My Bank asked me to set up an 8-character password. So I chose Snow White and the 7 Dwarves.

I can’t remember whose line that is. Tim Vine, maybe.

Anyway, IAP President, David Morgan, recently raised the password issue in a LinkedIn post. That’s prompted me to describe the system I’ve been using for several years now.

First, I select an alphanumeric sequence of half a dozen or so characters that’s meaningful to me but impervious to a dictionary attack. Let’s suppose I choose the initials and birth date of a relative, which generate:


Now I perform some simple arithmetic on the date component to avoid attacks that expect a date to be present. Adding 30 to each of the day and month components will do:


That now forms the root of all my passwords. Then I add a component that reflects the account I’m setting up. Let’s take a shopping site, Not On The High Street, as an example. Suppose that I extract the last letter of each word:


Now I divide the keyboard into two roughly equal groups. Let’s say the top row (Q – P) and the rest (A – M). Letters that appear in the top row are upper case, the rest lower case. We now have:


for the whole password, unique to Not On The High Street.

Finally I add a couple of special characters, choosing a pair that appear on the same key (for a reason that will become clear in a moment). Let’s choose ‘?’ and ‘/’. Now I adopt the rule “the rightmost lower case character is followed by ‘/’ and the rightmost upper case character is followed by ‘?’”. This gives:


Finally, I add month and year data at some arbitrary place in the string so that I can change the password every month:


which would be my password for December 2014.

So I end up with a password that’s around 20 characters long, contains upper and lower case characters, digits and special characters and has no components that have dictionary or similar vulnerabilities. To save me the bother of remembering a password string, I maintain a spreadsheet that generates it automatically from my set of rules (which, it goes without saying, aren’t the ones I’ve listed here). The spreadsheet is, of course, itself password protected. I can log into a site by copying the relevant cell and pasting its text to the password field. That frustrates any attempt at keylogging.

Comments are closed.