Password Security

February 23, 2009

Several times in the past couple of months I have gotten emails that indicate to me someone is trying to access one or more of my online personas. The latest was this morning and took this form:

This email is a response to your request for information about the Blogger account with the user name [obfuscated]. To regain access to this account, please click on the following link:

[... snipped for obvious reasons ...]

Apparently someone is trying to create an account using my old user name, on Blogger. I've not been active on that service since 2001, but it still contains all the old postings I made there. I've also had password reset emails for my primary Google email account.

The problem with GMail is compounded by their unusual practice of granting you all the variations on your email address using a dot separator. For example, if you registered an account as first.last@gmail.com, you also have firstlast@gmail.com, and f.irstlast@, and fi.rstlast@, and so on. I continually get emails addressed to my account minus the dot. And I am starting to get password reset confirmations for that variation as well.
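The dot-insensitive matching described above means that several spellings of one address all reach the same mailbox, which matters both for the recipient and for any service that treats email addresses as identities (duplicate-account detection, abuse tracking, password-reset routing). The following is an added example, not code from the original post: a canonicaliser that folds the dot variants of a Gmail local part to one form so that addresses can be compared or grouped. It also strips a `+tag` suffix, which Gmail likewise ignores but the post does not mention; the sample addresses and the `example.com` domain are constructed.

```python
# Added example (not from the original post): canonicalise Gmail addresses so
# that dot variants of one local part compare equal, as the post describes.
from typing import Dict, Iterable, List

# Only gmail.com is treated as dot-insensitive here; other providers may treat
# dots in the local part as significant, so their addresses are only lowercased.
DOT_INSENSITIVE_DOMAINS = {"gmail.com"}


def canonical_gmail(address: str) -> str:
    """Return the canonical form of an email address.

    For Gmail, dots in the local part are removed (first.last == firstlast ==
    f.irstlast) and a '+tag' suffix is dropped (a Gmail feature not mentioned in
    the post). Everything is lowercased, since the domain part is case-insensitive
    and Gmail treats the local part case-insensitively as well.
    """
    address = address.strip().lower()
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    if domain in DOT_INSENSITIVE_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "")
    return f"{local}@{domain}"


def group_by_identity(addresses: Iterable[str]) -> Dict[str, List[str]]:
    """Group the given addresses by the mailbox they actually deliver to."""
    groups: Dict[str, List[str]] = {}
    for a in addresses:
        groups.setdefault(canonical_gmail(a), []).append(a)
    return groups


# Constructed sample input: three spellings of one Gmail account plus an
# unrelated address at a different provider.
SAMPLE_ADDRESSES = [
    "first.last@gmail.com",
    "firstlast@gmail.com",
    "f.irstlast@gmail.com",
    "first.last@example.com",
]

if __name__ == "__main__":
    for canonical, variants in group_by_identity(SAMPLE_ADDRESSES).items():
        print(f"{canonical}: {variants}")
```

Run as a script, it prints two groups: the three Gmail spellings collapse to `firstlast@gmail.com`, while the `example.com` address stands alone because its provider is not known to ignore dots.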

That these services require an email confirmation is good; it prevents my accounts from being hijacked. However, getting these emails and realizing that someone is testing the locks on the door makes me nervous.

Like most people I'm fairly lazy when it comes to passwords. I have several that I like and use, and I hope that they are secure enough to withstand casual cracking attempts. I tend to use a combination of upper and lower case, numbers, and misspelled or foreign words, but I also reuse the same password across many accounts. I am of the opinion that one really good password that has lots of entropy, used across accounts, is better than individual passwords that may be weaker for each account. The trick is finding a really good password and trusting that it is really good.

I've tried patterns on the keyboard where I don't need to remember the password itself, just the pattern and a starting point. However, I am not entirely convinced that a smart cracker wouldn't attempt pattern-based attacks, so hopefully my pattern isn't obvious.

I've been experimenting with 1Password on my Mac, which, in addition to remembering passwords for you, will generate new ones. The problem I see with using a password generator is that while the resulting password may be much stronger than one I would think up, I can't remember it and therefore am totally reliant upon the software to remember it for me. If something should happen to 1Password, then I will be dependent upon the email verifications that started this posting. I suppose that wouldn't be the end of the world, but it seems messy somehow.

So I'm searching for a 12 to 15 character password that doesn't contain dictionary words, has numbers and symbols, isn't a readily identifiable pattern, and is something I can remember and easily type.
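The criteria just listed, together with the worry about keyboard patterns a few paragraphs earlier, can be written down as a checker, which is a useful way to test a candidate before trusting it. The following is an added example, not code from the original post or from 1Password: it reports every way a candidate fails the post's criteria (length 12 to 15, digits and symbols, mixed case, no dictionary word, no run of adjacent keyboard keys) and gives an upper-bound entropy estimate. The word list is a constructed stand-in; a real check would load a full dictionary, and the US keyboard rows and the run length of four are assumptions.

```python
# Added example, not from the original post: a checker for the password
# criteria the post sets out, plus detection of straight keyboard-row runs.
import math
import string
from typing import List

MIN_LEN, MAX_LEN = 12, 15

# Constructed stand-in for a dictionary; a real deployment would load a word list.
DICTIONARY_WORDS = {"password", "secret", "cello", "blogger", "google", "winter", "summer"}

# Assumed US keyboard rows, used to detect forward or reversed runs of adjacent
# keys such as "qwerty" or "4321".
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
RUN_LEN = 4  # assumption: a run of this many adjacent keys counts as a pattern


def keyboard_runs(pw: str) -> List[str]:
    """Return substrings of pw that are runs of RUN_LEN adjacent keys on one row."""
    low = pw.lower()
    found: List[str] = []
    for row in KEYBOARD_ROWS:
        for direction in (row, row[::-1]):
            for i in range(len(direction) - RUN_LEN + 1):
                run = direction[i:i + RUN_LEN]
                if run in low and run not in found:
                    found.append(run)
    return found


def dictionary_words(pw: str, min_word_len: int = 4) -> List[str]:
    """Return dictionary words embedded in pw (case-insensitive substring match)."""
    low = pw.lower()
    return sorted(w for w in DICTIONARY_WORDS if len(w) >= min_word_len and w in low)


def charset_size(pw: str) -> int:
    """Size of the alphabet the password draws from, judged by character classes present."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)
    return size


def entropy_bits(pw: str) -> float:
    """Upper-bound entropy: assumes every character is drawn uniformly from the charset.

    A password built from words or patterns has far less real entropy than this
    number suggests, which is exactly why the structural checks below matter.
    """
    return len(pw) * math.log2(charset_size(pw)) if pw else 0.0


def check_password(pw: str) -> List[str]:
    """Return the list of policy failures; an empty list means the candidate passes."""
    failures: List[str] = []
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        failures.append(f"length {len(pw)} not in {MIN_LEN}..{MAX_LEN}")
    if not any(c.isdigit() for c in pw):
        failures.append("no digit")
    if not any(c in string.punctuation for c in pw):
        failures.append("no symbol")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        failures.append("not mixed case")
    for w in dictionary_words(pw):
        failures.append(f"contains dictionary word {w!r}")
    for run in keyboard_runs(pw):
        failures.append(f"contains keyboard pattern {run!r}")
    return failures


if __name__ == "__main__":
    # Constructed candidates: one that looks complex but is word plus pattern,
    # one that satisfies every criterion.
    for candidate in ("Password1234!", "Zq7!vT9#mLw2$x"):
        print(f"{candidate}: {entropy_bits(candidate):.1f} bits (upper bound)",
              check_password(candidate) or "passes")
```

The two constructed candidates make the point: `Password1234!` has the same length and character classes as the passing candidate, so a naive complexity rule would accept it, yet it fails on both a dictionary word and a keyboard run. The entropy figure is only an upper bound for that reason.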


Mark H. Nichols

I am a husband, cellist, code prole, nerd, technologist, and all around good guy living and working in fly-over country. You should follow me on Twitter.