Wednesday, November 10, 2010

Creating Strong, Usable Passwords

Ah, passwords. Every system admin hates weak passwords, and every user hates having to remember 35 million strong passwords in their heads for every tiny little website that they use, and never the twain shall meet. Or will they?

I've got a lovely little system that ensures I have a strong, unique password for every website/service I use, but almost never forget a password.

Full disclosure: most of these ideas probably aren't mine. I'm sure I've compiled this system from a lot of people I've talked to and things I've read over the years. I've just been using it so long that I don't quite remember how the hell I came up with it. But I'm gonna share it all with you just the same.

The secret is to keep some knowledge in your head and some knowledge in the world, allowing you to lessen your cognitive load. Instead of remembering a bunch of passwords, you're basically going to remember a formula for deriving your passwords. The basic formula is like this:

[remembered passphrase] + [connector] + [service-specific abbreviation]

Here's how to do it:

1. Create Your Passphrase
It's called a passphrase here, as opposed to a password, because it's a single made-up "word" generated from a phrase rather than a real word slightly jumbled. That matters against a dictionary-based attack: cracking wordlists already include common misspellings and leet substitutions of real words, so a jumbled real word buys you little, while the initials of a phrase only you know don't appear in any list.

Doing this is pretty simple. Just write down a phrase that's relatively easy to remember. Perhaps it's a favorite quote, or about a summer you spent in France. It really can be anything that you're fairly confident wouldn't be hard for you to recall (and, if at all possible, wouldn't be something people would easily associate with you). For instance, let's say you choose the now-famous Spiderman quote "With great power comes great responsibility."

Now that you have your phrase, represent each word with a character (or series of characters) and eliminate the spaces. A very simple way to encode the above phrase would be:

wgpcgr

This isn't a word in any dictionary, so you're already ahead of a plain dictionary attack if you stop right there. Don't stop there if you can help it, though: six lowercase letters is a small enough space that a brute-force search against a stolen password hash will still get through it. A good strong passphrase will have at least one of each of the following:
  • an uppercase character
  • a lowercase character
  • a "special" character
  • a number

Using a leet alphabet you can easily translate letters to numbers or special characters. Here's another pass at translating the phrase "With great power comes great responsibility", but applying the guidelines above:

wGPwRc(4

In addition, I shortened "power" to "pwr" instead of just "p" to make the passphrase a bit longer. Shoot for at least 6-8 characters for this part (the running example is eight). Longer is stronger, and because you're recalling a phrase rather than random characters, a few extra characters cost you very little memory. One practical reason to stay near eight: some archaic systems, most notoriously university systems, still impose a "type a password between 6-8 characters" limit, and in those cases you can simply use the passphrase on its own instead of the full password we're generating here.

2. Create a Connector
The connector is the thing you use to bridge your passphrase with the abbreviation (discussed in the next section) to create your full password. This can be as simple as a dash ("-") or a plus sign ("+") or whatever you want. Have fun with it. It just has to be a character (or series of characters) you can remember. If you're stressing out about this, I'd highly recommend just going simple: the strength of the end result comes almost entirely from the passphrase, and the connector mainly buys you a memorable separator and one more special character.

For our running example, I'll choose something relatively simple to be our connector, the dash:

-

3. Thinking up Abbreviations
The last part of this is to think up a prefix/suffix to your passphrase that's based on the site or service you're using. It doesn't need to be complicated. It just needs to be something that is strongly associated with the service and something you can remember. Go with the first thing you think of. As a simple example, let's say your email password prefix/suffix is "em", or "@" if you're feeling clever. Again, the key here is to keep this knowledge in the world: it should be immediately recallable when you're sitting at that website and about to type in your password.

Our running example is an email password, so it uses the abbreviation:

em

4. Putting it All Together
Alright! You've got your passphrase, you've got your connector, and you've got a service-specific abbreviation. To put it together, you've got a few options. You can use your abbreviation as a suffix:

passphrase + connector + abbreviation

a prefix:

abbreviation + connector + passphrase

or you can use both in some creative ways. Here are a few ideas:

abbreviation + connector + passphrase + connector + abbreviation
1st half of abbr + conn + pass + conn + 2nd half of abbr

Let's make this concrete. Remember, our encoded passphrase is wGPwRc(4, our connector is -, and our abbreviation for our email program is em.

Here are the possible passwords that result from the formulas above.
  • Suffix formula: wGPwRc(4-em
  • Prefix formula: em-wGPwRc(4
  • Prefix and suffix formula: em-wGPwRc(4-em
  • Half-and-half formula: e-wGPwRc(4-m
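
To make the formulas checkable rather than just readable, here is a small Python script that derives a password from the three memorised parts, applies each of the four combination patterns above, enforces the four character-class guidelines from step 1, and falls back to the bare passphrase for systems with an 8-character cap. This is an added illustration, not code from the original post; the values "wGPwRc(4", "-" and "em" are the post's running example, and the extra service abbreviations in the demo are made up for this example.

```python
"""Derive per-service passwords from one memorised passphrase.

Added example for the formula described in this post; not the post's own code.
Running-example values ("wGPwRc(4", "-", "em") come from the post; the other
service abbreviations below are constructed for this demo.
"""
import string

FORMULAS = ("suffix", "prefix", "both", "half")


def derive(passphrase, connector, abbr, formula="suffix", max_len=None):
    """Combine the three memorised parts with one of the post's four formulas.

    max_len models an archaic system that caps password length; if the full
    password would not fit, fall back to the passphrase alone, as the post
    recommends for 6-8 character systems.
    """
    if formula == "suffix":
        pw = passphrase + connector + abbr
    elif formula == "prefix":
        pw = abbr + connector + passphrase
    elif formula == "both":
        pw = abbr + connector + passphrase + connector + abbr
    elif formula == "half":
        # First half of the abbreviation in front, second half behind.
        # For an odd-length abbreviation the front half gets the extra char.
        mid = (len(abbr) + 1) // 2
        pw = abbr[:mid] + connector + passphrase + connector + abbr[mid:]
    else:
        raise ValueError(f"unknown formula {formula!r}; choose one of {FORMULAS}")

    if max_len is not None and len(pw) > max_len:
        return passphrase
    return pw


def meets_guidelines(pw):
    """Step 1's rule: at least one upper, one lower, one special, one digit."""
    return (
        any(c.isupper() for c in pw)
        and any(c.islower() for c in pw)
        and any(c in string.punctuation for c in pw)
        and any(c.isdigit() for c in pw)
    )


def derive_all(passphrase, connector, abbrs, formula="suffix"):
    """Derive one password per service and confirm they are pairwise unique.

    Uniqueness across services is the whole point of the abbreviation, so a
    collision (two services given the same abbreviation) is treated as an error.
    """
    out = {service: derive(passphrase, connector, abbr, formula)
           for service, abbr in abbrs.items()}
    if len(set(out.values())) != len(out):
        raise ValueError("two services share an abbreviation; pick distinct ones")
    return out


if __name__ == "__main__":
    # Post's running example.
    passphrase, connector = "wGPwRc(4", "-"
    for f in FORMULAS:
        print(f"{f:>6}: {derive(passphrase, connector, 'em', f)}")
    # Constructed abbreviations for a few more services (example only).
    services = {"email": "em", "bank": "bk", "shopping": "shp"}
    for service, pw in derive_all(passphrase, connector, services, "half").items():
        print(f"{service:>8}: {pw}  guidelines ok: {meets_guidelines(pw)}")
    # A legacy 8-character system gets just the passphrase.
    print("legacy :", derive(passphrase, connector, "em", max_len=8))
```

Note that meets_guidelines("wgpcgr") is False, which is exactly why the post's first pass at encoding the phrase is not good enough on its own, while the leet-encoded "wGPwRc(4" passes before any connector or abbreviation is added.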

Just make sure you pick one formula and stick with it. If you keep switching the formula, it'll just be self-defeating. One honest caveat: the derived passwords are unique but visibly related, so if a site leaks one of them in plaintext, anyone who sees it can work out the pattern, and that's the moment to retire the passphrase and start over. Otherwise, using this method you can have your cake and eat it too. And I'm ending this blog post here because now I want cake.
