Managing strong passwords: You got a better idea?

Our recent article that listed some real-world bad passwords provoked a flurry of comments on the virtue of complex credentials vs. the difficulty of remembering them without writing them down, as the experts all say is important.

So we're launching a contest. In the comments below, give us your best tips for creating and remembering strong passwords – without writing them down. The GCN editors will judge and the person who submits the best tip will win a prize. (Really!). We'll take entries for one week, ending on Monday, May 24.

The article detailed a security firm's analysis of several million passwords that a hacker had stolen from a Web site. The analysis showed that nearly half of the passwords were exactly the kind security experts say you should never use: sequential numbers, dictionary words and even the word "password."

Bruce Falk noted the other extreme: Policies that require excessively complicated and frequently changed passwords.

"This article fails to account for the disconnect between online security and practical human frailty," Falk wrote. "Yes, these passwords represent rock stupidity, but so do policies and infrastructures which require multiple log-in identifications and passwords, entry of certain arbitrary characters (e.g., caps/lower case mixtures or alphanumeric mixes with symbols), and which then insist on frequent (less than 24 mos.) changes to same."

Such requirements can actually undermine security, Falk added, because they encourage users to "select least-common-denominator IDs or passwords (which are easy to remember), to rely on cookies or workstation keystroke recall, and/or to maintain easily located files or hard-copy cheat sheets with the necessary access information."

What's needed, he said, are password policies that take into account both the need for hard-to-guess passwords and human limitations for memorizing complex strings. "If we could identify a workable middle-ground, we could stop laughing at inadvertent or foolhardy security policy abusers and likely increase genuine security (as opposed to security theater)," Falk wrote.

Not everyone agreed. James Reeves, responding directly to Falk's comments, wrote: "By insisting on upper and lower case, numbers and special characters, we increase exponentially the number of random guesses that an automated process must go through to discover a password. At the same time we eliminate the possibility of common words, simple sequences of numbers or letters, and so forth. The rules about 'strong' passwords are sound."

Carl Andersen then addressed Reeves and Falk, partially agreeing with both, bot not fully endorsing either.

"I have some sites that require password every 60 days, others every 90 days and some that never require a change!" Andersen wrote. "In addition, some sites will not accept certain symbols, such as hyphens, while others accept hyphens but not underscores! Finally, some applications will not let users select their own passwords, but instead create passwords using a random collection of letters, numbers, and symbols. It is this lack of uniformity that makes it so difficult and annoying to maintain security. It is impossible for me to not keep a cheat sheet when I have over 20 work related applications/web sites for which I need to maintain current passwords – with different schedules and rules."