Passwords – Strong or Memorable?

Passwords

In our modern internet-connected world we are constantly told that we need to use long, complex passwords to keep out the bad people who want to steal our information and money.

We are encouraged to use strong passwords, that is, ones that avoid everyday words but include upper and lower case letters, numbers and punctuation marks.

Some commentators also suggest using passwords up to 16 characters in length.

This is all good and proper, but then we are told we must never write down these strong passwords in case they get into the wrong hands.

I can’t speak for other people, but I have tried remembering and using 16 character passwords.

The kindest thing I can say is that it was an exercise in frustration with constant failures to remember and enter them correctly.

How strong is strong enough?

At this point I took a different approach and spent some time researching password strength on the internet. This was an eye-opener.

It rapidly became clear that a strong 8 character password, as in one containing upper and lower case letters, numbers and punctuation marks, would take a hacker up to two years to crack.

This was the light bulb moment.

The realisation was that security only has to be strong enough to make the hacker look elsewhere.

I quickly came to the conclusion that most hackers would quickly move on to an easier target in the face of a strong 8 character password.

However, coming up with a strong 8 character password that is easy to remember but hard to guess is still a challenge.

What I am sharing with you in this post are three ways of creating strong but memorable passwords.

Substitution

Before we look at the three methods we need to have a look at the technique of substitution.

Substitution in this case simply means changing one character for another according to a pattern.

The “pattern” bit is important because this is how you work out your password again if you forget it.

However, it is important that the pattern is memorable to you, and that you do not share it with anyone else.

As examples you can change:

  • “a” to ^ (Lower case a only)
  • “b” to 6 (Lower case b only)
  • “e” to 3 (lower case e only)
  • “g” to 8 (lower case g only)
  • “i” to 1 (lower case i only)
  • “o” to 0 (letter o to the number zero, lower case o only)
  • ” ” to & (space to ampersand)

Applying this to my name, as an example, would change Bob Windmill to B06&W1ndm1ll.

OK, it’s still recognisable as my name but unless a hacker guesses that I’ve used my name and the pattern I’ve used they would be a long while guessing it.

In my example I have chosen to change each lower case letter into the number it most resembles, like changing i to 1.

The upside of this is that it is easy to remember but the downside is that it is easier to guess.

If you are not comfortable with this trade-off, just pick a less obvious set of substitutions.

OK, let’s see how we can apply substitution in three different ways.

Method 1: using a passphrase

A passphrase is just a phrase that means something to you. As ever, it shouldn’t be too obvious and you should keep it to yourself.

An example of an obvious pass phrase is the mnemonic used to remember the colours of a rainbow “Richard Of York Gave Battle In Vain” (Red, Orange, Yellow, Green, Blue, Indigo and Violet, if you are interested).

However, hackers have big databases of obvious words and phrases, so do pick something personal to you.

For this exercise we will use the phrase “Losing Baggage At The Airport”. Yes, I know it’s longer than eight characters, but we will sort that out later on.

Making the substitutions I gave earlier in this article changes the passphrase to “L0s1n8&B^88^83&At&th3A1rp0rt”.

It’s starting to look like a good password, but it is still too long for me, so the final stage is to pick a section of 8 characters.

The trick here is to pick a starting point that means something to you but will not be easily guessable by a hacker.

One of my starting point numbers is based on my old motorcycle racing number, from the year that I won my first championship.

The number is 34, and 3+4 is 7, so in this example I use 7 as my starting point. This gives a password of “B^88^83&”.

How long would you be guessing that?

Method 2: Combining common words

Some commentators recommend simply using two common but unrelated words joined together. An example of this technique is “herefordparticle”.

These are a county in England (Hereford) and a small amount of a substance (Particle), so they have no connection at all.

While hard to guess, this can be improved by using substitution, as above, to give “h3r3f0rdp^rt1cl3”. Definitely strong and hard to guess now!

And finally, starting at 7 and taking 8 characters gives “dp^rt1cl”, which I think a hacker would be a long time guessing.

Method 3: using a foreign language

While I have no evidence for this, I suspect that hackers will assume that your password will be based on English or your native language.

This suggests that basing your password on words in another language will make it harder to guess.

The only limitation is that your chosen language has to use Latin characters like these, because the majority of computer systems require this, so no Chinese, Cyrillic or Arabic.

My native language is English, so any other language would work for me. Happily I speak French and German, with a smattering of Italian and Spanish, so I have plenty of choice.

German is good for this because it has lots of long, complicated words like “vergangenheit” (the past) and “Kaffeelöffel” (coffee spoon).

Applying method 2 to these gives “vergangenheitKaffeelöffel”, which with substitution becomes “v38^enh318htK^ffl0ffel”. Using my starting point of 7, my 8 character password becomes “318htK^f”.

Of course, there is nothing to stop you mixing languages. How about combining the German “vergangenheit” with the Italian “Maglietta” (T-shirt)?

With substitutions, “vergangenheitMaglietta” becomes “v3r8^n3nh318htM^8l13tt^” and the password is now “h318htM^”.

How long would you be guessing that?
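The substitute-then-cut procedure that all three methods share, written out as an added Python example (not code from the post): it applies the substitution table listed above, takes an 8 character section, and then checks whether that section still contains all four character classes the post calls strong, because a short section can lose one (the post’s own “dp^rt1cl” has no upper case letter). The 0-based start position is an assumption; it is the counting that reproduces the post’s quoted results.

```python
import string

# The substitution pattern given in the post: lower-case letters only,
# and a space becomes an ampersand. Upper-case letters are left alone.
SUBSTITUTIONS = {
    "a": "^", "b": "6", "e": "3", "g": "8",
    "i": "1", "o": "0", " ": "&",
}


def substitute(text, table=SUBSTITUTIONS):
    """Swap each character for its replacement; unmapped characters stay."""
    return "".join(table.get(ch, ch) for ch in text)


def pick_section(text, start, length=8):
    """Take `length` characters from 0-based position `start`.

    0-based counting is an assumption; it is the counting that turns the
    post's "start at 7" into its quoted results.
    """
    if start < 0 or start + length > len(text):
        raise ValueError("section would run past the end of the phrase")
    return text[start:start + length]


def make_password(phrase, start, length=8):
    """Methods 1, 2 and 3 of the post: substitute, then cut out a section."""
    return pick_section(substitute(phrase), start, length)


def character_classes(password):
    """Report which of the four classes the post calls 'strong' are present."""
    return {
        "upper": any(c in string.ascii_uppercase for c in password),
        "lower": any(c in string.ascii_lowercase for c in password),
        "digit": any(c in string.digits for c in password),
        "punct": any(c in string.punctuation for c in password),
    }


def is_strong(password):
    """True only if all four character classes survive the cut."""
    return all(character_classes(password).values())


if __name__ == "__main__":
    print(substitute("Bob Windmill"))  # B06&W1ndm1ll, as in the post
    for phrase in ("Losing Baggage At The Airport", "herefordparticle"):
        pw = make_password(phrase, 7)
        print(phrase, "->", pw, character_classes(pw))
```

Running it shows that both “B^88^83&” and “dp^rt1cl” are missing one class, so it is worth checking the cut-down section before settling on it.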

Finally

I hope that you have enjoyed reading this post and found it useful. If you have thoughts on what I have written so far please leave a comment.

Also if you have an idea for another business topic let me know and I’ll be delighted to find a space for it.

Thanks again

Bob Windmill

2 thoughts on “Passwords – Strong or Memorable?”

  1. Smart!
    And people should consider using these techniques.
    I personally substitute letters by numbers and use personal memorable phrases, but it’s usually more than 8 characters, but it works for me.
