Skip to main content

Please Provide A Password, Pronto!!! (Redux)

Column: Final Thoughts

From the Nov. 2008 Issue

A few years ago, I wrote a column describing a method to generate a different,
easy-to-remember, yet secure password for any website or program. Since that
column ran, I’m regularly asked to detail the system. In an effort to
help (and maybe cut down on a few questions), I’ve decided to re-run the
Column. Here it is:

I regularly visit hundreds dozens of websites, and more and more are
personalizing content for me by offering me “portal” type services.

Some are quite innocuous, like, “Tell me where you live, and I’ll
tell you about the weather.” It’s a beginning step in what I refer
to as the “you give, you get” paradigm. “Tell me what stocks
you want to watch, and I’ll personalize a ticker for you.” Again,
pretty innocent. What about, “Tell me your account number, and I’ll
show your transactions” or “Tell me your patient ID, and I’ll
tell you about your prescription drugs.” Now we’re talking about
SECURITY!! Those are areas where we ALL want great security.

Fortunately, most folks providing this kind of information on the web are
very security conscious and have provided for users to choose hardened user
IDs and passwords. Hardened is a term many consultants use to describe an ID
or password that is (usually) at least eight characters long, containing alpha,
numeric, upper and lower case characters, and a symbol. It is NOT your name,
your pet’s name nor the street where you live. In fact, it is NEVER a
word at all. IDs and passwords like these are extremely hard to break, and the
hope is that an intruder would lose interest rather than spend the inordinate
time required to break your security and access your information. But you knew
that, right?

What I’ll bet you DON’T know is how to manage those hundreds
(oops, there goes that exaggeration again!) dozens of user IDs and password
combinations. Here’s one method that seems to work well for me. I have
a “standard” user ID that consists of letters (some upper case),
numbers, a symbol, and two letters chosen from the website to which I am authenticating
or program I’m accessing. By way of example, my User ID might be wjY6%XeX,
where the X’s are the second and fourth letter of the website I’m
visiting or program I’m using. So, if I were visiting,
my user ID would be wjY6%TeA. Notice the “T” and “A”
are picked from the website address. If I were visiting, my user
ID would be wjY6%IeP.

The secret is that I actually have only ONE user ID to remember. In this case,
it’s wjY6%XeX, but it’s different at every site.

I do the same thing with my password; it’s a single hardened string
incorporating something from the site I’m visiting. The result is a simple
system that provides great security. Often, I’ll hit what looks to be
a new site, and when it asks me to login, I’ll just “try”
my user ID and password. Sometimes, I discover that I’ve already been
there as my “special” user ID and password take me right in.

Are there problems? Sure. There are some sites that like to “assign”
user IDs and don’t give you the right to change them.

A few have policies that preclude the use of special characters, such as the
following: !, @, #, $, %, ^, &, *, ( or ). One I use (a bank) actually had
the gall to tell me their disallowance of special characters was a “security
feature designed to protect you.” Amazing!

Some sites use your Social Security number as an ID (and they think THAT’S
secure?). Finally, some sites limit your password to only five or six spaces.
My answer to them more and more is, “goodbye.”

There are plenty of other “safe” sites to provide me with the
services I need. I hope you’ll join me in demanding high-level security
policies from the vendors with whom you work. And remember that if you’re
not already providing individualized web services to your clients, you probably
will be someday soon. And they will be asking YOU for the right to use “hardened
passwords.” Smart practitioners think ahead.

A parting tip: Many firms are now developing standards for password-protected
Excel, Word and *.PDF files that they exchange with clients. Take even a small
firm with only a few accountants times a few hundred clients times a few dozen
files each, and you can quickly have thousands of password-protected files floating
around. When you do, you darn well better have a system to manage them! And
when the system fails (sorry, but it ALWAYS fails eventually), and you’re
stuck with a file that’s so protected that no one can open it, try
It’s a magic little trick that WILL open it! Enjoy!

PS: The user ID detailed above (wjY6%XeX) is NOT the one I use!!!

PPS: If you’ve not looked at Microsoft’s new Live Mesh, I suggest
you do so … soon. Consider this a glimpse into the wonder of “cloud
computing.” It’s a data synchronization system that allows files
and folders to be shared and synchronized across multiple devices. A small client
on each machine allows you to set up relationships among different devices.
When a folder is marked for synchronization, it becomes available on all devices,
and any modifications made on any machine to any file in the folder will be
replicated to all devices. See
It’s FREE and, although still in beta, it’s been as solid as a rock
for me.

(You can get more of Greg @ his blog: