Password maintenance - The Double-Secret

This document is an internal memo for the PPI team.

NEVER WRITE YOUR PASSWORD IN PLAIN TEXT ANYWHERE

Overview

 

This is for anyone who needs to store and track passwords.  These are the four items most often overlooked:

  • Change often
  • Double-secret passwords
  • Always more than 10 characters
  • NEVER use the same password on two different things................. NEVER!!!

 

Really, read this comic first, please:


 

 

Change often

 

At the very least, change your passwords every year, but of course, change them as often as you can.

 

I make it a habit to methodically change ALL passwords at the start of the year, even if I changed them a week before.

 

Double-secret password

 

What is a double-secret password, you ask?

 

It is a scheme in which we do not trust even the system where the passwords themselves are stored.  That means we don't trust your computer, we don't trust online services like Google, or even the NSA, we don't trust even our own service, etc.

 

  • Diversity - Most sites want a number and a capital letter these days.  So the trick is to make sure every password consistently contains something like A1 somewhere in the sequence (meaning at least one capital and one number).
     

  • Date - The next trick is to build the date right into the password, which forces you to remember how old the password is.  An example might be 2015-01-01, or the shorter form 150101.  Every time you type in 1995, you know damned well you need to change your password, and perhaps some other things too.
     
  • Site-specific rule – One problem with passwords is that if someone gets hold of a password for one site, they may be able to use it on another site.  For this reason, each site needs some custom aspect to its password.  It is best if this is 3 or more characters mixing numbers, letters, capitals, etc.  One example of a formula is to take the 'given name' of a company or site and apply some transformation:

    Convert letters to numbers – “ABC” might become “480”
    Convert vowels to symbols – “AEIOU” might become “@&!*)”

    This massively reduces the chance of password scrapers harvesting your password - even by accident.  Most hacks are actually boring bots from countries like India, China, and Russia just looking for the equivalent of an unlocked door on a car or house.  Don't make it easy for them.

     
  • Secret password – The secret that makes this a double-secret is that inside the password you store in writing in a system, there is a part that is never written down.  Basically, it is a personally transmitted password, usually agreed on by a group of people.  For example, a team working on something might all agree that the password will be the top 4 ranked fast-food places, “mcdonaldstacobellwendysburgerking,” or just the first 4 letters of each.

    In other words, when storing the password, you will NOT store this double-secret part.  It is only transmitted verbally within the group.  If it is never written down, it cannot be stolen from a computer in that manner.

 

 

Recap

 

Keep in mind that some annoying people who control the rules for passwords (often banks) only allow a limited number of characters or symbols, or impose some other limitation that does not match the rules presented above.  In those cases, one has to annotate the password as stored.

I usually add a note of '#aholes' on the password to remind me that the institution is placing rules on passwords that make passwords less safe!

 

Real Example

 

For example, for Google, the first three letters of the company name are converted to 8**.

Actual password:

A11501018**8mcdonaldstacobellwendysburgerking

Password stored:

A11501018**8[shared]
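The stored entry above can be audited mechanically against the memo's four rules without ever writing the spoken part down. The script below is an added example, not part of the original memo: it rebuilds the real password from a written entry plus the spoken secret, pulls the embedded date out of the written part to judge age, and flags reuse across sites. It assumes a vault kept as a site-to-entry dictionary and that the auditor knows only the length of the spoken part (the sample vault and the spoken-part length of 33 are constructed from the memo's Google example).

```python
import re
from datetime import date, datetime

SHARED = "[shared]"  # placeholder written in place of the spoken secret

def compose(stored: str, spoken_secret: str) -> str:
    """Rebuild the real password from the written entry plus the never-written part."""
    return stored.replace(SHARED, spoken_secret)

def embedded_date(stored: str):
    """First date in the written part: YYYY-MM-DD, else a valid YYMMDD window in a digit run."""
    m = re.search(r"\d{4}-\d{2}-\d{2}", stored)
    if m:
        return datetime.strptime(m.group(), "%Y-%m-%d").date()
    for run in re.findall(r"\d{6,}", stored):  # the A1 prefix can sit right against the date
        for i in range(len(run) - 5):
            try:
                return datetime.strptime(run[i:i + 6], "%y%m%d").date()
            except ValueError:
                continue
    return None

def audit(vault: dict, spoken_len: int, today_iso: str, max_age_days: int = 365) -> dict:
    """Check each site's written entry against the memo's four rules.
    vault maps site -> written entry; spoken_len is the length of the spoken part (assumed known)."""
    today = date.fromisoformat(today_iso)
    report = {}
    for site, stored in vault.items():
        findings = []
        if SHARED not in stored:
            findings.append("no [shared] placeholder: double-secret part missing")
        if not (re.search(r"[A-Z]", stored) and re.search(r"\d", stored)):
            findings.append("needs at least one capital letter and one digit")
        if len(stored.replace(SHARED, "")) + spoken_len <= 10:
            findings.append("full password is not longer than 10 characters")
        d = embedded_date(stored)
        if d is None:
            findings.append("no date embedded, age cannot be judged")
        elif (today - d).days > max_age_days:
            findings.append(f"set {(today - d).days} days ago, change it")
        dupes = [s for s, p in vault.items() if s != site and p == stored]
        if dupes:
            findings.append("same written entry reused on: " + ", ".join(sorted(dupes)))
        report[site] = findings
    return report

# Constructed sample vault: the memo's Google entry plus the same entry reused on a second site.
SAMPLE_VAULT = {"google": "A11501018**8[shared]", "bank": "A11501018**8[shared]"}

if __name__ == "__main__":
    print(audit(SAMPLE_VAULT, spoken_len=33, today_iso="2016-01-15"))
```

Run against the sample vault, both entries are flagged as 379 days old and as reused on the other site; the spoken part never appears in the vault or the report.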

 

New era with AI

 

2025 - Things are about to get a lot more complex

 

Prepare for Password changes

 

There is no good way to create a secret password when you are not in the same room as the other person.

What is needed is to agree on a password scheme before you use it.

For example:

You have to update a password with a team of 3, all in different places.
It needs to be checked once it is updated.
If you don't have a clear plan in place and a pre-agreed double-secret word, there is no good way to do this on the spot.

 

 

 

Reference

 

How to encrypt your entire life in less than an hour

 

Failures

 

[Image: PasswordbookFail.jpeg, credit Theresa White (via LinkedIn - Freelance Writer | Musician | Fun-Fact Connoisseur)]

 

= END =