

Choosing Your Password

Your secret key has to be protected at all times, so cryptography programs don't store it in a readable form. Instead, they encrypt it, using what's called a password, or sometimes a passphrase. You can think of your password as the key that unlocks your secret key. Whenever you use your secret key (for example, to sign someone's public key, or to read encrypted email), you will have to type your password. So, your password should be easy for you to remember. However, it should also be difficult for someone else to guess.

When choosing your password, there are several kinds of password which you should not use, under any circumstances. These passwords are so easily guessed that you might as well not use them at all. This type of password includes the following:

That seems to make it impossible for you to have a good password, especially one that you can remember. But all of those (and probably some others) are very, very bad passwords, and will result in your keys being cracked more easily.

So how can you find a good password? Here's the method I use:

  1. Pick a book you have nearby, with at least three words in the title
  2. Pick a page from the book
  3. Memorize which book, and which page

Now, this can be used to build a password which you can always find again:

  1. Take the initials from the first three words in the title
  2. Insert the page number
  3. Take the first letter from each of the first three lines on that page of the book

For example, I have a book here titled Database Programming with JDBC and Java, for use by Java programmers. I've chosen to use page 152 from this book. The first three lines on that page read:

  class. This class runs in its own independent thread, allowing update() to return
  immediately. In less than a second, the ChangeMonitor pulls the change off the
  stack and tells the PersistentPanel to observe that change.

Using my example, with the rules above, I have a password of "DPw152cis", which is, for anybody else, a string of garbage. But, because I know the book and the page, I can always remake my password if I forget it for some reason.
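The derivation rules above, written out in Python as an added example (not code from the original page), so the same book, page and lines always reproduce the same string. It assumes that the "first letter" of a line means its first alphabetic character and that lines containing no letters are skipped; the sample title, page and lines are the ones quoted above.

```python
"""Derive a memorable password with the book/page mnemonic described above."""

import re

# Constructed sample input: the title, page and the three lines quoted on
# this page from "Database Programming with JDBC and Java", page 152.
SAMPLE_TITLE = "Database Programming with JDBC and Java"
SAMPLE_PAGE = 152
SAMPLE_LINES = [
    "class. This class runs in its own independent thread, allowing update() to return",
    "immediately. In less than a second, the ChangeMonitor pulls the change off the",
    "stack and tells the PersistentPanel to observe that change.",
]


def title_initials(title: str, count: int = 3) -> str:
    """First letter of each of the first `count` words, case preserved ("with" -> "w")."""
    words = re.findall(r"[A-Za-z0-9]+", title)
    if len(words) < count:
        raise ValueError(f"title needs at least {count} words, got {len(words)}")
    return "".join(w[0] for w in words[:count])


def line_initials(lines, count: int = 3) -> str:
    """First alphabetic character of each of the first `count` lines that have one.

    Assumption: leading whitespace, punctuation and digits are skipped, so a
    line beginning "'Hello" contributes 'H'; lines with no letters are ignored.
    """
    picked = []
    for line in lines:
        match = re.search(r"[A-Za-z]", line)
        if match:
            picked.append(match.group(0))
        if len(picked) == count:
            return "".join(picked)
    raise ValueError(f"need {count} lines with letters, found {len(picked)}")


def derive_password(title: str, page: int, lines) -> str:
    """Title initials + page number + initials of the first three lines on that page."""
    return f"{title_initials(title)}{page}{line_initials(lines)}"


if __name__ == "__main__":
    print(derive_password(SAMPLE_TITLE, SAMPLE_PAGE, SAMPLE_LINES))  # DPw152cis
```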


Greg Wooledge 2000-10-11