September 20, 2013, 11:36 AM —
Image credit: flickr/Nicole Bratt
Twenty years ago, one of the biggest security concerns was that a colleague would learn your password from the post-it note you put on your screen. The solution was simple: Don’t write your passwords down! That was good advice, and most people could easily remember the two or three passwords that they needed.
Since then, security threats have evolved beyond recognition, but our capacity to remember passwords has remained unchanged. We are still able to remember just two or three passwords, and most people choose relatively short and rather predictable passwords in order to be able to recall them.
Password managers address this problem, but come with their own problems. What if malware breaks in and steals all the passwords? And what do you do – practically speaking – when you have a new or borrowed device?
This begs the question: How can we build a better password?
First of all, we should revisit the advice from the 1990s. Today, the typical adversary is not a colleague looking over your shoulder, but a faceless hacker thousands of miles away. Writing passwords down on pieces of paper may not be such a bad idea – although we still don’t recommend sticking them to your screen. This makes particular sense as the number of passwords grows.
To add an additional layer of security to your password cheat sheet, you can make all passwords be composed of two parts. One that you memorize – this part is the same for all your passwords within a given category – and one that you write down – this is unique. Using this method, anybody can manage hundreds of passwords while still only having to remember two or three things.
Second, we need to make passwords stronger. When users are forced to include both upper case and lower case, as well as numerals and special characters, what do they do? They meet those requirements in the ways that are easiest for them to remember. So instead of using passwords like “password” or “secure,” they use “Password1!” and “Secure1!”.