How many times a day do you have to type in your passwords? It’s a pesky business remembering all of them, and even though there are many different types of software that can keep track of passwords, you still have to type them in places where the software doesn’t work, like at your laptop logon prompt.
So what’s my take on this? I use personal goals as passwords. Not the goals themselves of course, but most of my passwords are derived from personal goals.
Why? Well, this may seem silly, but if you google “how to achieve your goals”, every article seems to agree that you should write your goals down, or otherwise visualize them daily. By using passwords that are derivations of real-life challenges and goals, I have to repeat them to myself (not aloud, of course) each time I use them, which is often several times a day. That way, my goals stay in focus, and at the same time, it makes it easier for me to remember the actual password.
This is best illustrated by an example: Let’s say that I have a goal of achieving a CISSP certification by August 2011. I’ll then formulate a sentence (basically a mnemonic) based on this goal, and derive a password from it. For example:
“I’ll succeed at the CISSP exam and gain certification by August 2011”
becomes the password:
By swapping certain words for non-alphanumeric characters and capital letters, I make sure that the password has the right complexity. By using a long sentence, I make sure that the password has a sufficient length, in this case 16 characters.
Cracking this password is hard, even if you know how I use my goals as mnemonics for passwords. If we assume that I’m using all 95 characters in the printable part of the ASCII character set as an alphabet, the password should be strong enough for most applications.
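To put a number on the 95-character, 16-character assumption above, here is an added example (not part of the original post) that computes the brute-force upper bound and shows how it shrinks when a password does not actually use every character class. The sample passwords and the guess rate of 10^12 per second are constructed assumptions, and the bound only holds for uniformly random characters, so a sentence-derived password sits somewhere below it.

```python
import math
import string

# Printable ASCII (0x20-0x7E) split into classes; the sizes sum to the 95 used above.
CLASSES = {
    "lower": set(string.ascii_lowercase),        # 26
    "upper": set(string.ascii_uppercase),        # 26
    "digit": set(string.digits),                 # 10
    "symbol": set(string.punctuation) | {" "},   # 32 punctuation + space = 33
}
PRINTABLE = set().union(*CLASSES.values())


def alphabet_size(password):
    """Alphabet a brute-force search must cover, judged by the classes actually used."""
    chars = set(password)
    if not chars or not chars <= PRINTABLE:
        raise ValueError("password must be non-empty printable ASCII")
    return sum(len(members) for members in CLASSES.values() if chars & members)


def bruteforce_bits(length, alphabet):
    """Upper bound in bits, log2(alphabet ** length); valid only for random characters."""
    return length * math.log2(alphabet)


def years_to_exhaust(bits, guesses_per_second):
    """Years needed to try every candidate (the expected hit comes at half of this)."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    ASSUMED_RATE = 1e12  # assumption: offline guesses per second, not a measured figure
    # Constructed 16-character samples: all four classes vs. lowercase only.
    for sample in ("Xq7#mL2!pR9@vB4$", "correcthorsebatt"):
        size = alphabet_size(sample)
        bits = bruteforce_bits(len(sample), size)
        print(f"{sample}: alphabet={size}, <= {bits:.1f} bits, "
              f"{years_to_exhaust(bits, ASSUMED_RATE):.2e} years to exhaust")
```
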
But the real treat, as mentioned, is that I force myself to repeat my goals in order to remember the password each time I type it in, which both makes it easier for me to remember and, as a side effect, keeps my goals in focus.
Of course, random passwords are still best. But I find this method to be a reasonable trade-off between usability and security.
Now excuse me, I’ll have to go change all my passwords.