Password Strategy

I just checked and I have over 100 UserIDs and passwords. The vast majority of them are for sites that don’t have any of my personal information but require registration before viewing or commenting. I don’t really care if someone hacks into those sites with my UserID. For those sites I use a weak password protection scheme. I use the same UserID and a password that has a codeword, numbers, and something specific to the site that I can remember. I’ll let my browser remember the UserID and password, but sometimes I’ll have to type it in. So, let’s assume that my UserID is WellGolly and I want to register with the New York Times. The first part of my password will be NYT followed by a code word. Here’s where you get creative. Make up a pseudo-word like delk or kifr. It helps if it is easy to type, i.e., the keys are next to each other on the keyboard like these. (But not qwerty or asdf.) Then add a number to the end. Pick something like the first four digits of your locker combination in high school, your street address when growing up, or the year you graduated from high school. Then add a special character like ! or #. That should satisfy most password checkers and no one is going to guess the password. So my hypothetical New York Times password would be NYTkifr3212!. My Washington Post password would be WPkifr3212!. A lot of places use your member ID as your UserID. There’s no way I’m able to remember all of these, so for all of the sites in this category I’ll let the browser or operating system remember my UserID and password.

The second kind of password is one where they have my credit card information. For these I never use a UserID that is visible on the web. They frequently use email addresses as UserIDs so it’s hard to get a secure UserID to use on these sites. For these sites, when I want to receive their spam I create an email account with their name as my email address. e.g. Sears@WellGolly.com or Amazon@WellGolly.com. I can filter their email and look at it from time to time. For sites where I don’t want to receive spam, I use NoSpam@WellGolly.com. This goes directly into the trash and I only look at it if I need to reset my password or go through a confirmation link to activate my UserID on the site. If you don’t have your own domain to play with, set up a free account at Google or Yahoo and use it only for registrations. The other benefit of this strategy is that if one of these sites is cracked, the crackers can’t use the email and password information from the cracked site on a different site.

For the password itself I use the same scheme as for the throwaway sites, just with a different code word and number than the ones I use there. I let very few websites keep my credit card information—usually only places where I make frequent purchases. And by frequent, I really mean frequent—like weekly.

The third kind of password is for banks and credit card companies. Here I use a different code word for each account. That way, even if someone knows my strategy for choosing passwords, and my throwaway code word, there is no way they can guess the password. I’ll also use a number that is secure but that I’ll remember—like the number for the garage door opener or the security code for the alarm at the office. The code word is something associated with the bank; for example, my password at Bank of America might be BOAcindr1875!#. I use these often enough that the code word is easy to remember.

Banks are starting to use additional questions to verify your identity. Unfortunately, the questions they pick aren’t things I can remember. They used to ask things like mother’s maiden name and city where you were born. I know the answer to those kinds of questions. They’ve moved to questions that can’t be googled. One account wanted to know my favorite candy, color, and band. I won’t be able to remember what I told them so I’ll have to write the information down somewhere. On a Mac, you can use Keychain Access to create a secure note where you can write that stuff down. It’s a very bad idea to keep that information in a regular text file. If you don’t have a way to save it securely, then write it down on a piece of paper and store it somewhere secure.

Keychain Access (and other password managers) will let you test how easy it is for random crackers to crack your passwords. All of the passwords that are generated with these methods receive Excellent scores. You can get better scores by increasing the length of the password, and that might be something to consider.

For banks and credit cards, never ever let the browser or operating system save your id and password. If someone has access to your computer, then they have access to your accounts.

Update 2011-01-09: This article calculates the time required to hack a few common types of passwords. Dictionary words and random letters don’t take very long. A three word phrase takes basically forever. Add a few numbers and only the NSA is getting in.

Update 2011-07-18: “The only secure password is the one you can’t remember” is an interesting read if you’d like to know more.

Downloading the NACO A/FD

NACO publishes terminal area charts and the Airport/Facility Directory (A/FD, also known as the green book) and has an online version of the PDFs. The only obvious way to access them is through a map interface. The interface works fine for the terminal area charts but is broken for the A/FD. It’s been broken for years and they don’t seem to have the expertise to fix it. The code is a bit convoluted and it’s on my list of things to decipher and fix. In the meantime I’ve provided a table by state to access the PDFs. It is located on the Touring Machine site at this link. The page provides links to the PDFs that are located on the NACO site. The NACO site uses an XML file to determine the page in the A/FD for each airport. Since XML is a very structured format, it is fairly straightforward to parse the file and convert it to usable HTML. The exact methods I’m using are specific to this file, but the general process works on any XML file.

The first step in the process is to read the XML file. The address is http://naco.faa.gov/afd/afd_17DEC2009.xml, where the date changes every 56 days. Your browser won’t display the XML, but if you view the source and save it you can begin working with it. The first couple of times through I used BBEdit to convert the XML to HTML tables. There aren’t too many steps, but it makes sense to automate the process. Any program that supports regular expressions could be used, and I chose sed because I’m familiar with it. Make sure that the line ending (CR/LF) setting is changed to Unix or Mac if you aren’t working on a Windows machine. Character encoding should probably be set to Western (ISO Latin 1), since that’s how the file was originally encoded.

#### Script to convert NACO A/FD to HTML tables
#### Assuming it is saved as naco.sed, run it with:
####   sed -f naco.sed afd_17DEC2009.xml > afd_17DEC2009.xml.html
## Remove the first five lines of XML and creator information
1,5d

## The opening and closing <airports> tags aren't needed
/.*airports>/d

## Make each state a header tag
s/<location state="/<h1>/

## Set up the table for each state. A backslash before the newline
## continues the replacement text onto the next line; the table header
## itself must stay on one line.
s/">/<\/h1>\
<table width="100%" border="1"><tr><th>Airport Name<\/th><th>City Name<\/th><th>ID<\/th><th>Navaid<\/th><th>pdf<\/th><\/tr>/

## Location is the demarcation for each state.
## Close the table and put an End of State line for splitting
s/<\/location>/<\/table>\
EOS/g

## Open and close the row for each airport or navaid
s/<airport>/<tr>/
s/<\/airport>/<\/tr>/

## Replace each of the following with td> to open and close the columns
## (the same substitution handles both <aptname> and </aptname>)
s/aptname>/td>/g
s/aptcity>/td>/g
s/aptid>/td>/g
s/navidname>/td>/g

## The pdf tags are replaced with a link
s/<pdf>/<td><a href="http:\/\/naco.faa.gov\/pdfs\//
s/<\/pdf>/">pdf<\/a><\/td>/

## Change tabs to two spaces. The pattern is a literal tab character:
## BSD sed on a Mac does not understand \t, so type a real tab (Ctrl-V, Tab)
s/	/  /g

Run this script on the raw XML file and then split the output at each EOS line. I use a small bash script to do the splitting.

#!/bin/bash
# Split the sed output into one file per state, starting a new file at each EOS line.
# Usage: ./SplitNaco.sh < afd_17DEC2009.xml.html
OUTDIR=/Users/username/Desktop/DEC
FILENAME=NACO_17DEC2009_
INDEX=1
mkdir -p "$OUTDIR"
while read -r
do
 if [[ "$REPLY" = "EOS" ]]
 then
  (( INDEX++ ))
 else
  echo "$REPLY" >> "$OUTDIR/$FILENAME$INDEX"
 fi
done

You could modify it to take an argument but I just feed the input file to it.

./SplitNaco.sh < afd_17DEC2009.xml.html
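The same conversion and per-state split, done with a real XML parser instead of regular expressions, as an added example that is not part of the original post or its downloadable scripts. It assumes the element names the sed script above matches (airports, location with a state attribute, airport, aptname, aptcity, aptid, navidname, pdf) and a creator element standing in for the header lines the script deletes; the sample document is constructed here, not the real NACO file. Two things a parser gives you that sed does not: the header lines and tag spacing no longer matter, and every value is HTML-escaped before it is written into a table cell or an href, so an ampersand or quote in an airport name cannot break the page.

```python
import html
import os
import sys
import xml.etree.ElementTree as ET

# Constructed sample, not the real NACO file. It uses the element names the
# sed script matches, plus a <creator> element in place of the header lines.
SAMPLE_XML = """<?xml version="1.0" encoding="ISO-8859-1"?>
<airports>
  <creator>constructed sample</creator>
  <location state="NY">
    <airport>
      <aptname>Example Field</aptname>
      <aptcity>Anytown</aptcity>
      <aptid>XMP</aptid>
      <navidname></navidname>
      <pdf>NE_123_example.pdf</pdf>
    </airport>
  </location>
  <location state="CA">
    <airport>
      <aptname>Test &amp; Sons Strip</aptname>
      <aptcity>Somewhere</aptcity>
      <aptid>TST</aptid>
      <navidname>TST VOR</navidname>
      <pdf>SW_045_test.pdf</pdf>
    </airport>
  </location>
</airports>
"""

PDF_BASE = "http://naco.faa.gov/pdfs/"
COLUMNS = ("aptname", "aptcity", "aptid", "navidname")
HEADER = ("<tr><th>Airport Name</th><th>City Name</th><th>ID</th>"
          "<th>Navaid</th><th>pdf</th></tr>")


def text_of(element, tag):
    """Text of the named child, or "" if it is missing or empty."""
    child = element.find(tag)
    return (child.text or "").strip() if child is not None else ""


def state_tables(xml_source):
    """Map state code -> HTML (h1 plus table) for that state's airports.

    xml_source may be a str or the raw bytes of the file (the XML encoding
    declaration is honoured for bytes). For XML from a source you do not
    control, parse with defusedxml instead to block entity-expansion attacks.
    """
    root = ET.fromstring(xml_source)
    tables = {}
    for location in root.iter("location"):          # one block per state
        state = html.escape(location.get("state", ""))
        rows = []
        for airport in location.findall("airport"):
            cells = [html.escape(text_of(airport, tag)) for tag in COLUMNS]
            href = html.escape(PDF_BASE + text_of(airport, "pdf"), quote=True)
            cells.append('<a href="%s">pdf</a>' % href)
            rows.append("<tr>" + "".join("<td>%s</td>" % c for c in cells) + "</tr>")
        tables[state] = (
            "<h1>%s</h1>\n" % state
            + '<table width="100%" border="1">\n' + HEADER + "\n"
            + "\n".join(rows) + "\n</table>\n"
        )
    return tables


def write_state_files(tables, outdir, prefix="NACO_17DEC2009_"):
    """One file per state, numbered like the split script: prefix1, prefix2, ..."""
    os.makedirs(outdir, exist_ok=True)
    paths = []
    for index, table in enumerate(tables.values(), start=1):
        path = os.path.join(outdir, "%s%d" % (prefix, index))
        with open(path, "w", encoding="utf-8") as f:
            f.write(table)
        paths.append(path)
    return paths


if __name__ == "__main__":
    # python naco_tables.py afd_17DEC2009.xml   (no argument: use the sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            source = f.read()
    else:
        source = SAMPLE_XML
    for p in write_state_files(state_tables(source), "DEC"):
        print("wrote", p)
```

Because the file is read as bytes when a path is given, the parser takes the encoding from the XML declaration, so the Latin-1 setting mentioned above is handled without changing anything in an editor first.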

You can download the scripts from here.