How to Remember Passwords That Are Easy And Secure

Remember easy passwords that are harder for computers to crack.

Forget everything you ever learned about choosing a password. From now on, you’ll choose passwords that are easy to remember, but hard to crack. You won’t even need mnemonics. Just common sense.

You might think that a “strong” password needs to look like gobbledygook. Actually, the opposite is true. You can choose very strong passwords, really “passphrases”, by using several common words.

(Bonus at the end: an xkcd comic that explains this perfectly.)

Typical “Secure” Passwords Look Like Gobbledygook

It’s true that a short password like Carnival123 is much too weak. It’s just a common word with a couple of numbers. It’ll get cracked faster than, say, CoamIlt4Orr5.

Choose Several Common Words

However, what about these two:

  • CoamIlt4Orr5
  • carnival louse drier claw

Which is more secure? Surprise! The four common words make a much stronger passphrase than the shorter string of gobbledygook.

If you don’t believe me, paste each one into this password checking tool. CoamIlt4Orr5 has an entropy of 56.9 bits, while carnival louse drier claw has 96.1 bits. Higher entropy means a stronger passphrase.

Add a Word, Not Punctuation

Notice that carnival louse drier claw has no capital letters, numbers, or strange punctuation. Many web sites suggest or even require that you include such things. But adding an entire extra word is often much easier to remember. That extra word adds at least as much, if not more, security as throwing in a hard-to-remember comma.

How Computers Crack Passwords

Think about how a computer program cracks a password. The program may run through common single words first. Then variations of those words. Eventually, it will need to test every possible combination of every character. Like this:

aaa
aab
aac
aad

For every single character you add to your password, the program has to repeat the entire search it has already done, once for each value the new character might take.

aaaa
aaab
aaac
...
[much later]
aaba
aabb
aabc
...

No luck? Now it tries a fifth character:

aaaaa
aaaab
aaaac
...

You can see how adding an entire word makes a huge difference.

Putting spaces between the words also helps. You add a few extra characters, and the words are much more natural to remember and type.
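To put numbers on the two claims above, that an extra word buys more than an extra punctuation mark and that every added character multiplies the brute-force work, here is an added Python example; it is not code from the article or from the password checker it links to. It assumes the strict model in which the attacker knows your method: a Diceware-style list of 6^5 = 7776 words with each word drawn uniformly at random, so a word is worth log2(7776) bits, while a printable ASCII character is worth at most log2(95) bits. The candidate enumeration reproduces the aaa, aab, aac ordering from the section above, and the guess rate in the demo is an illustrative figure, not a measured cracking speed.

```python
import math
from itertools import product

# Constructed assumptions for this example (not from the article):
DICEWARE_LIST_SIZE = 6 ** 5   # 7776 words, one per outcome of five dice
LOWERCASE = 26                # a-z
PRINTABLE_ASCII = 95          # letters, digits and punctuation


def bits_per_symbol(alphabet_size):
    """Entropy contributed by one symbol chosen uniformly from alphabet_size options."""
    return math.log2(alphabet_size)


def passphrase_bits(n_words, list_size=DICEWARE_LIST_SIZE):
    """Entropy of n_words chosen uniformly at random from a list the attacker knows."""
    return n_words * bits_per_symbol(list_size)


def brute_force_candidates(alphabet_size, max_len):
    """How many strings of length 1..max_len an exhaustive search must try."""
    return sum(alphabet_size ** n for n in range(1, max_len + 1))


def enumerate_candidates(alphabet, length, limit):
    """First `limit` candidates of the given length, in the aaa, aab, aac... order."""
    out = []
    for combo in product(alphabet, repeat=length):
        if len(out) == limit:
            break
        out.append("".join(combo))
    return out


def word_vs_symbol_gain():
    """Bits gained by appending one random list word vs. one random printable character."""
    return passphrase_bits(1), bits_per_symbol(PRINTABLE_ASCII)


def expected_seconds(bits, guesses_per_second):
    """Average time to hit a uniformly chosen secret: half the space is searched on average."""
    return 2 ** (bits - 1) / guesses_per_second


if __name__ == "__main__":
    for n in range(1, 5):
        print(f"{n} lowercase chars: {brute_force_candidates(LOWERCASE, n):>10,} candidates "
              f"({n * bits_per_symbol(LOWERCASE):.1f} bits)")
    print("brute force starts:", enumerate_candidates("abcdefghijklmnopqrstuvwxyz", 3, 4))
    word_gain, symbol_gain = word_vs_symbol_gain()
    print(f"one more word: +{word_gain:.1f} bits; one more symbol: +{symbol_gain:.1f} bits")
    # 1e10 guesses/s below is an illustrative figure, not a measured cracking rate
    for n in (4, 5, 6):
        b = passphrase_bits(n)
        print(f"{n} words: {b:.1f} bits, about {expected_seconds(b, 1e10):.2e} s at 1e10 guesses/s")
```

The figures this gives (about 51.7 bits for four words, 64.6 for five) are lower than the checker quoted above because they assume the attacker already has the word list; that conservative figure is the one to size a passphrase by, and adding a fifth word is the cheapest way to raise it.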

Choosing Random Words

However, for these passphrases to work, you do need to choose random words. Your name and your birthday aren’t the best choice.

If you’ve got a few dice, try Diceware. “Diceware” sounds exotic, but it’s actually a simple list of several thousand words. Each word is paired with a unique, five-digit number. Those five digits stand for five dice rolls. You roll the dice, and add the word to your passphrase.

For instance, if you roll 2, 1, 1, 2, and 6, you look up 21126. That word is cloak.

Cloak is a common word. But unless you regularly dress like a hobbit, no one would ever think to try this particular word in your passphrase.
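The lookup just described, written out as an added Python example; this is not code from the article or from the Diceware project. The word list excerpt is constructed here in the tab-separated "NNNNN word" line format Diceware lists use: only the 21126 to cloak entry comes from the article, the other lines are made up, and a real list has one line for each of the 7776 five-dice outcomes. Dice are simulated with the secrets module rather than random, and the dice-based generator refuses an incomplete list, since a truncated list shrinks the space an attacker has to search.

```python
import secrets
from itertools import product

# Constructed excerpt of a Diceware-format list. Only "21126 cloak" is from the
# article; the other entries are invented for this example.
SAMPLE_LIST = """\
11111\ta
11112\ta&p
21125\tclerk
21126\tcloak
21131\tclock
66666\t@
"""


def parse_wordlist(text):
    """Parse 'key<whitespace>word' lines; reject malformed keys instead of guessing."""
    wordlist = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split(maxsplit=1)
        if len(parts) != 2 or len(parts[0]) != 5 or any(c not in "123456" for c in parts[0]):
            raise ValueError(f"line {lineno}: malformed entry {line!r}")
        wordlist[parts[0]] = parts[1].strip()
    return wordlist


def all_keys():
    """Every five-dice outcome, 11111 through 66666 (6**5 = 7776 keys)."""
    return ["".join(p) for p in product("123456", repeat=5)]


def is_complete(wordlist):
    """True only if every dice outcome maps to a word."""
    return set(wordlist) == set(all_keys())


def rolls_to_key(rolls):
    """Turn five rolls such as [2, 1, 1, 2, 6] into the lookup key '21126'."""
    rolls = list(rolls)
    if len(rolls) != 5 or any(r not in range(1, 7) for r in rolls):
        raise ValueError("need exactly five rolls, each between 1 and 6")
    return "".join(str(r) for r in rolls)


def lookup(rolls, wordlist):
    """The word for one set of five rolls."""
    return wordlist[rolls_to_key(rolls)]


def roll_die():
    """One die roll from the OS CSPRNG (secrets), never the random module."""
    return secrets.randbelow(6) + 1


def passphrase_from_dice(n_words, wordlist, roll=roll_die):
    """Roll five dice per word; refuse a list that cannot cover every outcome."""
    if not is_complete(wordlist):
        raise ValueError("refusing to generate from an incomplete word list")
    words = [lookup([roll() for _ in range(5)], wordlist) for _ in range(n_words)]
    return " ".join(words)


def passphrase_from_software(n_words, wordlist):
    """Software stand-in for dice: uniform CSPRNG choice over the words present."""
    words = sorted(wordlist.values())
    return " ".join(words[secrets.randbelow(len(words))] for _ in range(n_words))


if __name__ == "__main__":
    excerpt = parse_wordlist(SAMPLE_LIST)
    print("rolled 2,1,1,2,6 ->", lookup([2, 1, 1, 2, 6], excerpt))
    print("excerpt complete?", is_complete(excerpt))
    # With a real 7776-line list, passphrase_from_dice(5, wordlist) would be used here.
    print("software pick from the excerpt:", passphrase_from_software(3, excerpt))
```

Keep the roll source and the list separate, as above: the dice (or secrets) supply the randomness, the list only translates it, so swapping in a different list never changes how many guesses an attacker needs per word as long as the list is complete.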

If You Don’t Feel Like Rolling Dice

Rolling dice can be a fun way to break up your workday. But if you’re in a hurry, you can try this password generating tool.

Yes, you might not want to use an online tool to choose a passphrase for your Swiss bank account. But even if you did, it would be much better than the old Carnival123 or even CoamIlt4Orr5 you’re probably using.

Look, Mom! No Mnemonics!

It’s surprising how easy it is to remember a random string of four or five common words.

If you really need to, you can try to make them into a striking picture. But visualizing and hearing the words are often enough. No mnemonics required.

For passphrases you use frequently, your problem is now solved. You’ve got a long passphrase that is both easy to remember and very hard for a computer to crack. Because you use it often, you’ll soon cement it into your mind.

Store Passphrases Somewhere Safe

Of course, most of us have passwords we don’t use as frequently. Even if a passphrase is easy to remember, we won’t remember it without review. How do you store passwords safely?

A Passphrase Memory Palace?

If you’re truly paranoid, you can use mnemonics and store your passphrases in a “memory palace” with the loci method. They’ll exist only in your own mind (and the databases of the websites you visit).

I’ve never heard of anyone actually doing this. But I’m sure someone’s done it somewhere.

The problem, aside from the extra work, is that without review, you could find yourself forgetting these passwords rather quickly. You’d have to develop a flashcard system that tested you on these passwords without, of course, actually including them in your deck.

Passphrases on Paper?

So, you’ll probably have to write down your passphrases, either on a piece of paper or in an encrypted file.

Paper gets a bad rap, but as long as it’s not a sticky note on your monitor, someone has to actually burgle your house or office to find it. No one can crack into your notebook from Sweden.

Encrypted Files?

If you prefer your computer, encrypting your files is a big improvement over a plain text file. An encrypted file is stored as gobbledygook. But remember that the file needs to be decrypted for you to look at it. This means that it gets copied, decrypted, into your computer’s memory. In theory, the file is vulnerable to attack for as long as you have it open.

In the real world, that’s probably okay.

Frequent Use = Soon Remembered

Again, for sites you visit every day or even every week, you’ll find these easy passphrases stick in your mind. You’ll only need to consult your Super-Secret Storage Facility for passphrases that you don’t use as often.

No More “Guess the Password” Scenes!

One side effect of your improved passphrases: you’ll never again be able to sit through those movie and TV scenes where the hero “guesses” a password. I’m seeing these scenes more often these days, not less, and they just get worse every time.

Come on, guys. Even a “weak” password takes a computer thousands of guesses. Give it up.

Xkcd Comic: Password Strength

And now, as promised, a brilliant summary from xkcd:

xkcd: Password Strength

Interestingly, the password checker I mentioned rates correct horse battery staple with a higher entropy than xkcd does: 104.2 bits, not ~44.

Anyhow, why not visit that password generator and give a few passwords a tune-up?