NICEVILLE, Fla. — In this week’s It’s Geek to Me, Jeff Werner shares a reader’s creative password-generation method and explains why modern security guidelines discourage frequent forced password changes.
Geek Note: I received several emails from readers in response to my recent series about poor password management. I thought I’d share this one that stood out with you.
Question:
Ed R. from Fort Walton Beach, Florida, writes:
I agree with your columns about passwords (Geek Note: I.G.T.M. #951, Oct 12, 2025 and I.G.T.M. #953, Oct 26, 2025). At the end of my Air Force career, I had a job in security, and we continually ran into people not “doing the work” when it came to passwords.
Oh, the systems (plural) we used ensured that passwords were long enough, complex enough, and changed frequently. BUT, people kept writing them down.
They’d stick them to the back of their monitor, on the underside of the keyboard, or hide them in books. As a security guy, I “got it.” BUT as a user, I felt their pain.
For example, the military medical system has a computer application for appointments, prescriptions, etc. My issue was with how often we had to change passwords. Every two months was excessive — especially since we didn’t even see our doctors as frequently as we had to change the passwords! Grrrr!
Here’s how I dealt with the requirement for long, complex passwords: I got out my Scrabble Game and removed tiles that would provide the entire 26-letter alphabet. I put them in a small box. For “special characters,” I took some more tiles, put a piece of tape on the back, wrote the special characters on the tape, and put them into the box.
I did the same thing for numbers.
Once the letters, special characters, and numbers were in the box, I shook it and blindly withdrew one tile for each character I needed, using each tile once. (I suppose you could put them back in the box, but some password systems don’t like repeated letters.)
I have a paper log book where I keep them for safety. I suppose I could have had the computer generate a “random” string of characters/numbers, but I recall learning that computer-generated random numbers aren’t really random. Besides, that wouldn’t be any fun, and I’m not a fan of password managers.
Keep up the good work!
Answer:
Thanks for sharing your insights and experiences, Ed. Those frequent forced password changes are one of the things that modern analysis of password best practices says have got to go.
They actually reduce security rather than strengthening it as intended.
You are, of course, entitled to your opinion of password managers, but it’s one I don’t happen to share. For very little effort, password managers solve a lot of problems that are associated with entering, changing, and maintaining passwords. They aren’t a panacea, but they do an end run around a lot of what’s difficult to deal with in the password management requirements of today’s complex information systems.
Your Rube Goldberg-ish method with the Scrabble tiles gave me a smile. I suppose it works just fine, but your description of it sounds way more complicated than, say, a password manager or using any of the many Internet sites that will generate so-called strong passwords for you.
By your own description, you kept these passwords written down on paper “for safety,” which is definitely not a best practice.
You’re correct about random numbers on a computer. That’s why they’re typically referred to as pseudo-random. However, the algorithms that generate pseudo-random numbers are complex enough that you can set aside any concerns you may have about someone (or something, as in another computer program) detecting a pattern in them.
For the purpose of what we’re talking about, they can be treated as truly random.
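As an added illustration (not code from the column or from Ed), here is the tile box reproduced in Python with the operating system's cryptographic random source, comparing Ed's "use each tile once" draw against putting tiles back. The 10 special characters are an assumed set, since the letter does not list them, and the function names are made up for this example.

```python
import math
import secrets
import string

# Assumed tile box: the letter does not say which special characters were used.
LETTERS = string.ascii_uppercase   # 26 Scrabble letter tiles
DIGITS = string.digits             # 10 taped-over number tiles
SPECIALS = "!@#$%^&*-_"            # constructed set of 10 special-character tiles
BOX = LETTERS + DIGITS + SPECIALS  # 46 tiles in total

# SystemRandom reads from the OS cryptographic generator, not the
# seedable Mersenne Twister behind the plain `random` functions.
_rng = secrets.SystemRandom()


def draw_without_replacement(length, box=BOX):
    """Ed's method: each tile is used once, so no character repeats."""
    if length > len(box):
        raise ValueError("cannot draw more tiles than the box holds")
    return "".join(_rng.sample(list(box), length))


def draw_with_replacement(length, box=BOX):
    """Each tile goes back in the box, so repeats are possible."""
    return "".join(secrets.choice(box) for _ in range(length))


def entropy_bits(length, pool_size, replacement):
    """log2 of the number of equally likely passwords for a draw scheme."""
    if replacement:
        return length * math.log2(pool_size)
    if length > pool_size:
        raise ValueError("cannot draw more tiles than the box holds")
    # Ordered draws without repeats: pool * (pool - 1) * ... permutations.
    return math.log2(math.perm(pool_size, length))


if __name__ == "__main__":
    n = 12
    print("tiles used once :", draw_without_replacement(n),
          f"{entropy_bits(n, len(BOX), False):.1f} bits")
    print("tiles put back  :", draw_with_replacement(n),
          f"{entropy_bits(n, len(BOX), True):.1f} bits")
```

For a 12-character password from this 46-tile box, forbidding repeats costs a little over two bits of entropy compared with replacing each tile.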
Speaking of random stuff, I want to share a couple of fakeroo things that crossed my various inboxes this week. One came through the same web form that readers use to submit questions.
It was a solicitation from a San Francisco company that apparently specializes in creating Wikipedia pages for businesses. If this was generated by an AI, I give the author major props for having a bot smart enough to navigate my website and enter this information on my “Submit a Question” page. Kudos.
The other one arrived via the email I use for Geek Lights on the Corner, my annual Christmas Lights and music show. It declared that Geek Lights was the #1-rated venue of its kind, and wanted to honor the show.
As I looked more closely, the period they cited was for July of this year. Interesting, as the show only exists in November and early January. I discovered the true purpose of this spam when I dug a little further. They wanted me to purchase a wall plaque with the details of the “award.”
They offered various styles priced from $300 to over $1000. No thanks.
The point is, not all email schemes are covert. These were completely up front about what they were offering. It’s just that what they were offering was expensive and worthless. Be careful out there, my Geeks!
To view additional content, comment on articles, or submit a question, visit my website at ItsGeekToMe.co (not .com!)
Jeff Werner, a software engineer based in Niceville, Florida, has been writing his popular “It’s Geek to Me” tech column since 2007. He shares his expertise to help readers solve everyday tech challenges.






