Thursday, May 27, 2010

On passwords (or passphrases)

I read this article trying to justify having a password file storing all of the rest of your sensitive information. I think the author is completely wrong.

I have a system of password templates keyed to the task the password is used for. If the password is being used to complete an administrative task, I have one template (I actually call it a passphrase). For general tasks requiring a password, I have a separate template.

For instance, l3t_m3_1n_$sitename (the template isn't real, just for illustration) would be a fairly legitimate passphrase, replacing $sitename with a word that describes the website at hand (maybe the site name, maybe the site topic). If you subscribed to the Wall Street Journal's website, your passphrase might be l3t_m3_1n_wsj. If you were an admin for the Wall Street Journal, you might use the template l3t_m3_adm1n_wsj.

With this system, your password is different for each website you use and complex enough to keep the passphrase from being cracked, and the templates themselves don't change, so what you have to remember is far shorter than the password itself.

The only wrinkle I have found is that not all websites allow the same characters in passwords, which does get annoying.
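The template scheme described above, as an added example that is not part of the original post: it fills the $sitename slot of the two illustrative templates, adapts the result to a site whose password policy rejects some characters (the wrinkle noted in the last paragraph), and isolates the part of each derived password that is actually site-specific, which is the part of the trade-off a defender would want to measure. The function names and the example character policy are assumptions for this example, not anything from the post.

```python
import string

# Templates quoted from the post, which says they are illustrative, not real.
USER_TEMPLATE = "l3t_m3_1n_$sitename"
ADMIN_TEMPLATE = "l3t_m3_adm1n_$sitename"

SLOT = "$sitename"


def derive(template: str, sitename: str) -> str:
    """Fill the $sitename slot of a template with the site-specific word."""
    if SLOT not in template:
        raise ValueError("template has no $sitename slot")
    return template.replace(SLOT, sitename)


def fit_to_policy(password: str, allowed: str) -> str:
    """Drop characters a site's password policy rejects.

    Models the post's wrinkle: a site that forbids underscores forces a
    different password than the template alone would produce, so the user
    must also remember that this site is an exception.
    """
    return "".join(c for c in password if c in allowed)


def variable_part(template: str, password: str) -> str:
    """Return the site-specific portion of a derived password.

    Everything outside this portion is the fixed template, shared across
    all of the user's accounts that use that template.
    """
    prefix, _, suffix = template.partition(SLOT)
    if not (password.startswith(prefix) and password.endswith(suffix)):
        raise ValueError("password does not match the template")
    return password[len(prefix):len(password) - len(suffix)]


def site_specific_fraction(template: str, password: str) -> float:
    """Fraction of the password's characters that differ between sites."""
    return len(variable_part(template, password)) / len(password)


if __name__ == "__main__":
    # Constructed policy: letters and digits only, no punctuation.
    alnum_only = string.ascii_letters + string.digits

    user_pw = derive(USER_TEMPLATE, "wsj")
    admin_pw = derive(ADMIN_TEMPLATE, "wsj")
    print("user :", user_pw)
    print("admin:", admin_pw)
    print("fitted to alnum-only policy:", fit_to_policy(user_pw, alnum_only))
    print("site-specific part:", variable_part(USER_TEMPLATE, user_pw))
    print("site-specific fraction: %.2f"
          % site_specific_fraction(USER_TEMPLATE, user_pw))
```

The `site_specific_fraction` result makes the post's own observation concrete: the part that changes per site is exactly the word the user chooses for it, and the rest of every derived password is the shared template.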