Strong, Unique and Memorable Passwords: a Creative Approach
While the whole world is dealing with the aftermath of the Heartbleed Bug, major online services begin to forcibly log users out and encourage them to change their passwords as soon as possible. As a result, millions of people on the Internet will face the problem of coming up with new passwords for their favorite websites.
However, computer systems and humans nowadays have different opinions on what makes a good password (yes, of course I mean xkcd 936). Namely, many services would require you to provide a password that:
- Contains capital letters, digits, and/or symbols.
- Is not similar to any of the previous passwords you used.
- Is at least X characters long.
- Is at most Y characters long. While I believe there’s seriously a separate place in hell for those who do this, on the Internet you just can’t avoid it.
How We Deal With This Today
Depending on your experience and personal preferences, you might follow one of the approaches below:
- Using one “golden” password (or a couple of them) that fits the requirements of most of the websites. You remember the password well and can type it with the speed of light. But: whenever one of the websites gets compromised, you lead the strangers to your private data on other websites like a big red carpet.
- Generating random “gibberish” passwords for different services (like
ew3%10Dc+#320_g). Once you generate a password, you keep it in a safe place, such as a secure physical storage or some kind of password management software. But: whenever you need to log in, you must access your password storage and it might not be around at the moment. Needless to say, the more frequently you access the database, the bigger are the chances that it may become compromised at some point.
If that’s memorable, can I borrow 1 GB of your memory?
So, the Holy Grail of password management would be:
- To use a unique password for each service.
- To comply with the password complexity requirements of each service.
- To be able to create new passwords easily.
- To change all your passwords on a regular basis.
- To remember all your passwords well enough.
- Not to become overwhelmed by the whole process and keep it fun.
What is The Better Way Then?
Now I’d like to share my method that I’ve been using for more than five years. It’s based on three factors:
- Human brain sucks at remembering random character sequences.
- However, we’re good at remembering meaningful phrases.
- Associative memory works much better than “random” memory. Moreover, training your associative thinking improves your creativity.
Here’s the method itself:
- Whenever you register on a website, think of any phrase that strongly associates with the website:
- A quote from a movie.
- A line from a song.
- A proverb or idiom, etc., etc.
- Do some simple transformation over the phrase above to make it more likeable for computers, as well as to avoid dictionary attacks. All your passwords need to use the same transformation, that way you won’t forget it. An example of such transformation can be:
- Replace the spaces with underscores.
- Replace the last letter with a digit that denotes the number of words in the phrase.
- Capitalize the second letter of each word.
- Shift the first three letters alphabetically to the left, something like Caesar cipher. But good luck with that if you’re drunk.
- …or anything else you’re comfortable with.
- Store the password in a password management system (you’ll only be accessing the system in case you really forget the password).
- After, say, 12 months, think of a new password and repeat the steps 1 to 3.
Let’s say you need to create a password for your online banking system.
- You think for a minute and remember a quote from Léon (1994).
Tony: Hey, it’s your money. I mean, I’m just holding it for you, like a bank. Except better than a bank, ’cause you know banks always get knocked off. No one knocks off old Tony.
"No one knocks off old Tony"is now the base for your passphrase (bonus if you pronounced it with an Italian accent). Now, apply the transformation and you get something like
"No_one_knocks_off_old_Ton6"in the password management system.
What Just Happened?
- You’ve just created a unique password that is considered strong even by the most demanding robot.
- Your brain created an associative connection between the website and the phrase. Chances are high you won’t forget your passphrase if you use it at least two times. Well, I don’t in 95% of the cases, and I have more than 50 accounts online.
- It will happen the same way for other websites you visit. It’s your brain, your associations. Whenever you need to change the password, you just think of a new relevant phrase.
- You gave your associative thinking a nice workout (and remembered a lot of good movies you need to watch later).
- Because it’s just words, you’ll be able to type such a long password quickly and elegantly. And when you do it in front of another person, they’ll look at you as if you’re completely crazy. Trust me!
Stay safe online, and have fun!
Yuriy Guts is an R&D engineer, .NET architect and simply an übergeek at ELEKS. Being a polyglot programmer, he’s been dealing with code for the biggest part of his life. Some witnesses even claim his first words were “Hello world!\n”. Yuriy enjoys designing complex cloud solutions for various companies across the globe. When not at work, he can often be seen (and heard by his neighbors) jamming on his guitars.