Ultra-secure passwords for the rest of us

Recently, the Jack O’Spades wrote an interesting article about passwords and how NOT to create them. He’s, of course, absolutely right in that, when it comes to passwords, longer doesn’t mean better. Complex is always better.

The problem, it seems, isn’t coming up with a complex password, it’s remembering it when you really need to. How exactly do you remember a password that has both numbers and letters in it?

Take for example, the following secure password : tlpwtm201216232013

Believe it or not, I can reproduce that password, on command, whenever I want, without even memorizing it. How, pray tell?

The solution isn’t to remember the password itself, but to remember how to create the password, i.e. remember the algorithm that originally produced the password and recreate it on demand. In simple terms, this is no different from encryption algorithms that produce the same output when provided the same input. Fortunately, our algorithm is much simpler than an encryption algorithm, and if our password is small enough, we can probably do it all in our head.

The password, tlpwtm201216232013, was created using the phrase “This Little Piggy Went To Market”. We now take the first letter of each word in the phrase :

“This Little Piggy Went To Market”
t l p w t m

We now have the first “letter part” of our password. Unfortunately this isn’t secure by itself, as it will only take a short while to crack it with a brute force attack. So we must also add a few numbers to it to make it much more difficult to guess. However, the numbers don’t need to be random at all and can be quite long…

Let’s consider the following list :

  1. A
  2. B
  3. C
  4. D
  5. E
  6. F
  7. G
  8. H
  9. I
  10. J
  11. K
  12. L
  13. M
  14. N
  15. O
  16. P
  17. Q
  18. R
  19. S
  20. T
  21. U
  22. V
  23. W
  24. X
  25. Y
  26. Z

Each letter of the alphabet has a corresponding number which denotes its place. We have already selected our letters, t l p w t m; now we need to match them to the numbers…

T = 20
L = 12
P = 16
W = 23
T = 20
M = 13

Now put those numbers together : 201216232013 … We now have the number portion of our password. Put it all together : tlpwtm201216232013 … and now we have our password completed!

To make this even more secure, you have the option of capitalizing every other character and, perhaps, adding special characters here and there : =tLpWtM%!?201216232013. As long as you maintain the same pattern throughout all your passwords, you won’t have to worry about which special character goes where.
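The derivation described above, written out as a small script so it can be checked against the post’s examples. This is an added example, not code from the original post; the function names (initials, positions, derive, decorate) and the choice to skip leading punctuation and non-ASCII characters are my assumptions, and the prefix and separator in decorate simply reproduce the one decorated sample the post gives.

```python
import string

# 1-based alphabet positions: a=1 ... z=26, as in the table in the post.
ALPHABET_POSITIONS = {ch: i for i, ch in enumerate(string.ascii_lowercase, start=1)}


def initials(phrase: str) -> str:
    """First ASCII letter of each whitespace-separated word, lower-cased.

    Leading punctuation (an opening quote, a dash) is skipped, and a word
    with no ASCII letter at all contributes nothing. Assumption: the post
    never says how to treat such words, so this is one reasonable choice.
    """
    letters = []
    for word in phrase.split():
        first = next((c for c in word if c in string.ascii_letters), None)
        if first is not None:
            letters.append(first.lower())
    return "".join(letters)


def positions(letters: str) -> str:
    """Concatenate each letter's alphabet position with no padding
    (t=20, l=12, ... exactly as the post writes them)."""
    return "".join(str(ALPHABET_POSITIONS[c]) for c in letters)


def derive(phrase: str) -> str:
    """The basic scheme: letter block followed by its digit block."""
    letters = initials(phrase)
    return letters + positions(letters)


def decorate(phrase: str, prefix: str = "=", separator: str = "%!?") -> str:
    """The post's optional variant: capitalize every other letter and add a
    fixed pattern of special characters. The defaults reproduce the post's
    sample =tLpWtM%!?201216232013; they are not a recommended pattern."""
    letters = initials(phrase)
    mixed = "".join(c.upper() if i % 2 else c for i, c in enumerate(letters))
    return prefix + mixed + separator + positions(letters)


if __name__ == "__main__":
    for phrase in (
        "This Little Piggy Went To Market",
        "Now is the winter of our discontent",
        "What a piece of work is man",
        "Have patience, and endure",
    ):
        print(f"{phrase!r:45} -> {derive(phrase)}")
    print(decorate("This Little Piggy Went To Market"))
```

One property worth noticing when running this: positions() is a pure function of the letters, so the digit block makes the password longer but adds no secret of its own. Anyone who knows the scheme only has to guess the letter block, which means the strength of the result is the unpredictability of the phrase, not the length of the final string.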

Let’s take a look at a few more phrases and passwords derived from them :

“Now is the winter of our discontent”
nitwood149202315154

“What a piece of work is man”
wapowim231161523913

“Have patience, and endure”
hpae81615

The best thing about this method is that you don’t have to limit yourself to popular phrases. It could be something you were told as a child, some phrase in a book that has been out of print for a decade, a Latinized phrase from a non-English book… Your imagination is the limit. And since the method of formulation is so simple, now you don’t have an excuse not to come up with a complex and unique password for every occasion.

8 thoughts on “Ultra-secure passwords for the rest of us”

  1. Nice technique. It works better than the “L33t”-like substitution I was employing. It becomes rather difficult to remember what letters or numbers substitute what characters. This already wastes a lot of my valuable memory, even before adding additional complexity.

    Of course, it’s still vulnerable to forgetting what phrase you used, and for which purpose. I’d still recommend a tool like keepass if you have to remember multiple passwords.

  2. Ah, I remember studying password security in my younger admin days. I used to do stuff like this too. Or I would literally force myself to memorize long, difficult random passwords.

    Later, I came up with techniques like using passphrases (with good obfuscation), but not all authentication systems can handle passwords that complex, sad to say. :(

    I am not an admin anymore, just a luser, so my password constraints are more lax these days.

    Oh, I miss doing security sometimes… :)

  3. The complex passwords are great but what do you do if you have many accounts? You can’t very well reuse that same password. And if you are clever enough to think of 25 original passwords for 25 accounts, where do you keep them stored?

    http://tinyurl.com/38jxny

    This is a link to a product blog. Hope you find it useful.

    L (PassPack)

  4. Jack, I agree, remembering the right pass could be difficult.
    But easily mitigated by using a phrase that makes sense for each occasion.

    E.G.
    “This little piggy went to market” could be a bank password
    “Never write a letter while you are angry” could be your email
    “Home is not where you live but where they understand you” Home computer password etc.. etc…

    GF, considering how hard it is to get users to follow best practices, I envy your situation ;)

    Louise, the reason I would avoid password managers is that there’s no guarantee that I would have access to a computer on which I had it installed.
    What if I’m standing with just a pen and piece of paper at a bank and my phone (that has the pass manager software installed) is low on batteries?
    But I understand that my way of doing things isn’t for everyone.

    This way, I could be carrying just the shirt on my back, but still have access to secure passwords.

  5. Song lyrics of favorite (but obscure) songs of mine have worked well, and obfuscating them further by making them look like function calls. Add in C-style underscores or Java-style capitalization, along with pointer syntax and even a favorite number here and there, and that seems to work pretty well. :)

    I like this method, though. Having a variety of methods for secure and easy-to-remember password generation is awfully nice when the institution one attends requires new passwords every 60 days! :P

  6. Pingback: The changing face of spam « This page intentionally left ugly

  7. Pingback: Transparent Evangelism no longer Transparent « This page intentionally left ugly

  8. Pingback: Ultra-secure passwords part II « This page intentionally left ugly
