Yuriy Guts

R&D engineer and .NET architect at ELEKS

Strong, Unique and Memorable Passwords: a Creative Approach


While the whole world is dealing with the aftermath of the Heartbleed Bug, major online services begin to forcibly log users out and encourage them to change their passwords as soon as possible. As a result, millions of people on the Internet will face the problem of coming up with new passwords for their favorite websites.

However, computer systems and humans nowadays have different opinions on what makes a good password (yes, of course I mean xkcd 936). Namely, many services require you to provide a password that:

  1. Contains capital letters, digits, and/or symbols.
  2. Is not similar to any of the previous passwords you used.
  3. Is at least X characters long.
  4. Is at most Y characters long. While I believe there’s seriously a separate place in hell for those who do this, on the Internet you just can’t avoid it.

Passwords on sticky notes

How We Deal With This Today

Depending on your experience and personal preferences, you might follow one of the approaches below:

  1. Using one “golden” password (or a couple of them) that fits the requirements of most websites. You remember the password well and can type it at the speed of light. But: whenever one of those websites gets compromised, you roll out a big red carpet leading strangers to your private data on every other website where you used it.
  2. Generating random “gibberish” passwords for different services (like ew3%10Dc+#320_g). Once you generate a password, you keep it in a safe place, such as secure physical storage or some kind of password management software. But: whenever you need to log in, you must access your password storage, and it might not be around at the moment. Needless to say, the more frequently you access the database, the greater the chance that it becomes compromised at some point.


If that’s memorable, can I borrow 1 GB of your memory?

So, the Holy Grail of password management would be:

  1. To use a unique password for each service.
  2. To comply with the password complexity requirements of each service.
  3. To be able to create new passwords easily.
  4. To change all your passwords on a regular basis.
  5. To remember all your passwords well enough.
  6. Not to become overwhelmed by the whole process and keep it fun.

What Is the Better Way, Then?

Now I’d like to share the method I’ve been using for more than five years. It’s based on three observations:

  • The human brain sucks at remembering random character sequences.
  • However, we’re good at remembering meaningful phrases.
  • Associative memory works much better than “random” memory. Moreover, training your associative thinking improves your creativity.

Here’s the method itself:

  1. Whenever you register on a website, think of any phrase that strongly associates with the website:
    • A quote from a movie.
    • A line from a song.
    • A proverb or idiom, etc., etc.
  2. Apply a simple transformation to the phrase to make it more palatable to computers and to defeat dictionary attacks. All your passwords need to use the same transformation, so that you won’t forget it. Examples of such transformations:
    • Replace the spaces with underscores.
    • Replace the last letter with a digit that denotes the number of words in the phrase.
    • Capitalize the second letter of each word.
    • Shift the first three letters alphabetically to the left, something like Caesar cipher. But good luck with that if you’re drunk.
    • …or anything else you’re comfortable with.
  3. Store the password in a password management system (you’ll only be accessing the system in case you really forget the password).
  4. After, say, 12 months, think of a new password and repeat steps 1 to 3.

Example

Let’s say you need to create a password for your online banking system.

  1. You think for a minute and remember a quote from Léon (1994).

    Tony: Hey, it’s your money. I mean, I’m just holding it for you, like a bank. Except better than a bank, ’cause you know banks always get knocked off. No one knocks off old Tony.

  2. "No one knocks off old Tony" is now the base for your passphrase (bonus if you pronounced it with an Italian accent). Now, apply the transformation and you get something like "No_one_knocks_off_old_Ton6".

  3. Store "No_one_knocks_off_old_Ton6" in the password management system.
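The transformation steps from the method above, carried through on the Léon quote, as an added example (not code from the original post). The article’s own example applies only the first two steps (underscores and the word-count digit), so that is the default pipeline here; the second-letter capitalization and the Caesar-style shift are implemented as optional extra steps. Assumptions not stated in the post: the alphabetical shift moves each of the first three letters one position to the left (wrapping “a” to “z”), and the complexity policy uses placeholder length bounds of 12 and 64 characters for the article’s X and Y.

```python
import re
import string
from typing import Callable, Iterable

# --- transformation steps (each takes the current string and returns the next one) ---

def spaces_to_underscores(phrase: str) -> str:
    """Step: replace every space with an underscore."""
    return phrase.replace(" ", "_")


def word_count(text: str) -> int:
    """Count words, treating both spaces and underscores as separators."""
    return len(text.replace("_", " ").split())


def last_letter_to_word_count(phrase: str) -> str:
    """Step: replace the final character with the number of words in the phrase."""
    if not phrase:
        return phrase
    return phrase[:-1] + str(word_count(phrase))


def capitalize_second_letter(phrase: str) -> str:
    """Optional step: upper-case the second letter of every word (words split on space/underscore)."""
    tokens = re.split(r"([ _])", phrase)  # keep separators as their own tokens
    out = []
    for tok in tokens:
        if len(tok) >= 2 and tok not in (" ", "_"):
            tok = tok[0] + tok[1].upper() + tok[2:]
        out.append(tok)
    return "".join(out)


def shift_first_letters_left(phrase: str, count: int = 3, shift: int = 1) -> str:
    """Optional step: Caesar-shift the first `count` letters `shift` positions left.
    Assumption: the post does not say how far to shift; one position is used here."""
    out = []
    shifted = 0
    for ch in phrase:
        if shifted < count and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            ch = chr(base + (ord(ch) - base - shift) % 26)  # wrap around the alphabet
            shifted += 1
        out.append(ch)
    return "".join(out)


# The two steps the article's worked example actually uses.
ARTICLE_STEPS: list[Callable[[str], str]] = [spaces_to_underscores, last_letter_to_word_count]

# All four listed steps, in the order the post lists them.
ALL_STEPS: list[Callable[[str], str]] = ARTICLE_STEPS + [
    capitalize_second_letter,
    shift_first_letters_left,
]


def transform(phrase: str, steps: Iterable[Callable[[str], str]] = ARTICLE_STEPS) -> str:
    """Run the phrase through the chosen steps in order; the same chain must be
    used for every password so that it stays reproducible from memory."""
    result = phrase
    for step in steps:
        result = step(result)
    return result


# --- the complexity policy from the post (capitals, digits/symbols, min/max length) ---

def meets_policy(password: str, min_len: int = 12, max_len: int = 64) -> bool:
    """Check the four rules listed at the top of the post.
    min_len/max_len are placeholder values for the post's unspecified X and Y."""
    return (
        min_len <= len(password) <= max_len
        and any(c.isupper() for c in password)
        and any(c.isdigit() for c in password)
        and any(c in string.punctuation for c in password)  # underscore counts as a symbol
    )


if __name__ == "__main__":
    base = "No one knocks off old Tony"  # the phrase from the post's example
    pw = transform(base)
    print(pw, meets_policy(pw))            # No_one_knocks_off_old_Ton6 True
    print(transform(base, ALL_STEPS))      # all four steps applied
```

Running the default chain on the example phrase reproduces the post’s result, and the policy check confirms it satisfies the capital/digit/symbol rules purely through the transformation (the underscore is what supplies the symbol). The commenter’s point below still applies: every step here is a fixed, reversible rewrite of a quotable phrase, so the policy checker measures rule compliance, not resistance to a wordlist that includes the phrase and the same rewrites.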

What Just Happened?

  1. You’ve just created a unique password that is considered strong even by the most demanding robot.
  2. Your brain created an associative connection between the website and the phrase. Chances are high you won’t forget your passphrase if you use it at least two times. Well, I don’t in 95% of the cases, and I have more than 50 accounts online.
  3. It will happen the same way for other websites you visit. It’s your brain, your associations. Whenever you need to change the password, you just think of a new relevant phrase.
  4. You gave your associative thinking a nice workout (and remembered a lot of good movies you need to watch later).
  5. Because it’s just words, you’ll be able to type such a long password quickly and elegantly. And when you do it in front of another person, they’ll look at you as if you’re completely crazy. Trust me!

Stay safe online, and have fun!

Yuriy Guts

Yuriy Guts is an R&D engineer, .NET architect and simply an übergeek at ELEKS. Being a polyglot programmer, he’s been dealing with code for the biggest part of his life. Some witnesses even claim his first words were “Hello world!\n”. Yuriy enjoys designing complex cloud solutions for various companies across the globe. When not at work, he can often be seen (and heard by his neighbors) jamming on his guitars.


Comments: 2

  • L33t L33t

    Standard brute force engines and password lists actually adapted to break passwords like this a while back. This is the reason the XKCD cartoon suggests four pseudo random words. It might be more secure than 90% of the passwords out there but I’d bet “No one knocks off old Tony” is in a list somewhere! There’s always going to be a toss up between complexity and memorability but the best way to stay safe is still completely random (yes, yes I know, true randomness is statistically improbable but you know what I mean) password and a password management application.

  • Norman Sweeney

    Great article, nicely written. I could not be without some password manager any more. I have tried almost all of the common password managers and I have ended up with Sticky Password (http://www.stickypassword.com) because they don’t force you to put everything into the cloud and on their servers; you can have your database on your PC locally. And their mobile versions are for free. My advice to everyone is to use any password manager available which fits their needs and to use different and super strong passwords for every site they have an account on. Or maybe if their memories are that great that they can remember passwords like brKir7j&^@RC7&IK, they can use their brains :)