
Tips for memorising a strong password

  • 09-10-2014 4:39pm
    #1
    Closed Accounts Posts: 1,004 ✭✭✭


    As most of you technically competent folk will be aware, there's a continuing war going on between those who have short passwords for the sake of convenience and those who want longer more secure passwords.

    The generally accepted compromise is to choose a passphrase as opposed to an individual password. Although people shy away from using words you can find in the dictionary, this is actually counter intuitive.

    One of my favourite websites, Diceware, of which no doubt you've all heard, involves using five dice to randomly select words from a pre-prepared list.

    Generating a list is as easy as ABC, just roll the dice and use the search function on the list to find the corresponding words, here's one I cooked up earlier:

    Hun
    bop
    Euler
    lisle
    rinse
    arid
    skit
    cafe
    prom
    hose

    All well and good so far. Two different websites say as a passphrase this will protect your data from brute force cracking long after you're pushing up the daisies.

    The issue is how to remember a long list of passwords like these?

    The answer is to employ your spatial and visual memory to reinforce these images in your mind. This is by no means a new idea, I got this from Derren Brown's book Tricks of the Mind and there are several websites on the subject.

    I did this at first with a list of a few everyday nouns which I found was a little too easy. This is something I like about the Diceware list in that some of the words are relatively obtuse and seem harder to remember.

    For those who don't know, Euler was a pioneering 18th Century Mathematician and Lisle is a type of soft fabric.

    The idea is to simply find a way of linking one word to each other by way of a story.

    In this case, I came up with the following:

    Attila the HUN is standing in a desert with bright red Dr Dre Headset on as he BOPs to the beat, waving an axe menacingly over the head of poor EULER the Mathematician who has been tied up with very white LISLE thread from feet to the bottom of his neck, so he's cocooned in it.

    Attila cuts him out of the thread and gives him a very shiny basin of water to RINSE his face, but the desert in which they are is so ARID, the Mathematician drinks it down and throws it to the ground.

    Attila takes the basin and places it on his head, doing a comedy SKIT for the mathematician who laughs hard. Attila takes the basin off and asks him if he’s still thirsty - being Swiss the Mathematician asks for a frothy CAFE au lait.

    Attila produces a large green dress and says Euler can have one, provided he go as his date to the PROM.

    Euler faints as he’s so appalled at the idea and Attila rushes over to revive him by spraying him with a flowery garden HOSE.

    It helps to concentrate on feelings as well as images; also to make sure the image is very ludicrous so it stands out in your mind.

    There's no reason you can't take this further of course and add more words to your passphrase, or possibly some numbers or symbols, the only limit is your imagination!
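
The Diceware procedure described in the post above, as an added example that is not part of the original post or of the Diceware site: five die faces are read as a base-6 number that indexes a 7,776-entry list, and each word chosen this way adds about 12.9 bits of entropy. The word list here is a constructed placeholder (`w0000` to `w7775`), the function names are hypothetical, and the guessing rate passed to `years_to_search` is an assumption the caller supplies.

```python
import math
import secrets

DICE_PER_WORD = 5
LIST_SIZE = 6 ** DICE_PER_WORD  # 7776 entries in a five-dice word list

# Constructed placeholder list; a real list has one word per five-dice roll.
SAMPLE_LIST = [f"w{i:04d}" for i in range(LIST_SIZE)]


def rolls_to_index(rolls: str) -> int:
    """Map five die faces such as '35142' to a 0-based list index (base 6)."""
    if len(rolls) != DICE_PER_WORD or any(c not in "123456" for c in rolls):
        raise ValueError(f"need {DICE_PER_WORD} digits in 1-6, got {rolls!r}")
    index = 0
    for face in rolls:
        index = index * 6 + (int(face) - 1)
    return index


def roll_dice() -> str:
    """Software stand-in for physical dice, drawn from the OS CSPRNG."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(DICE_PER_WORD))


def passphrase(wordlist, rolls_per_word) -> str:
    """Look up one word per group of five rolls and join them with spaces."""
    if len(wordlist) != LIST_SIZE or len(set(wordlist)) != LIST_SIZE:
        raise ValueError(f"word list must hold {LIST_SIZE} distinct entries")
    return " ".join(wordlist[rolls_to_index(r)] for r in rolls_per_word)


def entropy_bits(n_words: int) -> float:
    """Entropy of n words, valid only if every word came from fair rolls."""
    return n_words * math.log2(LIST_SIZE)


def years_to_search(bits: float, guesses_per_second: float) -> float:
    """Average time to find the phrase: half the keyspace at the given rate."""
    seconds = 2 ** (bits - 1) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    rolls = [roll_dice() for _ in range(10)]  # ten words, as in the post
    print(passphrase(SAMPLE_LIST, rolls))
    print(f"{entropy_bits(10):.1f} bits")
```

The figure from `entropy_bits` applies to the selection process, not to the words themselves: it holds only when each word is chosen by the dice (or the CSPRNG) and none is re-rolled for being hard to remember.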


Comments

  • Moderators, Regional Midwest Moderators Posts: 11,147 Mod ✭✭✭✭MarkR


    I went to one of those random password generating websites, one that allows you to choose the length required, types of symbols, etc. Then kept clicking til I found one somewhat memorable. Used that for a while, then read a suggestion online about using the first letter from each word from the line of a song, so instead of Fd&2l£ (not the actual password, but similar format) I added hmbomt (hit me baby one more time - also not the real song I chose!) to give me hmbomtFd&2l£

    According to https://howsecureismypassword.net/
    It would take a desktop PC about
    4 billion years
    to crack your password


  • Closed Accounts Posts: 1,004 ✭✭✭Recondite49


    MarkR wrote: »
    I went to one of those random password generating websites, one that allows you to choose the length required, types of symbols, etc. Then kept clicking til I found one somewhat memorable. Used that for a while, then read a suggestion online about using the first letter from each word from the line of a song, so instead of Fd&2l£ (not the actual password, but similar format) I added hmbomt (hit me baby one more time - also not the real song I chose!) to give me hmbomtFd&2l£

    According to https://howsecureismypassword.net/

    Good man, sounds good. I like the fact it's not a dictionary word. Perhaps someone could use these in conjunction to have an ultra secure password, I agree with you, would be good to have some numbers and symbols too! :)

    I think it would be a good idea if you did this to select a song from a genre you don't listen to, or better yet at random. I mentioned in a previous post for instance I like to use lines from a book - one of the ones I used formerly was from a football annual as I have zero interest in the sport. :)


  • Registered Users, Registered Users 2 Posts: 321 ✭✭Gatame


    This is how I make my passwords: Pick 5 words randomly from the dictionary and put them together. These passwords are way more complex than combinations of characters/numbers/symbols. Using https://howsecureismypassword.net/ I'll show an example.

    Example: Ta54P@gte19 - 4 thousand years
    Example: black cat tango charlie gazebo - 48 quintillion years


  • Closed Accounts Posts: 1,959 ✭✭✭gugleguy


    if there is a lost password facility for you read on,
    if not stop reading my post now.
    put your smartphone into camera mode.
    now, write down on white paper a password about 9 letters in length.
    now photograph it with your smartphone.
    now, destroy the piece of paper.
    next look at the photo on your smartphone until you know it off by heart.
    then delete the photo on your smartphone


  • Registered Users, Registered Users 2 Posts: 10,824 ✭✭✭✭28064212


    gugleguy wrote: »
    if there is a lost password facility for you read on,
    if not stop reading my post now.
    put your smartphone into camera mode.
    now, write down on white paper a password about 9 letters in length.
    now photograph it with your smartphone.
    now, destroy the piece of paper.
    next look at the photo on your smartphone until you know it off by heart.
    then delete the photo on your smartphone
    Why photograph it with your phone? Just carry the piece of paper until you know it. Why introduce another unnecessary link?

    Boardsie Enhancement Suite - a browser extension to make using Boards on desktop a better experience (includes full-width display, keyboard shortcuts, dark mode, and more). Now available through your browser's extension store.

    Firefox: https://addons.mozilla.org/addon/boardsie-enhancement-suite/

    Chrome/Edge/Opera: https://chromewebstore.google.com/detail/boardsie-enhancement-suit/bbgnmnfagihoohjkofdnofcfmkpdmmce



  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    gugleguy wrote: »
    if there is a lost password facility for you read on,
    if not stop reading my post now.
    put your smartphone into camera mode.
    now, write down on white paper a password about 9 letters in length.
    now photograph it with your smartphone.
    now, destroy the piece of paper.
    next look at the photo on your smartphone until you know it off by heart.
    then delete the photo on your smartphone

    Oh dear oh dear oh dear.
    This is how I make my passwords: Pick 5 words randomly from the dictionary and put them together. These passwords are way more complex than combinations of characters/numbers/symbols. Using https://howsecureismypassword.net/ I'll show an example.

    ^^ This.


  • Closed Accounts Posts: 1,004 ✭✭✭Recondite49


    Gatame wrote: »
    This is how I make my passwords: Pick 5 words randomly from the dictionary and put them together. These passwords are way more complex than combinations of characters/numbers/symbols. Using https://howsecureismypassword.net/ I'll show an example.

    Example: Ta54P@gte19 - 4 thousand years
    Example: black cat tango charlie gazebo - 48 quintillion years

    Good man - how do you select them randomly from the dictionary? Do you just close your eyes and point at a section of a random page?

    Did you see my original post about the Diceware page? This involves using dice to select a dictionary word from a list.

    Choosing the words though is only half the battle. You also need to be able to recall them each time in the correct order.

    I think if you use the linking method we discussed though, it wouldn't be too difficult.

    For instance it's not too difficult to imagine a black cat, I would probably imagine one though on top of a huge orange can of Tango, leaping down into the arms of that weird blonde kid from Charlie and the Chocolate Factory who then retreats into a wooden gazebo holding it.


  • Closed Accounts Posts: 1,004 ✭✭✭Recondite49


    gugleguy wrote: »
    if there is a lost password facility for you read on,
    if not stop reading my post now.
    put your smartphone into camera mode.
    now, write down on white paper a password about 9 letters in length.
    now photograph it with your smartphone.
    now, destroy the piece of paper.
    next look at the photo on your smartphone until you know it off by heart.
    then delete the photo on your smartphone

    Can't say I agree mate, we've already discussed a linking method that allows us to visualise and remember these in your head. If it helps, you can imagine the items in question being placed somewhere familiar, like within rooms of your house. The method of loci not only allows you to remember passwords but huge amounts of information e.g I used it to remember the titles of Shakespeare's complete works in less than 20 minutes.


  • Closed Accounts Posts: 48 AdNet


    LastPass - this should be quite good alternative!
    The best plugin within this tool is 'password strength checker' that will analyze all your passwords, check for duplicates and mark all 'weak' passwords.


  • Registered Users, Registered Users 2 Posts: 81,220 ✭✭✭✭biko


    The length of the password is also important.

    The easiest way I know to create a long password is to have a sentence including an address

    My name is John Smith and I live on 34 Main Street, New Jersey Shore
    becomes
    MniJSaIlo34MS,NJS 17 chars
    "It would take a desktop PC about 2 quadrillion years to crack your password"


  • Closed Accounts Posts: 1,004 ✭✭✭Recondite49


    AdNet wrote: »
    LastPass - this should be quite good alternative!
    The best plugin within this tool is 'password strength checker' that will analyze all your passwords, check for duplicates and mark all 'weak' passwords.

    Thanks Adnet. LastPass has the advantage of working with your Yubikey if you have one to log in. My only worry is do you think they'd cooperate with a request from Law Enforcement for your passwords? :)


  • Technology & Internet Moderators Posts: 28,820 Mod ✭✭✭✭oscarBravo


    My only worry is do you think they'd cooperate with a request from Law Enforcement for your passwords? :)

    ...which in turn depends on the question "do they have access to your passwords?"

    They claim not. They've left no room for quibbles: either they don't have access to your passwords, or they've been straight-up lying through their teeth from day one and fraudulently advertising their product.


  • Registered Users, Registered Users 2 Posts: 1,853 ✭✭✭messrs


    biko wrote: »
    The length of the password is also important.

    The easiest way I know to create a long password is to have a sentence including an address

    My name is John Smith and I live on 34 Main Street, New Jersey Shore
    becomes
    MniJSaIlo34MS,NJS 17 chars
    "It would take a desktop PC about 2 quadrillion years to crack your password"

    I also use a sentence, for eg, ihavetogetthebustoworkeveryday (never actually used this one), however I didn't think of using a longer sentence and taking the first letter of each, that's a good idea, will defo use that next time, thanks :)


  • Closed Accounts Posts: 1,004 ✭✭✭Recondite49


    oscarBravo wrote: »
    ...which in turn depends on the question "do they have access to your passwords?"

    They claim not. They've left no room for quibbles: either they don't have access to your passwords, or they've been straight-up lying through their teeth from day one and fraudulently advertising their product.

    ...Which in turn leads to the question whether we can take them at their word...!

    It's the same dilemma I had when using SpiderOak and more recently Wuala who also use closed source software. I suppose we can rely on their self interest not to rubbish their own business model by ending up as the next Hushmail but of course refusing to release the code also means it can't be reviewed and patched by the community. The debate continues.

    However you can download KeePass which is open source and even has a plugin for OATH authentication with a Yubikey as with LastPass. The Windows version will run happily enough in Linux under Wine but there're also ports for Linux and Mac OS.

    The beauty of this is that you can keep your Keepass database on a secure drive. Also you can generate and use keyfiles; my only concern is that if anyone were to work out that one password you use, without two factor authentication you could be in hot water. :-D


  • Closed Accounts Posts: 628 ✭✭✭Chance The Fapper


    If you want a different password for each site, I find it useful to do the following.

    Use the first few letters of the site to think of a few words. So for boards:

    Bad orange animals run dinosaur

    If you want extra security you can use spaces, and then at the end or beginning of the string throw in a . and a multiple of the number of letters in the url. So you could have
    Bad orange animals run dinosaur.15


  • Closed Accounts Posts: 1,004 ✭✭✭Recondite49


    If you want a different password for each site, I find it useful to do the following.

    Use the first few letters of the site to think of a few words. So for boards:

    Bad orange animals run dinosaur

    If you want extra security you can use spaces, and then at the end or beginning of the string throw in a . and a multiple of the number of letters in the url. So you could have
    Bad orange animals run dinosaur.15

    This seems to me an excellent way to remember the order of the nouns in question!

    Re: numbers there is a method for remembering these individually, Derren Brown mentions a method for doing this individually e.g the number 16 is represented by the word 'lip'.

    As such if you wanted to make your password 'Wallet16' you could imagine a wallet with a lipstick imprint on it.

    Personally I just convert one of the words into numbers e.g EAR would become 050118.

    The way I remember whether a word should be represented by a number is by the object being on fire. This isn't a perfect system as it's something extra to remember and also it means I can't use any visual clues that involve flames e.g candles but whatever works...


  • Closed Accounts Posts: 1,260 ✭✭✭Rucking_Fetard


    gugleguy wrote: »
    if there is a lost password facility for you read on,
    if not stop reading my post now.
    put your smartphone into camera mode.
    now, write down on white paper a password about 9 letters in length.
    now photograph it with your smartphone.
    now, destroy the piece of paper.
    next look at the photo on your smartphone until you know it off by heart.
    then delete the photo on your smartphone
    I just write mine down on a bit of paper.


  • Closed Accounts Posts: 158 ✭✭obsidianclock


    Anyone using DiceWare, I'd recommend using the Beale list, available from the FAQ. Contains less Americanisms.


  • Moderators, Technology & Internet Moderators Posts: 4,621 Mod ✭✭✭✭Mr. G


    Not sure if this has been mentioned but if your password is complicated as it is just move everything to the right for example.

    So qwerty would be wertyu. And then change it differently but to something that you can make sense of. :)


  • Closed Accounts Posts: 158 ✭✭obsidianclock


    Mr. G wrote: »
    Not sure if this has been mentioned but if your password is complicated as it is just move everything to the right for example.

    So qwerty would be wertyu. And then change it differently but to something that you can make sense of. :)

    Hi Mr. G,

    Certainly an excellent idea to avoid a dictionary attack!

    This may be overkill but I would recommend also that anyone using DiceWare to generate your passwords, use real dice not an online RNG. I have a couple of dice from a Casino which I use, as they're supposed to be slightly fairer.


  • Moderators, Technology & Internet Moderators Posts: 4,621 Mod ✭✭✭✭Mr. G


    Also use 2 step authentication and never store passwords on a PC, especially cloud password storage services.


  • Closed Accounts Posts: 158 ✭✭obsidianclock


    Mr. G wrote: »
    Also use 2 step authentication and never store passwords on a PC, especially cloud password storage services.

    Excellent suggestions Mr. G.

    I know the likes of Bruce Schneier aren't really that keen on 2 Factor Auth (sadly I cannot post links yet!)

    Nevertheless, the threat models he describes are quite specific and apply to banking transactions.

    Also I'm rather ratty about how Google authenticator (used to verify two step auth) is now closed source on the client side - fortunately there are freeware apps like FreeOTP Authenticator which can get around this issue.


  • Registered Users, Registered Users 2 Posts: 4,331 ✭✭✭Keyzer


    Why remember complex passwords? There are plenty of tools out there that can do it for you.

    Check out Dashlane (I'm in no way affiliated with them, just a customer) - excellent tool for password management and strong password creation.

    Also, I use two form authentication wherever possible for an added layer of security.


  • Closed Accounts Posts: 158 ✭✭obsidianclock


    Keyzer wrote: »
    Why remember complex passwords? There are plenty of tools out there that can do it for you.

    Check out Dashlane (I'm in no way affiliated with them, just a customer) - excellent tool for password management and strong password creation.

    Also, I use two form authentication wherever possible for an added layer of security.

    If you want to rely on a third party tool that's fine - no harm in protecting it with a strong password though! :)


  • Registered Users, Registered Users 2 Posts: 4,331 ✭✭✭Keyzer


    If you want to rely on a third party tool that's fine - no harm in protecting it with a strong password though! :)

    Sure, agreed.

    Dashlane also does that for you i.e. creates a strong password and saves it then protects it with AES-256 encryption (10,000+ rounds of PBKDF2 salt).


  • Closed Accounts Posts: 158 ✭✭obsidianclock


    Keyzer wrote: »
    Sure, agreed.

    Dashlane also does that for you i.e. creates a strong password and saves it then protects it with AES-256 encryption (10,000+ rounds of PBKDF2 salt).

    I believe KeePass does something similar which is excellent as far as it goes - I just think that you should use a complex password (and possibly a keyfile) if that's the way you want to go.

    My worry would be using these kinds of apps, is that once someone has the one password, all of them are available to an adversary.

    If you take the time to memorise strong passwords for all your different apps it requires more leg work but I'd say it's safer.


    With regard to Dashlane and any online service, I suppose we have to take their word for it that they're not storing the Master Password.

    Anyone interested in reading up on Dashlane's Security can see the white paper below and decide for themselves:

    https://www.dashlane.com/download/Security-Whitepaper-V2.6.pdf


  • Registered Users, Registered Users 2 Posts: 5,112 ✭✭✭Blowfish


    If you take the time to memorise strong passwords for all your different apps it requires more leg work but I'd say it's safer.
    It's not really realistically possible though in all cases. I've 100+ passwords for different things, there's no way I could memorise unique strong passwords for all of them.

    A combination of both is best, have a few 'core' services that you memorise strong passwords for and let a password manager handle the less important stuff.


  • Closed Accounts Posts: 158 ✭✭obsidianclock


    Blowfish wrote: »
    It's not really realistically possible though in all cases. I've 100+ passwords for different things, there's no way I could memorise unique strong passwords for all of them.

    A combination of both is best, have a few 'core' services that you memorise strong passwords for and let a password manager handle the less important stuff.

    Sounds very sensible! I have been experimenting with memory techniques, it's great fun but hundreds of passwords is pushing it!

    Very fond of your namesake cipher Blowfish. :)


  • Registered Users, Registered Users 2 Posts: 4,331 ✭✭✭Keyzer


    My worry would be using these kinds of apps, is that once someone has the one password, all of them are available to an adversary.

    That's why I set up two factor authentication on dashlane !!!


  • Closed Accounts Posts: 158 ✭✭obsidianclock


    Keyzer wrote: »
    That's why I set up two factor authentication on dashlane !!!

    Two factor authentication to access data they already own? Don't we have to take their word for it that the data is encrypted and they don't have access to it?

    Do they have a warrant canary? If so how do we know they can't be subpoenaed to gather user data? There is a precedent after all!

    Nothing against storing passwords in the cloud in principle but perhaps open source software like KeePass might be a better idea? You can encrypt with keyfile which can be stored offline and I believe there's also a plugin for OTP authentication.

    Update : It also seems Two Factor Authentication is done by Google Authenticator which is closed source - cringe. Do you know if it's possible to use an Open Source authenticator like FreeOTP Authenticator ?


  • Registered Users, Registered Users 2 Posts: 4,331 ✭✭✭Keyzer


    Two factor authentication to access data they already own? Don't we have to take their word for it that the data is encrypted and they don't have access to it?

    Do they have a warrant canary? If so how do we know they can't be subpoenaed to gather user data? There is a precedent after all!

    Nothing against storing passwords in the cloud in principle but perhaps open source software like KeePass might be a better idea? You can encrypt with keyfile which can be stored offline and I believe there's also a plugin for OTP authentication.

    Update : It also seems Two Factor Authentication is done by Google Authenticator which is closed source - cringe. Do you know if it's possible to use an Open Source authenticator like FreeOTP Authenticator ?

    I'll ring them now and find out...


  • Closed Accounts Posts: 158 ✭✭obsidianclock


    Keyzer wrote: »
    I'll ring them now and find out...

    I prefer to frame things in the form of a question as it's less hostile than saying:

    - You can't take a third party's word for it that your data is safe.
    - There is no warrant canary.
    - Google Authenticator is closed source and can't be trusted.
    - Therefore Dashlane or indeed any third party service can't be trusted with your personal data unless they use open source software which is encrypted client side, and even then...

    :)


  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    - Google Authenticator is closed source and can't be trusted.

    Not so.

    https://github.com/google/google-authenticator-android


  • Closed Accounts Posts: 158 ✭✭obsidianclock


    Khannie wrote: »

    It would seem to be closed source these days, apparently they made a switch.

    I have a lovely article from Chris Drake where he releases a scathing attack on it, also a lively discussion on the matter available here.

    I can't summarise it better than Wikipedia:

    "Open Source status on Android

    The Authenticator app as available on Google's Android app market is proprietary, as explained on the project's development page:
    "This open source project allows you to download the code that powered version 2.21 of the application. Subsequent versions contain Google-specific workflows that are not part of the project."[30]
    An independent fork of the Android version of the software named OTP Authenticator[31] has been created, which is based on the last version of the open source code that had been provided by Google. Another Open Source fork named FreeOTP[32] has been published by Red Hat."


    I suppose though there's no reason you couldn't compile your own Android version of the open source tool as it was, provided you know what you're doing.


  • Closed Accounts Posts: 158 ✭✭obsidianclock


    Summary of Chris Drake's comments re: Google Authenticator:

    (The "exchanges" he's referring to are those who hosted Bitcoins.)
    Google Authenticator (GA) is not open source (only same antique version no longer in use ever got released)

    They store their bypass codes in plaintext on the server (any serverside break-in grants the attacker full ability to authenticate as you)

    Their bypass codes have insanely low entropy (7 numeric digits only - guessable in a mere 5 million attempts on average)

    Their app provides QR code enrollment - and the QR codes are generated by putting your (supposed to be secret) private key into the HTTP GET parameter of a google-owned URL: or in other words - regardless of where you enroll with GA, they're sending your private keys to google.

    "HTTP GET" parameters get stored in log files (granting access to your secret keys to anyone who can get the logs - such as by hacking, or legal subpoenas, or intercept)

    The GA app uses a 3rd party QR code scanner to read your secret keys. This 3rd party tool is a supermarket barcode app, designed to send all scanned codes to their server. This is all "closed source", so it's impossible to tell if they're recording your secret keys. Even if they're not, the author (which is not Google, and not under their control) merely has to make an update to grab GA keys if he wants.

    GA uses TOTP, which works with "shared secrets". This is a horrifying mistake. Again - anyone who can crack either end of the channel can forever impersonate the other end (read: a serverside breakin can own your client side auth). I am gobsmacked google were so stupid on this one. Asymmetric crypto was invented to stop that kind of problem - did they choose not to use it on purpose ?

    In the limited source that's available, there is a race-condition error in their brute-force-prevention code: you're supposed to only be able to guess 3 codes, but if you open 2+ channels for guessing, only 1 of those channels gets blocked - all the other ones can keep on indefinitely guessing new codes without getting blocked.

    And of course - to state the bleeding obvious - most of the exchanges that have already been looted were also "protected" by GA, with many of the victim operators publicly announcing that the hackers just bypassed it.

    It's cool that GA costs nothing, but that's pretty much all it's worth!

    Source : http://bitcoin.stackexchange.com/questions/4113/which-two-factor-authentication-methods-are-available-at-which-exchanges
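
An added illustration (not part of the thread and not Google Authenticator's code) of two points in the summary above: TOTP is symmetric, so the server must keep a usable copy of the same secret the client holds, and a three-guess limit only holds if the failure counter is checked and updated atomically per account rather than per connection. `totp` follows RFC 6238 over HMAC-SHA1; the `Verifier` class, its method names, the account name and the constructed guesses are assumptions made for the example.

```python
import hashlib
import hmac
import struct
import threading
import time

STEP = 30         # seconds per time step (RFC 6238 default)
MAX_FAILURES = 3  # guess limit mentioned in the post


def totp(secret: bytes, at: float, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time step, then dynamic truncation."""
    counter = struct.pack(">Q", int(at) // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class Verifier:
    """Server side: same secret as the client, guesses limited per account."""

    def __init__(self):
        self._secrets = {}    # account -> shared secret, needed to verify
        self._failures = {}   # account -> failed attempts since last success
        self._last_step = {}  # account -> last accepted time step
        self._lock = threading.Lock()

    def enroll(self, account: str, secret: bytes) -> None:
        with self._lock:
            self._secrets[account] = secret
            self._failures[account] = 0

    def failures(self, account: str) -> int:
        with self._lock:
            return self._failures[account]

    def verify(self, account: str, code: str, at: float = None) -> bool:
        at = time.time() if at is None else at
        # One lock around check and update: every channel sees one counter.
        with self._lock:
            if self._failures.get(account, MAX_FAILURES) >= MAX_FAILURES:
                return False  # locked out, or account not enrolled
            step = int(at) // STEP
            expected = totp(self._secrets[account], at)
            match = hmac.compare_digest(expected.encode(), code.encode())
            fresh = self._last_step.get(account) != step  # reject replay
            if match and fresh:
                self._failures[account] = 0
                self._last_step[account] = step
                return True
            self._failures[account] += 1
            return False


def parallel_guesses(verifier: Verifier, account: str, guesses, at: float):
    """Submit guesses from separate threads, as several open channels would."""
    results = []
    threads = [
        threading.Thread(
            target=lambda g=g: results.append(verifier.verify(account, g, at)))
        for g in guesses
    ]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 6238 test secret, not a real key
    v = Verifier()
    v.enroll("alice", secret)
    wrong = [f"{n:06d}" for n in range(20)]  # constructed wrong guesses
    print(parallel_guesses(v, "alice", wrong, at=59), v.failures("alice"))
```

Because the verifier needs the secret in usable form, protecting the server-side store matters as much as protecting the phone.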


  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    Interesting read. Thanks for that.


  • Registered Users, Registered Users 2 Posts: 4,331 ✭✭✭Keyzer


    I prefer to frame things in the form of a question as it's less hostile than saying:

    - You can't take a third party's word for it that your data is safe.
    - There is no warrant canary.
    - Google Authenticator is closed source and can't be trusted.
    - Therefore Dashlane or indeed any third party service can't be trusted with your personal data unless they use open source software which is encrypted client side, and even then...

    :)

    I get where you're coming from but I don't consider Dashlane combined with google authenticator as the be all and end all in regards password protection. I use both as a layer of extra protection for protecting my passwords.

    Yes, I'm afraid I do put my trust in Dashlane that the service they provide is what they advertise as. That's my own personal decision, if it turns out they don't then whatever fallout occurs will be on me and me alone.

    Risk can never be 100% eradicated, we can only manage it to an acceptable level.


  • Closed Accounts Posts: 158 ✭✭obsidianclock


    Keyzer wrote: »
    I get where you're coming from but I don't consider Dashlane combined with google authenticator as the be all and end all in regards password protection. I use both as a layer of extra protection for protecting my passwords.

    Yes, I'm afraid I do put my trust in Dashlane that the service they provide is what they advertise as. That's my own personal decision, if it turns out they don't then whatever fallout occurs will be on me and me alone.

    Risk can never be 100% eradicated, we can only manage it to an acceptable level.

    I am pleased to hear you have another level of obfuscation Keyzer.

    Of course having a strong password in and of itself isn't the best form of protection and I applaud the idea behind using Two Factor Authentication - even if google-authenticator has its foibles, there are plenty of open source solutions out there.

    The advantage of a service like LastPass or Dashlane is of course your passwords are more conveniently to hand and can be used to populate forms in your browser - a classic example of the balance that has to be struck between security and convenience.

    I think so long as you wouldn't mind the authorities having access to the data it protects e.g your e-mails then there's no cause for concern with using services like these but speaking for myself I'd rather use memory techniques to keep one or two more vital passwords in my head only.


  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    The advantage of a service like LastPass or Dashlane is of course your passwords are more conveniently to hand and can be used to populate forms in your browser

    I achieve this with keepass and a browser plugin. I used to use lastpass, but I put myself in the shoes of the big security agencies (a useful thing to do) and decided that they would be mad not to force lastpass to back door the system and get a shed load of passwords.

    Keepass is open source and so are the browser plugins. I know this doesn't guarantee much, but it is better than using closed source solutions IMO.


  • Closed Accounts Posts: 158 ✭✭obsidianclock


    Khannie wrote: »
    I achieve this with keepass and a browser plugin. I used to use lastpass, but I put myself in the shoes of the big security agencies (a useful thing to do) and decided that they would be mad not to force lastpass to back door the system and get a shed load of passwords.

    Keepass is open source and so are the browser plugins. I know this doesn't guarantee much, but it is better than using closed source solutions IMO.

    I think you have cracked it Khannie, much safer than trusting to a third party.

    Anyone interested in seeing the plugins available for Keepass can visit:

    http://keepass.info/plugins.html

