Thursday, October 21, 2004

Password Memorability

Creating a password is always such a pain. I was reminded of this recently when I got an email from eBay's SafeHarbor security telling me that my account had been suspended. The email suggested that I go to eBay's site (no addy given, so I was to use my own lookup and link), then change my eBay password and my secret question, and then go to the email addy I use for eBay and change its password in order to protect it. Not only did I have to do that, but I also had to change the email password in Outlook and in MSN Messenger, since I use an address for eBay that is via Hotmail and use the same addy as one of my logons for Messenger. Ugh! For good measure, I changed the password for my other Microsoft-related email account.

Now, reminding myself of all of the places I had to change the passwords was one thing, but coming up with new passwords was another issue. What method do you use?

I used to use a method that involved some sort of word, program, or novel name with some sort of easy to recall numeric sequence in front of and/or behind the word. Later, as I became more cautious with security, I began using mnemonic phrases, also incorporating numerals and special keys. Now, I use more random passwords with numerals and special keys and make them at least 8 characters long (usually more).

Anil John has an interesting blog post on password memorability. In the comments, Robert Hessing of Microsoft Security suggests getting rid of passwords and using passphrases instead. It's a nice thought for Windows networks, but in cases like email, where we are limited to, say, 12 characters for a pass code, it's unworkable.
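To put some numbers on the three methods above (word plus digits, mnemonic phrase, random characters) and on the passphrase-versus-12-character-cap problem, here is an added example. It is not code from this post or from the linked articles; the dictionary size of 50,000 words, the 7,776-word Diceware-style wordlist, and the average word length of 5 are assumptions chosen to illustrate the comparison. The random generator uses Python's `secrets` module, which is the right source for passwords (the `random` module is not).

```python
import math
import secrets

# Character classes for a "random with numerals and special keys" password.
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?/"
DEFAULT_ALPHABET = (
    "abcdefghijklmnopqrstuvwxyz"
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "0123456789"
    + SYMBOLS
)


def random_password(length: int = 12, alphabet: str = DEFAULT_ALPHABET) -> str:
    """Draw each character uniformly from `alphabet` using a CSPRNG.

    Enforces the post's rule of thumb of at least 8 characters.
    """
    if length < 8:
        raise ValueError("password length must be at least 8")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def uniform_bits(choices: int, count: int) -> float:
    """Entropy in bits of `count` independent uniform picks from `choices` options."""
    return count * math.log2(choices)


def word_plus_digits_bits(dictionary_size: int = 50_000, digits: int = 4) -> float:
    """Entropy of 'dictionary word + short digit sequence'.

    dictionary_size=50_000 and digits=4 are assumed values. The extra 1 bit is
    the prefix-vs-suffix choice the post describes; an attacker who knows the
    pattern only has to try the dictionary times the digit range times two.
    """
    return math.log2(dictionary_size) + uniform_bits(10, digits) + 1


def passphrase_bits(words: int, wordlist_size: int = 7776) -> float:
    """Entropy of `words` words drawn uniformly from a wordlist (7776 = Diceware size, assumed)."""
    return uniform_bits(wordlist_size, words)


def max_words_within(char_cap: int, avg_word_len: int = 5) -> int:
    """How many space-separated words of average length `avg_word_len` fit under `char_cap`.

    n words need n*avg_word_len + (n-1) separator characters.
    """
    return (char_cap + 1) // (avg_word_len + 1)


def compare(char_cap: int = 12) -> dict:
    """Bits of entropy each method can deliver under a hard character cap."""
    words = max_words_within(char_cap)
    return {
        "word_plus_digits": round(word_plus_digits_bits(), 1),
        "passphrase_under_cap": round(passphrase_bits(words), 1),
        "random_under_cap": round(uniform_bits(len(DEFAULT_ALPHABET), char_cap), 1),
    }


if __name__ == "__main__":
    print("sample random password:", random_password(12))
    for method, bits in compare(12).items():
        print(f"{method:>22}: {bits:5.1f} bits")
```

Under a 12-character cap only two words fit, so a passphrase delivers about 26 bits, far less than the roughly 77 bits of a 12-character random string over this 86-character alphabet; the word-plus-digits pattern lands near 30 bits. The cap, not the passphrase idea, is what makes passphrases unworkable there, which is the post's point.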

Interesting reads. How do you create your passwords/phrases? Do you use passphrases? Are you concerned about the security?
