Simple Two Tier Password Setup

28 02 2012

First, why should you have two tiers of passwords?  Every once in a while a company will have a breach and all of its user names and passwords will be stolen.  An attacker can then try every stolen user name and password pair on other popular sites, and thus break into the rest of your life.

Password limits are stupid, courtesy of XKCD and creative commons

There are a million different things that people say make a good password.  There is no such thing as a completely secure password (especially with keyloggers existing), but I have a few simple tips to help you develop a great two tier system that will protect from:

  • brute force
  • someone getting your password on one site, then using it on another
  • someone getting a low level password, like to log on to comment on a blog, and using it to access a high level password, like your banking
  • forgetting your password

If you’re paranoid, the best thing to do is use a password storage program, such as KeePass.  You can have it generate extremely complicated passwords and copy and paste them every time you want to use them.  Personally I don’t like that system, so I use a simple two tier variable password setup.  Here are some of the basic rules:

  • Use lower case, upper case, numeric, and symbolic characters
  • Be able to substitute for symbolic characters when stupid websites won’t let you use symbols
  • NEVER use the same exact password twice (but they can be close)
  • Save your passwords in a secure storage program just in case.  I also keep a copy of the master password and instructions for accessing my passwords in my safety deposit box, so that if I die my family can access my digital life
  • Have at least two tiers of passwords to separate important things like banking from unimportant things like a forum logon

Creating Your Passwords

You need to create two separate passwords, the first being about 7 characters long and the second greater than 15 characters long.  I would prefer both to be 15+ characters, but most websites impose very short maximum password lengths.  Here’s the process, with an example.

  1. Choose a word, phrase, or character trait.  I will choose entelechy
  2. Sub in some numbers.  3 can be e, 1 can be L, or you can just randomly add some.  3nte1echy
  3. Sub in some symbols.  a can be @, 1 can be a semicolon ;, o can become parentheses (), etc.  3nte1ec^  I chose the caret because it is phonetically the same, so I would think “entelec key” when typing.
  4. We haven’t used uppercase and we haven’t distinguished our password between websites yet.  We can solve both by adding three capital letters which are derived from the specific website.  Make a rule, for example: the first letter, last letter, then second letter of the website name.  So gmail would be 3nte1ec^GLM.  Or you can get more complicated, such as using the second consonant, last vowel, first letter: 3nte1ec^MIG.  Also, have an “escape” rule, in case you have some website like AAA, which has no consonants.  So, for example, if there is no consonant or vowel, sub in the last letter of the website name.

Now repeat to create a stronger password, but with a phrase which is about 15 to 20 characters long.  A phrase will work better than a word for this one, for example: Iloveyourdeepblueeyes, yugiohrocksmyworld, idriveanacuraintegra, etc.
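The tagging rules from step 4 written out as code, as an added example that is not part of the original post.  The rule names and the `shared_prefix` check are my own; the check is there so you can see how much of two site-specific passwords is identical, which is the thing to weigh when deciding whether a three-letter tag gives enough separation between sites.

```python
import string

VOWELS = set("aeiou")


def site_tag_simple(site: str) -> str:
    """Rule from the post: first letter, last letter, second letter, uppercased."""
    s = site.lower()
    return (s[0] + s[-1] + s[1]).upper()


def site_tag_phonetic(site: str) -> str:
    """Second consonant, last vowel, first letter, uppercased.

    Escape rule from the post: if the site name has no second consonant or
    no vowel, substitute the last letter of the site name for that slot.
    """
    s = site.lower()
    consonants = [c for c in s if c.isalpha() and c not in VOWELS]
    vowels = [c for c in s if c in VOWELS]
    second_consonant = consonants[1] if len(consonants) >= 2 else s[-1]
    last_vowel = vowels[-1] if vowels else s[-1]
    return (second_consonant + last_vowel + s[0]).upper()


def derive(base: str, site: str, rule=site_tag_simple) -> str:
    """Base password (already substituted, e.g. 3nte1ec^) plus the site tag."""
    return base + rule(site)


def has_all_classes(password: str) -> bool:
    """Check the post's first rule: lower, upper, digit and symbol all present."""
    return (any(c.islower() for c in password)
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in string.punctuation for c in password))


def shared_prefix(p1: str, p2: str) -> int:
    """Length of the identical leading run of two passwords.

    Everything before the site tag is common to every site, so a leak of
    one password exposes this many characters of all the others.
    """
    n = 0
    for a, b in zip(p1, p2):
        if a != b:
            break
        n += 1
    return n
```

With the post's base password, `derive("3nte1ec^", "gmail")` gives `3nte1ec^GLM` and the phonetic rule gives `3nte1ec^MIG`; two sites under the simple rule share the first 9 characters when their names start with the same letter.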

Save your base passwords in your password manager, along with the rules you use to complete them.  The last thing to do is type your password several (hundred) times to help get it imprinted in your motor memory (also a good way to remember phone numbers).  If I had to read off my actual password, it would take me several minutes to actually remember what it is, but I can type it in a second or two.

And that’s all there is to it.  Now you have two passwords with upper case letters, lower case letters, numbers, and symbols, which are relatively easy to remember and that are never the same on two different websites.



2 responses

28 02 2012

Because of you, I had changed a bunch of my passwords 😛

6 03 2012
Extra Password Security Tip, plus some extras « Russell Nagami's Blog

[…] Forgot to include this rule in my recent post on passwords: […]
