Here’s an idea, what if you were to create a password that was too embarrassing to share?
We hear endless advice about passwords:
- Make them hard to steal.
- Don’t write them down.
- Upper-case, lower-case, numbers, special characters.
- Longer than seventeen characters.
- Use the initial letters of a pass-phrase.
- Don’t use dictionary words.
- Think about all the hackers and their ability to break any password you’re capable of creating.
- Don’t use your name (or any part of it) or your company name or the inside-leg measurement of your sister’s boyfriend’s Rottweiler.
- When you change it, you can’t use a password remotely related to the previous one.
- Change it every 34 minutes.
- Don’t tell anyone.
So much of this advice is bogus! Many have suggested that onerous password policies make it difficult to remember the passwords and lead to the “Monday problem” where Help Desks are inundated with support calls when passwords are forced to change on a Friday and users cannot recall their new one on the following Monday.
Additionally, any imposition of password selection rules will automatically reduce the available pool of passwords (think about it!).
Also, if you don’t share your password and it conforms to all the ‘obscurity’ rules, why on earth should you change it regularly, anyway!
So, allow me to limit the discussion here. Slightly.
Bearing all the aforesaid in mind (and admittedly, some of it is useful), let’s consider what might happen when you’re required to select a password for an ultra-secure access point where the password must remain totally confidential; but it will not be used regularly (think six months or more) and it definitely cannot be shared.
What if you were to choose a personally embarrassing phrase-style password?
How about (and I’m making this up, honest!), “I steal $50 from petty cash every Friday for beer money.”
So, how many password-guessing systems do you think would crack that?
More importantly, when co-workers ask to ‘borrow’ your password, what are the chances you’ll tell them what it is (without blaming it on the previous person in the job role, of course!)?
Sometimes, it is important to think outside “the box” and both work with the rules and apply your own slant on things.
Best of all, the phrase above has endless opportunities for rules-adherence: using Leet (http://en.wikipedia.org/wiki/Leet) for instance, we can swap any number of characters for all kinds of equivalents.
Perhaps, “1 st3al $50 fr0m p3tty cash 3v3ry Fr1day for b33r m0n3y” (and that’s only swapping every O for zero, I for 1 and E for 3 – there are plenty more opportunities for change).
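To make the substitution and the rule-checking concrete, here is an added example (my Python, not code from the post): it applies the post’s three swaps to every occurrence (so, unlike the hand-made version above, “for” also becomes “f0r”), checks the result against the character-class and length rules from the list at the top, and shows why a password-history check should undo leet spellings before comparing, since the leet form is otherwise just a disguised copy of the plain one.

```python
"""Leet substitution from the post, plus the checks a policy implementer
would want around it. Example code, not from the original post."""

# Constructed sample: the (admittedly made-up) phrase from the post.
SAMPLE = "I steal $50 from petty cash every Friday for beer money."

# The three swaps the post describes, applied regardless of case.
LEET_MAP = {"o": "0", "i": "1", "e": "3"}
UNLEET_MAP = {v: k for k, v in LEET_MAP.items()}


def leetify(phrase: str, mapping: dict = LEET_MAP) -> str:
    """Swap every O, I and E (either case) for 0, 1 and 3."""
    return "".join(mapping.get(ch.lower(), ch) for ch in phrase)


def normalize(password: str) -> str:
    """Fold case and undo the common leet swaps, so that a password-history
    check treats the plain and leet spellings as the same password."""
    return "".join(UNLEET_MAP.get(ch, ch) for ch in password.lower())


def related_to_previous(new: str, old: str) -> bool:
    """True when the new password is only a leet/case variant of the old one."""
    return normalize(new) == normalize(old)


def policy_report(password: str, longer_than: int = 17) -> dict:
    """The character-class and length rules from the post's list of advice."""
    return {
        "upper": any(c.isupper() for c in password),
        "lower": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        "special": any(not c.isalnum() and not c.isspace() for c in password),
        "long_enough": len(password) > longer_than,  # "longer than seventeen"
    }


if __name__ == "__main__":
    leet = leetify(SAMPLE)
    print(leet)
    print(policy_report(leet))
    # A history check that only compares raw strings would accept the leet
    # form as a "new" password; the normalised comparison rejects it.
    print("related to previous:", related_to_previous(leet, SAMPLE))
```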
I dare *anyone* to share that password!