Interesting concepts for strong but memorable password creation

Recently, while researching the topic of passwords, I came across a few interesting concepts. What makes them interesting is that they aim to help us create a password that is tough to break but easy to remember. These concepts are Pass Phrase, Diceware, Password Haystacks and the by now very famous comic strip (see below) by xkcd. Don’t worry, the concepts are not as difficult to understand as they sound.

A pass phrase is a sequence of words or other text used to control access to a computer system, program or data.

Wikipedia, The Free Encyclopedia


In short, instead of using a password that is difficult to remember and difficult to type, like H46R8TBXHY5D or iWb024#thM79, simply use a pass phrase such as “I Like 15th August 1947!”. It is easy to remember, easy to type, and takes almost the same amount of time to type. It also satisfies all the elements of a strong password: upper case, lower case, numbers and punctuation.

Well, when it comes to memorable passwords, there is a long-standing debate over the claim that pass phrases are easy to remember and difficult to hack. Some do not really agree with this statement, and they have some valid arguments:

  • With pass phrases, the brute force attack shifts from character level to word level.
  • Since the basic idea is to make the phrase memorable, users are more likely to pick common phrases or quotes from books, popular movies, or other proper nouns that are easily guessed. This makes hacking easier than ever.

You may be wondering how the concepts stated above are related. To take care of the problems with pass phrases, experts have come up with solutions. The famous xkcd comic strip shown below offers one such solution. In short, the idea is to choose random dictionary words instead of a meaningful sentence. The random words are chosen from a pool of common words, which makes them easy to remember. If you are really interested in a nice and detailed explanation of it, I highly recommend reading this article on the AgileBits blog.
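As an added illustration (my own sketch, not code from the original post, xkcd or the AgileBits article), here is a Diceware-style generator in Python: five dice rolls index a word list, and strength is measured at word level, which is exactly the level a brute-force attack shifts to. The eight-entry word list is constructed for the demo; the real Diceware list has 7776 entries.

```python
import math
import secrets

# Constructed stand-in for the Diceware list: the real list maps every
# five-dice roll from 11111 to 66666 (6**5 = 7776 rolls) to one word.
SAMPLE_WORDLIST = {
    "11111": "abacus", "11112": "abdomen", "11113": "abide", "11114": "ablaze",
    "11115": "abode", "11116": "abound", "11121": "abroad", "11122": "abrupt",
}
DICEWARE_LIST_SIZE = 6 ** 5


def roll_dice(n_dice=5):
    """Roll n_dice fair dice with the OS CSPRNG (never random.random for secrets)."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(n_dice))


def lookup_word(roll, wordlist):
    """Map a five-digit roll (digits 1..6 only) to its word."""
    if len(roll) != 5 or any(d not in "123456" for d in roll):
        raise ValueError(f"not a five-dice roll: {roll!r}")
    return wordlist[roll]


def generate_passphrase(n_words, wordlist=SAMPLE_WORDLIST, roll_fn=roll_dice):
    """Pick n_words by independent dice rolls. roll_fn is injectable so a fixed
    sequence of rolls can be replayed; the demo list is tiny, so a real roll
    would usually miss it. Use the full 7776-word list in practice."""
    return " ".join(lookup_word(roll_fn(), wordlist) for _ in range(n_words))


def passphrase_entropy_bits(n_words, list_size=DICEWARE_LIST_SIZE):
    """Bits of entropy when each word is drawn uniformly from list_size words.
    An attacker who knows the scheme guesses whole words, so this figure, not
    the character count, is the strength; a quote from a film has far less."""
    return n_words * math.log2(list_size)
```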

xkcd : Password Strength

Use your own brain to generate and manage passwords

The safest vault to store your passwords is your own brain. If you could use it to generate and re-generate a strong and unique password for each of your accounts, services and software, you would be spared all the hassles of password managers. You can try to design an algorithm that generates a long enough password which includes all the ingredients of a strong password (upper case, lower case, numbers and special characters).

Most such algorithms start by picking a base component which is used for all the passwords. The base component is then mixed, padded, prefixed or suffixed with a component specific to the site or account for which the password is being generated. The base component can be created by joining the first letters of a phrase that is easy to remember.

One such simple, step-by-step algorithm is described neatly by Loren Baxter in this blog post. It will give you a good idea of how this can be done.

Yaara Lancet also describes some interesting techniques in her post on makeuseof.com.

Get creative and design your own unique algorithm. It should be complex enough to generate a password that is difficult to decipher, yet simple enough to recollect and regenerate the same password again and again for a given website. One little problem with algorithm-based passwords is that some weakly managed sites limit the characters you can use in a password.

My recommendation, if you’re going for this approach, is to refrain from a few things:

  • Don’t design your scheme around a website URL. A URL may change down the line and you may not be able to recollect the password based on it.
  • Try to have at least 2-3 different schemes for different sites. You won’t like to be in a situation where a weak site leaks your password and lets a hacker access all your important accounts, since they now know the only scheme you use.
  • Try not to base your scheme on keyboard motor patterns, as they may be difficult to reproduce on different keyboard layouts on various devices.

Lastly, I will leave you with a few videos from various security experts to help you design your own easy-to-remember password generation scheme.

Another video, from abc7.com, explains the Password Haystacks concept in under 3 minutes.

Paper based password management systems

What? Passwords on paper? Isn’t that a no-no? Well, yes, but a couple of interesting password management systems could still be useful here. And where do you keep that paper? Well, in your wallet, if you are one of those people who are good at securing their wallet!

Password Card

Password Card Generator is a tool which lets you generate a password card about the size of a credit card. It contains 12 rows and 26 columns, one per letter of the alphabet. To create a password, take each letter of the account/website you want a password for and read off the corresponding code from the table. You can design any scheme for yourself. For example, you can combine your account/website name + user name to generate a password. Say you want to generate a password for your Amazon account and your username/login is [email protected]; you can take your base string as “amazonxyzabc”. Now, for each letter in this base string, pick a character from the next row of the above table. So our password will be “&BWL:ttogA{n”.

Alternatively, you may pick any single character of your website/account or username, say “a” for Amazon, and pick characters from each row diagonally starting at A, so your password will be “&rR8″On:1RKI”. If you hit the edge, follow the edge or go in another direction until you have picked a character from each row.

If you’re worried about losing the card and exposing your passwords, you may mix in a string known only to you. For example, from &BWL:ttogA{n + 250189 (some random date you can easily remember) you can create &B2WL5:t0to1gA8{n9, which is built by inserting each character of 250189 into &BWL:ttogA{n after every 2 characters. As you can see, we’ve got ourselves a very strong password. If you lose your password card, you can recreate it by visiting the Password Card Generator tool and entering your master password again. The random characters are generated in your browser and no data is transmitted.
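To make the card scheme concrete, here is an added Python sketch (my own, not the Password Card Generator’s code; its PRNG and the exact card contents are not known to me, so the card construction is an assumption). The card is derived deterministically from the master password, the base string walks down one row per character, the diagonal variant wraps at the edge, and the date is interleaved exactly as in the post’s example.

```python
import hashlib
import string

ROWS = 12
COLUMNS = string.ascii_uppercase                                     # A..Z, one column per letter
CHARSET = string.ascii_letters + string.digits + string.punctuation  # 94 printable symbols


def build_card(master_password):
    """Derive a ROWS x 26 grid from the master password, so the same master
    password always recreates the same card (assumed construction, not the tool's)."""
    card = []
    limit = 256 - (256 % len(CHARSET))   # rejection sampling avoids modulo bias
    for row in range(ROWS):
        stream = hashlib.shake_256(f"{master_password}\x00{row}".encode()).digest(256)
        symbols = [CHARSET[b % len(CHARSET)] for b in stream if b < limit]
        if len(symbols) < len(COLUMNS):
            raise RuntimeError("not enough accepted bytes for a row")  # practically never
        card.append("".join(symbols[:len(COLUMNS)]))
    return card


def derive_password(card, base_string):
    """Row i of the card supplies the symbol for character i of base_string;
    the character itself selects the column (letters only, as the card has)."""
    if len(base_string) > ROWS:
        raise ValueError("base string longer than the card has rows")
    return "".join(card[i][COLUMNS.index(ch)] for i, ch in enumerate(base_string.upper()))


def derive_diagonal(card, start_letter):
    """The post's alternative: start at one column and move one column right
    per row, wrapping at the edge (one way of 'following the edge')."""
    start = COLUMNS.index(start_letter.upper())
    return "".join(card[r][(start + r) % len(COLUMNS)] for r in range(ROWS))


def interleave_secret(card_password, secret, every=2):
    """Insert one character of secret after every `every` characters, which is
    how &BWL:ttogA{n + 250189 becomes &B2WL5:t0to1gA8{n9 in the post."""
    chunks = [card_password[i:i + every] for i in range(0, len(card_password), every)]
    if len(chunks) != len(secret):
        raise ValueError(f"secret needs exactly {len(chunks)} characters")
    return "".join(chunk + s for chunk, s in zip(chunks, secret))
```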

Another, more advanced technique, described by John Graham-Cumming, involves printing a Tabula Recta on a piece of paper. Once you have that, you can design your own scheme to generate a password for a given account. His post describes the technique in detail.

Password Chart is another easy-to-use and effective tool which falls into this category. With options to include numbers and symbols, all you need to do is enter your pass phrase or master password and a chart like the one shown below is instantly generated for you. Everything is done in your browser and no passwords are sent over the Internet. Again, it’s up to you to decide how you want to use the chart. You can simply substitute each character in your account name with the character in the password chart against that letter. So if you want a password for your Facebook account, you get “+87r6Wmf#vB8B8n7”, which offers high entropy.

Password Chart

Generate and manage passwords without master password

A tool called iPassword Generator offers an interesting alternative for password generation and management. Guess what! If you choose so, you do not have to remember even a single password. This tool uses a key file to build a Tabula Recta, which in turn acts as your master password.

The tabula recta is a square table of alphabets, each row of which is made by shifting the previous one to the left.

Wikipedia, The Free Encyclopedia


A key file can be any file, including images, audio or video, whose size is more than 50 KB. Apart from the key file, all you need to enter is your account/service/website name and you are done. If you are worried about the multiple-account problem, you may choose to enter your user name as well, but it is optional. You may also choose the desired length of your password. You can always go overboard by specifying a master password as well, but this is completely optional. Want more? It also helps you encrypt your key file using the AES-256 algorithm.

Let’s quickly see how to use this tool:

    • You can simply select a key file that is more than 50 KB, enter the Application/Website’s name, choose the desired length and you are done.
Generate password with iPassword Generator
    • Alternatively, you may encrypt your key file first as shown below.
Encrypt key file with password
    • Then mount the encrypted key file created in the step above, enter the Application/Website’s name, choose the desired length and you are done.
Mount encrypted key file with encryption password

KeePass, a popular password management tool, also allows you to use a key file to protect your password database.

Password generation using master password

Some of the tools we are going to discuss today not only help with password generation but also act as simple and easy-to-use password managers. All you need to do is remember a single master password or pass phrase. These tools generate a strong password on the fly, so you do not actually have to remember passwords for your individual accounts.

Password Generator is a simple online tool that works in exactly this manner. Enter your master password and the site name and it will generate the same 8-character password for you every time. They also have a bookmarklet version which picks up the domain/site name when you use it on the site you want to log in to and automatically populates the generated password in the password field. Another tool, SuperGenPass, is based on a similar idea. Unlike Password Generator, it allows you to build a custom bookmarklet by choosing your browser, the level of security for your master password and the length (default is 10) of the password to be generated. The problem with these bookmarklets is that if you have more than one account with different passwords on a given site (e.g., multiple Gmail accounts), they cannot distinguish between the two accounts and always generate the same password for both, which may not be desirable.

Secure Password Generator

A simple yet powerful tool that solves the above problem is Secure Passwords from Digital Inspiration. Along with the master password (pass-phrase), length and domain name, it also takes a user name as input to generate a strong, unique password for a given account. This automatically solves the multiple-account problem mentioned above. The source code is available on GitHub. You may download it and host it on your own machine if you are skeptical about generating your password online. The password is generated in your browser itself and no data is transmitted.
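The master-password approach these tools take comes down to a deterministic key derivation, and it is the computational form of the base-plus-site-component scheme described earlier. Here is an added Python example (my own sketch, not the code of Secure Passwords, SuperGenPass or Password Generator, which may use different hashes and encodings): master pass-phrase, domain and username go through PBKDF2 and the output is mapped onto a password alphabet. Including the username in the salt is what gives two accounts on one site two different passwords; the counter is an assumption I added so a single site’s password can be rotated after a breach without changing the master.

```python
import hashlib
import string

ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"   # 70 symbols
ITERATIONS = 100_000   # work factor: slows offline guessing of the master pass-phrase


def site_password(master, domain, username="", counter=0, length=16):
    """Deterministically derive one account's password from the master pass-phrase.
    domain, username and counter form the salt, so each site, each account on a
    site, and each rotation gets a different password, while the same inputs
    always reproduce it: nothing is stored, only the master is remembered."""
    if not master or not domain:
        raise ValueError("master pass-phrase and domain are required")
    salt = f"{domain.strip().lower()}\x00{username.strip().lower()}\x00{counter}".encode()
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, ITERATIONS, dklen=length * 3)
    limit = 256 - (256 % len(ALPHABET))          # rejection sampling, no modulo bias
    chars = [ALPHABET[b % len(ALPHABET)] for b in key if b < limit]
    if len(chars) < length:
        raise RuntimeError("not enough unbiased bytes; raise dklen")   # practically never
    return "".join(chars[:length])


def has_all_classes(password):
    """Many sites insist on upper, lower, digit and symbol. A random draw can miss
    one, so check the result and bump the counter until it passes."""
    return (any(c.islower() for c in password) and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password) and any(c in "!@#$%^&*" for c in password))
```

Because the derivation is deterministic, anyone who learns the master pass-phrase can regenerate every site password, so the master must itself be long and random.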

Lastly, if you are looking for something overwhelmingly comprehensive, do check out PasswordMaker as well.

Simple tools to generate strong passwords

In my last post we discussed why one should have a strong and unique password for every important account. Today we will discuss some simple tools and techniques to generate strong passwords.

There are a number of ways to generate a strong password. There are simple tools like Secure Password Generator, which let you choose the length and character sets (uppercase, lowercase, numbers, symbols) and randomly generate a strong password for you. It also tries to suggest a phonetic pronunciation, a sentence whose words start with the letters of the password, to help you remember it. If you are dealing with just a couple of passwords, or using some sort of password manager to manage your passwords, this could be useful.

The computational knowledge engine Wolfram|Alpha also lets you do the same. All you need to do is type something like “password of 15 characters” and you’re done. A random 15-character password using ‘typical password rules’ will be suggested for you. You can always modify these password rules to suit your needs. But it does not stop there. Along with the password, it also suggests a phonetic form to help you remember it, and generates some additional passwords based on the same input criteria.

Generate strong password using Wolfram|Alpha

If this is not enough, it also serves you some geeky details about your password. For the given input criteria, it shows the number of possible password combinations and the time required to enumerate all of them at 100000 passwords per second (a brute-force attack). Security experts suggest that a strong password should have a minimum of 80 bits of entropy (in simple words, a quantification of how random and unpredictable it is), and what we got here is 110 bits, because we chose a long password from a wide variety of characters.
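To see where figures like 80 or 110 bits come from, here is an added Python calculation (my own, not Wolfram|Alpha’s code; its ‘typical password rules’ are not spelled out, so the character-class sizes below are an assumption: the 94 printable ASCII symbols as 26 + 26 + 10 + 32). The same arithmetic applies at word level for a random-word passphrase, with the word-list size as the pool, which the last function uses to compare the two.

```python
import math

CLASS_SIZES = {"lower": 26, "upper": 26, "digits": 10, "symbols": 32}  # string.punctuation has 32


def alphabet_size(*classes):
    """Size of the pool a random password is drawn from, e.g. ('lower', 'digits') -> 36."""
    if not classes or any(c not in CLASS_SIZES for c in classes):
        raise ValueError(f"classes must be among {sorted(CLASS_SIZES)}")
    return sum(CLASS_SIZES[c] for c in set(classes))


def combinations(length, pool):
    """Number of candidates an exhaustive search has to cover."""
    return pool ** length


def entropy_bits(length, pool):
    """log2 of the search space, assuming every symbol is chosen uniformly at
    random. A human-chosen password from the same pool is far weaker than this."""
    return length * math.log2(pool)


def seconds_to_enumerate(length, pool, guesses_per_second=100_000):
    """Worst-case time to try every candidate at the given rate (the post's
    100000/s); on average the password is found halfway through."""
    return combinations(length, pool) / guesses_per_second


def min_length_for(bits, pool):
    """Shortest length (characters, or words for a passphrase) reaching `bits`."""
    return math.ceil(bits / math.log2(pool))


def human_duration(seconds):
    """Readable rendering of a duration for a report."""
    for name, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.1f} seconds"
```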

Properties of password type

Why you should have strong and unique passwords

As life becomes more and more digital with literally every passing day, the convenience we gain comes with a big concern: protecting your digital life. Today, a normal (non-geeky) person deals with at least 10-15 web services or applications. Internet-savvy people like me deal with over 100 different services on the Internet, and the number keeps growing. You have accounts for online banking, shopping, utility payments, email, social networks and cloud storage, to name a few. All of these services require you to enter a password to obtain access. In fact, you have to protect your office computer with a password, and it’s highly recommended that you do the same for your personal computer as well. All your personal devices, like laptops, tablets and smartphones, should have strong and unique passwords or PINs. One should also protect their Wi-Fi network key with a PIN or password. The point is, one has to deal with multiple services and devices and is mostly forced to have passwords to protect them.

Weak Passwords
Is your password this weak?

Not many would disagree with me when I say that your life may turn upside down if any of these accounts is compromised. For an entry-level hacker, it is a matter of minutes to crack average or rather weak passwords like “Password”, “12345” or “qwerty”. Passwords which contain easily discoverable (social-engineered) personal information are equally vulnerable. A password that contains dictionary words (in any language) will not help either. Even variations like reversing the letters of the dictionary word or using common misspellings pose an equal threat. Equipped with advanced computers, hackers can exploit enormous computing power to launch a dictionary attack and crack such passwords in a matter of minutes. We hear stories about individuals and big enterprises like Sony, LinkedIn, Adobe, Evernote and many others being hacked every now and then. In short, you are up against a major challenge, and lousy passwords simply will not do.

Another important aspect is to have unique passwords for different accounts, or at least for the important ones. It is OK to have the same password for rather less important services that do NOT store personal (social network, photos, and files) or financial (credit card) information, like your pizza delivery or a free online newspaper. However, all your bank, email, social network, photo sharing and cloud storage accounts must individually have strong and unique passwords. This ensures that even if one of these accounts is compromised due to the poor security practices of the service provider, you are still in control of the other accounts and the damage is limited. Imagine all these services having the same password and what could happen when someone gets access to all your accounts at once.

Here is a simple checklist of things to avoid, to ensure that your passwords do not fall into the “weak” category:

Finally, a poster of the 500 worst passwords for you to chew on.