And the password is…

Passwords irritate the hell out of me. While I know they are a necessary evil, it is so easy to lose track of what password was created for what account, and this is even worse if I am on the road with a laptop. Unfortunately, I tend to become dependent on having the same computer remember my passwords, which is fine until I have to use another computer, and then my own lost memory system kicks in and sometimes I’m SOL.

On top of that is the growing problem of insecure and aging passwords. Ordinary names and phrases suck, as they can be easily defeated by a standard dictionary attack. So, converting part of the text to numbers or symbols is usually enough, but maybe not always.

Especially these days. Recently there have been a number of helpful columns featured in the online news, chiding the careless and offering friendly advice on how to create good passwords.

There are, of course, lots of random password generators like this, which just served up the following 8 character password for me:

Re4ASpuh

Which is fine, but only as long as I can remember it. It seems that there ought to be a good way to use an easy-to-remember password to make a much more secure one: one that looks like gibberish but can be reconstructed from scratch if you forget it. So I thought: take a word, use an easy-to-remember formula for encrypting it by hand, then change the resulting word with the usual symbol and number substitution. You’d have something that might not be bulletproof, but would at least survive the most common forms of attack.

To illustrate, take the easiest 8 character word to remember:

password

The easiest formula for scrambling the letters would be to substitute for each letter the one before it (going backwards). “password” becomes,

ozrrvnqc

Then by substituting numbers and symbols in whatever manner you use, that can be changed to

02rr^nq(

The only problem with using the alphabet letter just before each letter is that it’s a relatively easy cypher (the so-called “Caesar Cypher”) and could be easily decrypted. Repeated letters (like the rr) are bad too. A more secure approach (only slightly more difficult, but still easy to remember) would be to use larger shifts in the alphabet, but not all the same distance away. So, if there are eight characters, use eight away for the first one, seven away for the second one, and so on. Zigzagging forwards and backwards would add to the random appearance. So it would be eight ahead, seven before, six ahead, and so on (forward, backward, forward: the FBFBFBFB pattern below).

“password” then becomes:

xtynaltc

Even though “password” is commonly used to create cyphers for demonstration purposes, the above does not show up online as a cipher, and seems relatively secure in and of itself.

But if you’re paranoid, you can add security by replacing the more obvious characters with their corresponding numbers and symbols, so it then becomes

xtyn@1t(

It looks random (it appears nowhere online), but it isn’t. And if you forget it, the “formula” is easy to remember.

FBFBFBFB
87654321
password

I’m sure it’s crackable, but I think the above method would be sufficient for everyday use, especially if you’re using a favorite word or phrase that’s easily remembered but not easily guessed.
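As an added example (not code from the post), here is the post's recipe in Python: the one-back Caesar step, the zigzag scramble with the FBFBFBFB pattern, and the symbol swaps the post shows. The last function makes the "crackable" point concrete: because each formula is a fixed mapping, the number of derived passwords is bounded by the number of base words times the number of formulas, so the scramble adds no strength beyond keeping the formula secret. The two-word list at the bottom is constructed for illustration.

```python
import string

ALPHA = string.ascii_lowercase  # 26 letters; shifts wrap around


def caesar(word: str, shift: int) -> str:
    """Shift every letter by the same amount (the post's first, weak step).
    caesar("password", -1) -> "ozrrvnqc"; non-letters pass through."""
    out = []
    for ch in word:
        out.append(ALPHA[(ALPHA.index(ch) + shift) % 26] if ch in ALPHA else ch)
    return "".join(out)


def zigzag(word: str, forward_first: bool = True) -> str:
    """Shift letter i by len(word) - i positions, alternating direction.

    forward_first=True is the post's FBFBFBFB pattern: 8 ahead, 7 back,
    6 ahead, ... so zigzag("password") -> "xtynaltc".
    """
    n = len(word)
    out = []
    for i, ch in enumerate(word):
        if ch not in ALPHA:
            out.append(ch)
            continue
        forward = (i % 2 == 0) == forward_first
        shift = (n - i) if forward else -(n - i)
        out.append(ALPHA[(ALPHA.index(ch) + shift) % 26])
    return "".join(out)


# The letter -> digit/symbol swaps the post applies in its two examples.
SUBS = {"o": "0", "z": "2", "v": "^", "a": "@", "l": "1", "c": "("}


def leet(word: str) -> str:
    """"ozrrvnqc" -> "02rr^nq(" and "xtynaltc" -> "xtyn@1t(", as in the post."""
    return "".join(SUBS.get(ch, ch) for ch in word)


def derive(word: str) -> str:
    """The full recipe: zigzag scramble, then substitutions."""
    return leet(zigzag(word))


def derived_space(words, formulas):
    """Distinct passwords reachable from a base-word list and a formula list.
    At most len(words) * len(formulas): the strength of the result rests on
    the secrecy of the formula, not on how random the output looks."""
    return {leet(f(w)) for w in words for f in formulas}


# Constructed two-word list, just to show the bound.
SAMPLE_WORDS = ["password", "letmein"]
SAMPLE_FORMULAS = [zigzag, lambda w: caesar(w, -1)]
```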

Comments

7 responses to “And the password is…”

  1. joshua

    There’s a fairly easy way to create safe, unique, and memorable passwords for websites, so that if any one is exposed, all of your other sites are safe. I have written about it on my company’s blog here.

  2. Eric

    Great essay, and a really good point.

  3. Mark Alger

    XKCD Number 936 encapsulates this neatly.

    Just use a memorable phrase of a reasonable length. Type it in as a single word, with no breaks. For extra strength, add capitals, number substitutions, and punctuation. As the comic argues, far stronger than your typical 8-character-min string.

    Lather, rinse, repeat for all sites you find worth getting an account for.

    M

  4. David Hunt

    I typically use the first letter of phrases, and years that are significant to me. For example (something I no longer use because I cite it)… the first letter of each word of a phrase:

    The hot fudge sundae falls on Tuesday. I use the capital letters, and will then add a character like “.” or “!” and a year – no not my birth year, but like the year I graduated from college.

    So: Thfsfot!1990

  5. Bill Johnson

    You are working Way Too Hard.

    Easy passwords with great strength are easy.

    1) long phrase ==> Now at that time there were many tiggers in the woods

    Tell me you can’t remember that.

    2) short sentence ==> Way2lonG (capitals, number, 8 char minimum)

    It’s really easy. Just don’t listen to those who want to make it hard.

  6. rjp

    Problem with passwords is the inconsistency between requirements.

    More than 6 characters.
    Less than 8 characters.
    More than 6 with one numeral.
    More than 6 with 1 capital letter and 1 numeral.
    Less than 12 characters.
    Less than 10 characters.
    With 1 numeral and 1 of the following symbols …. .
    With one capital, but not the first letter.
    With a numeral, but not as the last character.

    I am just saying, that if there was more consistency across sites, it would make it much easier for all of us.

  7. karrde

    I’ve made good use of the (GPL-licensed) software called PasswordSafe.

    http://www.schneier.com/passsafe.html

    It was originally designed by crypto-and-security expert Bruce Schneier, and is currently managed by a team of open-source coders.

    One special option from PasswordSafe is the ability to generate random passwords matching specific length requirements.

    And you can set up a version that lives on a thumb-drive, if you want to use it on any machine.