
The Best Password Policy Ever!

16 November 2007

Thanks to Steve Gibson and Leo Laporte on Security Now for the inspiration for this article.

Passwords, passwords, passwords. Everyone seems to have dozens of passwords. Good passwords, however, are as rare as women at a Star Trek convention. Why is that? Well, simply, people are stupid. It’s not our fault, our brains just aren’t meant to work that way. There’s no way we’re going to remember 3F4&d@!1, much less ten of them, then remember which of your 35 accounts it goes to.

So what do we do? We use: password, 12345, 1911, or our login name. Some people think they’re clever and use: drowssap. Hate to break it to you, they all suck. And please, suppress the urge to use your pet’s name, don’t be Paris Hilton. I know you want to, but don’t.

Get a Good Password, Dilbert:
I know it’s painful, but not nearly as painful as finding out someone transferred every last penny from your bank accounts to somewhere in New Jersey. Good passwords are like the one in the first paragraph. They consist of random uppercase letters, lowercase letters, numbers, punctuation, and function keys. You know you have a really good one if you forget it by the time you finish typing it.

If you’re like me, thinking up a really good password is like flossing, it’s painful just thinking about doing it. Instead of doing any actual thinking, go to Steve Gibson’s Perfect Passwords Page, Please. There you will find a 63 character password generated only for you. Apparently, Steve is a little paranoid, okay a lot paranoid.

Hey, wait! Come back! Just because the NSA might be trying to break into Steve’s ebay account doesn’t mean they’re after you too. Schizophrenics aside, no one is out to get you personally, unless you’re a real jerk. You don’t have to use the whole damn thing; break it into eight eight-character chunks, then use those. I know what you’re thinking: you will need to add an extra character to the end of the last password. If for some reason you can’t think of a character, just hit yourself in the hand with a hammer, then use the first letter of the first word out of your mouth.

Make a List, Check It Twice:
So how can we keep them secret but still be able to remember them? Most people put them on a post-it note then stick it to their monitor. Those people deserve to have their passwords stolen and their accounts broken into. Never put your password on your monitor, unless it’s a decoy. There’s nothing wrong with pissing off a would-be password pilferer.

Unfortunately, there are very few places to hide a good password list. Everyone knows to look under the keyboard and in the nearest drawer. Light fixtures are also a bad place since you can see the outline. Sticking it in an air vent is bad for several reasons: it can block the air flow, flap in the breeze, or possibly blow right out and land at the thief’s feet.

Hide Them Well:
I decided that the only truly secure place to hide my passwords was on my body. That way I could monitor any theft. I went with a tattoo, but not just any ordinary tattoo. To solve the visibility problem, I used ultraviolet ink that can only be seen under a blacklight. I had the tattoos placed on different locations on my body. That way if a thief finds one, they may not find the rest.

I put the higher security passwords in more private locations. My weather.com account could have gone on my forehead for all I care, it’s not important. My medium security passwords went in several locations including armpits, soles of my feet, and palms. My bank account password is somewhere near my genital area, I’m not going to say exactly where. For my Ebay password, I put one character on each finger, then I interlace my fingers to get the password. However, my highest security password is tattooed on the inside of my eyelid. To view it, I shine a blacklight through the closed eyelid.

I went to eight different tattoo artists; it would be a security risk if any one artist knew more than one password. I covered the earlier tattoos so that the next artist couldn’t see any of them. The trickiest one was my eyelid. I can’t say how he did it, it’s a trade secret and I signed a non-disclosure agreement. Plus, he would kick my ass.

I ran out of room on my body, yes I have that many passwords. This meant I needed to find another location to store them. I decided to use my daughter, however, since I won’t have direct control over the passwords, I only used low security passwords. You’ll remember I mentioned my weather.com password, well I didn’t tattoo it on my forehead, I’m not that big of a loser. I had it monogrammed on all of her shirts. What? You thought I would put a tattoo on my daughter? I don’t know what type of parent you are, but no child of mine is going to have a tattoo until they’re at least twelve.

In addition to the real passwords I used several decoy passwords. I mixed them into several of the locations, but which ones is top secret. One of the passwords my daughter carries around is a decoy as well.

List Of Locations:
You will need to maintain a list to remind you which password goes to each account along with its location. Obviously a single list with all the locations is a major security risk. Instead of listing the actual password locations on one list, you need to make a master list that refers to other lists that are located in various secret locations in your house, work, friend’s house, and safe deposit box.

However, listing the actual location on the master list is also a security risk. Instead you will need to tattoo the list location list onto a part of the body which you can see without the help of a mirror. In my case, upside down on my stomach, but only because I never take my shirt off in the presence of a blacklight.

I have the master list which refers to which list has the password’s location on it. Each password location list has only two or three passwords on it, one low level, one medium level, and one high level security password. Once you find out which list to refer to, you refer to the list location list to find out where the list is hidden. All the lists by themselves are mostly useless, for security.

Let’s say I want to get my Paypal password. I would first close all the doors and curtains. Then I retrieve the master password list and find out that I need to look for list number 9. Once I find that out I take my shirt off and turn the blacklight on to read the list location list. Now I know that list number 9 is located in the toilet tank. I retrieve the list and see that my Paypal password is located in my left armpit. I can now sign into my Paypal account, but no one else can.

I should also mention that you should put the location of the master list, as well as the list location list, in your will. This way your loved ones or even your lawyer can close all of your accounts down. You wouldn’t want charges accruing after you pass away. It’s really hard to pay bills then.




2 Responses to ' The Best Password Policy Ever! '


  1. someone said,

    on November 17th, 2007 at 3:20 pm

    Please, don’t use function keys in your password. The behavior of function keys changes from one application to another so you might become locked out, unable to log in.

    Use only letters (capital and small), numbers and punctuation marks that you can type on any keyboard (no local or typographic varieties).

    Of course, if you’re certain that the system supports it, and you know you’ll use the password only locally, you can put anything you like. Go for a mix of Chinese, Arabic and Klingon symbols.
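
The article’s “grab 63 random characters, chop them into eight-character chunks” recipe and the comment’s “stick to characters you can type on any keyboard” advice fit together in a few lines of code. The following is an added example, not code from the article, the commenter, or Steve Gibson’s Perfect Passwords page: it is an offline stand-in that draws characters from the OS CSPRNG (Python’s `secrets`, never `random`), restricts the alphabet to printable ASCII letters, digits and punctuation (no function keys, no locale-specific characters), splits the result into 8-character chunks, reports the entropy of each chunk, and checks an arbitrary password for portability. The function and constant names are my own.

```python
import math
import secrets
import string
from typing import List

# Portable alphabet: ASCII letters, digits and punctuation only (94 symbols).
# Function keys and locale-specific characters are deliberately excluded,
# because their keycodes vary between applications and keyboard layouts.
PORTABLE_CHARS = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 63, alphabet: str = PORTABLE_CHARS) -> str:
    """Return `length` characters chosen uniformly from `alphabet`.

    secrets.choice uses the operating system's CSPRNG; random.choice would be
    seeded from a predictable state and must never be used for passwords.
    """
    return "".join(secrets.choice(alphabet) for _ in range(length))


def chunk_password(password: str, size: int = 8) -> List[str]:
    """Split a long random string into independent `size`-character passwords.

    Because every character was drawn independently, knowing one chunk reveals
    nothing about the others. The final chunk is short when len(password) is
    not a multiple of `size` (63 = 7 * 8 + 7, hence the article's joke about
    adding one more character to the last one).
    """
    return [password[i:i + size] for i in range(0, len(password), size)]


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


def is_portable(password: str) -> bool:
    """True if every character can be typed on any ASCII keyboard layout."""
    return all(c in PORTABLE_CHARS for c in password)


if __name__ == "__main__":
    full = generate_password()
    print("63-character password :", full)
    for i, chunk in enumerate(chunk_password(full), start=1):
        print(f"chunk {i}: {chunk:<8}  ({entropy_bits(len(chunk), len(PORTABLE_CHARS)):.1f} bits)")
```

An eight-character chunk from a 94-symbol alphabet carries about 52 bits, which is what one short password taken from a generator like this is actually worth; the full 63-character string is about 413 bits. The `is_portable` check is the commenter’s rule in code: it rejects anything outside printable ASCII, including control sequences and accented letters.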


  2. on January 1st, 2008 at 7:05 pm

    […] The Best Password Policy Ever! […]
