<

Strong (but Easy-to-Remember) Passwords

Published on
24,414 Points
11,614 Views
33 Endorsements
Last Modified:
Awarded
Community Pick
You need passwords for many websites and you know that it's unwise to use the same password everywhere.  You have also heard that it's important to use "strong" passwords -- but they can be hard to remember.  This article describes several options that will let you use, and easily remember, a hard-to-crack password that is different for every website where you login.
 

Background

Some network security folks go overboard when they talk to users about passwords.  For instance, we hear "It must be 14 characters long" Oh, puleeeezzze!  Nobody is going to remember a 14-character password, let alone the dolts that you need to be talking to about passwords.

When you set an "impossible" criterion for a strong password, guess what?  The user will invariably write it on a post-it note and stick it to his monitor.  Then, when caught and reprimanded for doing that, he'll use his name and address -- something that he might not forget.

Both scenarios are much more dangerous than letting the user select a "weaker" password that meets reasonably-sound complexity policies.  

We also hear miscellaneous advice that sounds good, but is meaningless... "Never start your password with a digit -- they are much easier to crack (10 rather than 42 options)."  I don't know what cracking system that adviser is using, but I am certain that no log-in system on earth comes back with...

    "Incorrect login: Only the first character is correct."

Nope.  Password-cracking systems that show the first character cycling and then "locking-in" and then cycle the second character until it "locks in", and the nerdy guy says "...only five minutes until I have it..."  Well, that's TV-Trope fiction, like the exploding car and the details revealed from "enhancing" a telephoto blowup of a reflection from a wristwatch.
 

Stars in the Galaxy

Brute-force password cracking software must exhaustively try every combination.  It might start with the digits, but then it still needs to try the letters.  A specific combination of eight characters (letter, digits, symbols) comes up one in 96^8 random tries.  That's 1 in 7,213,895,789,838,336 (1 in 7.2 Quadrillion).  If the first character is a digit, and if the software happens to start with combinations beginning with digits (why?), then it will need to try only 750 Trillion combinations.  Ahem.  Don't start with "A" either, I guess.  If "A" is weak, then "B" is almost as weak... best to always start your passwords with "Z" ... right?

Any reasonable website login system won't allow more than a few consecutive failed tries, but let's imagine a TV-Trope world where it allows the cracking software to try combination after combination and it takes half of a second to respond to each try. That's 117,267,084 years to try all combinations (think: dinosaurs and fossils).  

OK... let's make it a really, really bad login system that allows you to try a million combinations per second.  It will still take over 200 years.  But BEWARE!  On average, it will need to try only half of all combinations.  So, using an 8-character password is way too risky!  Your great grandchildren are in serious danger that your password will be cracked!
 

Dictionary Attack!

However, password cracking software doesn't sequence through all combinations.  Instead, it knows that people use real words and names in their passwords.  So it does a "dictionary attack" in which it tries all of the words in the dictionary, then each word plus one digit, and so forth.  Then one digit plus each word, and so forth.  Then two words...

It can start with short words, so it won't need to cycle all 200,000+ English words and common names.  Dictionary attacks do succeed -- on login systems that allow unlimited immediate retries, but those are rare.  And you can usually foil a dictionary attack by using "mangled" words that are not in the dictionary.
 
Note: Any cracker's standard "dictionary" includes "words" like qwerty, op[], qaz, sdfsdf, and other keyboard-location mnemonics.  They also include common words and names in which a 3 has been substituted for an E and 0 (zero) has been substituted for o (oh) -- such as l33thax0r and s0rdph1sh  -- will quickly fall to a dictionary attack.  So some kinds of "mangling" are not as safe as they might seem.

Personal Data Attack!

Who hasn't seen the TV show in which the safecracker gets the loot by using somebody's birthday or wedding anniversary as the combination?   He's smart:  He knows that people use numbers that they can remember.  

Password crackers do the same thing.  They can look up all kinds of personal information about you and try variations of your Mother's maiden name, your birthday, the street where you live, your brothers and sisters, the date of your gall bladder operation, etc.  Even so, if you mangle it sufficiently, it can be easy for you to remember, and all of that personal data will be useless to the evil-doer.  If the cracking software must try every mangled variation of every name, address, ZIP code, pet name, and restaurant that you know, it's nearly as bad off as if it had to do a brute-force (all-combinations) scan.
 

Some Good Advice from Microsoft

Microsoft advises the following when setting a password policy for access to a sensitive SQL Server database:
 
Don't use all or part of the username
(I'll add:  Don't use words that are in the dictionary)

It must be at least eight characters long

It must contain characters from at least three of these groups:
  -   Uppercase letters (A-Z)
  -   Lowercase letters (a-z)
  -   Digits (0-9)
  -   Special characters, such as #^$!.*()~ etc.
Cracking software has an easy time with long passwords if they contain dictionary words or repeated sequences.  Password length, by itself, is not a particularly good criterion.


Note:  Some sites won't let you use a too-short password.  A common requirement for banking logins is a minimum length of eight characters.  So size is important, if only to avoid the hassle of remembering special rules at some sites and not at others.
What you need to focus on is complexity.  You need a jumble of characters that do not spell anything, can't be guessed from your personal information, and is just long enough so that a brute-force attack will take too long to complete.

And it has to be easy to remember.  If you write it down, you'll need it to be handy (e.g., in your desk drawer or in a thinly-disguised disk file named "pswds.txt"), and someone can find it.  If you use the same password everywhere, then if you get scammed even once, then all of your secure logins are compromised -- that includes your on-line banking.
 

You Need a SYSTEM

What you need is a "mental algorithm" -- a versatile, repeatable, password-generating system.  You need a technique that generates different passwords for each website, but is easy to produce from memory when you need it.  

