Secure Password Method -- Bang (strategically) On Keyboard
A lot of people don't seem to know about this method, so here you go. Been meaning to do this for a while, recent events merely reminded me. Note, please take into account the suggestions mentioned in this Refdesk topic. Also HH has good tips here.
The most secure passwords are random strings of as wide a range of keyboard characters as possible. An easy way to create them is to bang on your keyboard.
It sounds primitive -- it is -- yet it gives you the most secure possible password. The only downside is you must record it somewhere, or memorize it, but I recommend copying it to paper; if you use it often enough you will probably memorize it anyways.
So instead of agonizing over coming up with new passwords -- or worse using easily guessable ones -- just bang on the keyboard!
For added security, though, here are several easy techniques to make it more strategic than just a random bang.
1) Make it long. Maximum possible if you can; unfortunately some sites limit passwords to twelve characters or so, which is IMO stupid but they do it.
2) Bang on the letters area AND the numbers area.
3) Make sure you're not just banging up and down in the same few spots. Cover the whole keyboard randomly. (Of course, avoid the F# buttons and other things such as the "Shut Down the Computer Instantly And Ruin All Your Unsaved Work Just Because A Cat Happened To Step On Your Keyboard" button if you have a keyboard from Stupid Design Enterprises™ like my other comp does.) For this I recommend slowing the process down, so you randomly bang, then consciously move your hands, then bang again, etc. until you have a long password.
4) Alternate holding and letting up on Shift as you bang, so that you get a mix of capital letters and symbols too.
5) Alternate holding the keyboard backwards, so the side that's normally away from you is closer to you, just so you don't get predictable finger-relation patterns. Though hackers would need to be super mathematicians on the level of Charlie Eppes on Numb3rs to use such patterns. Still. If you do Step 3 well enough this isn't necessary though.
6) Once you've got a long string, look for often-repeated characters and delete them. Also make a note to yourself to avoid hitting them so frequently in the future; if that happens often you're not doing Step 3 well enough. However, if it's fairly rare, leave them be, as a truly random string is quite capable of having repeated characters and if you interfere too closely you're probably making it easier to hack, not harder.
7) If you wanna go supersecure, bring in a few foreign characters (Insert Symbol option on Microsoft Word has a lot of 'em for example), although then you can't type it. Well, I've heard these have keyboard shortcuts sometimes but no idea what they are -- you could research that and stuff. But make sure you just randomly put a few in, and don't reuse the same ones. Also, don't use only these; remember the idea is to have a wide range of characters.
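One way to check a banged-out string against steps 1 to 6 above, as an added example (not part of the original post). It assumes a US QWERTY layout; the function name `audit`, the thresholds and both sample strings are constructed for illustration.

```python
import math
from collections import Counter

# US QWERTY rows, unshifted + shifted keys (assumption: US layout).
ROWS = {
    "number": "`1234567890-=" + "~!@#$%^&*()_+",
    "top":    "qwertyuiop[]\\" + "QWERTYUIOP{}|",
    "home":   "asdfghjkl;'" + 'ASDFGHJKL:"',
    "bottom": "zxcvbnm,./" + "ZXCVBNM<>?",
}

# Constructed samples: one banged in the same few spots, one spread out.
LAZY = "fjfjdkdkfjfjdkfjfjdk"
SPREAD = "q7Zr!mK2;xP9v#Ld4,Ws"

def audit(pw, min_len=16, max_share=0.15, min_row_share=0.10):
    """Report where a keyboard-mashed string falls short of steps 1-6."""
    if not pw:
        raise ValueError("empty password")
    counts = Counter(pw)
    n = len(pw)
    # Step 6: characters that make up more than max_share of the string.
    overused = sorted(c for c, k in counts.items() if k / n > max_share)
    # Steps 2-3: fraction of the string typed on each keyboard row.
    row_share = {r: sum(counts[c] for c in keys) / n
                 for r, keys in ROWS.items()}
    # Step 4: mix of shifted and unshifted characters.
    classes = {
        "lower": any(c.islower() for c in pw),
        "upper": any(c.isupper() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "symbol": any(not c.isalnum() for c in pw),
    }
    # Shannon entropy of this string's own character frequencies, in bits.
    # It measures spread within the string, not how unpredictable the
    # process that produced it was; a low value means a few keys dominate.
    entropy = -sum(k / n * math.log2(k / n) for k in counts.values())
    return {
        "long_enough": n >= min_len,                       # step 1
        "overused": overused,
        "neglected_rows": sorted(r for r, s in row_share.items()
                                 if s < min_row_share),
        "missing_classes": sorted(k for k, v in classes.items() if not v),
        "bits_per_char": round(entropy, 2),
    }
```

Run it on a string before committing to it; per step 6, a few repeats are normal, so only the characters it lists as overused are worth trimming.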
Other advice, do NOT store it anywhere online. Especially not in email accounts, and never use the same password twice (see the web page the Refdesk topic links to). Assuming you haven't memorized it, you have two basic options IMU.
One, store it in a text file on your hard drive; I recommend naming it something that has nothing to do with passwords and burying it in lots of other text. Then when you need to sign in, copypaste it to the password area. (You could write it on paper too as a hard backup, of course.) (Many people including HH advise against this, but aren't factoring for keyloggers, see below.)
Two, write it on paper only, and physically type it in every time you need it. This is harder, and might be less secure in the case of keylogger viruses, which record keystrokes and can send them to the makers of the virus. On the other hand, if a hacker got into your files the other method could be equally risky. So which of these two you choose may not matter much, far as I know (and I don't claim to be a professional; this is just based on everything I've heard/read over the years).
What I recommend strongly AGAINST is storing it on the computer AND typing it in, as that puts you at risk of both ways for a hacker/virus writer to get it. The chances of either method or even the third one happening to you are rare, but better safe than...
8) Another idea to avoid both the above risks is to type it from paper, but use a random "count how many I've typed, skip characters, then count back and insert the missing characters" pattern, which you should probably write out in detail and diagram on paper instead of trying it from memory. This adds a level of security that could only realistically be thwarted if a hacker logged keypresses, mouse clicks, and where exactly you clicked. No idea if that's much harder for hackers lol, but it's further complexity and a normal keylogger is guaranteed not to break it right away.
9) In fact, you could even use a randomly shifting group of skip and insert patterns that you cycle or the like if you're REALLY paranoid. Or just periodically change your pattern.
Unfortunately both methods 8 and 9 take the "easy" claim mostly out the window, but if you plan it properly, it's not much harder.
My best advice, though, is this -- if you think these more complex ideas are too hard -- BANG ON YOUR KEYBOARD NOW. That, at least, is so kindergarteney easy with such great results there's no excuse to put off changing your password.
Finally, change it often. Your idea of passwords online should NOT be something you memorize and then just use forever, IMO, but something you must periodically change, intended to keep your online stuff safe. The old simple memorizing idea is a nice gesture, and maybe in ancient times it worked fine, but it doesn't necessarily anymore.
(On the other hand, a passphrase is still more secure than a password, so that idea hasn't entirely gone out of usefulness, but like I said, many sites limit your password max length to ridiculously low amounts, so phrases don't really work there; in that case I recommend not risking easily memorizable words, and you'd better be able to memorize the random string anyways.)
Yarr. I intend to repub this several times in future.
In other news, tons of work on the EM is happening. It rocks. Yay and stuff.