Complex passwords made easy

The password is often the first line of online defence, but is also often very simple to crack

Take a moment to think about your signature. If it's anything like mine, it's a near-indecipherable mix of loops and lines; something that started out being more or less legible has over the years deteriorated into a lazy, hasty scrawl which is unique to you. And it's that uniqueness which gives your signature it's validity as an identification and authentication token.

Now, imagine that you were foolish enough to spend days and days carefully coaching me in how to duplicate your writing perfectly. Not simply giving me a copy of your signature from which to work, but actively demonstrating and critiquing my performance until I was perfect in every way in copying it. And perhaps, just to add the icing to the cake, you then give me your chequebook and your bank card. Until the money ran out in your account, I could be you.

Stupid? Of course. But in the online world, that is what your password does. If I have your password, I have your account; and if I have your account then as far as the computer is concerned, I am you.

As a second example, imagine that you decide to change your signature from the complex whorl of lines and scribbles, to something made up of simple, Roman-style capital letters. Your signature would now be one that I can easily copy; and again, I could be you as far as the bank is concerned. This, of course, is the real-world situation corresponding to a simple, short password such as your first name.

This happens often online. Users choose simple passwords; they share them with one another or, if the password is difficult or is forced on them, they write it down. Passwords form the first and best line of defence against "identity theft", but are almost universally misused.

To be effective, the password must be something which is hard to duplicate and must be private, like the way you write your signature.

There are some simple, easily remembered ways in which passwords can be made much more effective. A successful password must be complicated but memorable; for added security, a different password should be used for different services - one for Hotmail, another for the network. My passwords have two components: a common core phrase, alongside a mnemonic for the service to which it is applied. It has numbers, punctuation marks and a mix of upper and lower cases. It would take years to reproduce through brute force, but remains something that I can remember and reproduce quickly.

For example, say the core phrase is "bedtime"; I can write this as 9beD!tiMe#. This is hard to reproduce. For Hotmail, it might be hot9beD!tiMe#mail; for the network, net9beD!tiMe#work - subject to any password length restrictions. The result is a password I can remember but which is very hard to reproduce; nearly as good as the scrawl on my bank card.