Sunday, January 4, 2009

Overexposed

In my new year, get-a-grip effort Friday night, I achieved clarity about something I had been avoiding and had no desire to confront. I’m too exposed on the Interwebs. This has been magnified by the recent need to change my lock-and-key on FaceBook a few weeks ago and now (thanks phishers!) my Twitter password, too.

There, I said it, the “P” word. Have you ever taken inventory of your passwords? If your answer is, “Sure. My PINs are my spouse’s birthday. My passwords are my pet’s last name. You can catch Mr. Fluffy McScratchalot cited in the captions of the photos I upload weekly to Posterous,” I don’t want to know you. Really, I don’t.

My unpleasant realization evolved as follows. I paid my monthly bills – the same ones you all have – online in the waning days of ‘08. How? Supplying a password each time, of course, after logging in to my personal laptop. In fairness, half of those bills are deducted from a bank account, but I still log in to verify that they’ve posted.

I’m too active online, it seems. By my count, that includes those 10 bills, 17 social and professional networking sites, five email accounts, 10+ online retailers and streaming music sites, my personal website, at least eight job boards and freelance sites, my alumni page, my 401K, my bank, a FICO finder, a handful of charities, my GPS manufacturer’s site and my blog.

Every Monday through Friday, well Sunday through Saturday to be specific, you can add passwords for Salesforce, SurveyMonkey, the work laptop, BlackBerry voicemail code, expense report site, budgeting platform, recruiting site, and desk phone voicemail code.

On that note, don’t forget the voicemail code on the cell phone and the debit card PIN.

Do you see where I’m going with this? You’re probably like me in my seemingly unfortunate reach. Nearly 70 access points, each with virtually unique passwords! Ten years ago, I had four or five. How did things spiral so wildly out of control?

How does one manage, and how safe are they?

I’m no expert. I am not advising here, merely sharing my own strategies. For starters, you can say I’m a big fan of the Password Reset feature on many sites. If anything, this helps me refresh stale ones that no longer bear any significant meaning. And I make certain that my passwords are strong. Yours should be, too. That means mixing things up a little, or a lot. Some sites restrict the number of characters or the types of characters one can use. I am creative nonetheless, as creative as the site allows. I make them challenging, make them strong and make them many.

How? I use some core elements such as familiar (but not obvious) number blocks, made-up or foreign words, Leetspeak and special characters. For example:

  • Numbers: the honeymoon room number or a piece of a car’s VIN

  • Nonsense words: chibbylagwah, santercolift, happlifance, ublangr (If I’m not feeling creative, I just look at the parade of pharmaceuticals thrown at me during every commercial break.)

  • Foreign words: I prefer anything from the Balkan-area language family. Lots of consonants. On occasion, I will use an online language converter.

  • Leetspeak and special characters: I replace letters with numbers and vice versa. A “1” can be a capital “I” or a lowercase “L” for instance, or substitute the # for an “H.”

I’ve got a mental library of bite-sized, memorable and meaningful building blocks. On demand, I’ll pull out a few, arrange them accordingly, apply some Leetspeak and I’ve got myself a strong password. My personal paranoia has led me to make this a best practice since I first started playing and working on the Interwebs in its earlier incarnations.

One last hint. Some systems require you to update your password periodically. For ease of remembering, I’ve inserted a favorite three-digit number in the middle of a nonsense word and merely update the number incrementally when prompted.

If you aren’t convinced yet of the necessity for strong passwords, John P.’s old blog post, “How I’d Hack Your Weak Passwords”, states the following about commercially available password cracking tools: “Adding just one capital letter and one asterisk would change the processing time for an 8 character password from 2.4 days to 2.1 centuries.”
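To see where figures like those come from, here is a small strength estimator I added for this post; it is not the blogger’s code, nor from the post quoted above. It assumes the standard printable-ASCII class sizes (26 lowercase, 26 uppercase, 10 digits, 33 symbols) and a guess rate of one million per second, a rate I chose because it reproduces both quoted numbers when the 8-character password moves from a 26-letter alphabet to the full 95-character printable set. It also estimates, with a constructed pool size, how strong a password built from a “mental library” of building blocks really is: an attacker who learns the library only has to try combinations of blocks, so the strength is set by the number of blocks and their arrangements, not by the character length, and Leetspeak spellings add only a small multiplier.

```python
import math

# Standard printable-ASCII character classes and their sizes
# (constructed for this example, not taken from the post).
LOWER, UPPER, DIGIT, SYMBOL = 26, 26, 10, 33   # 26+26+10+33 = 95 printable characters


def charset_size(password: str) -> int:
    """Size of the smallest union of character classes that covers every
    character in `password`; a brute-force guesser must at least enumerate this set."""
    size = 0
    if any(c.islower() for c in password):
        size += LOWER
    if any(c.isupper() for c in password):
        size += UPPER
    if any(c.isdigit() for c in password):
        size += DIGIT
    if any(not c.isalnum() for c in password):
        size += SYMBOL
    return size


def brute_force_keyspace(charset: int, length: int) -> int:
    """Candidates an exhaustive search over `charset` symbols must cover at a fixed length."""
    return charset ** length


def seconds_to_exhaust(charset: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a constant guess rate."""
    return brute_force_keyspace(charset, length) / guesses_per_second


def bits(keyspace: int) -> float:
    """Keyspace expressed as bits, the usual way to compare strength estimates."""
    return math.log2(keyspace)


def building_block_keyspace(pool_size: int, blocks_used: int, leet_variants: int = 1) -> int:
    """Candidates an attacker who has learned the 'mental library' would try:
    ordered choices of `blocks_used` distinct blocks from a pool of `pool_size`,
    times the number of Leetspeak spellings applied to each result."""
    return math.perm(pool_size, blocks_used) * leet_variants


def human(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    units = [("centuries", 100 * 365.25 * 86400), ("years", 365.25 * 86400),
             ("days", 86400), ("hours", 3600), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.3f} seconds"


if __name__ == "__main__":
    rate = 1_000_000  # guesses per second; assumed, chosen because it reproduces the quoted figures
    for label, charset in (("8 lowercase letters", LOWER), ("8 chars, full printable set", 95)):
        print(f"{label}: {human(seconds_to_exhaust(charset, 8, rate))}")
    # A long password assembled from a small pool of known blocks is weaker than its length suggests.
    long_pw = "chibbylagwah" + "santercolift"   # 24 characters, two nonsense words from the post
    print(f"by length: {bits(brute_force_keyspace(charset_size(long_pw), len(long_pw))):.0f} bits")
    print(f"by blocks (pool of 50, 2 used, 8 leet spellings): "
          f"{bits(building_block_keyspace(50, 2, 8)):.1f} bits")
```

Run it as a script: the first two lines print 2.4 days and 2.1 centuries, matching the quote. The last two lines make the building-block caveat concrete: the 24-character example looks like roughly 113 bits by character count but only about 14 bits once the attacker knows the 50-block pool (the pool size is a constructed assumption), which is why a strength checker that only counts characters can flatter a password built this way.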

If you aren’t sure of the strength of your password(s), Microsoft offers a password strength checker on its website. Note also the related link in the right navigation bar on how to recognize spoofed websites.

Think about it next time you join a new site or feel inspired to change your current access code. And definitely think about it before one or more of your accounts gets phished or hacked.

2 comments:

wrytir said...

From Kerstin (@kayhaswings): Great new blog post! Really got me thinking about my own online situation and how I can protect myself better.

wrytir said...

From Dan Thompson (@thewebdawg): Nice post. I have 3 or 4 strong passwords that I break out based on the perceived trustworthiness of the site I'm registering on.