
Improving online financial security with low-tech password management--part 3


Posted by Tom on Dec 16, 2014

Okay, given that we are on a little low-tech password management campaign here, I am going to offer a variant that can add security to any of the methods discussed previously. This post builds on any of the systems we already talked about and takes them up a notch. All it requires is a little bit of practice, and then it becomes pretty much second nature. At this stage, it is safe to say we are getting a little nerdy. I get it, but hear me out.

If you have a little black password hint book, or a file with passwords, or a “book code” style password management system, they all have a couple of potential flaws. They can be damaged or destroyed, which is inconvenient. They can be stolen, which could be even more of a problem. There is not much you can do about the integrity of the text or the files except make periodic copies to limit your exposure. Keep the copies safe as backups, replace them with newer copies as needed, and destroy the older copies. On the security side, there are a few steps you can take to make these systems more secure, one or two of which we have already covered. Let’s quickly review those and then add a twist.

 

First, you pair each recorded password with a master password that you do not record but can easily remember. You will use it for pretty much every login, so it will stick quickly. It is best to make it a combination of letters and numbers, given that most sites allow both in passwords. If you have a site that is weirdly particular (I use one that is strictly numbers for both user ID and password), make a note of that in whatever system you use. I would keep the master password shorter than five or six characters, because there are still a few sites out there that cannot accept very long passwords, and if you use up all of your available characters with the master, the result will not be as secure. If you read the previous posts, you remember that our hypothetical user Jeff uses “JDog3”, which is pretty good: upper case and lower case letters, and a number. If you have a site that allows special characters, you add a character between this and the site password. Then comes the site password you have chosen, by whatever means you chose it. This helps if your password book gets picked up by somebody who tries to put it to use: because those characters are not in the book, their attempts will fail. A professional could work with this, but it prevents a casual snoop or amateur thief from doing much.


If you wanted to be really security conscious, you could add one more component, which is rule based and does not require any kind of record, except a practice key while you get accustomed to it. It is a basic substitution system. You pick a handful of letters and substitute numbers or special characters for them, ideally ones that look similar to you but are entirely different to a piece of software. For example, c@t is recognizably cat to me, and d0g is reminiscent of dog. To a brute force attack, this is a bit trickier. There are programs that can make this leap, but it is harder. Avoidance of simple word passwords is said to generally work to prevent the attacker from sniffing out the pattern. As I said before, there are technology tools like password managers that are stronger choices than this, but some people don’t feel great about those, so this is being provided as an alternative.

 

Using some of our previous examples, from the first two posts, let’s do a sample substitution:

 

Substitution rules:

| Letter | Substitution | Letter | Substitution |
|--------|--------------|--------|--------------|
| A      | @            | O      | 0            |
| E      | 3            | B      | 8            |
| I      | 1            | G      | 6            |

 

 

Jeff’s passwords with substitution (master password/character included):

| Password—from previous posts | Type | Substitution by the rules above |
|------------------------------|------|---------------------------------|
| JDog3’66Chevelle | Simple | JDog’66Ch3v3ll3 |
| JDog3Ibmfci’77 | Acrostic | JDog31bmfc1’77 |
| JDog3_I_bought_my_first_car_in_1977. | Sentence | JDog31_b0ught_my_f1rst_c@r_in_1977. |
| JDog3150*ionsraj | Book | JDog3150*10nsr@j |

 

 

In order for this rule to work reliably without causing a ton of frustration, you will need to condition yourself to make it the default choice. Some sites do not allow special characters, and you will need to record that in your system. For these sites there is no special character substitution, but otherwise there is no change to what you do. Thankfully these sites are rare and becoming more so every day. Also, the master password stays unaltered, without any substitution.
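An added example, not part of the original post: a short Python sketch of the substitution table above next to the check a password-strength tool performs, which undoes look-alike characters before a wordlist lookup. The function names and the sample wordlist are assumptions constructed for illustration, and the table is applied to every matching letter, so results can differ from the hand-worked rows above.

```python
# Added example (not from the post). Wordlist and function names are assumptions.
# Substitution table from the post: letter -> look-alike character.
SUBS = {"a": "@", "e": "3", "i": "1", "o": "0", "b": "8", "g": "6"}
UNDO = {symbol: letter for letter, symbol in SUBS.items()}


def apply_rules(site_password):
    """Apply every rule in the table to the site password (either letter case)."""
    return "".join(SUBS.get(ch.lower(), ch) for ch in site_password)


def normalise(text):
    """Undo the table, as a strength checker does before a wordlist lookup.

    Genuine digits are mapped too ('66 becomes 'gg); substring matching on the
    result still finds the underlying word.
    """
    return "".join(UNDO.get(ch, ch) for ch in text).lower()


def variant_count(word):
    """Spellings of word when each substitutable letter is swapped or left alone."""
    return 2 ** sum(ch.lower() in SUBS for ch in word)


def audit(password, master, wordlist):
    """Show what still protects a password once look-alikes are undone."""
    site_part = password[len(master):] if password.startswith(master) else password
    plain = normalise(site_part)
    hits = sorted(word for word in wordlist if word in plain)
    return {
        "site_part": site_part,
        "normalised": plain,
        "wordlist_hits": hits,
        # Upper bound on how much the substitution multiplies guesses per hit.
        "guess_multiplier": max((variant_count(w) for w in hits), default=1),
    }


if __name__ == "__main__":
    WORDLIST = {"chevelle", "cat", "dog"}  # constructed sample wordlist
    combined = "JDog3" + apply_rules("'66Chevelle")  # master stays unaltered
    print(combined)
    print(audit(combined, "JDog3", WORDLIST))
```

A multiplier of 8 is three bits of added work for a guesser who knows the table; the unrecorded master password is the part the notebook does not reveal.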

 

That is all there is to it. We hope that is a useful way to round out the series. We have another one coming later with a totally different approach to passwords, but before we get to that, we are going to examine some of the technology that is worth using. So from low tech, we will move on to high tech in a few weeks. We have a few other topics that we want to touch on first. If you want to be kept up to date on these, feel free to subscribe to updates, and follow us on social media.

 
