How to create an easy-to-remember, ultra-secure password

By Tuan C. Nguyen | September 7, 2011, 6:51 AM PDT

Credit: Stock.xchng


It’s a perpetual dilemma. We all instinctively know that passwords made up of simple numerical patterns or familiar words like our name tend to be the easiest ones to remember. The drawback is that this makes them easy to hack, too. But make them too complicated and you’ll have a hard time committing the password to memory.

Proposed solutions to this problem aren’t hard to find. Do a little research on Google and you’ll find a wealth of ideas on how to create a secure password that can also be easily recalled, the so-called holy grail of internet security. However, I recently came across a post on the blog Tecca entitled “5 ways to make an easy-to-remember, ultra-secure password” that, in my opinion, provides one of the best approaches to the topic.

While the author Taylor Hatmaker echoes much of the well-worn advice that’s already out there, she advocates a special method that, oddly enough, allows for simple words and even character patterns — but only within certain parameters.

Before we get into that, let’s review some of the basic best practices for creating secure passwords by going over what you shouldn’t do.

  • Avoid using parts of your name or email address, since criminals can easily figure this out.
  • Don’t include personal information like your birth date, names of family members or street addresses.
  • Consecutive numbers are a bad idea. You can basically nix “123456” or any other pervasively common combinations.
  • Steer clear of familiar sequences, phrases and slang terms.

What users are left with is the conventional thinking that the best approach is to use a jumbled-up mixture of numbers, symbols and upper and lower case letters. Hence, a good password would look something like this: T^n3k28$P!eV*AfJ9

Sounds like life on the internet is getting pretty complicated, right? So you’re probably wondering how using patterns, even simple ones, can possibly bolster the strength of your password. The approach Hatmaker recommends is a technique called “password padding”: adding more symbols and making passwords longer as a way of fortifying them against an attack.

The strategy, proposed by renowned security expert Steve Gibson, rests on the rationale that combining those two factors gives users the best chance of thwarting malicious programs that rapidly run through many password combinations to uncover the right one, otherwise known as brute-force attacks. For instance, there are more than 1500 symbols a hacking program needs to run through to correctly lock down one character of your password, while each character added to a pass-code makes it several times more difficult to crack, Hatmaker writes.

Here’s an example from Gibson’s website in which he explains the counter-intuitive logic behind it:

The main concept can be understood by answering this question:

Which of the following two passwords is stronger,
more secure, and more difficult to crack?

D0g.....................

PrXyc.N(n4k77#L!eVdAfp9

You probably know this is a trick question, but the answer is: Despite the fact that the first password is HUGELY easier to use and more memorable, it is also the stronger of the two! In fact, since it is one character longer and contains uppercase, lowercase, a number and special characters, that first password would take an attacker approximately 95 times longer to find by searching than the second impossible-to-remember-or-type password!

But wouldn’t something like “D0g” be in a dictionary, even with the ‘o’ being a zero?

Sure, it might be. But that doesn’t matter, because the attacker is totally blind to the way your passwords look. The old expression “Close only counts in horseshoes and hand grenades” applies here. The only thing an attacker can know is whether a password guess was an exact match . . . or not. The attacker doesn’t know how long the password is, nor anything about what it might look like. So after exhausting all of the standard password cracking lists, databases and dictionaries, the attacker has no option other than to either give up and move on to someone else, or start guessing every possible password.

Don’t believe it? You can test out Gibson’s tactic using the password strength tester by going to his website.



About Tuan C. Nguyen

Tuan C. Nguyen was a contributing editor for SmartPlanet from 2011 to 2013.


Contributing Editor

Tuan C. Nguyen is a freelance science journalist based in New York City. He has written for the U.S. News and World Report, Fox News, MSNBC, ABC News, AOL, Yahoo! News and LiveScience. Formerly, he was reporter and producer for the technology section of ABCNews.com. He holds degrees from the University of California Los Angeles and the City University of New York's Graduate School of Journalism.



Tuan C. Nguyen does not hold any investments in the technology companies he covers.

He writes for SmartPlanet and is not an employee of CBS.

Comments

What a dilemma
Should I point out the misspelling of "delimma" or not?
Posted by NickNielsen
7th Sep 2011
fixed
I corrected it. Thanks!
Posted by tuancnguyen
7th Sep 2011
A creative effort
At least you didn't spell it with an "n", as many people do (dilemna).
Posted by LedLincoln
7th Sep 2011
Poetry & lyrics
For many years I've been using poems and song lyrics which have been stuck in my head for decades as the key to my passwords, some of 'em since well before I started school, and throw in a bit of punctuation and a number or three.

One of the first was: Btdatd,Wtnibtl93. How on Earth is that a memorable password? Well I've known the key to it since I was three:

"Between the dark and the daylight,
When the night is beginning to lower"

Now I did have to remember that 93 was the number to finish it off, but other than that It was stuff kicking around in my head anyway.

What gives me fits are systems which insist on ridiculously short passwords: EIGHT characters? Really! That may have been reasonable back in the days when memory speeds were measured in microseconds, but nowadays? Ridiculous!
Posted by CodeCurmudgeon
7th Sep 2011
Poetry & lyrics
Are you sure that the lyrics aren't "Between the daylight and the dark, ..?"
Posted by oldrubbie
7th Sep 2011
You are missing the point
There's NO need to use numbers, lower/upper case or punctuation marks Tuan. You are completely safe using just a few words as your password.
Posted by weedb
7th Sep 2011
No
That's not true. Simple brute force attacks can kill passwords that use alphanumeric characters and they can do it quickly with passwords under 16 characters. Adding symbols and case increases the complexity exponentially. Current computer systems could take decades to brute force through passwords that contain letters (both cases), numbers and symbols at 12-16 characters. Adding characters increases the difficulty, again exponentially.

