Passwords: FAIL


Joan Reeves writes that she has an address book that she keeps her usernames and passwords in. I cringed when I read that.

These days, people don't use Franklin Planners any more; they keep their data on their cellphones instead. I remember too many people frantically searching for their Franklin Planners. "I've got to find it. It contains my life!" is what they would always say.

Situation: FAIL

Last week, the reruns of "West Wing" had presidential candidate Matt Santos (Jimmy Smits) leaving behind a briefcase, discovered by an operative for the opposition candidate, Arnold Vinick (Alan Alda). There weren't any strategic plans of any consequence, but there was a checkbook. It seems that Santos had been sending monthly checks for nine years to a former subordinate with a nine-year-old daughter. Several episodes later, we learn that his brother is a worthless lout who can't be trusted, and that when he messed up and disappeared, Matt and his wife decided to support his niece.

It worked for that dramatic series because people can easily believe that important briefcases get forgotten all the time. Every day, people leave behind over 300 iPhones and BlackBerrys in New York City. Are you willing to bet that you will never lose that address book of usernames and passwords? There are two problems if you do lose it. Not only does someone else gain access to your accounts, you lose access at the same time.

I used to spend a fortune on my checking account, because I would be hurried by the people behind me in line and wouldn't get the transaction written down in my check register. When I switched to duplicate checks (NCR carbonless paper), I ended up losing track of entire check pads. It gets expensive really fast when the bank covers an overdraft. I switched to debit cards, and that's rarely a problem. People like the "float" of writing a check and not having the money disappear from their account for three days, but I'd prefer the money disappear immediately, so I can easily determine exactly where I stand.

The Free Vault

When we bought this house, there was a huge antique safe in the closet. I'm sure it's fire-proof; it must weigh 400 or 500 pounds. The previous owner thought it simpler to replace the safe than to try to move it. It's a convenient place to keep the car titles, the deed and abstract to the house, etc., but not a good place to store passwords, not when we have four computers networked together in this house.

And I've learned that the only good way to keep track of tax papers, etc., is to scan them onto a hard drive. It's pretty simple to have each computer back up another computer's hard drive data; disk crashes are inevitable, but for us, it would be relatively painless. Our only worry would be a house fire - and if that happens, we've probably got bigger worries than that.

So how do I manage passwords? It's pretty simple. I only use about three of them.

There are sites that I deposit money with. They're all pretty much interconnected, and they all have a lot to lose should they be compromised, so I figure they take measures to keep employees from learning customers' passwords. Since I only connect to these sites via HTTPS, I figure it's safe to use the same password with all of them. It's a fairly complex password nonetheless, because a break-in could be really expensive. One caveat: HTTPS protects the password only while it is in transit, not the copy each site stores. A password shared across a group of sites is only as safe as the worst-protected site in the group, because whoever recovers it from one site's breach can try it at all the others.

Triage: Category 2

There are also sites that I control. They're on the server I lease, and there's little risk of a data center employee using the password, because if they ever need to access the server, I change the password immediately before (if possible) they access it, and change it again afterward. They have a narrow window for access. There's no reason I can't use the same password for all of these sites, because the only "insider" who could use the password from site A on site B is me. This password is also fairly complex, even though the potential loss is much less, because I access these sites via plain HTTP. HTTP transmits passwords in plaintext, so anyone who can see the traffic on any router or network segment between me and the server could grab the password, and with it every site that shares it.

Then there's everything else. I use the third password there. It would be fairly simple for Joe, who runs site A, to steal my password from his own site and use it to impersonate me in posting on site B. That might be embarrassing, but not much more. Even without that, he could edit my posts on his own site, or make posts in my name on his site, that give me a black eye or a red face. That sort of thing just doesn't happen all that often.

So how do you make a fairly complex password that you can easily remember? Combine a word or two that you will remember with a number. You might choose jazz3ant. Passwords of 8 characters are usually acceptable at most sites. Some will insist on a punctuation mark, and you can use jazz3ant? or jazz!3ant for those. Keep in mind what eight characters built from two short words and a digit can and can't resist: they hold up against online guessing, where the site rate-limits or locks the account after a few failures, but not against offline cracking once a site's password database leaks, because two dictionary words and a digit are a tiny fraction of the 8-character space. For the sites that hold your money, longer is better.

Now, you'll notice that jazz and ant, while both fairly common, don't go together. Using "art" or "rap" with jazz would be less secure, because a guesser who tries jazz will also try the words that go with it. You probably want to avoid first names, last names, pet names, sports team names, curse words, birthdates, anniversaries, and "qwerty", "shrdlu" or "password". Something like 10-15% of all passwords are "password". Something like 07041776 or 09112001 is almost as bad. And it doesn't matter that nobody outside the family knows your grandmother's middle name if it's Emily; the person trying to break into your account doesn't need to know what names people in your family have, he just tries all the common ones.
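To make the "avoid these" list concrete, here is an added example (not code from the original post) of a small checker that flags the patterns the two paragraphs above warn about, plus a back-of-the-envelope count of how many guesses the word+digit+word pattern hands an attacker compared with a random 8-character password. The deny-lists are constructed stand-ins for illustration; a real checker would load a published breached-password corpus instead.

```python
import re

# Constructed deny-lists, for illustration only. A real checker would load a
# published breached-password corpus (hundreds of millions of entries).
COMMON_PASSWORDS = {"password", "qwerty", "shrdlu", "123456", "letmein"}
COMMON_NAMES = {"emily", "michael", "jennifer", "david", "sarah", "james"}
# Word pairs that "go together" and so get tried together by a guesser.
RELATED_WORDS = {"jazz": {"art", "rap", "blues", "band"}, "rock": {"roll", "star"}}


def looks_like_date(pw: str) -> bool:
    """True for 8 digits that parse as MMDDYYYY, DDMMYYYY or YYYYMMDD."""
    if not re.fullmatch(r"\d{8}", pw):
        return False

    def year_ok(yr: int) -> bool:
        return 1700 <= yr <= 2100

    a, b, c = int(pw[:2]), int(pw[2:4]), int(pw[4:])
    y, m, d = int(pw[:4]), int(pw[4:6]), int(pw[6:])
    return (
        (1 <= a <= 12 and 1 <= b <= 31 and year_ok(c))    # MMDDYYYY
        or (1 <= b <= 12 and 1 <= a <= 31 and year_ok(c))  # DDMMYYYY
        or (year_ok(y) and 1 <= m <= 12 and 1 <= d <= 31)  # YYYYMMDD
    )


def weak_reasons(pw: str) -> list[str]:
    """Every rule from the text that PW breaks; an empty list means it passed."""
    reasons = []
    low = pw.lower()
    if len(pw) < 8:
        reasons.append("shorter than 8 characters")
    if low in COMMON_PASSWORDS:
        reasons.append("on the common-password list")
    if looks_like_date(pw):
        reasons.append("looks like a date")
    for name in sorted(COMMON_NAMES):
        if name in low:
            reasons.append(f"contains the common name '{name}'")
    # Split on digits/punctuation so jazz3art yields the words jazz and art.
    words = re.findall(r"[a-z]+", low)
    for w in words:
        for other in words:
            if other in RELATED_WORDS.get(w, ()):
                reasons.append(f"'{w}' and '{other}' go together")
    return reasons


def pattern_guesses(dictionary_size: int, digits: int = 10) -> int:
    """Candidates in the word+digit+word pattern drawn from one dictionary."""
    return dictionary_size * digits * dictionary_size


def random_guesses(alphabet_size: int, length: int) -> int:
    """Candidates for a uniformly random password of LENGTH characters."""
    return alphabet_size ** length


if __name__ == "__main__":
    for pw in ("jazz3ant", "jazz3art", "emily", "07041776", "password"):
        print(f"{pw:10} {weak_reasons(pw) or 'ok'}")
    print(pattern_guesses(5000), random_guesses(62, 8))
```

With a 5,000-word dictionary the word+digit+word pattern gives 250 million candidates, which an offline cracker working on a leaked fast hash exhausts in seconds, against roughly 2 x 10^14 for a random 8-character alphanumeric string. The pattern is a reasonable defence against a rate-limited login form, not against a stolen password database.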

Punching It Up

Want a slightly more complex password that's still simple to remember? Shift your fingers one key to the right, one key up, or both when you type your password. It becomes significantly less intelligible. Or, instead of using existing words, create a bizarre acronym. A friend of mine thought Doyle Brunson was the greatest ever, so he made an acronym of "Super System 2: A Course In Power Poker", and SS2acipp became his password.
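The keyboard-shift and acronym tricks above, as an added example that is not the post's own code: one function retypes a password with the fingers moved a given number of keys right and rows up on a US QWERTY layout, and another reduces a phrase to its initials. The layout table and the wrap-around rule at the end of a row are this example's own choices. Note that the shift is a fixed, reversible transform: it hides the words from a casual observer, but an attacker who knows the trick simply applies the same mapping to his dictionary, so the strength still comes from the base phrase, not from the shift.

```python
import re

# US QWERTY rows, aligned so that index i of one row sits "above" index i of
# the row below it (1 above q, q above a, a above z). Layout is this
# example's own choice; only the unshifted key caps are listed.
ROWS = ["1234567890-=", "qwertyuiop[]\\", "asdfghjkl;'", "zxcvbnm,./"]
POSITION = {ch: (r, i) for r, row in enumerate(ROWS) for i, ch in enumerate(row)}


def shift_keys(password: str, right: int = 0, up: int = 0) -> str:
    """Retype PASSWORD with the fingers moved RIGHT keys over and UP rows.

    Negative values move left or down. Horizontal moves wrap around within
    the destination row; a move that would leave the keyboard (up from the
    digit row, down from the bottom row) leaves that character unchanged.
    Characters that are not unshifted keys on the layout (space, '!', '?')
    pass through, and letter case is preserved.
    """
    out = []
    for ch in password:
        low = ch.lower()
        if low not in POSITION:
            out.append(ch)
            continue
        row, col = POSITION[low]
        new_row = row - up
        if not 0 <= new_row < len(ROWS):
            out.append(ch)
            continue
        new_col = (col + right) % len(ROWS[new_row])
        new = ROWS[new_row][new_col]
        out.append(new.upper() if ch.isupper() else new)
    return "".join(out)


def acronym(phrase: str) -> str:
    """First character of every word or number in PHRASE, case kept as typed."""
    return "".join(tok[0] for tok in re.findall(r"[A-Za-z0-9]+", phrase))


if __name__ == "__main__":
    for pw in ("jazz3ant", "Jazz3ant?"):
        print(pw, "->", shift_keys(pw, right=1), shift_keys(pw, up=1),
              shift_keys(pw, right=1, up=1))
    print(acronym("Super System 2: A Course In Power Poker"))
```

Shifting jazz3ant one key right gives ksxx4smy, and one row up gives uqaa3qh5 (the digit stays put because there is no row above it). The author's friend lowercased the tail of his acronym by hand; the function keeps each initial as typed.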

But whatever you do, don't get so clever that you need to write down your password - ever. It makes you so vulnerable to "social engineering."

If you want to break into the computer systems of Company, Inc., get an interview with the president of the company. If he doesn't have his password written on a post-it note stuck to the face of his monitor - there's about a 10% chance of that - have a confederate create a reason for the president to leave you alone in his office for five minutes. There's an 80% chance that the post-it note is stuck inside the lap drawer, in the upper right drawer (assuming the guy is right-handed), under the blotter, or on the December 31 page of his desk calendar. So far, you've got a 90% chance of grabbing his password. If he doesn't have it written down in one of those places, check out his secretary's desk, and your odds jump from 90% to 99%.

Not Even Your Wallet Is Safe

Even writing it down on a card in your wallet is a bad idea. I just had to order a new Medicare card. I think the podiatrist's office failed to return it to me - that was the last doctor I saw - but they insist they did. It's the fourth card Medicare has sent me, and I'm apparently not much worse than average; a friend who works for an insurance company says between 5% and 10% of all their customers lose cards in any given year. Think your password would be any safer? You'd be pulling that card out much more often than a Medicare card.

There are a number of ways to keep track of your passwords, but triaging sites as critical, casual and unimportant, and using three passwords you've memorized, seems to be a fairly good system.
