Secure Your Passwords on a Post-it

Quite a bit of chat about changing your passwords and making them secure, particularly at Gizmodo, which is promoting a “Change Your Password Day”.

The system I use (strictly speaking I use a more complex variation) has no requirement for software, mnemonics or other tricks, and is near foolproof, in only 3 steps:

1) Think of a short sequence of characters – let’s say 4 – and keep this to yourself. Don’t share this with anyone. Make it hard to guess, i.e. not your name or birth year, and avoid any existing PIN: the more random the better.

In this example, I choose “1b7Y”.

2) Generate your passwords using a secure online password generator – http://strongpasswordgenerator.com/ as an example. Ask it to generate passwords of the maximum length for the site or system you’re using.

Here are an 8 and a 12 character example, but go as long as you can:

w$TU-5CA
e23&03|!CI

3) Record these passwords along with the website or username in question. Stick them on a post-it on your monitor, or print them on a sheet, or as your desktop wallpaper, or in your pocket, or in a spreadsheet, or a photograph on your phone, or all of those – it doesn’t matter how promiscuous you are, or how public it is, just put them where they’re handy.

4) Don’t use these passwords when you actually register! First, replace the first 4 characters of each password with your “secret” four characters. Or the last four, or at any position you choose. Just keep it consistent.

Using the two previous examples, I replace the 2nd character onwards to create the passwords I’ll actually register with:

w1b7Y5CA
e1b7Y3|!CI

5) You’re done

Now all you have to remember is your 4 character code, and the position of the 4 characters you want to replace. It doesn’t matter who sees your list of passwords, however or wherever you’ve recorded them: they can’t use any of those passwords to login.
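As an added worked example (not code from the original post), the substitution from step 4 in Python, applied to the two passwords above, plus a count of how many bits stay secret once the post-it itself is public. The alphabet used for that estimate is an assumption, since the post does not say which characters the generator draws from.

```python
from __future__ import annotations

import math
import string

# Assumed generator alphabet: letters, digits and ASCII punctuation (94 symbols).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def derive_password(recorded: str, secret: str, position: int) -> str:
    """Return the password actually registered: the recorded (public) string
    with len(secret) characters replaced by the secret, starting at
    0-based `position`. The post replaces "the 2nd character onwards",
    i.e. position 1."""
    if position < 0 or position + len(secret) > len(recorded):
        raise ValueError("secret does not fit inside the recorded password")
    return recorded[:position] + secret + recorded[position + len(secret):]


def derive_all(post_it: dict[str, str], secret: str, position: int) -> dict[str, str]:
    """Apply the same substitution to a whole list (site -> recorded string).
    The position must be the same for every entry, as the post requires."""
    return {site: derive_password(pw, secret, position) for site, pw in post_it.items()}


def secret_bits(secret_len: int, password_len: int,
                alphabet_size: int = len(ALPHABET)) -> float:
    """Bits an attacker holding the post-it still has to guess: the secret
    characters themselves, plus which of the possible positions was used
    (the secret must fit inside the password, so password_len - secret_len + 1
    positions are possible)."""
    positions = password_len - secret_len + 1
    return secret_len * math.log2(alphabet_size) + math.log2(positions)


if __name__ == "__main__":
    # Constructed post-it using the two generated passwords from the post.
    post_it = {"example-8": "w$TU-5CA", "example-12": "e23&03|!CI"}
    for site, real in derive_all(post_it, "1b7Y", 1).items():
        print(f"{site}: {post_it[site]} -> {real}")
    print(f"secret bits left for the 8-char case: {secret_bits(4, 8):.1f}")
```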

You can change them as frequently as you like, there’s no penalty for having different passwords per website (and you definitely should), and they are immune to brute-force attacks.