Wednesday 5 October 2005


Personal Password Policies

With phishing, social engineering scams and hacking on the rise, it has never been more important to give serious thought to how you generate and manage passwords for your online accounts.

The system I use involves using an online gibberish generator to create lengthy alphanumeric character strings and saving these in an Excel spreadsheet, which is subsequently password protected. I've memorised the ludicrously long password for my Gmail account so I can check it from work, but wouldn't dare attempt to commit the rest to memory - there are simply too many of them, and they're all entirely random and therefore difficult to turn into mnemonics. So not an ideal solution by a long stretch then.

Passwords that are easy to recall are also easy for others to guess or hack, while highly secure ones can be so secure you can end up locking yourself out of your own accounts. Using the 'one password to rule them all' technique isn't the solution - if someone managed to get hold of it they'd have the master key to your kingdom and you'd be up the Dry Creek Quarry without your invisibility ring, bank balance and identity.

Security expert Steve Gibson believes the answer could be to devise your own algorithm, which, when applied to web site domain names, can be used to generate unique, easily retrieved passwords.
Don't run away just yet; this sounds more geeky than it really is, trust me. For example, you could take the URL ebay.com, turn the letters into numeric values (using the formula a = 1, b = 2 and so on), shift 3 places up the scale and convert the numbers back to letters. The result is a seemingly random string of letters. You don't have to remember what they are in each case, just make sure you know how they were generated so they can be reproduced at will.

To ramp up the security rating of your passwords you could employ a second algorithm to generate a series of numbers or punctuation marks and intersperse these with your letters.
For a more thorough illustration of the way in which personal password policies can be implemented, listen to episodes 4 and 5 of Steve's Security Now podcast.
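
The letter-shift scheme described above, worked through in Python as an added example (it is not code from this post or from the podcast). It also checks what a single known domain and password pair reveals about the rule. Dropping the dot, wrapping past 'z', and the digit rule in `derive_password` are assumptions made for illustration.

```python
import string

ALPHABET = string.ascii_lowercase  # a = 1 ... z = 26, as in the post


def letters_of(domain: str) -> str:
    # Assumption: only the letters of the domain are used; dots are dropped.
    return "".join(ch for ch in domain.lower() if ch in ALPHABET)


def shift_letters(domain: str, shift: int = 3) -> str:
    # Assumption: shifting past 'z' wraps around to 'a'.
    return "".join(ALPHABET[(ALPHABET.index(ch) + shift) % 26]
                   for ch in letters_of(domain))


def derive_password(domain: str, shift: int = 3) -> str:
    """Shifted letters with a digit after each pair of letters.

    Hypothetical second rule: the digit is the sum of the two original
    letter values (a = 1 ...), modulo 10.
    """
    plain = letters_of(domain)
    shifted = shift_letters(domain, shift)
    out = []
    for i in range(0, len(plain), 2):
        out.append(shifted[i:i + 2])
        pair = plain[i:i + 2]
        if len(pair) == 2:
            out.append(str(sum(ALPHABET.index(ch) + 1 for ch in pair) % 10))
    return "".join(out)


def shift_revealed_by(domain: str, password: str):
    """Return the shift if one known (domain, password) pair is consistent
    with a single fixed letter shift, otherwise None."""
    plain = letters_of(domain)
    cipher = "".join(ch for ch in password.lower() if ch in ALPHABET)
    if not plain or len(plain) != len(cipher):
        return None
    shifts = {(ALPHABET.index(c) - ALPHABET.index(p)) % 26
              for p, c in zip(plain, cipher)}
    return shifts.pop() if len(shifts) == 1 else None


if __name__ == "__main__":
    pw = derive_password("ebay.com")
    print(pw)                                  # he7db6fr8p
    print(shift_revealed_by("ebay.com", pw))   # 3
```

Because the rule is the same for every site, one disclosed password is enough to identify the shift, so the details of the personal rule need to stay as private as the passwords themselves.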
