VSJ – April 2003 – Sounding Board

Robin Jones considers the password conundrum

Not long into the New Year, a report circulated around the news wires that up to 80% of calls to help desks were from users who had forgotten their passwords. Admittedly, that was the top end of the scale but 35% of respondents to a survey by Axios Systems put it at around half of all calls. On that basis, all our help desks are overstaffed by a factor of two. Or they would be, if we could solve the password problem by a method more secure than leaving it printed on a post-it note on the monitor.

This problem first came my way about 10 years ago when I was running an IT department that served some 250 users. My support staff would chortle gaily that so-and-so had forgotten his password for the third time that week and reset it without a further thought, beyond using the event to confirm their prejudice that all users are incompetent. So I decided to get the support staff to train the users to choose passwords that were both secure and memorable. We had set up the system to require users to choose a new password on the first day of every calendar month. It kept a log of previous ones and would reject any attempt at reuse. So it wasn’t really surprising that users got confused. Some of them would choose the names of Manchester United’s first team and then forget where they’d got to, for instance. Even if they got that right, they had a new problem in about a year’s time, football teams having a finite membership. I told the help desk staff to suggest the following technique:

  1. Choose a base word, which will never change, in a mixture of upper and lower case, LEMoNAdE, say.
  2. Make sure that you have a mnemonic to remember the upper case letters – in the above example, all the letters that have no curves in their upper case forms.
  3. Now insert the current month and year (mm, yy) in a memorable way. Writing m for a month digit and yy for the two-digit year, the general form of the password might become LEmMmoNAdEyy (the two month digits surround the ‘M’ for memorability). For April 2003 this gives LE0M4oNAdE03; note that the capitals of the base word are kept exactly as the mnemonic dictates, since a base word whose case drifts from month to month is the thing users mis-remember.

This wasn’t a panacea, naturally. People still forgot their passwords or mis-remembered their algorithms. But there were many fewer ‘nuisance’ calls (as the Help Desk perceived them), which, as a by-product, improved the relationship between users and IT support staff.

Of course, because the scheme is algorithmic, it’s potentially more susceptible to a hacker who knows the system. But if that’s a threat, it’s easy to add ‘day’ information and change passwords daily. Cracking that in real time wouldn’t be easy. The caveat is that the date fields only stop a captured password from being replayed later: anyone who has seen one password and knows the pattern can strip the digits to recover the unchanging base word, after which tomorrow’s password is computed rather than cracked, daily change or not. The scheme buys memorability and fewer help-desk calls; it does not buy unpredictability against someone who knows the rule. We’d be interested to hear of password tips and tricks that have worked for you.
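The following is an added example, not code from the column or from the IT department it describes. It implements the three steps above in Python (the straight-line mnemonic, the base word, the mm/yy insertion around the ‘M’) and the daily variant suggested in the last paragraph, and then shows the point raised there: with one observed password and knowledge of the pattern, the base word is recovered by stripping the digits and any later password is simply computed. Assumptions beyond the text: the anchor is the first ‘M’ in the base word, and in the daily variant the two day digits are appended just before the year.

```python
from datetime import date

# Upper-case letters drawn with straight lines only: the column's mnemonic
# for which letters of the base word to capitalise.
STRAIGHT_LINE_LETTERS = frozenset("AEFHIKLMNTVWXYZ")


def apply_mnemonic(word: str) -> str:
    """Step 1 and 2: upper-case exactly the letters whose capitals have no curves."""
    return "".join(
        c.upper() if c.upper() in STRAIGHT_LINE_LETTERS else c.lower()
        for c in word
    )


def follows_mnemonic(base: str) -> bool:
    """Check a hand-chosen base word against the mnemonic; case drift is the
    usual way users mis-remember their own base word."""
    return base == apply_mnemonic(base)


def scheme_password(base: str, when: date, anchor: str = "M", daily: bool = False) -> str:
    """Step 3: the two month digits surround the first `anchor` letter and the
    two-digit year is appended. With daily=True (the column's suggested
    hardening) the two day digits go before the year. (Assumed placement.)"""
    i = base.index(anchor)
    mm = f"{when.month:02d}"
    dd = f"{when.day:02d}" if daily else ""
    yy = f"{when.year % 100:02d}"
    return base[:i] + mm[0] + base[i] + mm[1] + base[i + 1:] + dd + yy


def recover_base(observed: str, anchor: str = "M", daily: bool = False) -> str:
    """Attacker's step: strip the date fields from one observed password to
    get the unchanging base word. Raises ValueError if it does not fit."""
    body = observed[:-4] if daily else observed[:-2]
    i = body.index(anchor)
    if i == 0 or i + 1 >= len(body) or not (body[i - 1].isdigit() and body[i + 1].isdigit()):
        raise ValueError("observed password does not fit the pattern")
    return body[:i - 1] + body[i] + body[i + 2:]


def predict_password(observed: str, target: date, anchor: str = "M", daily: bool = False) -> str:
    """Given one observed password and a target date, compute (not crack) the
    password for that date. Works equally for the monthly and daily variants."""
    base = recover_base(observed, anchor, daily)
    return scheme_password(base, target, anchor, daily)


if __name__ == "__main__":
    base = apply_mnemonic("lemonade")                      # LEMoNAdE
    april = scheme_password(base, date(2003, 4, 1))        # LE0M4oNAdE03
    print("April 2003 password:", april)
    print("base recovered from it:", recover_base(april))
    print("May 2003, computed by the attacker:", predict_password(april, date(2003, 5, 1)))
    today = scheme_password(base, date(2003, 4, 14), daily=True)   # LE0M4oNAdE1403
    print("daily variant, 14 April:", today)
    print("tomorrow, computed by the attacker:",
          predict_password(today, date(2003, 4, 15), daily=True))
```

`recover_base` is the whole attack: no guessing is involved once one password has been seen, which is why the day field changes how often the attacker has to recompute, not whether they can.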

