account email address and password.
B. A. Computer Services uses many systems itself and would like to share with you what we believe is a best practice regarding maintaining multiple account passwords. Our policy addresses the fact that human memory is not flawless, and yet there is a real security need. We cannot disclose exactly the methods we use due to our own security needs, but we can offer similar tactics without giving away our security measures.
To begin with, if you already have quite a few accounts, you should privately list them with pen and ink to get them straightened out. If you have lost access to some accounts or need password resets, the online provider’s “Forgot Password” option may be needed to regain access. B. A. Computer Services can assist you with the process confidentially in our office. We will help you begin a table that will look something like this, and for this example, let’s assume your name is John Doe:
| Site | Account name | Password | Recovery / verification info |
|---|---|---|---|
| Google.com | myemailaddress@anywhere.com | Go#JDoe#2022 | anotheremailaddress@someplaceelse.com |
| Yelp.com | Select “use Google to login” | see Google | see Google |
| Bank.com | myemailaddress@anywhere.com | Ba#JDoe#2022 | my bank account number, DOB, and SSN |
In the above example, even if 1000 different people each adopted this scheme, every account password would differ from site to site and from person to person. A random hacker might gain access to one of the weaker sites, but they would have to start all over again to hack the next site. The strength of this system is: 1) all your passwords can easily be remembered and yet are not exactly the same for each online site; 2) the passwords use uppercase and lowercase letters, a symbol, and a number, which will generally pass every online site’s minimum password strength criteria. Unfortunately, this suggested system also has some serious weaknesses: 1) it is based on your name, which is very easily guessable; 2) it uses a rather weak number, the current year, which is also guessable; and 3) because it is systematic, if you ever give someone one of your passwords, they could guess your system and produce all your other online passwords.
These password-system weaknesses can be addressed as follows:
- Make every password at least two (2) segments separated by at least one symbol character (XXX#xxxx#xxxx#xxxxx or YYYYYY-YY-YYYYYYY or zzzzzzzzzz%^zzzzz%^zz). The length of the segments, the number of segments, and the special characters used to separate segments are entirely arbitrary, except that the total password length must be greater than 8 characters.
- NEVER give one of your systematic passwords out to anyone else. (Or even if you do give them one, never hint that you have a system about it.) If you must allow someone access to your account (e.g. computer support people, or family member), CHANGE THE PASSWORD to something else simple like abc-123-456 and give that to them until they no longer need access. Change it back when they are done.
- Do not use personal information in any part of a segment. Especially avoid dates of birth, ages, social security numbers, license numbers, personal names, children’s names, names of pets, street addresses, or anything else that could be guessed by a friend or neighbor who may observe your activities over time, day by day. Do use unique phrases that have unique meaning to you alone. Do use unique non-sequential numbers that you can easily remember, but not a publicly accessible number such as a license plate number. For example, you might remember you bought your first car on Feb 28, 1996, so using 960228 would be a perfectly legitimate choice. Unless your neighbor was there with you at the time, it is unlikely they will guess this number, in this particular format.
- Finally, in order to make each password unique and yet memorable, one of the segments must be tied to the website. Thus in the table above we used the overly simplified Go for Google.com, Li for Live.com, and Ba for Bank.com. This system can get tricky if the name of a website changes. For example, Angie’s List recently rebranded from angie.com to angi.com. Nonetheless, major websites generally do not change over time. If one does, be sure to go back and update your related passwords for that site. You can use any combination of the website name, respell it, or slice it into parts and create two or more segments. For example, you might take the very common Google.com and place it in a password that would fit one of these schemes: xxxx-elgooG-xxxxx-xxxxx or gle-xxxxx-Go-xxxxx. Your Microsoft.com account password under the same scheme would be similarly: xxx-tfosorciM-xxxxx-xxxxx or oft-xxxxx-Mi-xxxxx.
Let’s put it all together and make a new password table based on the examples used here. Again, these are arbitrary examples. Please be innovative and use your creativity for how you come up with your numbers, your special characters, and your site combination segments. The arrangement of the segments chosen below was entirely randomized.
Segment 1: A memorable number: 960228
Segment 2: The consonants of the site name in all caps, except that the consonants of the domain suffix (.com, .tv, etc.) are lowercase
Segment 3: Special character separator: () (as many characters as you want can be used)
Does it pass the test of site password checkers? Yes – all passwords have upper and lower case letters, numbers, and special characters. All passwords are longer than 8 characters.
Can I remember it? Yes – all passwords begin with the same prefix and end in a combination of letters I can derive from the website domain. Exceptions are derivative sites, YouTube and Outlook, which use the same password as their parent company site. Yelp optionally can use Google login, or you may prefer to create its own unique login to stick with your scheme.
| Site | Account name | Password | Recovery / verification info |
|---|---|---|---|
| Google.com | myemailaddress@anywhere.com | 960228()GGLcm | anotheremailaddress@someplaceelse.com |
| Yelp.com | Select “use Google to login” | see Google | see Google |
| Bank.com | myemailaddress@anywhere.com | 960228()BNKcm | my bank account number, DOB, and SSN |
| Youtube.com | Use Google login | Google owns Youtube | |
| Outlook.com | Use live.com login | Both are owned by Microsoft.com | |
| Roku.tv | myemailaddress@anywhere.com | 960228()RKtv | My phone number; not .com: .tv ! |
| Sci.fi | myemailaddress@anywhere.com | 960228()SCf | anotheremailaddress@someplaceelse.com |
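The three segment rules above, written out as an added example (not a tool from B. A. Computer Services), reproduce the passwords in the table from nothing but the domain name, and also run the minimum-criteria check the post says site password checkers apply. The number and separator are the article's own sample values; the function names are ours. Seeing the derivation as a few lines of code makes the post's third weakness concrete: anyone who learns the rule from one password can regenerate every other one, which is why a systematic password must never be handed out.

```python
import re

# Sample values taken from the article's worked table (constructed example data).
MEMORABLE_NUMBER = "960228"   # Segment 1: a memorable, non-public number
SEPARATOR = "()"              # Segment 3: special-character separator

CONSONANTS = set("bcdfghjklmnpqrstvwxyz")


def site_segment(domain: str) -> str:
    """Segment 2: consonants of the site name in upper case, followed by the
    consonants of the domain suffix (.com, .tv, ...) in lower case."""
    name, _, suffix = domain.lower().rpartition(".")

    def consonants_of(s: str) -> str:
        return "".join(ch for ch in s if ch in CONSONANTS)

    return consonants_of(name).upper() + consonants_of(suffix)


def derive_password(domain: str, number: str = MEMORABLE_NUMBER,
                    sep: str = SEPARATOR) -> str:
    """Assemble the segments in the order the article's table uses:
    number, separator, site-derived letters. Knowing this rule plus one
    password is enough to regenerate all the others."""
    return f"{number}{sep}{site_segment(domain)}"


def passes_minimum_criteria(password: str) -> bool:
    """The checks the article says sites generally apply: longer than 8
    characters, with upper case, lower case, a digit and a symbol."""
    return (
        len(password) > 8
        and re.search(r"[A-Z]", password) is not None
        and re.search(r"[a-z]", password) is not None
        and re.search(r"[0-9]", password) is not None
        and re.search(r"[^A-Za-z0-9]", password) is not None
    )


if __name__ == "__main__":
    for site in ("Google.com", "Bank.com", "Roku.tv", "Sci.fi"):
        pw = derive_password(site)
        print(f"{site:12} {pw:16} passes={passes_minimum_criteria(pw)}")
```

The temporary password abc-123-456 suggested for support staff fails the same check, since it has no upper-case letter; that is fine for a short-lived placeholder but is another reason to change it back promptly.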