Passwords On Post-its? You Bet!
Posted Friday, 12 January 2007, 3:36 pm | 88 comments
A not-uncommon IT-to-user conversation:
IT Dude: "The password to log in to your new PC is r4eo1ss89"
User: "Um. Okay. But how will I remember that?"
IT Dude: "Not my problem."
User: "Okay, but there’s no way I can remember that. I’ll have to write it down."
IT Dude: "If you write it down, it’s no longer secure – if someone finds it, they’ll have access to your machine. Do not write it down!"
User: "But…but if I can’t write it down, and I can’t remember it, what can I do?"
IT Dude: "Not my problem."
At this point, IT walks away, and the user will likely change the password for their PC to "letmein". Or "abc123". And tell security ‘Goodbye’.
But there is a way to keep that impossible-to-remember password always at the ready, in plain view even, and yet foil anyone who tries to use it. I came up with this idea about a year ago, and to my knowledge, nobody has ever suggested the idea. So I claim inventor status!
So, IT stuck you with r4eo1ss89 as your password. You’re a smart cookie, but you know that if you try to memorize it, you’ll forever be transposing the ‘eo’ to ‘oe’ or running out of memorized characters after the ‘1’. So, the reality of that secure password is, you have to write it down.
Well, don’t hesitate, write it down! Use a bold Sharpie® on a Post-it® , write it in big letters—if you’re feeling particularly cheeky, write "Password for my computer" right above it.
The secret, and there’s a pun in there, I promise, is to ‘password protect your password’. How? It’s absurdly easy, mind-numbingly simple, and you’ll wonder why you didn’t think of it yourself first!
Drum-roll, please: choose a letter or number that will be your "personal" password. One single character. Add that character to whatever password you have, anywhere in the password. The only caveat is that the real password must not already contain that character; if it did, you would not know which occurrence is the decoy and which is part of the real password.
Here’s an example. I decide that, for every password I will ever write down, my ‘personal password’ character, my ‘secret key’ so to speak, is a lowercase ‘w’. IT gave me the password r4eo1ss89, so I write it down with a ‘w’ slipped in somewhere, for instance r4eow1ss89. Whoever types that in as written gets a login failure.
Against a casual snoop, this works well. The only way someone could get in from the note is if they already know that you are padding the password with a bogus character, and know which character it is. You’re presenting them with a password that cannot work unless they know your secret, and it’s a secret that is easy for you to remember and to keep: a solitary character. Obviously, it’s a good idea not to use one of the initials of your name.
One caveat a careful reader should keep in mind: this is not "uncrackable". Someone who knows or guesses the scheme does not need to know the character at all; deleting one character at a time from the note yields at most as many candidate passwords as the note has characters, and one of them is right. The trick hides the password from a glance over your shoulder, not from an attacker who walks off with the note and a few minutes to spare.
If you want to get even more clever, pick a position and designate it your ‘personal position’ along with your ‘personal character’. With that, you can have passwords that do contain your secret character, just so long as it’s not in your chosen position. So if I chose the letter ‘w’, always in the fifth position, I could have a password of a9are4wp2w1 and simply write it down as a9arwe4wp2w1.
Arguably, this positional technique could be slightly less secure: if, for example, you were to print out your passwords in a cheat sheet, all aligned to the left, the pattern of a ‘w’ in the fifth position of every entry might become apparent. For the serious IT person who has to maintain his or her own list of many complex passwords, it’s probably best not to use a position parameter.
With this exceedingly simple technique, you can hide your passwords in plain sight. People will wonder why it is that you can get in with your password all the time, but when they try to take a sneak-peek into your computer after you’ve gone home for the day, they can never get in.
Share and enjoy!
Followup: It just occurred to me that there’s another variation on this that can work well: Secret character removal. This one does work best with positional parameters: select a character that you will always have in your password, in a particular position, then remove that character from what you write down. So, for example, your secret character is ‘f’, and your secret position is two. You create and use a password of:
But you write it down as
Since you know there will always be an ‘f’ in that second position, it’s just as easy to remember as the ‘extra’ character method. And since you are not writing down the character, it’s potentially even more secure than the ‘add a character’ method: someone who guesses the scheme must now guess which character to insert as well as where, rather than merely which character to delete. The search is still small enough to run through by hand, so the same caveat applies.
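The following is an added example written for this page, not the author’s own tool or code. It implements both methods described above (the ‘add a character’ method with and without a secret position, and the follow-up ‘remove a character’ method) and, beside them, the attacker’s side: given only the note and knowledge of the scheme, how many candidate passwords there are to try. Positions are 0-based in the code, so the post’s "fifth position" is index 4 and "position two" is index 1. The passwords are the post’s own examples except the one marked as constructed, and the character set assumed for the brute-force count (letters and digits) is an assumption.

```python
"""Decoy-character password notes, plus the attacker's view of them.

Added example for this page, not the post author's code.  Positions are
0-based (the post's "fifth position" is index 4); ALPHABET is an assumed
character set used only to size the brute-force search."""
import string

# Assumed charset for the attacker's count: letters and digits only.
ALPHABET = string.ascii_letters + string.digits


def disguise_add(real, secret, position=None):
    """Return what goes on the Post-it: `real` with one decoy `secret` inserted.
    Without a position the decoy may go anywhere, so `real` must not already
    contain `secret` (otherwise the two could not be told apart).  With a
    position the decoy always goes at that index."""
    if len(secret) != 1:
        raise ValueError("secret must be a single character")
    if position is None:
        if secret in real:
            raise ValueError("real password already contains the secret character")
        position = len(real) // 2  # arbitrary placement for this example
    if not 0 <= position <= len(real):
        raise ValueError("position outside password")
    return real[:position] + secret + real[position:]


def recover_add(written, secret, position=None):
    """Invert disguise_add: delete the decoy character."""
    if position is None:
        if written.count(secret) != 1:
            raise ValueError("expected exactly one occurrence of the secret character")
        return written.replace(secret, "", 1)
    if position >= len(written) or written[position] != secret:
        raise ValueError("secret character is not at the secret position")
    return written[:position] + written[position + 1:]


def disguise_remove(real, secret, position):
    """Follow-up variant: the real password always carries `secret` at
    `position`; the note omits it."""
    if position >= len(real) or real[position] != secret:
        raise ValueError("real password must have the secret character at the secret position")
    return real[:position] + real[position + 1:]


def recover_remove(written, secret, position):
    """Invert disguise_remove: put the secret character back."""
    if not 0 <= position <= len(written):
        raise ValueError("position outside password")
    return written[:position] + secret + written[position:]


def candidates_add(written):
    """Attacker who knows the 'add' scheme but not the character or position:
    every string obtained by deleting one character from the note.
    At most len(written) distinct guesses."""
    return sorted({written[:i] + written[i + 1:] for i in range(len(written))})


def candidates_remove(written, alphabet=ALPHABET):
    """Attacker who knows the 'remove' scheme: every string obtained by
    inserting one alphabet character at any index.  At most
    len(alphabet) * (len(written) + 1) distinct guesses."""
    return sorted({written[:i] + c + written[i:]
                   for i in range(len(written) + 1) for c in alphabet})


if __name__ == "__main__":
    note = disguise_add("r4eo1ss89", "w")        # the post's password, decoy 'w'
    print(note, "->", recover_add(note, "w"))
    note5 = disguise_add("a9are4wp2w1", "w", 4)  # positional variant, 5th position
    print(note5, "->", recover_add(note5, "w", 4))
    real = "nf7qz2Lp"                            # constructed: 'f' always 2nd
    note_r = disguise_remove(real, "f", 1)
    print(note_r, "->", recover_remove(note_r, "f", 1))
    print(len(candidates_add(note)), "guesses cover the 'add' note")
    print(len(candidates_remove(note_r)), "guesses cover the 'remove' note")
```

The two `candidates_*` functions are the practical check on the "uncrackable" wording: for the post’s own example the ‘add’ note yields nine distinct candidates, and a ‘remove’ note of seven characters yields a few hundred at most, which is a coffee-break’s work against a login form with no lockout. The decoy defeats someone who reads the note and types it once; it does not defeat someone who recognises the scheme.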
Update: Please read my followup article, which addresses some of the concerns that have been expressed regarding these methods.