
The perfect password

Posted on Monday, August 23, 2010 in Uncategorized

Creating a strong password is a balancing act: it must be a combination of characters that is not easily guessed, yet one you can actually remember. The usual recommendation is that a strong password contain a mix of letters, numbers and symbols and be at least 8 characters long. It should not be built from facts about you that are easy to find out, such as names or birthdays, either yours or those of someone close to you.


Recently, most sites have also started allowing spaces in passwords, which makes it possible to use passphrases instead of just passwords (with the exception of Windows Live accounts, as I recently found out). There are also many sites that offer password generators, producing random combinations of characters. While these may be really strong, they are no good if you cannot remember what the password was. Sites like The Password Meter will check the strength of a password for you.
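As an added example (this is not code from the original post), the following Python checker implements the rules above: at least 8 characters, a mix of letters, digits and symbols, no obvious personal details, and optionally no spaces for sites that reject them. It also estimates the entropy of a random character string versus a passphrase of random words, which is what decides how long guessing takes. The word list and sample inputs are constructed for illustration, and the personal-details test is a simple substring match, which is an assumption about how such a check would be done.

```python
import math
import re
import secrets

# Rules stated in the post: at least 8 characters, a mix of letters, digits
# and symbols, and nothing easily guessed from facts about the user.
MIN_LENGTH = 8

# Constructed word list for the passphrase generator. A real list (for example
# the EFF diceware list) has thousands of entries; this one is for illustration.
SAMPLE_WORDS = [
    "anchor", "basket", "candle", "dolphin", "ember", "fossil", "garnet",
    "hammock", "island", "jasmine", "kettle", "lantern", "meadow", "nectar",
    "orchid", "pebble",
]


def check_password(password, personal_info=(), allow_spaces=True):
    """Return the list of rule violations; an empty list means the password passes.

    personal_info holds strings or numbers (names, birth years, ...) that must
    not appear inside the password. The substring match is an assumption about
    how such a check would be implemented, not a rule from the post.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Za-z]", password):
        problems.append("no letters")
    if not re.search(r"[0-9]", password):
        problems.append("no digits")
    if not re.search(r"[^A-Za-z0-9\s]", password):
        problems.append("no symbols")
    if not allow_spaces and " " in password:
        problems.append("contains spaces (some sites reject them)")
    lowered = password.lower()
    for item in personal_info:
        item = str(item).lower()
        # Skip fragments shorter than 3 characters so single letters do not match.
        if len(item) >= 3 and item in lowered:
            problems.append(f"contains personal detail {item!r}")
    return problems


def charset_size(password):
    """Size of the smallest standard character set covering every character used."""
    size = 0
    if re.search(r"[a-z]", password):
        size += 26
    if re.search(r"[A-Z]", password):
        size += 26
    if re.search(r"[0-9]", password):
        size += 10
    if re.search(r"[^A-Za-z0-9]", password):
        size += 33  # 32 printable ASCII punctuation characters plus space
    return size


def random_password_bits(password):
    """Entropy if every character were drawn uniformly from the observed classes.

    This is an upper bound: a human-chosen string such as 'Password1!' scores
    the same as a truly random one, which is the weakness of meters that only
    count character classes.
    """
    return len(password) * math.log2(charset_size(password))


def passphrase_bits(word_count, wordlist_size):
    """Entropy of word_count words chosen uniformly from a list of wordlist_size."""
    return word_count * math.log2(wordlist_size)


def generate_passphrase(word_count=4, words=SAMPLE_WORDS):
    """Build a passphrase from cryptographically random word choices."""
    return " ".join(secrets.choice(words) for _ in range(word_count))


if __name__ == "__main__":
    print(check_password("Tr0ub4dor&3"))  # []
    print(check_password("carl1984", personal_info=["Carl", 1984]))
    print(f"8 random printable chars: {random_password_bits('x8#Kq2!P'):.1f} bits")
    print(f"4 words from a 7776-word list: {passphrase_bits(4, 7776):.1f} bits")
    phrase = generate_passphrase()
    print(phrase, check_password(phrase))
```

Four words drawn from a 7776-word list give about 51.7 bits, roughly the same as 8 characters drawn at random from the 95 printable ASCII characters (about 52.6 bits), yet the passphrase is far easier to remember. Note that the class rules in `check_password` would still flag such a passphrase for having no digits or symbols; that is the limit of class-based meters, and why length and randomness matter more than the mix of character types.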

Add to this the fact that a strong password by itself may not be enough: you should not reuse passwords across different sites, and you should also change them regularly. Considering the number of sites where the typical user has an account nowadays, the number of accounts multiplied by the frequency of password changes can be really high.

Hail password managers to the rescue. Most browsers have one built in, and there are also free encrypted password services which synchronize between your computers. The problem I have with these services is that they represent a single point of failure: if a malicious person gets access to your password manager, you can kiss your online identity goodbye.

Still, password managers are more often than not a risk worth taking for the convenience. The moment you start forgetting passwords because you cannot remember what you last changed them to, or you wrote one on paper and forgot to update it, you know it's time to take the risk.

But there may yet be some middle ground. Since email is commonly used as the de facto primary online identity, it may make sense to store the other, less important passwords in the password manager and keep the password to your primary email account(s) in your head only. That way, even if your password manager is compromised, you still retain control over the process of resetting your passwords (through email).

This is also why I love the increasing use of OpenID by several sites. When a site lets you log in with an existing account, you need to remember one password instead of two. So developers, when building your next site, remember that supporting OpenID lowers the barrier to entry and spares your users Yet Another Password (YAP).


Bring on the comments

  1. Carl says:

    I’m assuming you will get a notification about this comment despite the post being almost 2 years old, so I will comment anyway. I don’t really use it any more because it’s Windows only, but on a Windows machine if you have Num Lock on and hold the Alt key and type a number it will insert the corresponding Unicode character. For example, hitting Alt 147 inserts this: ô. I liked doing this because I could remember a number (typically easier than a random character from a language I’m not familiar with) and insert it into my password, adding some complexity. Also, if someone was trying to read your password over your shoulder they might catch the number but were unlikely to see you hitting the Alt key with your other hand (I’m assuming a key logger would still catch this but never tried to find out).

    • Ngewi Fet says:

      Yes, I do read every comment on this site.
      That sounds like a good way of generating a password with special characters.

      But I also think it is something that I could easily forget. What I tend to do more often is use passphrases (see http://xkcd.com/936/ ), mostly ones which I can touch-type very fast. So that even if you are standing over my shoulder, you cannot know what the password is.

      But IMO, it is always better when a site allows me to log in with an ID I already have (think OpenID, OAuth).
