From the Nov. 2008 Issue
A few years ago, I wrote a column describing a method to generate a different, easy-to-remember, yet secure password for any website or program. Since that column ran, I’m regularly asked to detail the system. In an effort to help (and maybe cut down on a few questions), I’ve decided to re-run the column. Here it is:
I regularly visit hundreds, er, dozens of websites, and more and more of them are personalizing content for me by offering “portal” type services.
Some are quite innocuous, like, “Tell me where you live, and I’ll tell you about the weather.” It’s a beginning step in what I refer to as the “you give, you get” paradigm. “Tell me what stocks you want to watch, and I’ll personalize a ticker for you.” Again, pretty innocent. What about, “Tell me your account number, and I’ll show your transactions” or “Tell me your patient ID, and I’ll tell you about your prescription drugs.” Now we’re talking about SECURITY!! Those are areas where we ALL want great security.
Fortunately, most folks providing this kind of information on the web are very security-conscious and let users choose hardened user IDs and passwords. Hardened is a term many consultants use to describe an ID or password that is (usually) at least eight characters long and contains upper- and lower-case letters, numbers, and a symbol. It is NOT your name, your pet’s name, nor the street where you live. In fact, it is NEVER a dictionary word at all. IDs and passwords like these are far harder to guess or brute-force than a word, and the hope is that an intruder will lose interest rather than spend the inordinate time required to break your security and access your information. But you knew that, right?
What I’ll bet you DON’T know is how to manage those hundreds (oops, there goes that exaggeration again!), er, dozens of user ID and password combinations. Here’s one method that seems to work well for me. I have a “standard” user ID that consists of letters (some upper case), numbers, a symbol, and two letters chosen from the name of the website or program I’m accessing. By way of example, my user ID might be wjY6%XeX, where the X’s stand for the second and fourth letters of the website I’m visiting or the program I’m using, written in upper case. So, if I were visiting www.etrade.com, my user ID would be wjY6%TeA. Notice that the “T” and “A” are the second and fourth letters of “etrade” in the website address. If I were visiting www.AICPA.org, my user ID would be wjY6%IeP.
The secret is that I actually have only ONE user ID to remember. In this case, it’s wjY6%XeX, but it’s different at every site.
I do the same thing with my password; it’s a single hardened string that incorporates something from the site I’m visiting. The result is a simple system that gives me a different credential at every site while leaving me only one to remember. Often I’ll hit what looks to be a new site, and when it asks me to log in I’ll just “try” my user ID and password. Sometimes I discover that I’ve already been there, as my “special” user ID and password take me right in.
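The scheme above is a template string with two placeholders filled from the site name. Here it is written out as an added example (mine, not the column's code): the rule is the column's (positions two and four of the site name, upper-cased, dropped into the X slots), the handling of addresses and of names too short for the rule is my own assumption, and the last function shows the caveat a practitioner should keep in mind: because the fixed part is identical everywhere, two leaked credentials (or one, together with the site it came from) are enough to read the template back out.

```python
"""The column's "one standard ID, two site letters" scheme, as an added example."""

PLACEHOLDER = "X"           # the column's stand-in for the site-derived letters
LETTER_POSITIONS = (2, 4)   # 1-based positions in the site name (the column's rule)


def site_name(address):
    """Return the site's main label from an address such as 'www.etrade.com'.

    Assumption (mine, the column gives no parsing rule): strip any scheme, path
    and port, then take the label just before the top-level domain, so
    'www.AICPA.org' -> 'AICPA' and 'https://online.mybank.com/login' -> 'mybank'.
    Multi-part suffixes such as .co.uk are not special-cased.
    """
    host = address.split("://", 1)[-1].split("/", 1)[0].split(":", 1)[0]
    labels = [p for p in host.split(".") if p]
    if len(labels) >= 2:
        return labels[-2]
    return labels[0] if labels else ""


def site_letters(address, positions=LETTER_POSITIONS):
    """The letters the column picks from the site name, upper-cased.

    Assumption: a name too short for the rule is an error rather than
    wrapped around or padded; the column does not say what to do there.
    """
    name = site_name(address)
    letters = []
    for pos in positions:
        if pos > len(name):
            raise ValueError(f"{name!r} has no letter at position {pos}")
        letters.append(name[pos - 1].upper())
    return letters


def derive(template, address):
    """Fill each placeholder in the template, left to right, with the site letters.

    The fixed part of the template must not itself contain the placeholder
    character, since the column uses X purely as a marker.
    """
    letters = site_letters(address)
    if template.count(PLACEHOLDER) != len(letters):
        raise ValueError("template needs exactly one placeholder per site letter")
    fill = iter(letters)
    return "".join(next(fill) if ch == PLACEHOLDER else ch for ch in template)


def template_from_two_leaks(cred_a, cred_b):
    """Caveat: recover the template from two derived credentials.

    Positions where the two strings agree are the fixed part; positions where
    they differ are the placeholders. If the two sites happen to share a letter
    at one of the chosen positions, that slot is misread as fixed, so an
    attacker with a third sample would resolve it.
    """
    if len(cred_a) != len(cred_b):
        raise ValueError("credentials derived from one template have equal length")
    return "".join(a if a == b else PLACEHOLDER for a, b in zip(cred_a, cred_b))


if __name__ == "__main__":
    template = "wjY6%XeX"  # the column's example template
    for site in ("www.etrade.com", "www.AICPA.org", "https://online.mybank.com/login"):
        print(f"{site:36} -> {derive(template, site)}")
    leaked = (derive(template, "www.etrade.com"), derive(template, "www.AICPA.org"))
    print("template recovered from two leaks:", template_from_two_leaks(*leaked))
```

Running it reproduces the column's two examples (wjY6%TeA and wjY6%IeP) and then shows that those same two strings, side by side, give the template back. Constructed input only; no real credentials are involved.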
Are there problems? Sure. Some sites like to “assign” user IDs and don’t give you the right to change them.
A few have policies that preclude the use of special characters such as !, @, #, $, %, ^, &, *, ( or ), which rules out the “%” in my example. One I use (a bank) actually had the gall to tell me that disallowing special characters was a “security feature designed to protect you.” Amazing! And bear in mind that the fixed part of the string is identical everywhere, so anyone who sees one of these IDs or passwords next to the site it belongs to has most of the string for every other site as well; the system is only as strong as your ability to keep each one private.
Copyright 2010 Cygnus Business Media