Building Strong and Memorable Passwords (Part 4 of 4)
This is the last of four posts about passwords as a technology, and describes my personal approach to making my passwords both strong and memorable. Other parts of the series are linked from Part 1.
Welcome, Digg readers! This blog is about my work – other endeavours, mostly photographic, are found at my personal homepage. Thanks for visiting.
So far in this series of posts about passwords, I’ve returned to the idea that, as a technology, passwords have both material and methodological aspects. That is, how you use the technology is as important as how advanced its parts are. So far, this discussion of improving passwords has largely focussed on the material side, namely OAuth and OpenID, and password interfaces. These improvements happen at the will and ability of the people making web and desktop applications. As such, users will always be waiting for them to happen if they haven’t already. This post takes things to the methodological side, which is more the user’s domain, by describing the rules I use to make strong yet memorable passwords that are unique for each account.
There’s a disclaimer (there’s always a disclaimer): I’m not a security expert. I’m offering my method as one that works for me, but hasn’t been robustly tested by people who get paid to robustly test these things. However, to bring an objective measuring stick, I’ll use the password assistant in OS X’s Keychain application. This feature is one I didn’t know about for a long time, but I think it’s pretty nifty; take a bow, password assistant:
As discussed in Part 3 on password interfaces, Apple does well in providing tips and warnings to help a person create a strong password. Taking those tips further, the method I describe here uses chunks of retrievable information as constituents of the password. As I describe the parts of the method, or the chunks, I’ll use the password assistant to test the method’s outputs.
My rule for a strong and memorable password practice has three variables or components:
A. Dictionary or Foreign Word
B. Significant Year (not a birthday; it’s too obvious)
C. Fragment of the application or website name where the password is being created
A and B don’t change much from one password to the next, and are used in every password the rule generates. Component C, however, does change for every application or website, meaning that each password is only used in one place.
Let’s look at some details of each component and how they build the strength of the password.
A. Dictionary or Foreign Word
When choosing a word, aim for something between 4 and 6 characters. This gives you a wide range to play within, and allows you to pick a word that is personally memorable. There is a great advantage to choosing a word from a foreign language, in that it’s unlikely to be included in dictionary attacks, a basic tool in any password cracker’s toolkit. Don’t know a word from another language? They’re easy to find, and to base it on a word in your native language you can just translate by using the venerable Babelfish. By the way, I owe credit to Tod Maffin, who clued me into using a foreign word as part of a password.
Using both a dictionary word and a foreign word, we get two different measures of strength:
In both cases the password is pretty weak sauce. We’ll add the next piece and see how we do.
B. Significant Year
Obviously, you don’t want to pick your birth year, unless you really can’t remember any other. Assuming you can, think about a year that is meaningful to you in some way. If you’re a fan of space exploration, like myself, you might use 1969 for the year of the moon landing. You might also use the year you graduated from high school, the year of your first kiss, almost anything will do, but choose something memorable. On its own, a personally meaningful year would be a bad password, as in guessable. Stuffing the year into a longer password does the opposite: it makes an existing password more complicated to guess or crack, but still very easy for you to recall.
Adding the year of the moon landing bumps up the measure on our fledgling secure password:
C. Name Fragment
This part of our method is the most interesting, as it’s the one that keeps your password changing between every application or website that you use. The key is to create a rule that allows you to pick part of the name of an application or website to use as part of the password. I use a syllable-based rule, by picking the first syllable of the name. In the case of ‘Google’, the first syllable is Goo. In the case of ‘flickr’, I would use flick. In the case of ‘Digg’, I’d use Digg since there’s only one syllable.
Notice that I also reflect the capitalization of the name in the syllable. This introduces an uppercase letter to the password without my having to recall where I put it.
While we know that including an uppercase letter is more secure, at this point the quality meter doesn’t differentiate – we’re in iron-tough password country, now.
Extra Spicy Variations
It’s quite possible that you’d like an even stronger password. That’s certainly achievable by adding one or both of the following to the formula we have going already:
* More mixing of lower and uppercase letters: make the first or last character of your Dictionary or Foreign Word uppercase. Whatever you choose, make it rule-based.
* Add punctuation characters. As with adding more uppercase characters, there are a number of positional approaches to adding punctuation that will make it easy to remember as part of your overall formula.
* Oscillate between two Dictionary/Foreign Words and/or Significant Years. You’ll likely need to make more attempts if you forget which you used, but you’ll know your range and keep your passwords more mixed up.
* Vary the ordering of formula elements
Wrapping it Up
The method I’ve described here can be summed up as: [Dictionary or Foreign Word] + [4-Digit Year] + [App/Site Name Fragment]
or for even stronger passwords: + [Optional Uppercase Rule] + [Optional Punctuation Rule] + [Optional Oscillation]
The advantages of the method:
* memorable passwords – when the rule is known, any password can be reconstructed on the fly when forgotten
* different password for every site or app
* should satisfy most password requirements you’ll encounter
* sufficient length and character mix to defend against guessing, dictionary and brute force attacks
* the formula (as in the variable names) can be written down without disclosing its entirety to unauthorized eyes
But there are disadvantages, as well. If someone were to guess your formula from one or more instances of the password, all the accounts you protect with passwords based on the formula will be at risk. Also, this method doesn’t play well with password policies that require the password to be changed every so often. But that’s about the extent of the risks and applicability gaps that I can see, excepting a tendency to forget rule-based knowledge.
Combined with OpenID, this password formula loses the need for a uniqueness element, but is less prone to discovery through third-party negligence or unforeseen attacks. Adding to that the OAuth-enabled applications that will soon come online, that single, strong password will stay close to your chest while it opens doors around the world to you. Hopefully the method I describe here helps you make more secure and humane, i.e. memorable, passwords. If you think of risks or improvements not covered here, please add them to the comments.
Changing your password frequently would just be a matter of changing the first dictionary/foreign word.
The true enemies of secure passwords are restrictive and inconsistent policies. The example password above would qualify for most password policies but not for all. I have seen policies that state that the password must be in between 5 and 8 characters. I have also seen many systems where only the first 8 characters were used, regardless of the true length of the password.
In my own workplace we have several inconsistent password policies. (There’s actually only one, officially mandated policy but every department implements it differently.)
Some passwords must be changed monthly, some every three months. Some are unrestricted, some must have at least one capital and at least one number, one must have **two** numbers… no more, no less and won’t accept any “special” characters although no one has defined what “special” characters are and finally some must have all of the above **and** special characters.
My only saving grace is that I **can** remember lots of horribly complex passwords.
Anyway, enough of my rant. Nice suggestions and a very good password choosing guide for anyone with a sane workplace.
So hackers can’t access foreign dictionaries? Instead take a memorable line from a song/poem/simpsons quote/whatever. Use the first letter of each word. Eg, “Alas poor Yorrick I knew him well” Apyikhw.
What is wrong with password1?
Very good article! One addition to a foreign language word is pick a word that means something to you and alter the spelling (ie. I use an old misspelt street address backwards). Easy for me to remember. I also find after a little while your hands can almost type the passwords themselves (scary I know!). Anyway that’s my 2c worth
Great thing about password1 is that you can use it again next quarter by changing it to password2
The fun rolls on!
I always use temp1234, is that secure enough?
I always use a bit of leet-speak. Changing o’s to 0’s (zeros), I to 1, T to 7, and so on
H3ll0W0r1d
my password:
turtles
or for my banking account
turtles1
the only password that i don’t use turtles in is for my turtles account. It is a website where people gather to talk about what species they have, what activities they do with their turtles and such.
password there is
mysecretpassword
(16 characters, pretty secure huh?)
['turtles' would be too obvious there]
How about this:
[Black Metal band] + [times per week has sex] + [insert meme]
satyricon0000bag-o-dicks
win.
Best of all: use passphrases, not passwords. Spaces are the most annoying characters for any password cracker, human or software…
It’s also easier to remember and type phrases than passwords.
[name] + [stardate] + [captains log]
When I’m choosing passwords I usually use the name of my favorite pet then the month (abbreviation) and day, e.g. “dixiemar16”
I usually just use a punctuation-based form of leet on a phrase in a foreign language – oh, and the phrase itself has to not make sense in the other language, just in case.
Somehow, always winds up being easy to remember. Especially the ones in tagalog or korean.
For the average person this is good. Especially for those that have even simpler passwords as a default.
For any person really worried about security, random and long passwords are better.
Two factor identification is becoming more commonplace. (something you know and something you have) For example, through Verisign or Paypal you can get a security dongle about the size of a flash drive. It displays a random 6 digit number every 30 seconds that must be added at the end of the password field.
Bob Loblaw’s Law Blog?
Get a good random password generator – the one we use creates strong passwords that you can still remember easily by including lots of vowels. Like this one:
mopErsolath4
Highly secure and if you use it at least once a week you won’t need to write it down to remember. We currently have 5 of these at work and I remember several more for personal use.
Of course the reality is that most people will just write the password on a piece of paper. And why not? The VAST majority of attacks on your passworded accounts will be via the internet, not a physical attack. Of course if the attacker has physical access he’ll easily get past any password system anyway (e.g. by just taking the HDDs)
So seriously people, it’s OK to write your password on a piece of paper. Much better than making it something stupid like ‘admin1’.
my password is in binary form of my favourite number so is just a big confusing mix of 1’s and 0’s. even if someone were to watch me type it, they would instantly forget it anyways.
not that easily cracked by software anyways as it would take so long to get the correct combinations of 1’s and 0’s… and the chances of someone assuming your pass is in binary is low anyways.
not to mention is has a few letters before it
I take a sentence and use the first letters of the words and add some numbers.
e.g.
My mother was born in los angeles in 1956 !
=> Mmwbilai1956!
Good to remember hard to hack.
simple work but mix letter symbol number.
angel --> @ng=1
flower –> f10w=r
Make a strong password even stronger; use an offset on your keyboard. That is, if your password was “turtles”, type the letters one row above each letter, or “5745o3w”, wrap around if you already include numbers/punctuation. It seems hard, but your fingers get used to it fairly quickly.
Also, if you’re multi-lingual, you can attach suffixes or prefixes across languages, such as “cook-mashita” (“mashita” = Japanese past tense polite verb ending), or “zer-shuffle” (zer = German for “do X to death/destruction” (IIRC))
This is my password
Ahh, he’s using a Mac!
Yes, the key is strong for John the ripper, but:
Decrypt HASH of passwords with John the ripper
I’m with “acronyms.” Think of a long phrase, then take the first letter of each word. Either mess with it a bit (throw in some 1337), or use a sentence or phrase that has numbers in it.
‘escalier1969Digg’ is overall an acceptable password, but you must also remember that some old systems are still using crypt(), which in many cases will truncate the password to 8 characters and ignore the rest.
In this case, you’d end up with ‘escalier’ which, while in a different language, is still very vulnerable to a dictionary attack.
I’d suggest putting something cryptographically challenging within the first 8 characters – maybe put the year first. ‘1969esca’ is harder than ‘escalier’.
(You might remember that AOL just got burned by this in May of this year: http://blog.washingtonpost.com/securityfix/2007/05/aols_password_puzzler.html )
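An added example, not code from the post or from any commenter, putting the post’s formula next to the two checks a practitioner would run on it: the character-class estimate a quality meter produces for ‘escalier1969Digg’, the far smaller search space once the formula itself is known (the risk the post itself names), and the 8-character truncation described in the comment above. The 50,000-word dictionary, the 100-year span and the prefix-comparison stand-in for crypt() are assumptions made for the example.

```python
import math

# Added example (not from the post or its comments): the post's formula
# [Dictionary or Foreign Word] + [4-Digit Year] + [App/Site Name Fragment]
# and two checks against it. Dictionary size and year span are assumptions.

def build_password(word: str, year: int, fragment: str) -> str:
    """Assemble a password by the post's rule: word + year + site fragment."""
    return f"{word}{year:04d}{fragment}"

def meter_bits(password: str) -> float:
    """Estimate strength the way a character-class meter does: it assumes every
    position was drawn uniformly from the union of character classes present."""
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isupper() for c in password):
        alphabet += 26
    if any(c.isdigit() for c in password):
        alphabet += 10
    if any(not c.isalnum() for c in password):
        alphabet += 33  # printable ASCII punctuation
    return len(password) * math.log2(alphabet)

def formula_bits(dictionary_size: int, year_span: int) -> float:
    """Search space once the formula is known: the site fragment is fixed by
    the site name, so only the word and the year remain unknown."""
    return math.log2(dictionary_size * year_span)

def collide_under_truncation(a: str, b: str, limit: int = 8) -> bool:
    """Simulate the legacy crypt() behaviour from the comments: only the first
    `limit` characters are hashed, so two passwords sharing that prefix verify
    identically. Prefix equality stands in for hashing the truncated input."""
    return a[:limit] == b[:limit]

if __name__ == "__main__":
    pw = build_password("escalier", 1969, "Digg")
    print(pw, round(meter_bits(pw), 1), "bits by a character-class meter")
    print(round(formula_bits(50_000, 100), 1), "bits once the formula is known")
    print("collides with 'escalier' under 8-char crypt():",
          collide_under_truncation(pw, "escalier"))
    print("year-first variant collides:",
          collide_under_truncation("1969escalierDigg", "escalier"))
```

The meter credits the example roughly 95 bits; against someone who knows the formula the unknown part is only about 22 bits, and under an 8-character crypt() the word-first form verifies identically to the bare dictionary word.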
i like your tip. thanks for that.
i use a latin translation of a quote i like as a password in one of my accounts. it contains uppercase and lowercase letters, and a punctuation mark. but there are no special characters and numbers. and your tip for more secure passwords can most likely strengthen my passwords.
again, thanks for this useful tip.