This is full of tricks relating to choosing passwords. Passwords for accessing websites. Passwords to use when locking a file by encryption. Passwords for almost anything! As is always true, one size does not fit all. If you have a password need that isn't met by something below, do, please get in touch.
(There are many programs available to encrypt your files. This isn't about that! Whether you use a special program, or simply the 'password protect' option provided with good applications, you are faced with the problem of choosing (and remembering!!) a password. (Where the encryption is used to protect a file in transit, there is also the problem of letting the recipient (only!) know what the password is.) (It may amuse... and reassure?... you to know that this page has been around so long that at one time I had Quattro and AmiPro as examples of good applications.))
Also here: I have also put something here about a way to "share without sharing". Very much a "password" thing. Not so much about "protecting files". It is down at the bottom: "How to share secrets on Facebook".
Two final quick comments in passing:
a) Proton Mail: Encrypted email. Free. You can send to non- Proton users, too.
b) If you use the Libre Office or Open Office wordprocessor, you can encrypt you document, you can create password protected .pdf's to send to correspondents who do not have your word processor.
We all have passwords. They are a pain in the neck. It is tempting to just have one password for everything. Bad idea. Do I operate "the perfect" password management regime? Of course not. But you can go a long way towards good password management with just a few simple things. And if you want to do more, there are more suggestions further down the page.
Include digits in your passwords. Include some upper case ("CAPITAL") and lower case ("small") Letters iN yOUr PaSsWoRdS.
Better still, when it is allowed: Include some punctuation marks, if only the occasional hyphen.
But... in general... don't get carried away. A superb password policy will probably be so complex that in everyday use it does as much to frustrate you as it does to frustrate the people you are trying to keep at bay.
Confession: I don't put many uppercase letters in my passwords, because lower case letters are easy to type.
A bit of useful fun: I often include the date I first created a password for a given account or document in the password. Years later, it is amusing to be reminded that I've had a particular account since the date in the password. Telling you more than I should, I will go further and say that if I were setting up a password for Facebook today, 26 Mar 2012, the password might be "fb12mar". A weak password... but at least it has some digits in it.
You will need to write your passwords down somewhere. If you keep that list in a machine readable form, with an ink-on-paper copy to refer to for day-to-day needs, then use your wordprocessor's facility for saving things with a password. And don't write your passwords down in that document in a form that gives everything away. Your ink-on-paper copy may go astray.
To my hypothetical Facebook password mentioned above, I would add something extra. For the sake of this example, let's say I decide to add "Panthera" to it, making the full password "fb12marPanthera". But I wouldn't write that down in my passwords list. I'd write "fb12mar//1tiger//"... and be sure never to use "//" in any password. I would be setting that aside to delimit cryptic clues in my password list. How does "1tiger" turn into "Panthera"?
I have a background in biology. The "Latin" name for a tiger is Panthera tigris. So, knowing my password scheme, and seeing "tiger", I know to substitute "Panthera". (Any biologist will tell you that genus names are always written with the first letter in upper case... thus putting at least one uppercase letter in my password, one that I will know is upper case, and thus making it a stronger password.
Of course, not everyone is a nature lover. Not everyone will base their password trick on Latin names. But everyone has some personal special interest which they can draw on to create a similar scheme.
Why "//1tiger//"? The "1" is there to allow other schemes.... for instance, here's something really simple...
If, in my hypothetical world, I saw "fb12mar//2fred3//" in my list of passwords, I would say....
"Ah! This is a scheme 2 encoded password. So..."
"Ignore the "fred"... that's just there to throw unauthorized users of this list off, and was a word picked at random by me."
"Scheme two is based on my favorite musical, Billy Elliot, and the phrase from that "Give 'em the old razzle dazzle"."
"Take the "3" from the hint, and because it was a 3, go to "the", the 3rd word in the phrase."
"Use the first two letters only... because that's "the rule", nothing to do with the fact that this is hint scheme "2"... and use uppercase for the first one.... the full password is...."
fb12marTh
That gives you a very simple system which you can do entirely in your head, with no need for "keys" to the hint scheme. Being so basic, I would recommend that you restrict its use to not-very-important-password situations, but we all have plenty of those. The first idea below gives you a stronger system... but one with elements of the simple idea we just finished. The overlapping elements will help you remember the systems, if you use both.
It is a terrible fact of life that people sometimes die suddenly- "hit by a bus", etc.. Or at least become incapacitated, e.g. a serious stroke.
Think of the people who will have to step in, deal with the situation.
On a less horrific level, what if your data "dies" suddenly? Are your passwords all in a nice, tidy, wordprocessor document? Do you have an "ink-on-paper" copy, in case your computer "dies"?
But if you have it on the computer... what happens if you have to leave the computer with some third party to have a repair or upgrade done? Are you sure they won't snoop around your hard drive? Won't misused the information there. (Put the passwords document in an encrypted file or folder.) (Your computer could always be stolen, even if it never needs repair.)
So... you have an encrypted machine readable file, and a hardcopy backup. Does the hardcopy have your passwords written out in plain text? See below for tricks for "writing" your passwords without writing them in an obvious way.
