The pain of passwords

This post may get a bit rambly and is kind of self-indulgent, but some might find it an interesting story. There’s a tl;dr at the bottom.

I use a password manager to manage passwords to the majority of services and websites I have accounts with. Most of these sites have unique and complex passwords that I have no hope of remembering. I like it this way.

Password managers can’t help with everything. You still need to remember the password/phrase to unlock the password manager, and the phone and/or computer you access it from. If you host the password manager’s data file on a cloud storage service, like I do, you need to remember your password to log into that too. Further, given that, in my case, my cloud storage service of choice, ownCloud, is self-hosted, I need to remember all the passwords pertaining to the server that runs that service. This includes local Linux passwords and SSH key passphrases.

Now, sure, I have a copy of the passwords on removable storage somewhere safe so I’m not dependent on all this infrastructure. But guess what? That copy is PGP-encrypted. With a passphrase. That I have to remember.

So let’s recap. The passwords I currently have to remember include:

  1. Local workstation computer password
  2. Smartphone PIN/password/pattern
  3. Password manager passphrase
  4. Cloud storage password
  5. GPG key passphrase
  6. SSH key passphrase
  7. Server login password

Now I’m going to put aside the questionable design decisions I’ve made here; I grant that I could just use a single encrypted password file on a USB key (with backups elsewhere), that I can plug into any computer I trust, and access my passwords. And that’s great for a fallback which I could easily implement, but it’s not exactly something I want to do on a day-to-day basis. Let’s say I simplified this system, though, so I wasn’t worrying about the cloud-hosting of the file. I’d still need to remember 2-3 passwords:

  1. Local workstation computer password
  2. Smartphone PIN/password/pattern
  3. Password manager passphrase

Yes, that’s better, and more manageable. Say, though, that I have multiple computers. Do I use the same passwords for all of them, or should I be a good security-conscious person and use different ones everywhere?

I will tell you right now that in the longer list of passwords above, several of those services shared a password. I hate remembering passwords, as everyone else does, so naturally, I try to remember as few as possible and put as many as possible in my password manager. It got to the point that the aforementioned shared password was one that I’ve used for a long time. By long, I mean at least 10 years. Now before you start yelling at me for being careless and insecure, in my opinion, it was a pretty good password. It was reasonably long, contained non-dictionary words and different character classes, and for the most part, the services that used it were not directly exposed to the internet, so you’d likely need possession of one of my devices to try to crack it. I had no reason to expect that it was compromised.

Monday last week, I typed that password into a group chat. You know how it is; it could happen to anybody. You see your computer screen is blank, and, given how unlikely it is that you’re within the 5-second grace period, you assume your computer is locked, so you sit down, and blindly type in your password while your screen wakes up. You hit Enter, switch to the window you want to be in, and get on with your day. Then your colleague leans over quietly and says “perhaps you want to delete that message you just posted,” and, confused, you take a look at the channel, and feel the ground fall out from under your chair.

Not just because you remember that the password you’ve been typing from muscle-memory for a decade without really thinking about it can actually be interpreted as a rather juvenile set of words that your present self would never use, but also because now you’ve got a problem: you have to relearn a new password or passwords, for the machine you type the password into about 50 times daily.

Bother.

Because of the nature of passwords, ones like this one have existed since before the jury came back on what a good memorable password looked like. My general passwords that I’d drop into a password manager look something like this:

$pyf|?u?'yB7pCNW~$y:yv;Kc*^<c,%U

The length I use has increased over time, as I’ve found less occasion to have to type these manually. There’s no way I want to remember a password like this, let alone have to type it, fingers moving all over the keyboard, hitting Shift every second character. I don’t even want to contemplate having to regularly type something like this into my smartphone.

So after some deliberation, I took a leaf out of Randall Munroe’s XKCD comic:

Pictured: A comic contrasting the struggle of memorising low entropy passwords like "Tr0ub4dor&3" with high entropy passwords like "correct horse battery staple" (CC-By-NC Randall Munroe, XKCD 936)

This, combined with a handy shell script, written by a past colleague, which assembles a password from several words from Linux’s /usr/share/dict/words file, gave me a password that I just had to start remembering. I quickly set the password on my laptop, while storing it in my password vault accessible from my phone (which I could access with other, different passwords that I already knew and didn’t need to change right now) for the inevitable moments I forgot it.
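A sketch of how such a word-based generator can work, added here as an example; it is not the colleague's script from this post. The function names, the 4-8 letter filter and the defaults are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not the script from the post: word-based passphrase generator.
DICT=${DICT:-/usr/share/dict/words}   # assumed default word list

# filter_words FILE: keep lowercase ASCII words of 4-8 letters, dropping
# proper nouns, possessives ("cat's") and duplicates. The length range is
# an arbitrary choice for this example.
filter_words() {
    LC_ALL=C grep -E '^[a-z]{4,8}$' "$1" | LC_ALL=C sort -u
}

# rand_below N: uniform integer in [0, N) read from /dev/urandom.
# Rejection sampling avoids the modulo bias of a plain "r % N".
rand_below() {
    n=$1
    limit=$(( 4294967296 - 4294967296 % n ))
    while :; do
        r=$(od -An -N4 -tu4 /dev/urandom | tr -d ' \n')
        if [ "$r" -lt "$limit" ]; then
            echo $(( r % n ))
            return 0
        fi
    done
}

# gen_passphrase FILE [COUNT] [SEP]: COUNT independent draws, repeats allowed.
gen_passphrase() {
    count=${2:-4} sep=${3:--} out='' i=0
    words=$(filter_words "$1")
    [ -n "$words" ] || { echo "no usable words in $1" >&2; return 1; }
    total=$(printf '%s\n' "$words" | wc -l)
    while [ "$i" -lt "$count" ]; do
        line=$(( $(rand_below "$total") + 1 ))
        word=$(printf '%s\n' "$words" | sed -n "${line}p")
        out=${out:+$out$sep}$word
        i=$(( i + 1 ))
    done
    printf '%s\n' "$out"
}

# passphrase_bits FILE [COUNT]: entropy in bits = COUNT * log2(list size),
# valid because every word is drawn uniformly and independently.
passphrase_bits() {
    size=$(filter_words "$1" | wc -l)
    awk -v n="$size" -v k="${2:-4}" 'BEGIN { printf "%.1f\n", k * log(n) / log(2) }'
}

if [ -r "$DICT" ]; then          # demo run when the system word list exists
    gen_passphrase "$DICT" 5
    passphrase_bits "$DICT" 5
fi
```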

I probably had to look it up about a dozen times, and about two dozen other times I had to sit at my computer for several seconds while I (a) typed my old password before remembering it had changed, and (b) remembered which words comprised the new one, getting it wrong the first couple of times. So all in all, it’s taken almost a week, but I think I’ve got it embedded in my memory now. I still want to have a backup of it somewhere safe in case I have a lapse of memory, but I’m pretty pleased.

There are still a couple of services that shared my old password that I haven’t changed yet (a reason I was reluctant to publish this post yet, but decided wasn’t a big deal), which I’ll do shortly, after I’m a bit more confident in my memory. My main remaining question is whether I get ambitious and try to use different passwords for each of these services. I suspect that if I leave some time between changing each one, I’ll be able to sufficiently remember them all, but it’s a bit scary to think that I could forget one of them and then be completely locked out. I will consider this further.

In summary: Passwords are hard. Brains are fallible. Computers are the worst.

Tl;dr: I typed my very old workstation password into a work chat room and had to go through the pain of choosing a method to generate and remember a new one, then change that password in all the places I used it.