One option to create passwords is to use a pattern across the keyboard:

q]w[epro
as3egfcd
%%ttGGbb

Very easy to type, very easy to remember, very hard to guess. Your pattern can then be used for types of sites: i.e. forum passwords get pattern A Bank passwords get pattern B and misc get pattern C.

The problem with password generators is they create difficult passwords to remember, and they require a large amount of passwords stored in one or more locations.

Password holding applications are one location for every password, so if they are cracked, you lose everything. You also need to take it everywhere with you, or back it up everywhere, so the vulnerability potential increases.

All in all passwords suck for all involved.

mjm01010101

My answers to those security questions never have anything to do with the question. I have a very simple algorithm relating one alphabet letter to another to add the name of the service to the answer, then I tack on the same phrase to all of them.

Since the algorithm and added phrase are the same everywhere, it's easy to remember.

phool

Remembering a cryptic password is easy if you construct it from the first letter of each word in a memorable phrase, especially a very provocative memorable phrase--something you would not utter in public, which makes it much less likely that you will divulge your password to anyone.

I've never needed a password manager. A handful of phrases is easy to remember and is more than enough to keep your stuff, your stuff.

penguiniator

Of course, you could just not use free email services to conduct Government business; you know, obey the law?

Duh.

Deadhacker

I like Keepass since its cross platform and open source, but I wish it integrated with Firefox. Is there a faster way to add new login/pass to Keepass from Firefox? Currently, I have to open Keepass, Click on New, then type in a bunch of stuff.

monkeyboy

there are even several stong password generators available to help you pick a secure password.

Isn't it strong?

Senethior459

It's time to use those password generators! Keepass for the win.

rdn98

I've always used the following:

First part is important 3-digit number typed across top row while holding shift key to get symbol-symbol-symbol.

Second part is to trace a particular pattern on the numeral pad. The number it creates doesn't really mean anything to me, but the pattern is easy to remember,

Third part is to type the name of the site I'm trying to access, first letter capitalized.

So you would get something like:

#@*6644789Ebay (No, this is not my real password).

Some sites won't allow symbols, so I just revert to using the numbers instead.

This gives me a unique, very strong password for each site I visit.

Cupajo

Use details from someone else's, such as the name of their dog and the year they got it, life as your password.

Triborough

might be nice if a non-fingerprint biometric standard with a cheap reader (either integrated or peripheral) could be agreed upon. Get rid of passwords once and for all and prove your identity with something that's damn near impossible to counterfeit.

StrangeTikiGod

C'mon. She wasn't "hacked." She stupidly gave the answer to her security question to millions of viewers over live television. She all but said "please read my e-mail."

I am however in awe of this woman's brilliance!

robinandtami

I've always found that acronyms work well, so that if I wanted to make it cities I've lived in it would go chronologically Key West, New Smyrna Beach, Zephyrhills, Jacksonville, Gainesville; my password would be KwNsbZJG. It's something that I can remember but not something so easy that a friend or even family member would be able to put together. I'd also tack on some numbers relevant to me and punctuation.

anonymousryan

People who speak another language is definitely advantageous when it comes to passwords and password retrieval answers. All of my stuff are in something not English :)

strang

my answers to security questions never relate to the question. like "what high school did you attend" would be "p_ut1t1n^yrmuthrza_$$" would be the answer. a simple phrase, not remotely close to the question but easy to remember.

(there goes my commenting privileges)

MuglyTheWorm

I use a couple methods. First I just select a "favourite" word, like "pippin." It has no identifiable meaning to me, maybe I just like the way it sounds. I use that for every answer, and all my accounts. If they demand a number or date, like graduation, I'll subtract a consistent amount or I'll use my brother's. The latter is easier to remember. I also use that in any customer or user profile that demands this info,

The final technique is using personalised question/answers that are arcane, but actually redundant. Instead of a question I just use a single word, like "cane." The reply would be Fido. Huh? See, that's not the walking stick or candy, it's Italian for dog. And Fido is (supposedly) my dog. You should look for words with multiple meanings (or languages) and choose the less obvious. So cheese and Gouda isn't very good, but cheese and fastball works okay.

If you follow the rules it makes it easy for the hacker. Find a thought process that's particular to you, and different from what the mailbox really wants. You can be a very linear, methodical thinker, and this will still work. Once you start to color outside the lines - even in black and white, you've made breaking your security exponentially more robust.

