Editorial: September 2, 1996

It has finally happened. And, it's not pretty. I've reached password saturation. The pressure of memorizing what seems like hundreds of frequently changing codes (for my apartment building, the office, the men's room, the office photocopier, the bank ATM, the office LAN, various Internet providers, my three telephone calling cards, a half-dozen World Wide Web-based information services, and my brokerage account) has caused my mind to latch up. After a recent late night out, I spent 30 minutes futilely punching numbers into the keypad outside my apartment building. Finally, a guard woke up and let me in.
Security experts are full of advice about passwords. Unfortunately, their advice suggests that they have to remember only a couple of passwords. The experts advise us to stay away from names, birthdays, anniversaries, telephone numbers, ID numbers, and any other personally significant information. They also advise against using real words, which are easy prey for password-cracking programs persistent enough to go through the dictionary.
In other words, if you can remember it, it's not a good password. Never fear: The experts have plenty of helpful recommendations about what you can use. Quite correctly, they suggest that an unpronounceable password is less vulnerable. So, according to the experts, you should use unfathomable strings of letters like "ascxzase" or "bcvdiasx." Better yet, you can put ASCII symbols, such as %, &, #, @, and !, in the middle of your passwords.
These recommendations suggest that security experts need to spend more time relating to actual humans. Computers can easily remember something like "do%S93#cX," but I have enough trouble trying to figure out whether I'm about to put on the same necktie I wore yesterday. Another complication is when a computer assigns the code for you. Because the computer has no temptation to use a convenient mnemonic, these codes are undoubtedly more secure. Sadly, the only thing harder than remembering a random sequence of characters you chose yourself is remembering a random sequence of characters chosen by something else.
As if all that weren't enough, security experts suggest changing your password every 30 to 45 days. Excuse me, but it's tough enough to remember the 30 or 40 codes I know today. Replace them with new ones every month or so? I don't think so.
So, in the interests of simplifying my life, I've taken to using a few mnemonics. One of my mental tricks is to combine the initials of friends and family in interesting and unique ways. I then make up definitions that help me to remember these bizarre words. I also like to use numerology to create a code, such as 3824, from 3×8=24. And, as soon as I've found a really good password that I can remember for more than a day, I recycle it among accounts.
These memory tricks alone will probably upset security pundits; mentioning them in this column will probably really make the pundits crazy. But, actually, I have little fear that what little I own is vulnerable to hackers and thieves. For example, you have to wonder how many people would spend more than a couple of minutes trying to tap into my brokerage account, which holds a grand total of $15. If, by chance, somebody did go to the trouble of breaking in, I'd be happy to let them have the money in exchange for the password.
P.S. Allow me to introduce myself. I'm Mike Markowitz, most recently Editor in Chief of EDN Asia. Prior to that, I was a Technical Editor for EDN. I'm taking over for Steve Leibson, who left to join a start-up company. He and I share the same philosophy: We at EDN see each of you as our partner. Please call, write, or email me or any EDN editor and tell us how we're doing and how we can make EDN work better for you.
Michael C Markowitz
Editor in Chief