Creating a password "system"

Your strong password doesn't have to be this complicated.

Ok – this blogpost has just about nothing to do with positive psychology or building positive organizations, but it might be a helpful tip for someone out there, and it’s come up in conversation a few times over the past few months, so please allow me the digression. Thanks. 

Passwords. On your websites. All of them. Big blech or easy-peasy? 

As I understand it, many people have “weak” passwords and/or use the same password for all of their sites. I don’t know how many password-protected sites the average internet user accesses on a regular basis, but I’m willing to bet it’s in the dozens. Let me know if you have any statistics. But I’m thinking here of banking sites, any sites where you want to buy something online, social networking sites, emails, and the list goes on and on and on. 

How are you supposed to come up with a strong, unique password for each site? 

Some people apparently have installed a password-remembering system on their computer. Personally, I distrust any extra application that says it will remember all of my passwords. Two problems: 1. how do I trust the code and 2. what happens if the system crashes? I want to be able to access any site from any computer anytime I want. Don’t you? 

So here, free for your use, is The Password System (TPS). The beauty is that each reader of this blog, and each reader’s full array of family and friends, can use this system and STILL come up with a unique strong password for each of their sites – no duplications. Honest. 

Three easy steps. And you can do these steps in any order you want – 1,2,3 or 3,1,2 or 2,3,1 – it doesn’t matter. (But pick one and stick with it – you’ll see why later.) 

1. Pick a number. 

2. Pick a keyword. 

3. Pick a word based on each site you visit. 

Here’s an example. Let’s say I want to log on to an online newspaper that I have a subscription with. My number might be 99 (because of Wayne Gretzsky, for example) and my keyword might be “daisy” because it’s my favourite flower. My site-specific word might be “news” because I’m logging on to a newspaper site. My password for that site, then, would be 99daisynews. Or news99daisy. Or daisynews99 – depending on which order I did the steps. 

So now I want to log onto a site where I buy books. My number is still 99. My keyword is still “daisy”. But I have a new site-specific word – based on that site. When I think of books, I think of John Irving, a favourite author, so my site-specific word for that book buying site would be “irving”. My password for that site, then, would be 99daisyirving, or irving99daisy, or daisyirving99. Keeping the same order of the steps ensures that you only have one pattern to remember, and every website has a unique password. 

Get it? 

Of course, you can make things more complicated. You can add in symbols like $ * # but beware – not every website allows them in the password. You can also add in capitals to mix things up a little bit: your keyword might be Daisy or dAisy or daIsY, for example. But again, I suggest making it the same each time, unless you have memory brain cells to spare. 

And my favourite way of shaking things up – make the number change based on an operation involving the length of the password itself. So, in the first example above, my password (without the number) was “daisynews” – a total of 9 characters. So I might make my number 9, or else 18 (9 x 2) or else 81 (9 squared). Then, in the second example, my password (without the number) was “daisyirving” – a total of 11 characters. So now the number might be 11, or else 22, or else 121. This introduces another element of strength – the number changes from password to password, but you are still using the same system – just do the same operator each time. 

A few tips: 

  • Keep your words short – if your keyword is ANTIDISESTABLISHMENTARIANISM, you will probably run out of room in your password text, not to mention that it will take forever to type and you’ll probably make lots of spelling mistakes and the site will think you’re a hacker for using up all of your chances to log in.
  • Keep your words to something you will remember – this is why I recommend words instead of a character string, but if you can remember a character string (like ANKEOOFNE, or whatever) then go for it – it’s another layer of strength. Words in foreign languages are completely game as well.
  • Never never never NEVER choose words that identify you or are associated with you – don’t pick your name, the name of anyone in your family, social insurance numbers, phone numbers, birthdates, pet names, etc. These are too easy to guess, even with The Password System.
  • Your site-specific word for each separate website (such as “news” and “Irving” in the examples above) should also be short and memorable – there should be something about the site itself that triggers the memory of your site-specific word. So if you consider the Twitter site, for example, your site-specific word might be “bird” or “tweet” or “blue” or “twit” or something like that. If you pick “ambidextrous”, then you’d better have a good mental association in order to remember that.
  • Consider creating a short form of TPS – some archaic sites still restrict the length of your password to between 6-12 characters. I don’t know why. But if you encounter one, you may wish to forgo the keyword and just make your password a combination of your site-specific word and number (e.g. news99). Clearly, this is not as strong, so I’d also suggest emailing the Webmaster of those sites and getting them to remove the restriction. Honestly.

Ok – that’s it for the digression. Post any questions / comments below, and please share any other password best practices (of course, without revealing your own passwords.) 

Positive psychology and building positive organizations will return next time. 

*post updated June 22, 2010

UPDATE: I just came across a site that did not allow for “repeated characters” in its password. So if your keyword was, for example, “pass” (which you shouldn’t pick, but it’s just an example), then the site would disallow it because of the double S. IMHO this is going too far. I mean, look at how many words I’ve just used with double letters! In this regular paragraph!! Let me also add that this particular site was for job applications, and I had to quit because the interface kept giving me obtuse error messages (like: “The start and end date of the qualification fall outside the start and end date of the institution”), and not indicating which field was causing the error (most sites will highlight the offending field in red, or put a red asterix by it, so you can easily identify it – this one did not).

So while I think that particular job site has overall difficulties, and it seems to be an outlier, consider choosing keywords and site-specific words that do not have repeating characters. Sheesh.

Posted in

Lisa Sansom

Lisa Sansom has her MBA from the Rotman School of Management, and over two decades of experience in teaching and training. Her years of work in the organizational development field have included projects on change management, employee engagement, leadership development, team coaching and employer of choice strategies.

Reader Interactions

Comments

  1. Dana says

    Passwords provide a fun challenge in the usability world because security is important, but making it usable sometimes goes against what makes it most secure. Restrictions are dumb, and that last one where you can’t use the same letter again is dumb. Some corporations won’t let you have the same password again for X times (they make you change it every few months)…something like 5 or 8 times not repeated is reasonable, but 24 is not (this latter is the restriction where I work now).

    A suggestion for creating a strong password I’ve gotten in the past is to think of a sentence that means something to you so it’s easy for you to remember. Pretend that sentence is: “John Dow likes eating oranges for breakfast.” Then use the first letter of each word to make your password out of. You could substitute some words with numbers. So this sentence would end up being JDleo4b. You can throw a number on the end if you want to add more complexity if you want. Also, this is helpful if you need to change your password a lot — then you don’t need to change your sentence, just the number, eg, JDleo4b10.

Trackbacks

Leave a Reply