Heck, just adding a space (or comma, or x, or...) after the first letter in every answer will make it nearly impossible to hack the security answers.

imajoebob

@strang: Agreed. ^__^

I have three other languages to pull possible passwords from and ~50% of the time I even add some numbers. ^__^ Keep them guessing. ^__^

If nothing else, people could pick a non-native language that they like (even if they have not studied it) and choose some random words that they like from it and add some numbers to those words. Instant new passwords. ^__^ Once again...keep them guessing. ^__^

Asian Angel

I like the security feature in Gmail...it only uses the alternate e-mail to do a reset.. so if

Genius hacker A tries to hack gmail,

He has to hack my hotmail first, and luckily if hotmail refers to another email,then the recursion continues until Hacker gets thru..

the_gank

"Security" questions have always struck me as stupid nonsense. Answer them truthfully, and anyone can figure them out. Answer them like I do, and they're hard to remember. I mean "Favorite concert" = Chomolungma ?? (It happens to be the Tibetan name for Mt. Everest, which I happen to know. Long story.)

Just give me the damn DNA barcode reader already and stop bothering me!

quixote

But with he root + suffix thing, if someone guesses one password, say it's
Password123Prefix, don't they know how to get into all of your other passwords?

Klink

A root+suffix or other password combination is probably secure enough against any casual hackers, as long as the suffix isn't obviously the site name. Somebody targeting me specifically, sure, could figure out my password pattern, but a random hacker who guessed that my Yahoo! password was "!ooqet5" probably couldn't figure out that my Lifehacker password was "rekqet10" without a lot of thought. The way I figure it, if someone is interested enough in me to spend hours cracking my personal password scheme, I have other issues.

(That password pattern isn't my pattern, o/c, although it's probably more secure than my current one...)

insert

I'm not quite sure if it would be a wise idea, but why not store the answers to the security questions in a KeePass password subgroup.

The username is the question, and the password becomes the long string of random characters that nobody, even yourself, will never guess.

This will only work if you make sure to keep a safe backup of your password file... I'm not sure I'd try it.

tonalanswer

It's really been said by a few above....but, I would stress that security questions/answers not be used at all. Just answer something totally unrelated. Then, make sure you never need your password from said provider.

@Klink...Yes. Absolutely. The root + suffix is a horrible idea as it it is the same as a single password for every site as it wouldn't take long to figure out the suffix if, as many suggest, they only make it a variant of the site name.

Gerard Sorme

Also, do not forget.... you should not use secret web-based e-mail accounts to hide certain political activities. We saw this at the RNC, the White House, and now the Governor's mansion in Alaska. Strict ethics rules are supposed to make our government transparent. Using web-based e-mail instead of official government e-mail is simply unethical.

AlexPDL

I really dislike sites that have pre-selected security prompts you have to choose from. Like "what is your mother's maiden name" or "what is your pet's name". Those are fairly easy to figure out.

It's much better to able to enter your own prompt + answer combo.

greenbot

Wait, you guys don't just use 'password' for everything?

I guess I gotta go change mine now.. dang.

Jrsy is the dude, playing the dude, disguised as another dude

You could also come up with an extremely long and obscure password, write it down, and keep it in your wallet. Actually, I should try that sometime. There would be no need to set up security questions at all. You would jst consult your physical wallet if you forget.

smartboydan hates college

@AlexPDL: She was not using it for 'official government' purposes. It was for personal e-mail.

HousBinPharteen

@Jrsy is the dude, playing the dude, disguised as another du...:

You are playing with fire, you should mix letters and numbers. I used password123. Much safer

geek22

@smartboydan hates college: I tried that once but I had so many pieces of paper in my wallet it got too confusing.

Jrsy is the dude, playing the dude, disguised as another dude

@geek22: 123.. hey that's the combination of my luggage!

Jrsy is the dude, playing the dude, disguised as another dude

How about not using a service that uses archaic "security questions"?

Ortzinator

1. Many have good suggestions about what to do for users which is great. The issue however is the service provider. Since the answers are fairly unique from user to user, why not provide the user with the option to write his/her own questions too? There'd be no need to remember the question since that would be out in the open, but custom questions could make it that much more difficult for answers to be hacked.

2. Too many sites ask really stupid things easily discovered by others. Then there are the sites that ask "favorites only" questions, which I detest. Favorites is the gateway drug to practicing prejudice and before you know it, you're a hardcore -ist of some sort.

3. I too have developed my own technique but I hate having to use password retrieval for some because they have restriction breaking my model. Some sites require mixed case + number + symbol. Some sites prohibit symbols. Some symbol sites have a unique set of symbols from another. It's frustrating. But I think I've got it worked out now. Haven't used password retrieval in five weeks. Or minutes. I forget. :)

Still, no way am I using a password manager. The day my mind needs one of those is the day I sign up for Depends, get a Waring, and root around the attic for my childhood sippy cup. IOW, sometime next week.

pixelwax

About putting in numbers, symbols and crazy upper/lowercase combos making passwords hard to remember:

finally 1337 spelling found a practical use XD

TheLostVikings

yeah, i keep a lot of passwords where i can memorize them, but they are hard to crack. i never use password gens unless i write them offline, as some paranoid nut would prove how they track that pass and use it badly.

