World Password Day
World Password Day is a day set aside on the first Thursday of May for everyone to change their passwords, add multi-factor authentication, and generally review the security of their devices and applications. The observance is May 2 this year (2019). I wrote a bit about this in January because many observe February 1 as Change Your Password Day. If you didn't change your passwords at the beginning of the year, now is a good time.
In general, a good password is 13 or more characters long and uses a mix of upper- and lower-case alphabet letters, digits, and special characters. A unique password should be used for each website or application. I prefer to create secure passwords that can be remembered, but many people prefer to use password managers.
A password manager is an application used to securely store passwords. Most provide an option to generate secure passwords associating each password with the site or application the password unlocks. Popular password managers include LastPass, which has free options, and KeePass, which is free and open source. Most web browsers also provide an option to capture and store passwords, but beware: the only browser that seems to securely store passwords is Firefox. Firefox also has the ability to securely sync passwords between your phone, laptop, and desktop. A password manager requires one very secure master password to protect the passwords it stores.
Secure Way to Create a Single Memorable Password
My method for creating secure passwords was briefly reviewed in January 2019. The original article can be found in the April 2015 issue (in the archives). I prefer to create passwords that can be memorized because it seems I always lose access to my password store just when I need my passwords. I will not repeat my method here but instead will share another method that is ideal to create a Wi-Fi password or a master password for a password manager. You will need a regular, six-sided die and a word list that can be downloaded from this URL: https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt. Follow these steps to create a password;
Step 1: Roll the dice 5 times and write the number down. Let's say we rolled 15562.
Step 2: Scroll down the word list to find the matching number and write the word next to the number: chubby.
Step 3: Repeat steps 1 and 2 four more times.
At the end, we should have five words randomly selected from the list. For this example, I use 15562: chubby, 53345: scribble, 33456: hardship, 45561: provoking, and 24456: earshot. I append all of the words making the long password: Chubby+scribble+hardship+provoking+earshot: the word list has 7776 unique words, one for each possible roll of 5 dice. This makes more than 28 sextillion possibilities. This method is well documented and can be found on the Electronic Freedom Foundation web site: https://www.eff.org/dice.
This system works for one or two passwords because memorizing 5 words is typically a lot easier than memorizing a complex set of random numbers and letters. Therefore, it is useful for master passwords and Wi-Fi passwords. More than two of these and I can no longer remember them. I may modify the password slightly into a memorable phrase. For example; "Chubby scribbled a note about his hardship provoking everyone within earshot" is a nonsense phrase that is easier to remember and can be written down to jog your memory.
Safely Store Master Passwords
I have a trick I use to safely store information I want to protect like master passwords, recovery keys for multi-factor authentication, and other critical information. I use a free archiving program called 7Zip found at https://www.7-zip.org. This software is primarily known as an archiving utility like WinZip but is free and open source. It also has the ability to securely encrypt the files stored within the archive. To secure files, create, and archive, add a password and select AES-256 for the encryption. Each file added to the archive will be encrypted using that password and the AES-256 algorithm. The password is also used to extract the files.
This is also a good way to sent secure information via email; just send the secure file as an attachment and share the password over the phone or another means of communication. Until next month…