
Keys to the Electronic Kingdom:

Passwords, user IDs... your "creds" for authorization.
Keeping them. (So you don't lose them!) Keeping them private.
And why it matters.

(filename: priv4-sens-system.htm)

Use a computer? You'll need passwords. And user IDs.

Tedious? Yes. Necessary, even if you never do anything "sensitive" on your computer? Yes.

Happily, much of the tedium can be avoided with a carefully thought through system.

Happily, in many cases, one of your email addresses can be used as your user ID.

A term: "Credentials"

Passwords and user names work together, in pairs. You may well have the same user name in multiple places. However, it is unwise to use the same password over and over again. The password and the user name it works with constitute a pair you use, say, to order something from Amazon. The pair is called "your credentials". They are what will lead the Amazon computer to authorize you to give it instructions. Like "send me a new laptop."

Private and Secure

No matter how trivial the things are which you do with your computer... (or smart-phone... or tablet... all of the following applies equally to each of them...) you do need to keep the credentials that give you the use of things private and secure.

Private: Your passwords are private if only you know them, and they are not stored in ways that would let someone else use them. They should be available only to you. (And perhaps a few carefully chosen people close to you. People of integrity and competence.)

Remember this though: you may be hit by a bus. Insha'Allah not, but...

There are ways you can make your passwords available to the right people in that eventuality. Ways that even keep your passwords private until someone else needs to have them, and you are not in a position to provide them. I will return to this "detail" later.

Secure: Fort Knox is secure in several ways. However, I am using the term in a narrow sense here. When it comes to the need to have your creds "secure", all I mean is that they are stored in a way that makes losing them impossible. Or losing the odd one or two of them. Can you really say that your current system... if it is safe on the "privacy" front... doesn't ever leave you wondering what password you gave to something that you only use occasionally?

Yes... usually we just send an email to the "door-keeper", say "I forgot my password"... and they, with none or a few (or many!) checks to see that it is "you" asking, will give you a way to set up a new password.

But you really shouldn't need to use that option very often. One of the benefits of a proper system for creds management is that you don't need to struggle with the nuisance the way people without one do.

The fact that many creds can be circumvented with a simple email should heighten your awareness of how important it is to keep the creds for your email account private.

Yes! It is a pain to put the passwords in regularly. But what if someone steals your computer, and you've set it up to fetch emails without any need for the user to put in a password? You've handed the keys to a lot of things to The Bad Guys if you take that shortcut.

Even if your computer isn't stolen, the day will come when it needs repair. Do you know how much integrity the person who will be doing the job has?

And the very worst aspect of the danger is that if your creds reach people who shouldn't have them, they can get into your system, and use it in ways you don't know... use it for things like selling kiddie porn and extorting huge sums of money from big institutions. Don't you feel you need to do what you can to make it difficult for those people?

In passing: Your anti-malware software is of course also relevant to these concerns. You need to have it. (I like eSet, but there are many good suites out there.) And you also need to be sure it is working properly.

Privacy, security

Protection should be a matter of layers. You would of course lock your car if leaving a laptop in it. You would have a password on the device, so that when it is turned on, that password has to be supplied.

But that doesn't have to be the end of it. You will, of course, have to give the general access password to anyone you hire to repair it when it is misbehaving.

But that doesn't have to be the end of your care of your creds.

I certainly don't do it with every word-processor document I save... though some people do... but I frequently put passwords on them. A service person might see a file called "Memories of my last employer"... but he/she wouldn't be able to read what's in the file. If I send something sensitive in an email, I use a password protected .pdf, and communicate the password to the recipient by a different route than that traveled by the email with the attached .pdf. (If you use the free Libre Office, it lets you turn documents into .pdf's, AND it lets you "lock" them with passwords.)

And so on. All of this will only succeed if you engage with the issues, apply a bit of cunning to adapt my system to your circumstances.

Part of that adapting is to find ways that you can add "layers" to the "onion" of your system of protecting the privacy and security of your records of your creds.

A small topic: Good Passwords

Here is a pretty good password....

eaegAAgagf$"^$1272XXXy

... good, in some ways. But given that you could never remember it, and would soon tire of entering it, it isn't good, because you would soon change it to "password".

But it illustrates some of the things you need to put into something that is actually "usable" and is "good" on more esoteric grounds.

You've heard it all before... A "good" password...

The first two perhaps need a bit of explaining. Suppose I had a daughter named Sarah, born on 28 August, 2005.

"daughtersarah28august2005" would be long(-ish) and even have letters and digits. But certainly "daughter" is a bad thing to have in a password, and probably "sarah". And if there's a real Sarah in your life, and 28 August is her birthday, those are terrible things to put in a password.

Even "SarahIsACharacterFromGenesis" is bad, on the "don't use real words" front... especially like this, with a number of words in a meaningful sequence.

So there are some general do's and don'ts. We'll talk more about password composition later.

Compromise, compromise...

For every question, there is a simple answer. And it is wrong.

In a perfect world, I would say, never write your creds down. But it isn't a perfect world. So what compromise do I choose, so that I can write my creds down, with as little compromise of those creds as I can achieve?

Remember: I want them to stay known only to me, but I do want them known to me, which they won't be if I simply use my gray-cells memory to store them.

How do we write our creds down?

I keep my creds in a word-processor document. And no one can read that document without knowing the password that opens it. (There's no user ID to go with the password... if you have a copy of the file, my system takes you half way to having my creds. But I don't post the file on the internet, and I haven't saved it under a name like "AllMyPassword.doc".)

And I use it fairly regularly, and thus am unlikely to forget where it is, or what the password is. And there's even a hint to the password in the file's name! Maybe my favorite football team is Fenwick United. The file might be saved as WickUnited.doc, locked with "fenwick". (Not a very good password, of course.) Also "of course": I do something a little more complex. But I want it all to remain private, so I don't speak about what I actually do. Devise your own system! The very act of devising it will help you remember it... so you have access to your creds, so that they are secure.

Once the creds are in a computer file, I do, of course (again!), make backups of the file. Ordinary backups. Taken the same way as I back up my other files. The best password management system in the world is no good to the user on the Tuesday after the Monday on which his hard drive crashed... with things on it that hadn't been backed up. Or on the Tuesday after her working-just-fine laptop, with un-backed-up files on it, was stolen.

Now... this may come as a shock to you, given all that I've said so far, but I also print out my document with my creds in it!

... and continue to put "layers" on the onion, between my creds and The Bad Guys. I look after that document. I don't leave it lying around. Anyone with a cell phone can snag a copy in an instant, peruse the document at their leisure.

But that's not all...

How to make ink-on-paper "unreadable"

Cast your mind back to my "good password"...

eaegAAgagf$"^$1272XXXy

Yes... that's a "good password"... by some tests.

But whatever your system is, it has to be one that is usable... by you!

A system that 100% keeps The Bad Guys out is useless, if it keeps you out too. Hence my system allows for an ink-on-paper copy of your creds... because if you had to fire up an app every time you needed some creds, it would, to any reasonable person, be "unusable".

The secret.

Let's say I have four children. And rather boringly, my partner and I named them, in the order they were born, Alice, Bob, Carol, Dave.

We will further say that I will never use / or \ in any of my passwords.

If those things were decided upon, and I was, in August 2020, setting up an account with the excellent online source of second hand books, Abebooks, for the first time, I might USE "abe20AugBob" for my password. But in my document, I would write "abe20Aug/Ch2\". ("Ch2" standing for "child number 2").

I usually do the "written down normally" part first, and the written down obliquely bit at the end of the password. I often need to refer back and forth to the passwords document to put all of the first bit in properly. (If it is a sensitive site, that first bit will be longer than my password to buy books.) It is easy to hold "Ch1" in your head, if you know how the oblique referencing system works.

By the way... including the date you first set up an account pays dividends in due course... I sometimes get a small dose of pleasure when, seeing the date in a password, I think to myself, "I've had that account that long?!"

(And yes, bonus points to you if you noticed, using those particular names was a nod to Messrs -R-ivest, -S-hamir, and -A-dleman... who are not unconnected to what we are discussing here.)

Even with those simple "rules" we are already turning out passwords that have a mixture of upper and lower case letters. (You will have to remember to be consistent... ALWAYS a capital on the first... and only the first... letter of the month.)

Incidentally, the months create a bit of a pain. I would assume you will abbreviate the names. You don't want to be writing out "January". But will September be Sept or Sep? June, July? Write in full? Jly? Jul? It doesn't matter... choose the rule that YOU will find "natural", and "right". (I would go with "use three letters for most, but use June, July, Sept for those". That's what seems the sensible compromise to me. The middle ground between "always write out in full" and "always use 3 letters". The latter is flawed anyway, as we said, as July can be Jly or Jul.)

Besides having both sorts of letters, we've got some digits into the password.

And we're just getting started!

But before we go on, the names thing served a purpose, but is flawed. What family doesn't have nick-names? Is "Bob" always "Bob", or is he sometimes "Robert"? Try to find a system that has no ways to go wrong.

Layers

We're going to come back to the question of ways to "write things down", e.g. "Bob" without writing them down as they are. In the case of "Bob", in my scenario, "/Ch2\" is good for "Bob".

But, partly to make the passwords longer, partly to add a layer to the steps we are putting into the system to make it more private, we'll set up at least one other parallel system of "writing things down without writing them down". Thus if a Bad Guy has your hardcopy, and has somehow found out how to decipher the /Chx\ entries, he will still be locked out until he cracks the second one too. Besides the /Chx\ entries, there will also be /P[letter]\ entries!

"abe20Aug/Ch2\/Pd\" will stand for "abe20AugBob$"! You can probably figure out how that can be... but how would someone who only had "abe20Aug/Ch2\/Pd\" guess that it stands for "abe20AugBob$"? He doesn't even know that the / and \ aren't just some odd punctuation marks thrown in as part of the password!

Secure

We've talked a lot about keeping your creds private.

The discussion of making backups contributed to keeping your creds secure, i.e. "safe" from loss.

But we frequently acquire new creds to keep track of. We should change our passwords from time to time. (Confession: I don't change mine very often... do you? Please at least change them if "something a bit odd" happened in connection with an account. You don't have to completely change them. If the old password was "mypassword", then "mypasswordupdated" is hugely better than leaving it unchanged, weak though they both are on almost every front.)

So here's what you do...

Edit your document, to sprinkle blank lines throughout it. Print out your not-quite-giving-everything-away document.

Now, if you add a new set of creds, or have to make changes to old creds, you just take a pen to your hardcopy (ink-on-paper copy).

From time to time, make a photocopy... or, failing a copier, a simple photograph... of the edited-by-hand version of your creds list. ALWAYS do this if your list is going to be leaving "home". Say traveling with you on a trip. Bags do get lost. Use your imagination! Guard your hardcopy, and that means anticipating the possibility of losing it, and having arrangements in place to be able to access the information on it in the event of a loss. How would you lose your hardcopy? I don't know because I don't know what goes on in your life. And not knowing that, I don't know the best way for you to protect against the loss that might arise. As I said: Imagination.

But eventually, your list of creds, or maybe another document that is important to you, gets a bit long for frequent copying.

Here's the answer to that. When you've printed out a hardcopy, draw a few diagonal lines across any whitespace at the bottom of the last page, to remind you that edits do not go there.

And attach a blank page to the end of your hardcopy.

When the first time to edit or add an entry arises, just put "1" and a short note in the main body of the hardcopy. Say, for example, "1- abebooks". Then, on the blank sheet, write "1"... and next to it "abebooks" and ALL the details of the edit. (And the second one is done the same way, but you mark it 2, and so on.)

Now the only thing you need to copy, to greatly improve the security of your data, is the list of corrections! You don't need to copy all of the pages of the document.

Because we put "abebooks" in front of the edit on the blank page, we don't need the "1-abebooks" in the body of the document. Having it makes a lot of things easier... but it isn't essential.

There's an old saying in computing: "Easy to use? Hard to explain."

This whole essay is a case in point. It isn't short. It isn't "simple". But actually using the system explained here is very simple.

Back to the fun stuff... codes for privacy, for oblique references to password elements

I said the family names idea is flawed, and it is. And I said you want at least two code systems in use, probably in almost every password. You can skimp a bit with sites that aren't sensitive. (The "password" into one of my IP Cams is, at the moment, "123"! I am human, too, even if a geek human.)

The family names thing is flawed because you might not ALWAYS use EXACTLY the same thing, if you try to think of "child number two's name".

Pick something that is extraordinarily familiar to you, and which is a sequence of words and/or digits. Maybe you have a Ph.D. in the history of the British monarchy, 1838-2000. You would "just know" that the monarchs over that period were...

(For our purposes, consider "Victoria" as "Victoria I", which indeed she was, though it is never expressed that way.)

So... IF you were that professor, and in your creds document you saw "/m2\", you would know to substitute "Ge6", IF you had decided that "the rule" was "Monarch: Use two letters. First letter capital. Add the number of that monarch as a digit."

Of course, you are not a history professor. Do you have a favorite song? Let's take "Deck the halls".

That starts...

 Deck the halls with boughs of holly, Fa La

That's enough for our purposes. "/dth4\" could mean "Wit" goes here. Your rule would be "From 'Deck The Halls...', take first three letters of the 4th word." (When it's a "4" (duh!) after the "dth" hint.)

To prepare for being hit by a bus

When I say "you may be hit by a bus", I am of course using that as a general shorthand for lots of things that can happen to us.

It would be wise... for various reasons... to prepare another document secured behind a password. And to be extra careful with copies of that document... The better the program you used to create the document, the better the chances that some Bad Guys have a way to discover the password. Happily, you won't need to access the document very often.

In this second document explain: What punctuation did you use to indicate an oblique reference? You don't HAVE to use "/" and "\". (It is easiest if you pick something that won't arise otherwise.) What systems did you use?

Once that document is finished, protect it with a LONG password... at least 12 characters. Choose three trustworthy people. Give each of them a copy (electronic copy ONLY) and PART of the password.

If the password were "123456789012", you would give the first "guardian" "1234....9012", the second guardian "....56789012" and the third guardian "12345678....".

This trick ensures that no one guardian can "open" the document until at least one... and one is enough... of the other guardians agrees that "it is time". Look at the bits given to the three guardians. I think you can see why this does what I say?
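The three-guardian split, worked through as an added example (not the author's code; the function names are illustrative). It builds the three copies, recombines any two, and counts how many candidates the hidden third leaves a lone guardian, which is what the length of the password has to be sized against.

```python
import math

MASK = "."   # stands in for a hidden character, as in the page's "1234....9012"


def make_shares(password):
    """Return the three guardian copies, each hiding a different third."""
    if len(password) < 12:
        raise ValueError("use at least 12 characters")
    if MASK in password:
        raise ValueError("password must not contain the mask character")
    a, b = len(password) // 3, 2 * len(password) // 3
    hidden = [(a, b), (0, a), (b, len(password))]   # guardians 1, 2, 3
    return [password[:lo] + MASK * (hi - lo) + password[hi:] for lo, hi in hidden]


def combine(share_x, share_y):
    """Rebuild the password from any two different guardian copies."""
    if len(share_x) != len(share_y):
        raise ValueError("shares come from different passwords")
    chars = []
    for x, y in zip(share_x, share_y):
        if x == MASK and y == MASK:
            raise ValueError("both shares hide the same part")
        if MASK not in (x, y) and x != y:
            raise ValueError("shares disagree")
        chars.append(y if x == MASK else x)
    return "".join(chars)


def candidates_left(share, alphabet_size):
    """Passwords still consistent with one copy: only the hidden third is unknown."""
    return alphabet_size ** share.count(MASK)


def min_password_length(alphabet_size, bits):
    """Shortest password whose hidden third alone carries at least `bits` bits."""
    third = math.ceil(bits / math.log2(alphabet_size))
    return 3 * third


if __name__ == "__main__":
    shares = make_shares("123456789012")
    print(shares)
    print(combine(shares[0], shares[2]))
    # A digits-only, 12-character password leaves one guardian 10**4 candidates.
    print(candidates_left(shares[0], 10))
    print(min_password_length(94, 64))
```

A single guardian already holds two thirds of the password, so a longer password with a larger character set is what keeps that guardian waiting for a second one.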

Punctuation marks

They're a bit of a pain in various ways, but having punctuation marks in your passwords is worth the hassle.

You can, of course, put them in just as they are, and hide other parts of the password.

Or you can think of a System for them.

Make up your own! Far better than just using something from the internet.

But if you aren't inspired, and you are willing to have a little card that you keep in your wallet, or somesuch, here's a scheme that eats punctuation marks for breakfast, admittedly not very privately, and provides for much more. How much more depends on how large a card you want to contend with. Remember... you don't want to "flash that card about".

Here's a possible card...

  |  A        B          C        D
--|--------------------------------------
1 | star    percent    dollar   amper
2 | g'dad   unc-greg   sis      got shot
3 | Exxon   Pfizer     AT&T     Cisco

... well... possible for a certain person...

With that card, /cA1B2C3\ would stand for... *GAWT... to someone who kept in his head...

The first row is punctuation marks, "star" indicating an asterisk.

The second row is the initials of people, "unc-greg" being Uncle Gregory, whose initials are GAW.

The third row is the ticker symbol for the companies shown on the card... "T" being the ticker for AT&T.

You would, of course, have to make up your own card... AND not lose it!

"Got shot" was "JFK". For this to be satisfactory, the person using the card should be a little obsessed with the assassination, and "JFK" should leap into his mind as soon as he starts to think "who was it that got shot?".

Simples!

One final idea... a system for strings of numbers

Some sites will not allow you to choose a good password. They insist on mere strings of numbers. Furthermore, your creds list is a good place to write down bank account numbers, etc. Which, like creds, you ought to have private but secure records of.

So how to write down a number without writing it down?

Again... you use a system which is partly in your head.

If your name were Percival Wyems Madison, and you were to write the first 10 unique letters of your name on a scrap of paper, you would get...

P E R C I V A L W Y

(Little Percival is lucky... (if you can call arriving at a prep school with that name lucky)... he wouldn't have to "drop" any letters. Andrew Jeff Anderson wouldn't be so lucky... he'd have to use the slightly more complicated string "ANDREWJFSO"... and if he hadn't had a middle name, he'd be out of luck entirely because we need 10 different letters.)

From there you have probably figured it out? If Percival wants to write "123334" in his private, secure list, he writes /dpeeer\! ("D" for "digits"). He doesn't WRITE DOWN (at least not in the list) what "the rule" is. He carries that in his head. A week of using the system, and he would "just know" what digits the different letters stand for, anyway.

Two digressions...

1) A frill.... but it is the frills that really mess up The Bad Guys. If Percival wrote down /dpzeeqer\, he would know that he should just ignore the z and the q, there being no z, no q in his name. But The Bad Guys would be struggling to make them mean something.

Ah, the fun you can have! Just be careful that you don't get so clever that you do something you can't remember two months from now!

2) Percival was lucky... and I was lucky. I was lucky in that although I was not spelling his name correctly, at first, my error came at the 11th letter, and thus was irrelevant to the point I was making. I had "Percival Wyms..." instead of "Wyems". Happily, that second "e" in his name is the 11th letter, and so it doesn't affect what I was saying before I was spelling "Wyems" properly. Whew. Just before I leave long names, I have to tip my hat to Christopher Metcalfe-Gibson. And blush... I can't promise I have the first name right. A long time ago, I ran an organization's database, and his name "broke" my design, forced a modification. If someone who knew him... (or knows him... I'd like to reconnect)... can put me right, I'd be glad of the correction. Mr. Metcalfe-Gibson and I had "Feldmore" in common.
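The oblique references described in this essay (/Ch2\, /Pd\, /dth4\, the wallet card and the name-letters-for-digits trick with decoys), gathered into one expander as an added example; this is not the author's code. The "P" letter table, the capitalised song fragment, the Exxon, Pfizer and Cisco tickers and the digit mapping (first letter of the name = 1, tenth = 0) are assumptions, since the page leaves those rules in the owner's head, and the digit string in the demo is constructed.

```python
import re

# In-head rules. In real use these are memorised (or decoded from the wallet
# card in the owner's head); none of them is written in the creds document.
CHILDREN = ["Alice", "Bob", "Carol", "Dave"]            # /Ch2\ -> "Bob"
PUNCT = {"d": "$", "s": "*", "p": "%", "a": "&"}        # /Pd\ -> "$" (assumed table)
SONG = "Deck the halls with boughs of holly".split()    # /dth4\ -> "Wit"
CARD = {                      # cells the page gives no value for (A2, C2) are left out
    "A1": "*", "B1": "%", "C1": "$", "D1": "&",         # row 1: punctuation marks
    "B2": "GAW", "D2": "JFK",                           # row 2: initials
    "A3": "XOM", "B3": "PFE", "C3": "T", "D3": "CSCO",  # row 3: ticker symbols
}
DIGIT_KEY = "PERCIVALWY"      # assumed mapping: P=1, E=2, ... W=9, Y=0


def _nth(seq, n):
    """1-based lookup that refuses 0 and out-of-range numbers."""
    if not 1 <= n <= len(seq):
        raise KeyError(n)
    return seq[n - 1]


def _digits(letters):
    """Letters of the key name become digits; any other letter is a decoy."""
    found = (DIGIT_KEY.find(ch) for ch in letters.upper())
    return "".join(str((pos + 1) % 10) for pos in found if pos >= 0)


# The song rule needs a trailing number and the digit rule only letters, so
# "dth4" and "d<letters>" cannot be confused with each other.
RULES = [
    (r"Ch(\d+)", lambda m: _nth(CHILDREN, int(m[1]))),
    (r"P([a-z])", lambda m: PUNCT[m[1]]),
    (r"dth(\d+)", lambda m: _nth(SONG, int(m[1]))[:3].capitalize()),
    (r"c((?:[A-D][1-3])+)",
     lambda m: "".join(CARD[cell] for cell in re.findall(r"[A-D][1-3]", m[1]))),
    (r"d([a-z]+)", lambda m: _digits(m[1])),
]
TOKEN = re.compile(r"/([^/\\]+)\\")


def expand_token(body):
    """Expand the text between one "/" and "\\" pair."""
    for pattern, rule in RULES:
        match = re.fullmatch(pattern, body)
        if match:
            try:
                return rule(match)
            except KeyError:
                raise ValueError(f"no in-head entry for {body!r}") from None
    raise ValueError(f"unknown oblique reference {body!r}")


def expand(written):
    """Turn the written-down form into the password actually typed."""
    result = TOKEN.sub(lambda m: expand_token(m[1]), written)
    # "/" and "\" never appear in a real password under the page's rule, so a
    # leftover one means a reference was opened or closed but not both.
    if "/" in result or "\\" in result:
        raise ValueError("unbalanced oblique reference in " + repr(written))
    return result


if __name__ == "__main__":
    for entry in ("abe20Aug/Ch2\\/Pd\\", "/cA1B2C3\\", "/dth4\\", "/dpxerqc\\"):
        print(entry, "->", expand(entry))
```

Running every line of a freshly edited list through a check like this, before printing it, catches an entry whose reference was mistyped while the rules are still fresh in mind.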




A few words from the sponsors...

If you found this of interest, please mention in forums, give it a Facebook "like", Google "Plus", or whatever. ("This" is: http://wywtk.com/hh/priv4-sens-system.htm) If you want more of this stuff, help!? There's not much point in me writing these things, if no one feels they are of any use.







Please... If you discover flaws in this page, please get in touch! Spare the next reader! It would be helpful if you mentioned the page's URL. (wywtk.com/hh/priv4-sens-system.htm).

Even an "I liked the page... such and such was particularly useful." would be welcome!