Back to "what if you become incapacitated?"
We'll assume that your passwords are in a machine readable file... either on your computer, or in the cloud.
But that the file is password protected.
If your Amazon account's password deserves "50 points worth" of care and concern, how many points is the global password to all of your passwords worth?
So how do you protect it, and make it available to the person/ people who will need it, should you become incapacitated?
Here's one way... One that also has the benefit of providing accountability, to help ensure the password isn't used before such use would be legitimate.
For the sake of a simple example, let's use the following for "your password". Of course, in real life, it would be something longer and with no "pattern" within it.
a b c d e f g h i
To provide for the possibility that you are suddenly not available, choose two trusted friends to be the guardians of your passwords... when both feel "the time has come". But give each only half of your master password. They must BOTH feel it is time. And use of the password becomes accountable... (Keep reading... the idea is better than that!)
What if, when the time come, one of them is not available? (Or one of them have lost(!) their piece of the puzzle?
Answer: Give a group of THREE people a way to access all your passwords if any TWO of them feel it is time.
How? If your password were what I said a moment ago, give the following to your friends...
First person gets...
a b c d e f - - -
Second person gets...
a b c - - - g h i
Third person gets...
- - - d e f g h i
Now any two of them have "enough"!
You would (of course) want to use a password of at least 12 characters, and to use both upper and lower case letters, digits and punctuation marks. Be sure to make clear to your friends what represents a "missing character" in the incomplete string they have been given.
(If you want to be especially obscure... but increase the chance of them failing to recover the master password... you COULD use random letters for the job done by the hyphen in the example... as long as a different character appeared in every position a hyphen held. But you'd have to get your trustees to understand that they need to compare what they have, and only use characters when what's in a given column in both (or all three) password clues. And remember that extra bit of the whole, already challenging puzzle. Remember that they will be under stress if they have to use it.)
Problem solved. Now you just have to make the time to go and set that up for your family/ executor!
Before we go further, let me point something out.
As much as we would all like to use human friendly strings of characters in our passwords, it is a Bad Idea to incorporate actual words in passwords. No matter how cleverly you devise a prompt to, say, "hidden123", the inclusion of an actual English word, "hidden", in the password weakens it. My thanks to the reader who wrote in to point out that I hadn't said that on this page. To quote my kind reader's email:
"Determined hackers are making greater use of what are known as rainbow lists. They are composed of commonly used words, quotes and number combinations." "
No system will ever be impregnable. One way to have your cake (use words), and eat it to (protect from rainbow lists) is to reverse words in your passwords. E.g. "neddih123" would be stronger that "hidden123".
Here are some more ideas which overcome some of the problems of using passwords.
Make yourself a little card like the following....
A B C D E
1 9 7 5 3 1
2 8 6 4 2 0
3 WBJL AWD PGEF JLT IEB
(Don't worry about the last line for the moment.)
In your mind, but not written on it anywhere, call it your "Secrets Card". Now if you want to write down the password "pw08Dec", you can write down "pw//SCe2//8Dec", which being interpreted is "pw" + Secrets Card cell e2 (which is "0") + "Dec". Without the secrets card, and an understanding of how to use it, the list of passwords is useless. The "//" are used, as in the simple idea further up the page, just to "set off" the part that is the cryptic clue, which is meaningless to anyone who doesn't have the Secrets card.
You could, of course, write "pw08Dec" down as "pw//SCe2SCa2//Dec", encoding both the "0" and the "8" with the Secrets Card trick.
The final line on the secrets card in the example goes a step further. You'd have to adapt what I've done, to fit your background. In my life, I've known some remarkable people. Each cell in line 3 contains the initials of one of those people. And if WBJL's first name was Warren, then if I had a password recorded as "Dec08-SCa3", then the actual password would be "Dec08Warren". (Prizes to any friend who can explain how Warren goes with WBJL, which isn't actually WBJL's first name. But you had to know me 40 years ago to get the answer to that!) The other groups of letters are also people from my life, and in my mind a name goes with each.
Of course, there are other ways to indicate something in cells on the card without writing them out explicitly, and if you take up this idea, you should probably create a more extensive card for yourself. Try to create things that will have fixed uses of uppercase letters embedded in what you have chosen.
When putting a password on a file, you can make the password visible to you from just the file's name by the following, or some variation of your choice...
Call your file anything you like, but let me add three extra characters to the first part of the name. For example, if you want to call something "PHONES.TXT", that's fine... but I would change the name to "PHONES423.txt" if I had used "ursdaesday" as the password for the file. How on earth are you supposed to remember that? I am using 'my' three characters as follows.
The 423 tells me that the password is made from parts of....
In this hypothetical system, I always use parts of two days of the week in every password. I always take 5 characters from each. I started (this time) with the 3rd letter in each name, because of the last character (3, this time) in my code tells me which letter of the day's name to start from. An additional safeguard and aide-memoir would be to put files thus encrypted in a folder called "DaysOfWeek". Meaningless to an unauthorized snooper poking around your hard drive, and probably not attractive... and at the same time a reminder to you of the system you were using for passwords on the files in that folder.
Now you have a way to 'mark' your files with an indication of the password which will unlock them. If you send things to other people across the net, you can tell them the system and they will know the password from the file's name.
For more critical missions, you can extend the system. Use letters instead of numbers, so 'dce' would mean use the 4th (d is 4th letter) and 3rd starting points, start at the 5th point within each. For such a system, a book with pages 1-26 marked 'a' to 'z' would be helpful. The third character could be interpreted as 'Use the first word on the nth (5th in example) line.'
Another, simpler, trick: If you are fond of the song "A Nightingale Sang In Berkeley Square", then the password "ANSIBS" (first letter of each word) is easily derived from that. You just have to remind yourself, by an oblique reference, which song the password derives from. Using first letters of a familiar phrase can be applied in many ways to many things.
Passwords with digits and characters other than letters are generally stronger than those without. Passwords become even stronger if you put in punctuation marks. As mentioned previously, to get some digits into a password, I often incorporate a date. So, say I sign up for NetFlicks in December 2008. My password might well be nf08dec. (Using a mixture of uppercase and lower case is also a good idea... if you can be bothered, e.g. NF08Dec... but be careful with using mixed case. It is easy to get confused about where you used an upper case letter, and many authentication systems are case sensitive.)
The excellent Shortkeys is a wonderful utility for Windows. (The link takes you to their very generous "free use" version. No time limit.)
Because of Shortkeys, across all of my Windows work, if I want to type out my rather long and tiresome eddress, Ng100...@yahoo.co.uk I only have to type q-n-g. That instantly disappears, and is replaced by my eddress. (I chose the "type eddress" "code". I start all such codes with a q, making sure that the next letter isn't a u. Thus, I prevent fragments in ordinary words triggering keystroke replacements.)
What's this got to do with passwords?
It introduces a bit of insecurity, but I think it is worth it, and maybe on balance improves your password security if you use something like Shortkeys as follows...
Set up a few Shortkeys like qpw1, qpw2, qpw3. They could expand to, say....
Re5Ul7Of;pw1 22//3:4Five Abc123
... respectively. Now you have three "prefixes" that are easy to use, easy to refer to cryptically.
So, my passwords, for the following, might be... (bear with me!...)
Facebook: Re5Ul7Of;pw1OtherBit Amazon: Re5Ul7Of;pw1Azon eBay: 22//3:4FiveeBay
.. but to ENTER (or note on a piece of paper) my passwords, I'd only TYPE...
qpw1OtherBit qpw1Azon qpw2eBay
Use YOUR imagination! Mix bits of some of the above together, and create YOUR "answer".
I hope you found the ideas above useful and interesting. (A quick email or Facebook "Like" would be welcome if so!) The ideas are not earthshaking... but maybe they will inspire you to imagine systems which work well for you. I have ideas for a more complex, more secure system of 'locking' files based on 'one time pads' stored on floppy discs. Let me know if you would be interested?
You want to send your phone number to someone you "know" on Facebook. (Be careful about that, by the way.) But you don't want to announce it to the Facebook world. (2.3 billion users, they say. And who knows how many computer systems Facebook has sold data to.)
You name here, as is tradition, is "Alice". Your friend is Bob.
For this to work, Alice and Bob need to be able to refer to something obliquely. Let's say they both know Mrs. Smith, known as "Mamma S", who has one grandchild, "Henry". And that connecting "Henry" to "Mamma S" would be difficult for anyone who shouldn't have the phone number.
Let's say Alice's phone number, the one she wants Bob... but not anyone else... to have is 860-676-5432.
Alice would go to Code Beautify's Online Decrypt Encrypt page. An easily "passed on" way to get there is "http://bit.ly/EncryLite", which takes you to https://codebeautify.org/encrypt-decrypt.
She would put 860-676-5432 into the big box, "Enter plain or cipher text" box, just above the "Encrypt"/ "Decrypt" boxes, and "henry" into the "Enter Key" box above that. "Arcfour" and "CBC" will do fine for the two boxes on the first line.
And click "Encrypt", and copy the test that appears in the "result" box, at the bottom of the page. That text, for the example we are doing, should come up as...
Pehi7OhfyEn9qxuO
Then she'd send the following to Bob, via a FB message...
Hey, Bob... Go to http://bit.ly/EncryLite. Put "Pehi7OhfyEn9qxuO" (without the quotes) into the "Enter plain or cipher text" box, give it Mamma S's grandchild's name (all lower case) for the key. Use the default "Arcfour" and "CBC". Click the Decrypt button".
And, presto, Bob should have the "860-676-5432"!
Final caveat... The really paranoid will want to remember: Code Beautify can see anything you put on their page. Do not, for instance, put "the code to access bank account 1234 at Bank Of Mugs is ABCD" into the encryptor. You may laugh, but this illustrates nicely the dangers of Big Data, if you think about it. Once we could keep "bits of our lives" separate. Now that is increasingly difficult.
Page has been tested for compliance with INDUSTRY (not MS-only) standards, using the free, publicly accessible validator at validator.w3.org. Mostly passes.
AND passes...