D3M0L1SH3R

just use

actual answer to question plus a set of special characters.

zolielo

I detest the security questions. My bank has a very limited number of questions including "What is your favorite football team?". For starters, I hate football. I don't have a favorite team. This is a ridiculous question in the first place because 80% of people are going to answer with the name of the nearest NFL team. How hard would it be to guess the answer to that one?

If I wanted to keep track of all of the answers to their stupid questions in my password file I would have to keep track of (1) username, (1) password, (8) answers to stupid questions. Instead of keeping track of a username and password, my password file would contain TEN entries for one account.

As a workaround, I entered an expletive for all of the answers to their "security questions".

djlurch

@Ortzinator: Like the internet? :)

Quine

I've found that using two to three words/numbers that i can always remember and splicing them together in a formulaic fashion works wonders. Brute force hacking doesn't work because nothing makes sense if you read it in sequential order, and all three words/numbers are related to totally different things in my life, so it'd be near impossible to figure them all out.

Also, here's another good way to prevent people from guessing your security questions - here's my mom's maiden name according to gmail:

fahsdjklgdsajkl;fdsafhuipfexbnmmwqajkl;vcxznlvasd

yea...good luck guessing that :)

Quine

my strategy is to be a boring idiot. that way no one wants to read my email anyway. and yes this works quite well for me

AdamG

I fool them by using all asterisks.
**********

paddledog

@mjm01010101: you have to hope that the keyboard language is the same on every keyboard you use, otherwise this doesn't work.

Having learned that the hard way.

karlawithak

It's even worse in french, there is no contact form, you have to email all your information in plain text !

[help.yahoo.com]

Not very convenient and what about the security ?

Conclusion : use gmail.

Myka

Have you noticed how hard it is to change the security question in yahoo ? I could not find it through their user interface and had to google it :

[help.yahoo.com]

It looks like it's not automated !

If anyone has more information, please tell.

Myka

@greenbot: I particularly like setting my security question as "What is your password?"

caelanarcher

What is wrong with password hasher?
People like to use the same password for everything, this addon for Firefox gives them that ability.
Here is a demo for those people too cautious to try it or look it up.
You click a little box next to your password entry, then type in your one and only password. The addon makes a hash of the name of the website that you're making a password for and of the thing that you typed in.
Once you have done this you have a password that you could never remember, very very difficult to crack and you don't even have to write it down.
:: Here you go ::
site name: lifehacker
passphrase: Secret!
password: Vov6IX-jI0jXds
That is with just 14 characters, letters, numbers, symbols and uppercase turned on.
The only thing you have to remember is "Secret!".
How hard can it be to make passwords secure?

PReDiToR

So I generate my passwords with KeePass where I use extra entropy by using random sites with random content like [www.grc.com] or something like that.

Michse

Where possible, I use a strong, 12 character password for the answer to my "secret question". A couple sites required phone verification of answers, and would only accept "reasonable" answers.

jtimberman

My password creation method (which I probably learned from Lifehacker) is to pick a word - lets say 'yes' for the sake of simplicity; then for each letter, type the keys that surround the letter in a circle. So for "y" - I would type "67uhgt", for "e" it would be "34rdsw" and for "s" it would be "wedxza".

To add non-alphanumeric characters, I hit the shift key for the circle of keys representing every other letter, so my password for "YeS" would be: ^&UHGT34rdswWEDXZA. I just skip out keys that would create any problems (space, tab, etc).

If the password starts getting too long, you don't have to use the full circle of keys, you could just use the ones on top, etc.

Incredibly easy to remember and to type in, but nice and secure...

GregH

They are plenty of examples in the comments of great ways to create complex passwords and answer security questions. The point is that you do not want to reuse the same small set of passwords over and over on the 75 sites you access. This is where a tool like KeePass really shines.

shakiestnerd

This is all great, of course... lets not forget that Palin's password in the first place was: "popcorn"! -- gvcbekx12@imap.cc -- http://www.fastmail.fm - The professional email service

GiovanniAeolus

Password recovery phrases? I never use them, and I hate them. They're usually not configurable (as they should be), and they're usually easy to guess, like "Mother's maiden name" or "City where you were born".

So, whenever I encounter one, I mash the keyboard like a retarded chimp, being sure to include numbers, letters, and special characters. If the text box is masked, I do the mashing in the Run box and copy/paste it as needed.

I don't store the answers I provide. Obviously this prevents me from ever using the password recovery phrases. I don't need them since I store my passwords and backup the password database.

leftist

I'm always surprised that people don't know the "shift" trick. Simply use a short phrase and before you type it in shift your fingers off of the home row, up, down, left, or right. Which works better depends on your phrase and it is easy to remember. "ShiftUp" becomes "Wy8r5&0" when I shift my fingers up from the home row.

