see nerd blog — passwords

Passwords on the internet are problematic. I need lots of them, I need them to be all different, I need them to be long and complex, and I need to be able to remember them easily without writing them down. If I break any one of those conditions, then it becomes easier for opportunistic hackers to steal my private information, and commit identity theft against me.

Half the problem is that sites that demand information from me do not protect that information sufficiently. This includes passwords. Most will encrypt the passwords, not all. Some will be hacked and have all that information stolen. Any encrypted information can be decrypted, with time, by a hacker. That’s why a long password is important; they need more time to crack, and, when stealing information, it’s more useful to the hacker when it can be more quickly used. That’s not true for information that can’t be cancelled, such as social security numbers, which is why it’s best not to give such information out in the first place.

If I were to use the same identity and password on lots of sites, then, once one of those sites was successfully cracked, my information on all the other sites would be vulnerable too. That’s why it’s essential that no password is the same as another.

All this is a bugger. One solution is to use a password manager. Another is to create a scheme that gives you long memorable and unique passwords. The former, when used correctly, gives you better quality passwords. The latter, when used correctly, means you are not dependent on a piece of software. I use the latter.

The goal with my password technique is to avoid being an easy target, and to offer some protection when a site I use is hacked. What I do is almost certainly unsuitable for people who are likely to be personally targetted, such as the rich, celebrities, stalker victims, and the powerful, because it’s unlikely to be effective against targetted skillful attacks.

Most successful hacks which result in people’s information being stolen and their financial reputation being destroyed are not targetted against the victims in particular, rather the criminals simply grab great piles of the easiest stuff to steal: password databases on commercial sites. They analyse their booty, which includes your private information, decrypt passwords, and try and reuse the information elsewhere for their criminal gain. This booty includes your user name and password, and any private information you gave the site (which is why it’s essential not to give out information that can’t be changed). My goal here is not to be among the easy targets when such information is stolen.

I dislike password managers. You need access to them to do things. If they’re on your phone or PC, you have to use that device to access them. If they’re on the cloud, you need access to the provider to get a password. Normally, this isn’t a problem, but sometimes providers go down. Worse, sometimes you need a password to get an internet connection working, which is a bit difficult when you need the internet connection working to get the password: so much for router passwords. Obviously, any decent cloud provider will allow you to keep a copy of your password database on your smartphone: but I was shocked to find a number of cloud providers only pretend to copy data to phones (I got stuck once because I used to cloud to put a bus timetable on my smartphone, only to discover, when at a bus stop without a timetable and without a mobile signal, the provider had deleted the file to ‘avoid wasting space’ — the presumptive c*nts). This, it must be said, is partially a problem of smartphones themselves; the operating systems are very carefully designed to prevent users doing essential tasks, like copying files to a safe place. Ultimately, in my experience, cloud providers depend on flakey infrastructure, namely the internet, and flakey kit, namely smartphones.

Furthermore, they have a single point of failure, the password used to get into them. This has to a very good password. If you forget it, you’re stuffed. If someone else gets it, you’re stuffed. It’s a single point of failure, and I don’t like single points of failure. Protecting your crown jewels with a one key keylocker is silly.

On the other hand, password managers are in fashion in a certain clique, and if you want to be with that clique, you need to be seen to use them.

So I don’t use a password manager. I use unique passwords for any site of importance to me, one I can (usually) remember. Basically, I mix a long standard password with a unique site identifier. That way I keep things different, keep things relatively difficult for hackers, and keep things memorable. Long passwords have their own advantage: if a site is cracked, the user id and passwords stolen, it’ll take the hackers a while to crack my password (presuming the site owners were sensible enough to encrypt passwords). If the site owners are polite enough to issue a warning, I’ve a change of changing things before any damage is done. Better, the same password won’t work against the same user id on other sites.

The weakness with my system is if someone wants to hack me specifically, after they’d stolen and cracked a couple of passwords, they could probably work out my strategy, so making it easier to crack my other passwords. If there really was a risk of that, then I wouldn’t use this method.

Anyway, it is very important that the long standard password is not suitable for dictionary and other standard attacks. It shouldn’t contain recognisable words, whether written directly or with the common letter substitutions (such as 1 for L or I, 3 for E, and so on)—it’s not exactly difficult to amend a piece of search code to include those common substitutions in searches. It complicates the search, true, slowing things down, but not dramatically. Use original alternatives. This is one of the few places where being unusually bad at spelling is an advantage.

The long sequence of characters I use is based on old songs I misremember. One I do not use, for example, is “See My Baby Jive”, which could be miswritten as CmyB3b3Jyv. (Actually, that’s too short, but it’s good enough to illustrate what I’m suggesting.) Then, given I like to call facebook faceboot (as per 1984, although it’s more Brave New World), so my facebook password with that system might be Cmy-Boot-B3b3Jyv. Linked In might be Cmy-Off-B3b3Jyv (I’m Linked Off with Linked In). Sneak in punctuation if you can, as per those hyphens, that can give password hackers a headache too. The vital point with individual website passwords is to be consistent with the site identity encoding in passwords, because you won’t remember what they are when you come back in six months time, but you can reconstruct them easily enough. My consistency is, unfortunately, sarcasm.

I say I usually remember the passwords. That’s true. But I do forget too. So my passwords are written down, but encoded. For example, I’d remind myself of the facebook password above with, say, wizard winston. Wizard is Wizzard, e.g. the band that originally performed See My Baby Jive, and of course Winston Smith was the protagonist in 1984, with the party’s image of “a boot in your face forever”, which I understand to be President Trump’s slogan too. Wizard Winston is good enough to remind me, but should be meaningless to almost anyone else. It’s not perfect, though; both those associations are public knowledge.

Despite all this, I keep considering password managers. A good one will offer entirely random passwords, which is far better than any system like mine. If you are the kind of person who might reasonably be targetted, you shouldn’t consider doing what I do.