Passwords Are Broken, a Temporary Fix.

David Byttow
I. M. H. O.
Published in
3 min readJul 17, 2013

--

Passwords are broken, but unfortunately necessary. In this article, I explain how I keep all of my accounts secure by creating strong, unique AND memorable passwords.

Signing in to an account is all about proving your identity. And that can be accomplished in three primary ways:

  1. Something you know. This is the most common, and what a password effectively represents. This is the cheapest solution.
  2. Something you have. In the real world, this is a physical key or a fob. In the digital world, this is often represented by your mobile phone.
  3. Something you are. This is rare, but a common example is a fingerprint or retina scan. Although extremely secure (except in the future that is Minority Report), it’s also the most intrusive and expensive solution and doesn’t really work in the digital world.

Given the rarity of #3, let’s disregard.

That leaves something you know and something you have. Choosing between the two, the former is more secure because it’s harder to lose or misplace something you know. But the two combined, is extremely secure. This is known as “two-factor authentication,” or 2F in short. Gmail offers this and you should enable it immediately. That brings me to my first point.

Protect your email account at all costs.
This is is a single point of failure. Most services don’t offer 2F auth and rely on you creating a password. If you forget that password, the service will likely allow you to reset it via your email address. So if you’re email address is compromised, you’re potentially in for a world of hurt. Make your email password strong and enable 2F authentication.

Don’t share passwords across accounts.
Good folks often use the same password for random-new-social-app-they-just-read-about-on-TechCrunch that they use for their most critical services. Do you really trust the junior developer implementing account creation to encrypt and protect your password in their datastore? Or to even prioritize it? Don’t. If someone gets that password and then attempts to re-use it on another service that you shared it with, you’ve been compromised. And oh-dear-god please never re-use your primary email password.

Develop your own password generation algorithm.
So, your passwords should be strong AND unique, but how will you remember them? There exist solutions to this, such as 1Password, which believes that the most secure password is one that you can’t remember. But, once again, this is a potential single point of failure.

Instead, what I do is create a tiny algorithm for generating passwords. For example, say you’re creating a password for two services: Instagram and Vine.
Instagram: Qfjpin0109$
Vine: Qfjpvi0109$

In isolation, these look pretty secure. They’re broken up in the following way:
Qfjp: Random (or not!) string of letters.
in: First two letters of the service name.
0109: Someone significant’s birthday.
$: Punctuation character (if allowed).

Of course, given two of these passwords, it’s likely pretty easy for someone to deduce the pattern. But you can take this as far as you like. For example, perhaps if the service ends in a vowel, you swap the random letters and the numbers. Or, instead of the first two letters of the service name, you use the first letter + 1 (so, j instead of i).

The point is, given only a couple chunks of information to remember (4 letters and a couple rules), you can create a unique and strong password for each service.

Oh, and please go enable two-factor authentication for your email accounts.

Love or hate this article? Let me know @davidbyttow.

--

--