ShrilekhaAliquippa

I've taken to creating a a fake profile of information about myself that I use consistently (so I don't forget it) for my birth date, mother's maiden name, and father's middle name, high school attended, etc.

That way, even a family member couldn't hack your accounts (but why would they want to?).

ksigmund

I'd cut her some slack on this one. I get emails from people using their work email and business stuff from their free account when they are at home. It's nothing sinister, and all to easy to blur if you're not at the office and need to send something.
People don't use secure passwords because they are too hard to remember. Those security questions are really a problem as has been pointed out. All that stuff you can search for nowadays.

Hello_Newman

in a recent posting to the RISKS Digest, the real problem is people who choose (and worse, organizations which force you to choose) publically available information as an authenticator. If you didn't make it up yourself from scratch, and disclose it *only* to one other party, who will use it to authenticate you, then it's not an authenticator; it's a false sense of security -- Baylink

RichardShooter

Alright I think I've posted the same thing 3 or 4 times because I don't understand how this comment thing works...I hit submit and nothing happens...

Dakhara

This all seems like so much work, personally I just use the same answer for everything. You just have to pick an answer that has nothing to do with any question or anything in your life, like...

"lamps are for chickens"

just something obscure that's easy to remember once you start putting it in a couple times, and no one will ever guess it...

Dakhara

just use the same phrase for every answer. its simple and as long as you pick something that you don't say on a regular basis and has nothing to do with your life, no one will ever guess it...something like

"lamps are for little children"

and then just use that for everything, no password manager required, or insane system.

Dakhara

I think thats a lot of extra work. I'm not sure if this is a good method but what I've always done is use the same phrase for an answer for every question. I picked the phrase the first time I ever had to use those silly questions, its just something completely random that I've never written down, and is undoubtedly impossible for anyone to guess. Then just use that every time. Simple enough.

Dakhara

Is it still a bad idea to just write passwords on a piece of paper and keep it in your drawer? That would get them off the computer altogether, and who really needs password security from actual people in your house anyway?

joeljkp

I'm using motorcycle brands and types as passwords (I guess cars work as well):

bgs1200
sgsx1300r
yfjr1300
sgsx1100f
hvfr800

(b=bmw,s=suzuki,y=yamaha,h=honda)

Warped1

Often worse than security questions you can't answer, like "what was your favorite sandwich when you were ten years old?", are the free format "Enter your own security question and answer"-style setups.

A bank I used to use implemented this feature for phone banking. Thinking I'd be a smart ass, I entered the following combination as one of my security questions:
Q: Hi, I work for [bank name]. Can you guess if I'm wearing underwear?
A: I don't think that's any of my business. Do you?

This worked fine until they began using the same information for online banking, which meant that to access my account, I had to type my answer perfectly including punctuation and capitalization. Needless to say, I'm no longer with that bank.

Another reason I'm not with them is because they'd phone me - note, I said THEY phoned ME - and the conversation usually went something like this:

BANK: Hi, this is [name] from [bank]. I need to discuss your account, but first I need you to answer a security question. What is your mother's maiden name?
ME: No. You called me. If you want to discuss my account, you answer a security question. What's my current balance?
BANK: Erm...I can't do that until you prove to me it's your account.
ME: Well then we're in a stalemate then. Should I call you?

GRBrit

I wish there was more of a "standards of practice" or something among services....

I know most services tend to ask the same/similar questions...

I mean shit, they hack one account, it wouldn't be to hard to gain access to another account.

Some security enhancements I'm thinking of:

a) delayed lock-out after say, 3 incorrect guesses - which would require dialing in to the company to request access, in which they would ask further questions.

I know this is how my banking site is, after 3 incorrect password attempts, you are locked out and have to call their 24/7 line to regain access...

Of course for the "generic internet startups" that appear by night on the web, this wouldn't be too feasible :P But then again, these are lowly sites that often get passwords assigned such as "asdf1234" or "password123", etc...heheh.

I gotta say though, Password Safe is a godsend ;) It
s with me always, on my usb drive, backed up across 3 e-mail accounts, and my google docs account (in it's encrypted form).

ahoier

One of the easiest ways that I have found for generating strong yet memorable passwords is to translate a phrase you will remember into a foreign language and then transliterate it back into English keyboard characters. This is especially good with phrases that have no meaning in the target language, like LOLCats (translate it as cats that laugh noisily).

For example, I use Arabic frequently, so the standard I use for keyboard transliteration is SATTS (Standard Arabic Technical Transliteration System). Arabic has 29 characters, so some of the special characters on the keyboard are automatically used. This virtually ensures that the word created will have no meaning in any dictionary and special character prefix or suffixes can easily be added if they do not appear naturally.

sahir