by Dave
Mon 25 August 2008 @ 23:50
Dave just posted that he had forgotten the password to his machine. It is coincidental that we should both have decided to change our passwords on the same day, but that’s what happens when you work with someone for so long that even your attempts at firing him don’t work ;-) I have used the same password in most places on the net for a couple of years now. Actually, apart from some sites, I really only had two passwords; one weak and one strong. Today I decided that it was time for a change. There are a couple of strategies I could potentially use for passwords.
The first is to use a separate password for each site or application and store them somewhere in a list. This is the most robust method against a breach at any one site, because a leaked password unlocks nothing else, but it requires a master list, and that list then becomes the thing to protect. The list could be pen and paper, a piece of software or a web site. Paper is portable but easily lost, and susceptible to tampering or theft. I would also need to carry it with me wherever I go in order to access any of the things I wanted. This isn’t an ideal situation, as I would prefer not to be dependent on something that isn’t my own memory. There is also an issue of compatibility. While I could potentially carry around my password list on an encrypted USB key, I would be dependent on compatible software being on a target computer in order to decrypt my list.
One of the newer options would be to use a site like VeriSign’s Personal Identity Portal (PIP). This would offer the advantage of the stability of the VeriSign systems and the longevity of a well established company, but suffers from a typical lack of support on the Internet. So far, there are about sixty sites that support it, but that isn’t nearly enough. It is close though. If it had an online generator that was targeted to specifically match the criteria of each site (i.e. the cases and symbols allowed, etc.) then I would definitely think about using it. It has a simplified authentication system too: I could download a managed card and use that, or my username and password, and that would be enough to authenticate me. While researching all of these methods, I tried the PIP and signed into a couple of sites with it, and I have to say it has a lot of potential. You can install a browser button that pops up a window showing you the sites you have stored logins for. Clicking on those sites signs you straight in, provided you have authenticated at the site previously. It’s a pretty neat solution, but needs more support.
The second option is to use a far more limited set of passwords, i.e. two or three depending on the situation. My preferred solution is to use complex but easy to type passwords. For example, the word qpwoalsk is not a dictionary word, so a plain dictionary attack will not find it, and it is very easy to type. It can actually be done very quickly with two fingers if you look at it on a keyboard. It also doesn’t have to be remembered, as the shapes of the typing are squares. Look at it again. With the left hand you type Q-W-A-S, which is a square, alternating with P-O-L-K, which is another square. They are simply alternated from left to right to make up the password. One caveat: what makes it easy to type is also what makes it easy to enumerate. Keyboard walks are a well known pattern class, and cracking wordlists and rule sets include them alongside dictionary words, so a pattern like this should be treated as weaker than a random string of the same length. Mixing case (qPwOaLsK) and adding a symbol (qPwO-aLsK) raise the bar, though only modestly, since the same rule sets try case toggling and symbol insertion. Neat eh? Another method would be to use a password generator and use the phonetics it comes up with to remember the results. For example fruT32ya actually reads as foxtrot romeo uniform TANGO Three Two yankee alpha. If you go this route, prefer a generator that runs locally rather than one hosted on somebody else’s web site, since a password generated on a remote site has already been seen by that site.
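To make the two ideas above concrete, here is an added example (my own illustration, not code from the original post). It does two things: it checks whether a password is an interleaved QWERTY walk of the qpwoalsk kind, after applying the case folding and symbol stripping that cracking rule sets apply anyway, and it renders a randomly generated password in the phonetic alphabet as the fruT32ya mnemonic suggests. The keyboard layout, the row offsets and the adjacency threshold are a simplified US-QWERTY model chosen for this example; it also counts how many walks that model allows so the pattern space can be compared with random passwords of the same length.

```python
"""Keyboard-walk check and phonetic mnemonic for passwords (added example).

Assumptions made here, not taken from the post: a simplified US-QWERTY
letter layout with approximate row offsets, and "adjacent" meaning the same
key or a key within one key width in any direction.
"""
import math
import secrets
import string

# Letter rows with their physical left offset in key widths (approximation).
_ROWS = (("qwertyuiop", 0.0), ("asdfghjkl", 0.5), ("zxcvbnm", 1.5))
_POS = {ch: (x + col, row)
        for row, (keys, x) in enumerate(_ROWS)
        for col, ch in enumerate(keys)}


def is_adjacent(a: str, b: str) -> bool:
    """True if b is the same key as a or one of its physical neighbours."""
    (ax, ay), (bx, by) = _POS[a], _POS[b]
    return abs(ax - bx) <= 1.0 and abs(ay - by) <= 1


def normalize(password: str) -> str:
    """Mimic common cracking rules: lower-case and drop non-letters, so
    qPwO-aLsK is attacked exactly like qpwoalsk."""
    return "".join(ch for ch in password.lower() if ch in _POS)


def keyboard_walk_stride(password: str, max_stride: int = 2):
    """Smallest stride s (1..max_stride) such that every s-th letter of the
    normalized password is a keyboard walk, or None if it is not a walk.
    qpwoalsk -> 2 (q w a s interleaved with p o l k); asdfgh -> 1."""
    core = normalize(password)
    if len(core) < 2:
        return None
    for stride in range(1, max_stride + 1):
        lanes = [core[i::stride] for i in range(stride)]
        if all(len(lane) >= 2 for lane in lanes) and all(
            is_adjacent(x, y) for lane in lanes for x, y in zip(lane, lane[1:])
        ):
            return stride
    return None


def count_walks(length: int) -> int:
    """Number of keyboard walks of `length` letters in this model, by dynamic
    programming over the adjacency graph (walks ending at each key)."""
    ways = {ch: 1 for ch in _POS}
    for _ in range(length - 1):
        ways = {ch: sum(ways[nb] for nb in _POS if is_adjacent(nb, ch))
                for ch in _POS}
    return sum(ways.values())


def bits(space: int) -> float:
    """Size of a search space expressed in bits."""
    return math.log2(space)


# "alpha" is used rather than the official "alfa" to match the post's reading.
_NATO = dict(zip(string.ascii_lowercase, (
    "alpha bravo charlie delta echo foxtrot golf hotel india juliet kilo "
    "lima mike november oscar papa quebec romeo sierra tango uniform victor "
    "whiskey xray yankee zulu").split()))
_DIGITS = "zero one two three four five six seven eight nine".split()


def phonetic(password: str) -> str:
    """Spell a password out loud: upper-case letters become UPPER-CASE words,
    digits become number words, anything else is kept as the symbol itself."""
    words = []
    for ch in password:
        if ch.isalpha() and ch.lower() in _NATO:
            word = _NATO[ch.lower()]
            words.append(word.upper() if ch.isupper() else word)
        elif ch.isdigit():
            words.append(_DIGITS[int(ch)])
        else:
            words.append(ch)
    return " ".join(words)


def generate_password(length: int = 8,
                      alphabet: str = string.ascii_letters + string.digits) -> str:
    """Locally generated random password using the OS CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for pw in ("qpwoalsk", "qPwO-aLsK", "fruT32ya", "correct"):
        print(f"{pw:12} keyboard-walk stride: {keyboard_walk_stride(pw)}")
    # Two interleaved 4-key walks with any casing versus 8 random characters.
    pattern_space = count_walks(4) ** 2 * 2 ** 8
    print(f"stride-2 walks, 8 letters, any case: {bits(pattern_space):.1f} bits")
    print(f"8 random chars from 62:              {bits(62 ** 8):.1f} bits")
    pw = generate_password()
    print(pw, "->", phonetic(pw))
```

Running it flags both qpwoalsk and qPwO-aLsK as stride-2 walks, leaves fruT32ya unflagged, and shows that even with every casing variant the interleaved-walk space is several orders of magnitude smaller than eight random characters.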
As you can see, there are lots of different options available. The only thing to do is to find the right one.