Passwords. They have become so ubiquitous in modern life that we rarely think about them. Even our phones have passwords, and some cars and even houses have electronic locks that you can access with a password. They are here to stay, and virtually everything we do, certainly every transaction, has a password associated with it.
I still remember my first password. I needed one at the end of public school to access the brand new computer lab. Yes, we just got computers in my public school. No, I’m not 90 years old. That’s what happens when you live in a rural area. Anyway, I needed to come up with something, and not knowing what else to do, I picked my favourite Pokemon.
It was clean, simple, easy to remember and no one ever hacked it. I thought it was great, and I would have kept using it as my password forever … until they changed how passwords work.
You know what I’m talking about. If you go to any website, set up an account anywhere, you need to input a password. Instantly, you will see both recommendations and requirements. For instance, your password must be at least 3 characters long, and often it needs to have a mix of upper and lowercase letters, and maybe even special symbols, numbers and who knows what else.
This process has made me slowly lose my old password. During my third year of high school, I needed to add numbers to my password. Yes, all passwords must now be alphanumeric. This was fairly easy, because every Pokemon has an associated number in the Pokedex, so my password went from Jolteon to Jolteon135.
Yes, I was that much of a Pokemon nerd that I knew the encyclopedia numbers. Hey, it came in handy, right? This new password lasted for half the year, and then the school had a hacking incident where several people’s passwords were compromised. The administration reset everybody’s passwords and input a new guideline: must have capital letters and must be at least eight characters long.
My password didn’t need to change, but the school forbade anyone from reusing the same password as before. The system automatically rejected any such attempts. I thought long and hard on a new password … and then just said screw it, typed in something random, logged in and then clicked change password. There we go, that worked, back to Jolteon135.
That remained my password, and my password for every online account I had, until I went to university. I had to sign up for an email account, and my password needed to fulfill about eighteen-thousand requirements:
- at least two capital letters
- at least two lowercase letters
- at least two numbers
- minimum of eight characters
- certain strings of characters were not allowed (so no 123 or abc, and oddly, not even 135!)
- must have letters in between numbers (so aaa123 is bad, but aa1a23 was okay)
- no part of your password can be a dictionary word (so the ‘jolt’ in Jolteon was a no go)
I’ll just let XKCD take it away here:
It took me 45 minutes to think of this password. This password was more than just my email; it accessed everything on the university system. I needed it to go to the library or even the gym on occasion, so I couldn’t just save it in my browser and forget about it. At the same time, I almost certainly will forget it because, well, it’s basically designed to be forgettable.
I came up with a fairly good solution, if I do say so myself. I still use it today, so it’s stood the test of time. It involves two components. First, a phrase. It’s not a common phrase, and it’s nothing I ever say, but it means a lot to me. It has sentimental value. This phrase will be the skeleton of the password, and I then use leet-speak to dress it up.
Leet-speak is the language of the videogame nerd. Technically it’s not a language but a primitive cipher, where certain letters are substituted out for other characters, in this case keyboard letters. There are many varieties of leet, some which just sub out vowels with numbers, some which substitute more and then even some that substitute every letter, usually with multiple symbols.
What I’ve done, then, is translate this phrase into a variation of leet-speak. I capitalize the first letter in each word, and then I leet the rest up. This ensures a steady collection of uppercase, lowercase and numbers, which should fit the bill for most sites. It actually works too well, as it’s 22 characters long, and some places have a maximum character count of 16 or so … which is hilarious.
You see, it’s been shown time and time again, having a mixture of different characters (upper and lower and special and number and whatever else you can think of) does nothing to increase your password security. The only thing that works is length. You could just use numbers, so only ten characters, but if your password is long enough it becomes virtually uncrackable. By contrast, a password of ‘S()1tHy2Q’, one that seemingly follows all the rules of a strong password, can be hacked relatively easily, simply because it’s short.
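To put numbers on the length-versus-character-mix comparison above, here is an added example (not part of the original post) that sizes the brute-force search space of ‘S()1tHy2Q’ and finds how long a digits-only or lowercase-only password must be to match it. It assumes every character is picked uniformly at random, so the figures are upper bounds; the function names are illustrative.

```python
import math
import string

# Character classes an exhaustive search has to cover.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)


def alphabet_size(password):
    """Size of the alphabet implied by the classes the password uses."""
    size = sum(len(c) for c in CLASSES if any(ch in c for ch in password))
    # Characters outside the four classes (spaces, accents) each add one symbol.
    known = "".join(CLASSES)
    size += len({ch for ch in password if ch not in known})
    return size


def search_space_bits(password):
    """log2 of the number of candidates of this length over this alphabet."""
    size = alphabet_size(password)
    if size < 2:
        return 0.0  # empty, or a single repeated unclassified symbol
    return len(password) * math.log2(size)


def min_length_to_match(target_bits, alphabet):
    """Shortest length over `alphabet` symbols reaching target_bits."""
    return math.ceil(target_bits / math.log2(alphabet))


def compare(password):
    """Bits for `password` and the lengths simpler alphabets need to match."""
    bits = search_space_bits(password)
    return {
        "bits": round(bits, 1),
        "digits_only_length": min_length_to_match(bits, 10),
        "lowercase_only_length": min_length_to_match(bits, 26),
    }


if __name__ == "__main__":
    # The short "strong-looking" password quoted in the post.
    print(compare("S()1tHy2Q"))
    # A 30-character lowercase-only password, as the post's closing suggests.
    print(round(search_space_bits("a" * 30), 1))
```

Human-chosen passwords fall well below these bounds, because phrases and predictable substitutions are not uniformly random.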
The longer the better, period. For those sites that require shorter passwords, I use a variation of the above method, where I still use the phrase but reduce each word to just three characters. This fits me at 12, which most websites allow. Awesome, I have a universal password. I know, I shouldn’t use the same password for everything, but I don’t. Some have the longer version, some have the shorter version, and my most important accounts, so PayPal and online banking, have their own special sequence. If my random forum account gets hacked, oh well, I’ll live with it.
I’ve had the same password for years and years … until yesterday, when I needed to set up an account through UPS. In addition to all the other hoops I needed to jump through, they required special characters in the password. These are the !@# and the like, and I needed not just one but three. I couldn’t think of a good way to make my phrase work with these characters, so I made a dummy password of, more or less, abc123ZXT*&^.
I like to think I’m not alone in this. Given all these random characters needed to make passwords, so many people just pick easy sequences of characters to memorize … which of course makes them that much easier to hack, which then necessitates more websites making even dumber requirements for passwords. Just make it 30 characters, minimum, and be done with it. If someone cracks a 30-character password, they deserve a medal.