Dealing with password fatigue

How many passwords do you have? According to a study done by the NTA Monitor in 2002 the average computer user has 21 different passworded accounts. Twenty One! And that was before Facebook, Twitter, or any other social networking tool. I personally have well over 100 distinct account credentials on various websites and servers.

It’s no wonder that many users resort to picking easily guessed words, put passwords on sticky notes, or use the same password for every service out there. A recent study even indicates that IT security professionals are suffering from password fatigue.

Password Managers

One solution to password fatigue is using a password manager. Many operating systems, like OSX and Windows 7, even include password management tools. My personal favorite is KeePass, an open-source manager that was developed for Windows but has been ported to OSX and Linux.

The main drawback with password managers is that they require extra effort to maintain. Every time you create a new account or change a password on an existing account you have to keep your password manager in sync. Over time it is easy to have the wrong password on file, or worse, not have the password you need on file.

Password Schemes

An alternative to password management tools is coming up with a consistent scheme for generating new passwords. The idea is that if you always apply the same rule when creating a password, you can reconstruct any account's password later instead of having to remember each one. One scheme is to use a base password, then append something related to the service. So for example, your base might be ‘asdf’. If you were creating an account on Yahoo you might use the password ‘asdfyahoo’ or ‘yahooasdf’.

The drawback with this approach is that each site has its own password guidelines. Some require alpha and numeric characters, some require a combination of upper case and lower case, and others require extended characters like ‘$’ or ‘&’. Coming up with a scheme that supports all the requirements is a challenge. And what about services that require your password to change regularly? Either you have to create multiple base passwords or multiple service keywords, and once you do that you are back to keeping track of individual passwords.

Choosing Memorable Passwords

A third option is picking passwords that are easy to remember. The challenge is in picking a password that is both easy to remember and secure. For example, while everyone can remember ‘password,’ it is not a very secure choice.

One trick is to pick a phrase that can be remembered such as ‘The fox jumped over the tall hedge’ and use the first or last characters from each word. So in our example phrase you might use the passwords ‘tfjotth’ or ‘exdrele.’

While this approach makes passwords easier to remember, you still should not use the same password for every service, so it makes sense to pick a few phrases that can be remembered and cycle through them.
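As an added illustration (not part of the original post), the script below implements both schemes described above, the base-plus-service rule and the first/last-letter passphrase trick, and then checks the derived passwords against a few constructed site policies of the kind the post mentions (minimum and maximum length, required character classes). The phrase and base password are the post's own; the policies and function names are assumptions made for the example. Running it shows concretely why a single simple rule tends to be rejected somewhere.

```python
import string

# Example inputs taken from the post
PHRASE = "The fox jumped over the tall hedge"
BASE = "asdf"


def first_letters(phrase: str) -> str:
    """Password from the first character of each word (the post's 'tfjotth')."""
    return "".join(word[0] for word in phrase.split()).lower()


def last_letters(phrase: str) -> str:
    """Password from the last character of each word (the post's 'exdrele')."""
    return "".join(word[-1] for word in phrase.split()).lower()


def base_plus_service(base: str, service: str, service_first: bool = False) -> str:
    """The base-password-plus-service-name scheme ('asdfyahoo' / 'yahooasdf')."""
    return service + base if service_first else base + service


# Constructed policies (assumptions for this example) mimicking common site rules.
# "max" of None means no upper length limit.
POLICIES = {
    "alnum_8": {"min": 8, "max": None, "classes": ("lower", "digit")},
    "mixed_case_8": {"min": 8, "max": None, "classes": ("lower", "upper")},
    "symbol_8_12": {"min": 8, "max": 12, "classes": ("lower", "upper", "digit", "symbol")},
}

# How each required character class is recognised
CLASS_PREDICATES = {
    "lower": str.islower,
    "upper": str.isupper,
    "digit": str.isdigit,
    "symbol": lambda c: c in string.punctuation,
}


def check_policy(password: str, policy: dict) -> list[str]:
    """Return the rules the password violates; an empty list means it is accepted."""
    problems = []
    if len(password) < policy["min"]:
        problems.append(f"shorter than {policy['min']}")
    if policy["max"] is not None and len(password) > policy["max"]:
        problems.append(f"longer than {policy['max']}")
    for cls in policy["classes"]:
        if not any(CLASS_PREDICATES[cls](c) for c in password):
            problems.append(f"missing {cls}")
    return problems


def policy_report(password: str) -> dict[str, list[str]]:
    """Check one password against every constructed policy."""
    return {name: check_policy(password, pol) for name, pol in POLICIES.items()}


def accepted_everywhere(password: str) -> bool:
    """True only if no constructed policy rejects the password."""
    return all(not problems for problems in policy_report(password).values())


if __name__ == "__main__":
    candidates = [
        base_plus_service(BASE, "yahoo"),
        base_plus_service(BASE, "yahoo", service_first=True),
        first_letters(PHRASE),
        last_letters(PHRASE),
    ]
    for pw in candidates:
        print(pw)
        for name, problems in policy_report(pw).items():
            print(f"  {name}: {'ok' if not problems else ', '.join(problems)}")
```

Every candidate derived from the post's examples fails at least one of the constructed policies, which is exactly the maintenance problem the text describes: the scheme has to be amended per site, and the amendments are what you end up having to remember.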

How do you deal with the many passwords in your life?

3 replies
  1. Chuck Rock says:

    I would also consider a few other things regarding passwords. If you’re a bad guy trying to figure one out, a space in the password can make it almost impossible to guess or crack. Using a space for some reason also makes the typical “random” password much easier to remember. Something like SD0I12d would require some training, but “SD0 I12d” becomes easy to say, remember and hard to crack.

    I agree with the password manager program, but you should guard that file as if your life depends on it. If someone is able to get it and open it, all the passwords in your life are available to them.


  2. Brian Wahoff says:

    Those are both good points. In practice, I’ve found sites that disallow the space character in passwords. I think this is primarily caused by sloppy password validation mechanisms that ignore whitespace. Thankfully, these sites seem to be few and far between.

    The latest version of KeePass for Windows has a few very cool protection mechanisms. In addition to password (or passphrase) authentication it can also require a keyfile to be available. This forms a pseudo two-factor authentication. I’ve heard of people using a favorite mp3 or movie as their keyfile.

    It can also use the Windows account GUID as a seed for the file encryption, so that file is only available to a given Windows account.

  3. Mike Sweeney says:

    On a daily basis we see people working harder than they have to in order to cover password complexity. The suggestions listed above would make it easier to remember the passwords as well as to generate new ones. Just because there is a minimum password length, that does not mean that your password has to be that. Oftentimes passwords are BETWEEN 8 and 12 characters, not 8 characters no more, no less.