Here are three examples, some better than others, but this is really just to get you started thinking about your own system.
 

1. Secret Sentence

As an example at the Microsoft password advice page they suggest that you make up a long sentence -- or a string of words that you can remember.  Maybe something like:

     "My mother told me there would be days like this"

Now to generate the password, process that text with your "mental algorithm."  For instance, the most trivial example is to take the first letter of each word:

      Mmtmtwbdlt

To satisfy the "special characters" requirement, your algorithm might include some substitutions.  When you would normally type S, type 5 or %.  Or use 1 (one) instead of l (ell).  You could make every third character uppercase.  That sort of thing.  That Microsoft page shows several ways to add complexity to the password without adding a heap of mental strain to your often-overworked neurons.

2. Say the Secret [i]Woid[/i]

This is similar to the last one, but instead of a sentence, choose a word or very-short phrase that you will never forget and that you can easily visualize without writing down (never write it down).  For instance: "LADYGaga!"

Now you will use only the letters of that word in your passwords, but you will put them in various, scrambled sequences.
 
   LADYGaga!
   123456789

Open in new window

Example: You choose the order 1,3,5,7,9,2,4,1.  So your password is the first, the third, the fifth, etc. letters of your secret word:

      LDGg!AYL

That looks like it would be hard to remember.  It is!  So with this algorithm, you write it down!  You write down the website and the sequence numbers on a post-it note and stick it on your monitor.  You can decode it, but nobody else can. (Reminder to the security-impaired:  Write down the numbers, but type-in the matching letters.  Oh, and don't write the secret-word key on the back of the paper.)

3. Cook Up a Sequence

Your base password will be a combination of some (apparently) arbitrary characters, digits, and symbols that you can remember, using your own mnemonic that you never reveal.  Here, you can use personal data to help you remember the "cooked" portion, as long as it is scrambled and sautéed enough.  

For instance, here is something I'll easily remember: My cat, Chocolate Chip, was 13 years old when we lived on Quincy Avenue.

So my "root" password is:  CC13Qy
 

Adding Salt -- Per-site Uniqueness

Algorithms #1 and #3 above describe how to generate a "base" password.  But ideally, we'd like to have a password that is different for each website where we need to log in.  Different, but also easy to remember!

One possibility is to insert something at the beginning or tack something on the end... a so-called "salt" value.  I've seen the suggestion to use the first three characters of the site's domain name.  For instance, my EE login (domain name is Experts-Exchange.com) might be:

    CC13QyExp    
...or...
    MmtmtwbdltExp

That algorithm would not protect me as much as I'd like.  It's better than using the same password everywhere, but any good hacker could recognize the pattern -- if he scammed one password from me, he'd be able to figure out others.  

Some variations I've heard include: The first few letters of the domain in reverse order; the three characters at the top, rightmost corner of the login screen; the second, fourth and last letter of the domain name; some sequence of letters directly below the password input box., etc.  

You can go pretty far with this.  Most people are quite visually oriented and when you get to the login-prompt, you'll probably be instantly reminded where you "hid the salt."  

In practice, this works quite well.  It is a secret that only you know, based on an algorithm (a set of visual cues) that only you know.  Will a hacker guess that your salt was "The last character of the domain name, plus the number of letters in the word below the password input box, plus the gender (M,F or ?) of the person pictured"?   Probably not, and anyway, the salt comes into play only if a hacker gets your base password somehow.
 

Summary

Using strong passwords is important, both in business and in your personal life.  An easy-to-crack password could open up your bank account to various evil-doers who lurk in the dark, terrifying recesses of the venomous snake pit that is the Internet.  Be sure to scare your kids with that, because it might save them from being embarrassed on FaceBook.  And scare yourself (at least a little bit) because it also happens to be true.

But you don't need to make a password so complex and hard to remember that you find that you need to write it down.  Don't make it so long that you need to use personal data in order to remember it.  Eight characters (including a mix of character case and digits, etc.) are probably "strong" enough for nearly any purpose.  And it's not hard to come up with a "mental algorithm" that's easier to remember than the actual password.

I fully expect to take some heat (and "No" votes) from self-proclaimed security experts who will tell me I'm giving out bad advice and that everybody must use 14-character passwords for everything.  So, I'll reply in advance:  When your 85-year-old grandmother asks what she should use as her password, do you tell her,

   "Well, grammy, you should always use: %wE7*45#Bb[g^vJ"  

??? I doubt it -- she doesn't know what a circumflex is.  You need to give her a simple password that is easy for her to remember (so she won't write it down), but hard to guess and hard to crack.  And be sure to remind her not to use her grandchild's name!
 

Bold Caveat

No password-generating algorithm is perfect.  Any system that is trivially easy (say, appending ten Xs) will be easier to crack than a system that employs truly randomly-selected characters, but writing passwords down on paper or putting them in a file on your hard disk presents an actual, not imaginary or overblown, risk.  So work out a way to keep it in your head.
 
I heartily invite comments from everybody.  I'd especially like to hear of other "mental algorithms" that you have used or have advised others to use.  What works?  What does not work?

Related links:


Password Recovery Speeds
http://www.lockdown.co.uk/?pg=combi

SQL Server 2008 password Policy
http://msdn.microsoft.com/en-us/library/ms161959.aspx

Microsoft SQL Server Strong Password Requirements
http://support.microsoft.com/kb/965823

Strong Passwords
http://msdn.microsoft.com/en-us/library/ms161962.aspx
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
If you liked this article and want to see more from this author, please click the Yes button near the:
      Was this article helpful?
label that is just below and to the right of this text.   Thanks!
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
33
Author:DanRollins
Ask questions about what you read
If you have a question about something within an article, you can receive help directly from the article author. Experts Exchange article authors are available to answer questions and further the discussion.
Get 7 days free