
Tech Sense: World Password Day 2025

  • John Bell
  • Apr 24
  • 4 min read


May is arriving shortly, and that means Memorial Day, May the Fourth, May Day, and of course World Password Day.  This year World Password Day is on May 1st, just like May Day.  We usually observe it on the first Thursday of May.  It serves as a good reminder to change your passwords and verify or reset your security and privacy settings.  Because keeping passwords secure is so important, I write about it in this column almost every May.

Best practices for passwords include changing them once annually, making unique passwords for each system, application, or web site, making passwords 16 characters or longer, and making them a mix of upper and lowercase letters, digits, and special characters.

1 Rules to Create Strong Passwords

Practically Perfect Passwords is a way to create memorable yet secure passwords.  The rules I provide are an example to give you ideas for creating your own rules.

1.      Start with a memorable phrase from a song lyric, poem, famous quote or phrase or another source.  I find it helpful to select three to four phrases for different categories, for example one for financial sites and a different one for social media, and a third for shopping.  I will use the phrase “We all live in a yellow submarine” as an example.

2.      The letter selection rule uses the first letter of each word in the phrase from rule 1.  This gives us “waliays”.

3.      The capitalization rule decides which letters to make uppercase or lowercase.  We will use the rule that the first letter and the last letter are uppercase.  Our example now looks like “WaliayS”.

4.      Pick a 4-digit number that you will remember.  I will use 1492 (when Columbus sailed the ocean blue).

5.      Pick at least 2 symbols.  For the example, I will use the left and right square brackets [ and ].

6.      Pick some letters from the web domain. This is the name of the website, like amazon.com for example.  We only care about the amazon part of the domain.  How to pick the letters is part of the rule.  In this case, we will pick the first two and the last two letters as the picking rule.  These are AMON.

7.      Create a domain code by adding a number to each letter to move the letter in the alphabet.  For our example using the number 1, AMON will become A+1, M+1, O+1, N+1 or BNPO. This creates a “domain code” value of BNPO.

8.      The assembly rule determines how we combine these rules into a password.  For this example, we will follow the rules in order.  The assembly rule will be:

a.       Select your phrase, at least 7 words long

b.      Take the first letter from each word in the phrase.

c.       Uppercase the first and last letters.

d.      Append the first symbol.

e.       Append the digits from step 4.

f.        Append the second symbol.

g.      Append the domain code.

So, applying the rules to Amazon.com, I might get:

1.       “The Beatles say ‘We all live in a yellow submarine’”

2.       “waliays”

3.      “WaliayS”

4.      1492

5.      [ and ]

6.      AMON

7.      BNPO

8.      WaliayS[1492]bnpo

This password for Amazon is 16 digits long.  If your password is too short, you can always create an extension rule, such as appending letters from a license plate until the password is 16 characters or longer.

The passwords created using this method can be recovered by reapplying the rules.  Typically, it’s safe to write down the rules if you can’t remember them.  I also use different rulesets and phrases depending on how secure the data on a website needs to be.
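The rule set above, written out as an added Python example (not code from the original column), shows how a password is recovered by reapplying the rules to a site name. The function names, the wrap-around from Z back to A, and the lowercase domain code (chosen to match the final password shown above) are assumptions.

```python
import string

def initials(phrase):
    """Rule 2: first letter of each word, ignoring punctuation."""
    words = (w.strip(string.punctuation) for w in phrase.split())
    return "".join(w[0].lower() for w in words if w)

def capitalize_ends(letters):
    """Rule 3: uppercase only the first and last letters."""
    if len(letters) < 2:
        return letters.upper()
    return letters[0].upper() + letters[1:-1] + letters[-1].upper()

def site_name(domain):
    """'www.amazon.com' -> 'amazon'. Assumes a one-label suffix such as .com."""
    labels = domain.lower().strip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]

def domain_code(domain, shift=1):
    """Rules 6-7: first two and last two letters, each moved `shift` places."""
    name = [c for c in site_name(domain) if c in string.ascii_lowercase]
    picked = name[:2] + name[-2:]
    # Assumption: letters wrap from 'z' back to 'a'; the column does not say.
    return "".join(chr((ord(c) - 97 + shift) % 26 + 97) for c in picked)

def build_password(phrase, domain, digits="1492", symbols="[]", shift=1,
                   min_length=16, filler=""):
    """Rule 8: letters, first symbol, digits, second symbol, domain code."""
    password = (capitalize_ends(initials(phrase)) + symbols[0] + digits
                + symbols[1] + domain_code(domain, shift))
    # Extension rule: append filler (e.g. license plate characters) one at a
    # time until the password reaches min_length.
    for ch in filler:
        if len(password) >= min_length:
            break
        password += ch
    return password

if __name__ == "__main__":
    phrase = "We all live in a yellow submarine"
    for site in ("amazon.com", "zillow.com"):
        print(site, build_password(phrase, site))
```

Changing the phrase, digits, symbols or shift gives a different ruleset for a different category of site.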

2 Password Managers

Password managers are software designed to store your passwords securely.  Many of them will also generate secure passwords for you.  Both Firefox and Chrome browsers have built-in password managers considered adequate.  Many people consider Bitwarden to be the best, and it provides plug-ins for most browsers.

3 Monitoring the Passwords

Google, Firefox, and now Windows 11 all monitor your passwords, looking for compromised passwords.  Other password managers and some antivirus programs will also check.  You can check a password yourself by using https://haveibeenpwned.com/Passwords.

4 MFA

Multi-Factor Authentication, sometimes called 2-factor authentication, requires another factor to complete the login process.  You may have been required by a site to have a code sent to your phone or email and then enter the code back on the site.  This is a primitive and less secure form of MFA because text messages and email are not secure.

Time-based One-Time Password (TOTP) typically uses a secure web application that sends a unique changing code.  Each website uses a different base, and so the code generated for one website is different from the code generated for any other website.  If you are using an authentication app, you need to have your phone with you anytime you want to log in.

Google, Microsoft, and Authy all make apps that work well with Android and iOS devices.  To add a new site, the site will offer a QR code to be scanned by the phone camera.  Once scanned, the site will require you to reply with a generated code to make sure the two systems are synchronized.

There are other hardware mechanisms for MFA, like fingerprint readers, cameras with facial recognition, retina scanners, and FIDO devices.  FIDO devices are typically considered the most secure means of MFA.

5 And in the End…

Going back and reading my previous May columns will provide you with some simpler examples and other ways to create secure passwords.  Last year I even showed how to create a very secure address book style to write your passwords down.  Have a happy World Password Day.

In the meantime, stay safe online!
