Tech Sense May 2023: World Password Day 2023
Updated: Sep 27
World Password Day 2023
May the 4th be with you. This year World Password Day occurs on Star Wars Day. It seems like such a long time ago in a galaxy so far, far away. In case you don’t remember, the first Thursday in May has been designated as World Password Day. A day to remember to change all of your passwords. The day when I begin changing all of my passwords, because I am not able to do the job in a single day.
To be fair, there is also a National Change Your Password Day that occurs on February 1st. I tend to ignore this one, and since the National Institute of Standards and Technology (NIST) recommends only changing passwords once a year, I choose to use the later date.
Passwords have of course been in the news lately. The password manager known as LastPass has been cracked very publicly, not once but multiple times. If you are using LastPass, I strongly recommend first changing to a different password manager and then immediately replacing all of your passwords with new, hard-to-crack passwords for each website and application you use.
A Word on Password Managers
I do use a password manager, and I recommend that you do as well, but I do not rely on it: I commonly need access to a password when my password manager isn’t available. In my opinion, the best password managers are the ones that are secure and that securely synchronize passwords between multiple devices. This makes it less likely that you will be without your passwords when you need them. KeePass is a secure, free and open-source password manager that operates on many platforms.
I feel more comfortable when I know that I don’t have to rely on my password manager. The scheme described later allows me to remember or recreate the passwords I need when I need them.
Practically Perfect Passwords
Let us revisit the first method I suggested for creating strong passwords when I first started to write this column many years ago. I call this method “practically perfect passwords” (PPP). The key for PPP is to establish a set of rules, then follow these rules to create unique passwords for each website. When you start to change all of the passwords on World Password Day, or National Password Day, or January 1st, I suggest the creation of new rules for the next year.
First, the goal is to create good, strong passwords that are easy to remember or recover. A good secure password is at least 15 characters long and has a combination of upper- and lower-case characters, digits, and special characters.
We do this by creating “password construction rules”. The order of the rules does not matter and each rule may be as simple or as complex as you like. The first example of a rule is to select a phrase, maybe from a book, or a poem, or song lyrics. Try not to pick one from the beginning of the passage. I will pick “Everyone has all we need in our yellow submarine”. Now I will select the first letter from each word of the phrase, giving “ehawnioys”. As the final step for this rule, I will capitalize the second and next to last letters, giving “eHawnioYs”. The choice of positions was random.
In this example, we base the next rule on the website name, known as the domain name. We will use Amazon.com and Facebook.com as our examples. We want a rule based on the domain name, so the passwords are different for each website. We will set this rule to take the first two letters of the domain and the last one. For Amazon this is “Amn” and for Facebook this is “Fak”. At this point, we could reverse them or scramble them but for this example, we will leave them as is.
The third rule will pick the digits. The rule is to use the digits for the numbers that correspond to the first and second letters of the domain. For Amazon this is 01 and 13 and for Facebook 06 and 01. These numbers are simply the count from ‘A’ to the letter so ‘A’ is always 01 and ‘Z’ is 26. You can choose to use all four digits or just two digits.
The next rule adds one or more special characters. For this rule we will use the character above the largest digit we selected in the third rule, that is, the symbol printed above that digit on the keyboard. So, for digit 3 for Amazon the special character is “#” and for Facebook the digit 6 gives us “^”.
The final rule is what I call the assembly rule. It tells us how to mash everything together into a password. The rule in this example is to start with rule 1 (the phrase), then rule 3 (the digits), followed by rule 4 (the special character) and rule 2 (the domain). Putting this together gives us the password eHawnioYs0113#Amn for Amazon and eHawnioYs0601^Fak for Facebook.
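The five example rules above can be written down as a short Python program. This is an added example, not code from the original column; the function names are hypothetical, and it assumes a US keyboard layout for the special character and a site name made only of the letters a to z.

```python
import string

# Shifted symbols above digit keys 0-9; assumes a US keyboard layout.
SHIFTED = ")!@#$%^&*("

def phrase_part(phrase):
    # Rule 1: first letter of each word, then capitalize the second
    # and next-to-last letters.
    letters = [word[0].lower() for word in phrase.split()]
    if len(letters) < 4:
        raise ValueError("phrase needs at least four words")
    letters[1], letters[-2] = letters[1].upper(), letters[-2].upper()
    return "".join(letters)

def site_name(domain):
    # 'www.Amazon.com' -> 'amazon'. The rules below need plain a-z letters.
    labels = [part for part in domain.lower().split(".") if part != "www"]
    name = labels[0] if labels else ""
    if len(name) < 2 or not (name.isascii() and name.isalpha()):
        raise ValueError(f"rules need a letters-only name, got {name!r}")
    return name

def make_password(phrase, domain):
    name = site_name(domain)
    rule1 = phrase_part(phrase)
    rule2 = name[0].upper() + name[1] + name[-1]   # first two letters + last
    rule3 = "".join(f"{ord(c) - ord('a') + 1:02d}" for c in name[:2])
    rule4 = SHIFTED[int(max(rule3))]               # symbol above largest digit
    return rule1 + rule3 + rule4 + rule2           # assembly rule: 1, 3, 4, 2

def meets_goal(password):
    # The article's target: 15+ characters with upper, lower, digit, special.
    return (len(password) >= 15
            and any(c.isupper() for c in password)
            and any(c.islower() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in string.punctuation for c in password))

PHRASE = "Everyone has all we need in our yellow submarine"  # the article's phrase

if __name__ == "__main__":
    for site in ("Amazon.com", "Facebook.com"):
        pw = make_password(PHRASE, site)
        print(site, pw, meets_goal(pw))
```

A site name containing digits or hyphens raises an error, because rule 3 only defines numbers for letters; a rule set meant for such sites needs its own convention for those characters.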
These are the rules that I created as an example. You are free to make up any rules and variants you want. Just remember that it is important to base some rules on modifying the domain name so the result is different for each website. Sometimes I might, for example, add a rule that capitalizes each letter in the domain that matches a letter in the phrase, or add a rule that adds a digit for the length of the domain name.
Also, consider using different rules for different types of websites. For example, I might use one set of rules for financial websites, another for shopping sites, and a third one for everything else.
While updating your passwords it is also a good time to enable multi-factor authentication (MFA). When MFA is enabled on a system, the system will ask for additional proof that you are who you claim to be. The site may ask for a code generated by an app, or you may need to provide a thumbprint or an image of your face. While less secure, some sites may want to send email, text, or voice messages to your phone to verify it is you trying to connect.
We All Live in a Yellow Submarine
So yes, I am a Beatles fan, but I only use their lyrics for my examples. I tend to select more obscure phrases for my actual passwords. And so should you!
If you want to see the ways I have suggested in past articles to create strong passwords, they can be found in my columns from March and April of 2015, January 2017, July 2018, April 2019, January 2020, May 2021, and last year, May 2022. It is important to change your password once a year, so I try to repeat this topic at least annually because it is that important!
Have a happy World Password Day. Until next month, stay safe online!