Posted by: Ken Harthun
Password, Password best practice, Password Management
Oh, I can already hear the groans and see the rotten tomatoes flying my way. But wait! There’s a way to recycle your favorite passwords without compromising security. It’s rather ingenious, if I do say so myself. All you have to do is set up a recurring, shifting pattern based on your password change cycle. This will work on your job as well as at home. Inspired by Steve Gibson’s Password Haystacks, and completely in line with my New Password Paradigm series of posts, this method of recycling passwords makes it easy for you to comply with your corporate password policy without getting stumped about what password to use next.
The first thing you will want to do is take out a piece of paper; you are going to write down your password pads, i.e., the characters you are going to add to your “standard” password. (Don’t worry, you won’t be writing down the actual password, that’s going to be something you will easily remember.) I suggest you use two characters at the front and two characters at the end, but that’s entirely up to you. The key is to make a secure password that is not only easy to remember, but different every time you are required to change it.
For the sake of illustration, let’s say that you are required to change your password monthly and that you cannot reuse any of the last six passwords. That means you need seven “pads” to rotate: six to cover the history the server remembers, plus the one currently in use, so that by the time you come back around to the first pad it has dropped out of the history. (DO NOT USE the pattern I propose here; change it to make it your own!) You could do it this way: on the left side of your paper, write down the numerals 0 through 6, placing each on a new line. Then pick seven different uppercase and lowercase letters and some symbols and write one next to each numeral. My example list looks like this:
Now, either choose your favorite, easy-to-remember word or phrase, or use the favorite password you use for everything (I KNOW you do that, so don’t worry about it). For this example, I’ll use password.
At the first password change, use 0!password, 0!Password, 0!password0!, or whatever variation you wish, provided that you will remember it easily. Remember, the longer, the better. Cross off the pad you just used and each time you have to change the password, just change the pad and cross it off. After you use the seventh one, you can start over at the top of the list and the server should allow it.
One caveat: some password policy engines require a certain number of characters in the new password to be different from the old one, and since the pad is the only thing that changes from month to month, a two-character pad may not be enough to satisfy that rule. That’s no problem: just stack the pad two or three times (0!0!password0!0! instead of 0!password0!) so that enough characters change, and you’ll be good to go.
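The rotation described in the steps above, worked through in code, as an added example that is not part of the original post. It builds the pad schedule, simulates a run of monthly changes, and checks each change against a simplified policy model: a minimum length, a history of the last N passwords, and a minimum number of characters that must differ from the previous password. The pads, the base word and the policy thresholds are constructed for illustration, and the "characters differing" rule is an assumption standing in for whatever your own engine enforces (real engines define similarity in their own way; pam_pwquality’s difok, for instance, counts characters of the new password not present in the old one), so treat the check as a model, not a guarantee.

```python
"""Pad-rotation schedule and policy check for the scheme described above.

Added example, not code from Ken Harthun's post. The policy model below
(minimum length, a history of the last N passwords, a minimum number of
characters that must differ from the previous password) is an assumption
standing in for whatever your real policy engine enforces.
"""
from collections import deque

# Constructed example pads: the post says to pick your own, and these are
# for illustration only. Each entry is (front pad, back pad).
PADS = [("0!", "0!"), ("1@", "1@"), ("2#", "2#"), ("3$", "3$"),
        ("4%", "4%"), ("5^", "5^"), ("6&", "6&")]


def pad_for_change(change_number, pads=PADS):
    """Pad to use at a given change (0 = first change); wraps around
    after the last pad, which is the 'start over at the top' step."""
    return pads[change_number % len(pads)]


def build_password(base, front, back, repeat=1):
    """Wrap the base word in its pad. repeat > 1 stacks the pad, which is
    the post's fix for a 'minimum changed characters' rule."""
    return front * repeat + base + back * repeat


def chars_differing(old, new):
    """Number of character positions at which new differs from old; any
    length beyond the shorter string counts as different. Assumed model
    of a 'minimum changed characters' rule, not any particular engine's."""
    longest = max(len(old), len(new))
    return sum(1 for i in range(longest)
               if i >= len(old) or i >= len(new) or old[i] != new[i])


def check_schedule(base, pads, changes, min_length=12, history=6,
                   min_diff=4, repeat=1):
    """Simulate `changes` consecutive password changes and return one
    (change_number, password, ok, reasons) tuple per change."""
    recent = deque(maxlen=history)   # the last `history` passwords used
    previous = None
    results = []
    for n in range(changes):
        front, back = pad_for_change(n, pads)
        candidate = build_password(base, front, back, repeat)
        reasons = []
        if len(candidate) < min_length:
            reasons.append("too short")
        if candidate in recent:
            reasons.append("in history")
        if previous is not None and chars_differing(previous, candidate) < min_diff:
            reasons.append("too similar to previous")
        results.append((n, candidate, not reasons, reasons))
        recent.append(candidate)
        previous = candidate
    return results


if __name__ == "__main__":
    # Seven pads against a six-deep history: eight changes, all accepted.
    for n, pw, ok, reasons in check_schedule("password", PADS, changes=8):
        status = "ok" if ok else "REJECTED: " + ", ".join(reasons)
        print(f"change {n}: {pw:20} {status}")
    # Only six pads: the seventh change collides with the history.
    print(check_schedule("password", PADS[:6], changes=7)[6])
    # A stricter 'six characters must change' rule fails with single pads
    # and passes once the pad is stacked (the caveat above).
    print(check_schedule("password", PADS, changes=2, min_diff=6)[1])
    print(check_schedule("password", PADS, changes=2, min_diff=6, repeat=2)[1])
```

Running it shows the two failure modes the post warns about: with only six pads against a six-deep history the seventh change is rejected as already in history, and under a rule that demands six changed characters the single pad (four changed positions with a front and back pad) is rejected until it is stacked. Note that the check only tells you whether a candidate would pass a policy; it says nothing about how strong the base word is, which is still the part that matters most.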
Simple, policy-compliant, and easy to remember. One thing the pad does not buy you is protection against an attacker who already has one of your old passwords, since the base word is the same every month and the pattern is easy to guess from a single sample. So make the base long and not a plain dictionary word, and do not rotate a password you suspect has been exposed by simply changing its pad; pick a new base.