Tuesday, 25 May 2010

Write Your Password on a Post-It and Stick it to Your Monitor, you idiot!

The phone goes. I pick it up. "Hello, IT Support."

"Er, yeah, hi," says the voice on the other end, "Erm, could you do me a favour and reset my password on the Klueless Decision Support server? Hehe, I've locked myself out – again."

I sigh. This is the third time this week.

"Ok," I say, "I'll email you the new password" (mental note: set it to '1mad1ckh3ad').

I reset his password and mail it. He'll be back, I just know it.

This happens a fair bit in my line of work, and it annoys me. OK, we all get a bit forgetful from time to time, but some folks seem to have a very localised and specific form of amnesia in the area of passwords.

So I'm going to share something that will perhaps save you from annoying your IT Support crew and thus becoming the object of their everlasting scorn and hatred (we are a mean-minded lot, when all's said and done and, remember, we can get into your stuff, bwahahaha!).

You know that bit where they tell you never to write down your password? It's a great idea, right?

Yeah, except that a lot of systems these days insist on password complexity rules like not re-using any of your last 100,000 passwords, or having a password the same length as the human genome, which must include numbers, upper- and lowercase letters and special symbols like underscores, ampersands, Egyptian hieroglyphics and so on. This makes for pretty difficult remembering, doesn't it?

So, here's how you can get away with writing down your password without leaving yourself vulnerable.

Your password will be broken into two bits.

The first bit is a short (say four characters long) 'stub' which never changes. You must remember this part because you must never write it down or tell anyone what it is. Don't make it too obvious in case someone does actually guess it, or too obscure because you have to remember it. You can make the stub harder to guess by substituting numbers for some vowels like zero for O and three for E and so on. Try to make it meaningful and memorable.

The second part of your password is the bit that changes when a system insists you give it a new password. This is the bit you can safely write down.

For example, suppose your 'stub' was based on the name of your first ever pet, Freddie the fish. The 'stub' could be 'fr3d' (see, we've already included a number to help with the complexity). Then we could stick an underscore on the end of the stub (adding more complexity) and then think of a suitable ending, say, 'summertime'.

The password would be fr3d_summertime. You could safely just write summertime in your notebook (or on a post-it stuck to your computer – always a favourite) and still no-one could use it to get into your stuff.



  1. It always happens with me too. I am an SAP Admin. If they cannot get in 3 attempts, for the 4th they are locked.
    And you have to release the lock and reset the password, which sometimes irks me.

  2. Guilty! Although I'm usually VERY good about remembering my passwords... I have, on occasion, locked myself out because Caps Lock was on. Sigh. It's just so EMBARRASSING!

  3. @Shilpa - I only get annoyed when it's the same person over and over again.

    @Bug - Some versions of Windows are sensible enough to warn you that caps lock is on when you are entering text into a password field - saved me a few times, that one has.

  4. finally made it.. (me mum called round and I was about to catch up with harold etc) :-D
    anyway.. passwords are never a problem for me.. i have three and they are used alternately for everything... and have done for the last ten years :-) (because I'm one of those people with zero brain/short term memory, a lot like that fish in the joke;
    1st fish: watch out for that bridge
    2nd fish: what bridge?
    1st fish: what's a bridge?!...
    ahh.. that still makes me larf!

  5. love this post, i just a few minutes ago went to log into my email. I am using web mail because my computer died and I am on a borrowed laptop while waiting for mine to get here via FedEx. I did not want to set up email on this computer, so I am checking emails on my IP web mail, I have two addresses which require me to log in and out a lot. I tried twice to get in and thought I KNOW this is the right password, yes, it was on Caps Lock. I have not done that since I retired. I was team leader for 21 people and the same ones over and over lost passwords and IT would call me and say get them under control, it's the same two calling here with the same problems. I like the idea of the stub.

  6. @Watercats - Hehe, love the joke! In my job I need passwords to about thirty different things. Then there's my personal ones. It's a crazy world.

  7. I remembered my password but I've forgotten what I was going to say.

  8. @Sandra - We've found the stub thing very useful here at work. Not everybody is using it.
    @TFE - Hehe!

  9. I'm reasonably happy with my password at the mo, coz it's suitably strange and not obvious and yet at the same time completely easy to remember.

    what annoys me more though is that my bank won't allow me to use special characters in my password, thus making my password less secure.

  10. Remind me never to come to you for IT support.
    Of course I have written down all my passwords and of course they are all totally obvious.
    I just hide the whole damn computer.
    Why must everything in life be so complicated!

  11. @DFTP - I agree: we're supposed to all be security-conscious and then we get systems which make it more difficult by banning special characters. Maddening.

    @Friko - Haha, hiding the computer is a good idea.

  12. One could always try the page number from a favourite book, password = first word on that page approach.

    I think we use passwords far too much. You have to enter one just to turn computers on these days, unless you change the settings.

    Fear is a social glue.

  13. @Dominic - Ooh, yes, very DaVinci Code. I've actually chosen the changeable part of my password by opening a book at random, closing my eyes and placing my finger on the page. Yes, passwords and PINs are everywhere. I sometimes like to run a little thought-experiment about how different the world would be if people were honest and trustworthy. Pure fantasy, sadly.

  14. I have a serious question, Argent. What if I use the same password for everything without numbers or special characters? If it isn't a dead giveaway password, such as my name or whatever, am I walking in danger land?

  15. @Enchanted Oak - You are probably not in too much danger. If the password is a normal word, you might conceivably be subject to a 'dictionary' attack. This is where the hacker basically runs a whole dictionary worth of words through the same encryption routine as is used by your system in the hope of producing a string of characters that will let him in. Systems that lock out after a fixed number of attempts can be helpful here as, unless he gets it in 3 goes, he's not getting in. The thing with security is to be cautious: don't open emails or attachments unless you're sure they're from someone you trust as these may download code onto your computer that grabs your keystrokes and sends them off to the hacker - no amount of password complexity is going to help when he's got the whole thing. Regular use of anti-spyware/anti-malware/virus scanners is useful to keep your computer minty-fresh and free from nasties.
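As an added example (not from the original post), here is the stub scheme from the post and the dictionary check described in comment 15 side by side in Python: it shows that the written-down part on its own is a plain word that a wordlist check finds, while the stub-plus-suffix combination is not. The complexity rules, the unsalted SHA-256 "encryption routine" and the tiny wordlist are assumptions constructed for illustration.

```python
import hashlib
import re
from typing import Iterable, Optional, Tuple

# Constructed toy wordlist standing in for the "whole dictionary" of comment 15.
WORDLIST = ["password", "summer", "summertime", "freddie", "fish", "letmein"]


def build_password(stub: str, suffix: str, sep: str = "_") -> str:
    """Combine the memorised stub with the written-down suffix, as the post describes."""
    return f"{stub}{sep}{suffix}"


def meets_complexity(pw: str, min_len: int = 12, history: Tuple[str, ...] = ()) -> bool:
    """Assumed rules of the kind the post complains about:
    minimum length, at least three character classes, and no reuse of a past password."""
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    class_count = sum(bool(re.search(c, pw)) for c in classes)
    return len(pw) >= min_len and class_count >= 3 and pw not in history


def store(pw: str) -> str:
    """Stand-in for the system's one-way routine (assumption: unsalted SHA-256 hex digest)."""
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()


def dictionary_check(stored: str, words: Iterable[str]) -> Optional[str]:
    """Run every wordlist entry through the same routine the system uses and
    report the word whose digest matches the stored value, or None if none does."""
    for word in words:
        if store(word) == stored:
            return word
    return None


if __name__ == "__main__":
    suffix = "summertime"                     # the part written on the post-it
    full = build_password("fr3d", suffix)     # stub is memorised, never written down
    print("complexity ok:", meets_complexity(full))
    print("suffix alone found:", dictionary_check(store(suffix), WORDLIST))
    print("full password found:", dictionary_check(store(full), WORDLIST))
```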

