Rob Kraft's Software Development Blog

Software Development Insights

The Contrarian Guide to Passwords

Posted by robkraft on June 9, 2011

Not everything you believe about passwords is correct.  In fact, some of what you believe is totally incorrect.  Allow me to explain some of the rules for computer passwords.

Rule #1 – Don’t hide the password.

This rule is for those who develop web sites and desktop applications. Back in the 70’s, a co-worker looking over your shoulder represented the biggest risk for password theft. To combat this risk, application developers resorted to showing asterisks on screen instead of the password characters as they were typed. What is wrong with this? First, it creates account lockouts: users enter their password incorrectly too many times because they cannot see and confirm what they are typing. Second, it causes users to choose shorter passwords in order to reduce the challenge of entering a mistake-free password on a screen where you cannot see the values you are typing. Third, very few people today are concerned about the person looking over their shoulder to steal their password. We are far more concerned with hackers on the Internet guessing our passwords through brute-force attacks. Therefore, most web sites and applications should show the password as it is typed. This will improve the accuracy of password entry and provide a more pleasant logon experience. Most applications should include a checkbox labeled ‘Hide password as I type’ to give the user the option of masking the password as it is entered.
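The form behaviour described in this rule, written out as an added example (it is not code from the original post): the field starts as a visible text input, and a ‘Hide password as I type’ checkbox lets the user mask it. The element ids `pw` and `hide-pw` and the `wirePasswordToggle` helper are assumptions made for this example; the decision logic is kept in a plain function so it can be exercised outside a browser.

```javascript
// Added example (not from the original post): a login form that shows the
// password as it is typed and offers a "Hide password as I type" checkbox.
// Element ids "pw" and "hide-pw" are assumptions for this example.

// Unchecked box => the field is a visible text input; checked => masked.
function passwordInputType(hideChecked) {
  return hideChecked ? 'password' : 'text';
}

// Markup for the form. autocomplete="current-password" keeps password managers
// working even though the field starts as type="text"; autocapitalize and
// spellcheck are switched off so mobile keyboards do not alter what is typed,
// which is the mistyping problem the rule is about.
function loginFormHtml() {
  return [
    '<form id="login">',
    '  <label for="pw">Password</label>',
    '  <input id="pw" type="text" autocomplete="current-password"',
    '         autocapitalize="off" spellcheck="false">',
    '  <label><input id="hide-pw" type="checkbox"> Hide password as I type</label>',
    '</form>',
  ].join('\n');
}

// Bind the checkbox to the field. `doc` is passed in (normally `document`) so
// the wiring can be tested with a stand-in object.
function wirePasswordToggle(doc) {
  const field = doc.getElementById('pw');
  const box = doc.getElementById('hide-pw');
  const apply = () => { field.type = passwordInputType(box.checked); };
  box.addEventListener('change', apply);
  apply(); // honour whatever state the box has on load
  return { field, box };
}

// In a browser: render the form and wire it up. Skipped under Node.
if (typeof document !== 'undefined') {
  document.body.insertAdjacentHTML('beforeend', loginFormHtml());
  wirePasswordToggle(document);
}
```

Because the field is a real `<input>` whose `type` is switched between `text` and `password`, the browser’s own handling of the value (autofill, form submission) is unchanged; only the on-screen rendering differs.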

Rule #2 – Write your passwords on a piece of paper.

If you would prefer to use a long and complex password but are afraid that you won’t remember it, write it down on a piece of paper. Remember, in most cases we are trying to protect our account from getting hacked by someone on the Internet, and they don’t have access to your basement office where you do all your work. So feel free to write down passwords and tape them to the wall or monitor. A long and complex password written on a piece of paper is more secure than a short and simple password that is easy to remember.

Rule #3 – Put all your passwords in one document on your computer.

Let’s face the truth, we all have a lot of passwords and we need to keep track of them somewhere besides in our heads. The convenient place to do so is on the computer so that you can find them when you need them. So how can we keep this document safe in case someone else gets on our computer, or our computer gets stolen? Well, you can store your passwords with a program like KeePass that will encrypt them all for you. You could also put them in an Excel spreadsheet, but if you do so, I recommend you name that spreadsheet something like system.dll. Make sure the file does not have the .xls extension. Most laptop thieves would never think to open system.dll in Excel or Notepad to see if it contained passwords. Of course, if your computer is stolen you should begin changing your online passwords soon.

Rule #4 – Print all of your passwords on a piece of paper and stash it somewhere.

A locked, fireproof safe in your house is an ideal location for this.  You want to put the list somewhere convenient for easy reference, but you don’t want to paste it on the refrigerator for the first burglar to spot.  Taping it below the desk your computer is sitting on, or tucking it in the refrigerator work well also.

Rule #5 – Use the same passwords over and over.

Do you need to create an account on a site you’ve never been to and never plan to go back to after you download their white paper? Then use the same simple password you have used on hundreds of other similar sites. I use the same simple password on the Pizza Hut web site, the Papa John’s web site, the On The Border web site, and a hundred other sites that have no financial information about me and no profile of myself that I am concerned about being vandalized. But you should never use a password used on an important site on any other site, because if someone at one site learns your password they may attempt to use it on other sites.

Rule #6 – Don’t change your passwords…

all at the same time.  Ok, I admit that I was just trying to trick you into reading this rule.  You should change your passwords probably at least once a year or more.  I don’t.  But do as I say, not as I do.  I change my passwords at work regularly, but not the passwords on my bank accounts, facebook, email accounts, etc.  I mean to change them though!  I have a reminder to myself to change them.  But I already have them all memorized and it takes a while to memorize new passwords, so if I change them I need to have my list of passwords accessible for a while as a backup to my brain.  Also, it takes a few minutes to come up with new good passwords and to go through the process of changing them.

My real advice here is that you should not try to change all your passwords at once.  Instead, pick a few to change every month.  Doing so will make it easier for you to remember the few new passwords you changed instead of trying to remember the fifty you changed all in one day.  Also, in case your computer happens to be infested with a keystroke logger, you don’t want to change all your passwords at the same time and give away all your passwords to every account you own in one day to the villain on the other end of the keystroke logger.

Rule #7 – Don’t even bother to remember or write down your passwords.

Most web sites provide links to send you a new password or a password reminder in case you have forgotten your password, so why even bother trying to remember it? Just enter a long, complex password, and then every time you need to log in use the ‘Forgot Password’ option to email the password to you. However, you probably don’t want to do this for sites you log into frequently.

Password guidelines

For really secure passwords, use a pass phrase at least 10 characters long with upper case, lower case, numbers, and a special character, for example TheRoyalsWon8-2! or MyChiefsLost49-0!. If you want to write it down, write down a mnemonic like SWOIyear for StarWarsOpenedIn1977. Then anyone can see your written mnemonic, but hopefully only you will know how to decode it into the password.

Another approach is to use a pass phrase for your password, but substitute some of the letters for numbers and special characters. Then, write down the pass phrase without substitutions. If your password is IH@veNoP@ssword, write down IHaveNoPassword.

One more option is to use foreign language phrases for passwords. In Spanish, Muy Caliente means very hot, and MuyCal1ent@ is a very strong password that is also resistant to English dictionary attacks.
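The guideline above, the letter-substitution trick and the dictionary-attack remark, turned into code a site could run at registration. This is an added example, not code from the original post: it checks the stated composition rule (10+ characters with upper case, lower case, a number and a special character), applies and undoes substitutions such as a→@, and then looks the de-substituted, case-folded form up in a blocklist, since that plain form is what a dictionary-based guess would start from. The blocklist contents and the substitution maps are constructed for this example; only the a→@ swap is taken from the post’s own sample.

```javascript
// Added example (not from the original post): a checker for the guideline
// above, helpers for the letter-substitution trick, and a blocklist lookup on
// the de-substituted form. Blocklist and substitution maps are constructed.

const GUIDELINE = [
  { name: 'length',  ok: pw => pw.length >= 10 },
  { name: 'upper',   ok: pw => /[A-Z]/.test(pw) },
  { name: 'lower',   ok: pw => /[a-z]/.test(pw) },
  { name: 'digit',   ok: pw => /[0-9]/.test(pw) },
  { name: 'special', ok: pw => /[^A-Za-z0-9]/.test(pw) },
];

// Names of the guideline checks a password fails; an empty array means it passes.
function guidelineFailures(pw) {
  return GUIDELINE.filter(rule => !rule.ok(pw)).map(rule => rule.name);
}

// Turn the written-down phrase into the password by swapping letters per `map`,
// e.g. substitute('IHaveNoPassword', { a: '@' }) gives 'IH@veNoP@ssword'.
function substitute(phrase, map) {
  return [...phrase].map(ch => map[ch] ?? ch).join('');
}

// Undo the swaps. This is the form a dictionary attack with substitution rules
// recovers, so it is the form to test against a blocklist.
function unsubstitute(pw, map) {
  const inverse = Object.fromEntries(Object.entries(map).map(([k, v]) => [v, k]));
  return [...pw].map(ch => inverse[ch] ?? ch).join('');
}

// Constructed stand-in for a much larger list of leaked and common passwords.
const BLOCKLIST = new Set(['password', 'iloveyou', 'letmein', 'qwerty123']);

// True when the password, with substitutions undone and case folded, is on the list.
function isBlocklisted(pw, map) {
  return BLOCKLIST.has(unsubstitute(pw, map).toLowerCase());
}

// Combined verdict a registration form could use. The default map covers the
// usual letter-to-symbol swaps (assumed for the example).
function evaluatePassword(pw, map = { a: '@', i: '1', o: '0', s: '$' }) {
  const failures = guidelineFailures(pw);
  if (isBlocklisted(pw, map)) failures.push('blocklisted');
  return { acceptable: failures.length === 0, failures };
}
```

Run over the post’s samples, TheRoyalsWon8-2!, MyChiefsLost49-0! and MuyCal1ent@ pass every check, while IH@veNoP@ssword fails only the digit check, because the a→@ swap adds a special character but no number. Something like P@ssw0rd fails on length and, once the swaps are undone, on the blocklist, which is the reason the lookup is done on the plain form rather than on the typed characters.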

But if you really need a great password, go to https://www.grc.com/passwords.htm to have one generated for you.
