David Emm from Kaspersky writes a good article on securelist.com about the tug-of-war between the need for passwords to be strong and variable for each account and the human tendency to make them weak and similar for easy recall. He gives two suggestions for making strong and easy-to-remember passwords. But there is a third option he neglected to mention, which may prove faster and easier for some people, writes financial services industry expert Vinnie Orlando, CISSP.
Think of a blue sky password: one that, in a perfect world, you could remember and use without fear of compromise. Of course, in a perfect world you wouldn't need a password, but stay with me here. Let's say it is your daughter's name, "Emily". Now Google the term "SHA1 hash generator" and select the top link. At the time of this article, it is the gtools.org generator. In the data field type "Emily" and submit. You will get a message digest of 40 hexadecimal characters. Highlight the first eight characters with your cursor; in this case "b6421c86". This is your password - a hexadecimal output resistant to dictionary attacks and impossible to reverse engineer back to "Emily". Keep in mind that the SHA1 algorithm is case sensitive, so the input "Emily" will give you a different result than "emily".
The downside is that this type of password is harder to memorise, but ultimately you do not have to memorise it. If you forget your password, go back to your message digest generator and submit "Emily" again. Unlike the standard "Forgot your password?" option, this takes far less time to recover. Traditional password recovery options also often rely on security questions and e-mail to deliver your password. If you used a web-based e-mail account to register and you are at work, the firewalls may block you from checking your mail. On the other hand, most firewalls are indifferent to message digest generators, and the recovery is quick. Ideally, you should be able to remember eight alphanumeric characters after repeating them back to yourself ten times in two groups of four characters. If not, you almost certainly will remember it after using it a few times.
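The derivation described above, written out as an added example (this is not code from the article or from any generator site; the function names and the `sha256` option are my own assumptions). It reproduces the two steps the article gives, hash the seed word and keep the first eight hex characters, and adds the check a practitioner would want alongside it: the derived string carries at most four bits per hex character, and never more unpredictability than the seed word it came from.

```python
import hashlib
import math


def derive_password(seed: str, length: int = 8, algorithm: str = "sha1") -> str:
    """Hash `seed` and return the first `length` hex characters of the digest.

    Deterministic by design: the same seed, length and algorithm always give
    the same password, which is what lets it be re-derived instead of stored.
    `algorithm` defaults to SHA1 as in the article; any hashlib name works.
    """
    digest_hex_len = hashlib.new(algorithm).digest_size * 2
    if not 1 <= length <= digest_hex_len:
        raise ValueError(f"length must be between 1 and {digest_hex_len}")
    # The seed is case sensitive because the hash sees raw bytes ("Emily" != "emily").
    digest = hashlib.new(algorithm, seed.encode("utf-8")).hexdigest()
    return digest[:length]


def is_hex_password(candidate: str, length: int = 8) -> bool:
    """True if `candidate` looks like a truncated lowercase hex digest."""
    return len(candidate) == length and all(c in "0123456789abcdef" for c in candidate)


def max_bits_from_length(length: int) -> float:
    """Upper bound on unpredictability from the output alone: 4 bits per hex char."""
    return 4.0 * length


def effective_bits(length: int, seed_space: int) -> float:
    """Unpredictability of the derived password, assuming the scheme is known.

    `seed_space` is an assumed count of seed words an attacker would try.
    The password can be no harder to guess than the seed that produced it, and
    no harder than its own length allows, so the answer is the smaller bound.
    """
    if seed_space < 1:
        raise ValueError("seed_space must be at least 1")
    return min(max_bits_from_length(length), math.log2(seed_space))


if __name__ == "__main__":
    # Constructed walk-through using the article's own seed word.
    pw = derive_password("Emily")
    print("SHA1('Emily') truncated to 8 hex chars:", pw)
    print("Different case gives a different password:", derive_password("emily"))
    print("Re-deriving later gives the same value:", derive_password("Emily") == pw)
    # 8 hex characters cap the password at 32 bits; a seed drawn from an
    # assumed list of 100,000 first names leaves far less than that.
    print("Bits from length alone:", max_bits_from_length(8))
    print("Bits if the seed is one of 100,000 names:", round(effective_bits(8, 100_000), 1))
```

Two design points follow from running it. First, re-derivation works only because the function is deterministic, so the seed, the algorithm and the truncation length together are the real secret and must be reproduced exactly. Second, `effective_bits` shows that the hex output does not add unpredictability beyond the seed: an eight-character hex string caps the password at 32 bits, and a seed chosen from a modest list of names caps it well below that, so the seed word deserves the same care as any other password.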
You should still do your due diligence and not use the same password for all of your accounts, but that doesn't mean you need a unique password for every account you own. For personal accounts I recommend at least three unique passwords: one for your e-mail accounts, one for your financial accounts, and one for all the rest. If you use Administrator accounts and wireless network access keys for your home network (you should), give these their own passwords as well. Keeping these accounts compartmentalised limits the damage of a breach.
The stakes are even higher for your organisation. With all of the recent security incidents in the news, such as RSA, Sony and Epsilon, IT security managers should revisit their firm's password policies. The combined effect of enforcing strict password requirements and expirations, giving people the tools and processes to quickly recover, unlock or reset their passwords, and tying similar accounts to the same directory for authentication (reduced sign-on) will help protect your professional data. Message digest passwords are just one tool you can use in your larger defensive arsenal.