A Guide To Creating Strong but Memorable Passwords
By: Ryex
Introduction
Password security has been on my mind for a while now. The industry has completely misled its users about what makes a strong password. No doubt most of you have seen this XKCD comic on the topic:
http://xkcd.com/936/
Big companies are guilty of this. Netflix, for example, actually limits you to no more than 10 characters in your password; the example password in the comic has 11 and would take only 3 days. 10 characters drops the complexity by an order of magnitude to 2^24, so your average Netflix password could be guessed in just under 5 hours with an unintelligent brute force.
A better examination of the problem can be found on the XKCD explain wiki:
http://www.explainxkcd.com/wiki/index.php/936:_Password_Strength
Long story short: length ALWAYS beats complexity, but a little bit of complexity helps.
Sadly, as explained on the wiki, XKCD's analysis is slightly flawed in that dictionary attacks are still a problem. That, and my discussions about the problem with people who aren't tech savvy, have revealed to me that a password like "correcthorsebatterystaple" is hard to come up with and hard to remember because of the nonsensical nature of its origin, which means that we need another solution.
There is one problem that the comic does not address: password reuse. Most people use a small selection of passwords on multiple accounts spread all over, and this is a big problem because not all sites have the same security. Gaining access to the database of one site can give a hacker a table of email addresses and passwords to try elsewhere. Add to this the existence of pre-hashed password tables (large databases of passwords and their known hash values under a specific algorithm) and a hacker doesn't even have to do much work. Get admin access to a somewhat obscure low-security site and bam, more likely than not he has hundreds of account credentials on sites like Facebook and Twitter; those accounts can get him more personal information, possibly enough to steal an identity.
Entropy
Pulled from the explain page:
"In simple cases the entropy of a password is calculated as a^b where a is the number of allowed symbols and b is its length."
a^b gives you the number of possibilities; to get the number of bits you take the log base 2.
Entropy in bits = log2(a^b).
To put this in more relatable terms: if you have a password like "buddy", then its entropy is log2(26^5) ≈ 23.5 bits, with 26 for all the lowercase letters in the alphabet and 5 for the 5 letters in "buddy". Let's add a capital and make the password "Buddy"; now the entropy is log2((26*2)^5) ≈ 28.5 bits, because there are 26 more possibilities for the capital letters. Add a number? "Buddy3" gives log2((26*2+10)^6) ≈ 35 bits; add 10 for the 10 possible digits. Add a symbol and the entropy grows again. But this is an extremely simplified analysis. In the real world there is such a thing as a "dictionary attack" that basically reduces all common words (including capitals and number substitutions for letters) to about 12 bits of entropy each, so "Buddy3"'s real entropy is more like 13 bits or lower.
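As an added example (not from the original post), the script below carries the post's formulas through in Python: the naive log2(a^b) count for "buddy", "Buddy" and "Buddy3", a dictionary-aware estimate that charges the post's rule-of-thumb 12 bits per recognised word, and the time to exhaust a 2^24 or 2^28 space at the comic's 1000 guesses per second. It also scores a template-style password from Step 1 below. The toy wordlist, the leet-substitution map and the 32-symbol count are assumptions made for the example.

```python
import math

def charset_size(password: str) -> int:
    """Alphabet size a, as in the post: 26 lowercase, +26 uppercase, +10 digits,
    plus (an assumption) 32 for the printable ASCII symbols."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 32
    return size

def naive_entropy_bits(password: str) -> float:
    """The post's simple model: a^b possibilities, so log2(a^b) = b * log2(a) bits."""
    return len(password) * math.log2(charset_size(password))

# Constructed toy wordlist for the example; a real cracking dictionary is far larger.
COMMON_WORDS = {"buddy", "dog", "food", "the", "town", "for", "best", "day", "apples"}
# Undo the usual digit/symbol-for-letter substitutions before looking for words.
LEET = str.maketrans("01345@$", "oleasas")

def dictionary_aware_bits(password: str, bits_per_word: float = 12.0) -> float:
    """Charge the post's rule of thumb of ~12 bits per recognised word (case and
    substitutions ignored), and full per-character entropy for everything else."""
    norm = password.lower().translate(LEET)
    per_char = math.log2(charset_size(password))
    bits, i = 0.0, 0
    while i < len(norm):
        # longest dictionary word starting at this position, if any
        word = max((w for w in COMMON_WORDS if norm.startswith(w, i)), key=len, default=None)
        if word:
            bits += bits_per_word
            i += len(word)
        else:
            bits += per_char
            i += 1
    return bits

def crack_time_seconds(bits: float, guesses_per_second: float = 1000.0) -> float:
    """Seconds to exhaust the whole space at the comic's 1000 guesses/sec online rate."""
    return 2.0 ** bits / guesses_per_second

if __name__ == "__main__":
    for pw in ("buddy", "Buddy", "Buddy3", "TreetsForBuddy185@93BestDay"):
        print(pw, round(naive_entropy_bits(pw), 1), round(dictionary_aware_bits(pw), 1))
    print("2^24 space at 1000 guesses/s:", round(crack_time_seconds(24) / 3600, 1), "hours")
```

The gap between the naive and dictionary-aware figures for "Buddy3" is the point of the post: a short password built from a common word loses most of its apparent entropy to a wordlist.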
Solution
Have no fear, I'm here to solve your problem. I'm going to give you a way to create unique, easy-to-remember, strong passwords for anything and everything.
Step 1: Create a pattern/template
If all your passwords have a similar, somewhat predictable format that is filled in with unique information for each account, it is easy for YOU (not the hacker) to recreate your password from readily available information even if you forget it.
Examples of patterns you might use are:
<name><word related to site><significant number>@<word of personal significance> -> like an email, example: DogFoodShoping1492@TauOfFood
<related word><some name (city, pet, etc.)>:[<significant number> -> good for a location-linked account, example: ApplesNewYork:[1851993
As you can see, this quickly creates passwords over 20 characters long that are still easy to remember. The pattern should be unique to you, which means that while you could use one of my example patterns, it's best to use one that will be easy for YOU to remember.
But wait, significant dates? Pet names? You're not supposed to use those in a password! You are correct, good sir; that is what the prevailing wisdom has been for years. But the problem has never been with USING the information in the password; it's been with basing your password on it. Let's be honest here: if your pet's name is Buddy and your birthday is the 18th of May 1993, then buddy1851993 is a TERRIBLE password. But if, say, you're on Amazon and you made your password TreetsForBuddy185@93BestDay, that's an entirely different story because of HOW the information is used. It constructs a sentence that will be in your style of speaking. It's long and relatively complex enough that even someone who knew you and that information would have a very difficult time guessing the password, as there are so many places to mess up.
Step 2: Fill in your Template
You have a template? Good, now you just have to fill it in and you're golden!
Ask yourself a few questions:
- What is the account for?
- Online shopping? What do you plan to buy?
- Social network? What's the general topic?
- Bank? What's important to you financially? What are you saving for?
- Need a number? What's the month and year today? What are the last 4 digits of your license plate? Is this the 0001st time you're doing this?
example: LittleNowMoreLater514;CollegeBaby
Something to notice is that I CamelCase the passwords in the examples. This is to make use of capitals: when you employ at least 1 capital letter you double the number of possible characters that could make up the rest of the password, doubling your entropy (aka strength) over a password of all lower case. What's more, employing CamelCase means that I end up using a capital and I can get past all the inane (you must use at least 1 capital and one digit) password security checks when signing up at websites. So long as they don't limit the number of characters you can use (NETFLIX), you're golden. I also usually use some symbols, like a semicolon, in a predictable place next to a number. But your pattern should be your own.
Step 3: You're Done!
You now have a password that is unique and related to the topic of the account, easy for you to remember or remake but impossible for a computer or your best friend to guess in any reasonable amount of time (aka a human lifespan). Yay!
Additional Notes
- As with all published password advice, NEVER use a password that has been provided as an example; they quickly get added to search databases and effectively have no entropy.
- Some sites (Netflix etc.) limit you to a 10-13 character password. These sites were created by trained security monkeys, and the caretaker leaves the keys under the front mat. Never trust these sites with any important information; use the maximum password length you can and hope for the best.
- I have done very little in terms of mathematical analysis of how strong my example passwords are, but the rules to keep in mind when you fill out a template are:
  - Use uncommon words (avoid Dog, The, Town, etc.); this breaks the usefulness of dictionary attacks
  - Length is what matters
  - You want to remember it
- I'm not a security expert; take my advice with a grain (or more) of salt.
Comments? Critique? Complaints? Compliments? Post below!