It's fairly simple math. If you only use alphanumeric (let's say only lower case) your password equals X^36 where X=password length. If you add both cases then it becomes X^62. Add symbols and it becomes X^94 on my keyboard.

So with 1 character you have 94 possible answers where one answer is your password. With 4 - 3.92318858 × 10^56. With 12 - 2.77355721 × 10^101. You get the idea. The complexity goes up really fast. Ultimately it comes down to how fast the computer performing the brute force attack can make posits. Most pros use graphics cards tethered together because they can affordably create systems that will run through a few million possibilities per second. But even with these machines some 16 character passwords can take over 100 years to break.
Posted by kwabinalars
7th Sep 2011
Correction to "No" by kwabinalars
For a password length of x characters with a choice of c possible characters the number of combinations is c^x, not x^c.
So the numbers for a 16 character password using any of 94 characters is 94^16, not 16^94
Posted by JohnOfStony
5th Jul
Human brain
What is the human brain better at than a computer? Pattern recognition. Using the human brain for memorization is a waste of brain power. Why not use something that the human brain is designed to do?
There are patterns all around you and you probably recognize them without even knowing it. For instance, take a look at your keyboard. See any patterns there? I have one of those natural keyboards and I see plenty of patterns. Using these patterns, we can generate highly complex passwords that require *NO* memorization!
Take, for example, this password:
1670tybn!^&)TYBN
That looks pretty complicated, right? Well, it isn't. It's just the pattern of my split keyboard. It splits at the 6-7 t-y b-n so this makes it a natural pattern to use.
How about 1q2w3e4r5t^T%R$E#W@Q!
How would you like a 21 character of seemingly random characters for a password? Just go up the keyboard, then back down with the shift key!
1qzxsw2!QAZXSW@
Again, notice this pattern? A 16 character random password that is easy to remember because it's a pattern!
But most of you are saying, "what about when you are required to change your password?"
Well, move over one key, so the above password becomes:
2wsxcde3@WSXCDE#
Posted by tech_ed@...
7th Sep 2011
I love this way
I love this way
Posted by ruobin wang
7th Sep 2011
patterns for passwords
Now that you have helped us, are we sure that the hackers did not get educated just now as well? I wonder about the fingerprint thing. At least it works on the computer, and an app should be on the way soon - if it is not there already.
Posted by LynnOpportunity
Updated - 13th Jun 2012
Are you a hacker?
tech_ed's suggestion is just what hackers love. Keyboard patterns are commonly used as passwords and are among the least secure so avoid them!
Posted by JohnOfStony
5th Jul
Use a pass phrase instead of a password
It works similarly to CodeCurmudgeon's suggestion. Take a relatively short sentence that you can easily remember, remove the spaces and use that as your password. Select a sentence with punctuation to add symbols if you like. Make it kinda long and maybe mix the case a bit. Like this:

ILoveMyLittleBrownDog!

or

BestFriends4Ever!

In answer to kwabinalars's concern about not using symbols I have to ask: How would the hacker know you didn't use symbols? He'd have to check all of them anyway and this would make his search take just as long. Because he doesn't know each character of your password he has to test every POSSIBLE character whether you used it or not. If it ever caught on that nobody ever used symbols he could guess that you didn't so he could skip testing them.
Posted by robert_rowe@...
9th Sep 2011
Don't use words or phrases w/o char delimitations
Don't use common words (anything in any dictionary), as hackers often use a dictionary attack as first port of call (depending on what they might already know about their target). Running through dictionary combos first is quicker than brute-force AFAIK. I tell my clients: if you have to use a phrase or combo of words/names then put a delimiter in between, e.g. theQuickbrown can become: the$quick$brown or maybe: thequickbr@wn or tHeQuIcKbRoWn. Anyways, u get the idea.. Not that passwords do much to stop hackers in this day and age; having a password you can remember is more important than one that can withstand brute-forcing *wink*
Posted by AxelWiresmith
13th Sep 2011
No symbols - see Bank of America !!!
Suppose I want to hack your Bank of America account. First I open an account of my own with Bank of America and then I discover that they only allow letters and numbers. This makes it much easier to hack anyone's Bank of America account - and I hope some IT guy at Bank of America who restricted passwords in this stupid way (and so made hacking easier) is reading this - or, even better, some senior official who can get this stupid policy changed.
Posted by JohnOfStony
5th Jul
Log in limits
Um. Can servers not tell that someone attempting 1000 log ins per second is probably not the registered user?

I've heard of some sites using an exponential time limit like 2 seconds for the second attempt, 4 for the next, etc. Why is this uncommon?
Posted by jm1248
13th Sep 2011
Limiting the number of logins
I agree that this would be the best possible security. My bank locks me out of my account if I enter more than 3 incorrect attempts over a 12 month period. To unlock, I have to ring the bank, and convince them who I am to have the account unlocked.

The only way that logon-attempt limits can be circumvented is if the database itself is stolen (which has happened), as then the hacker has unlimited attempts.
Posted by Julie9009
23rd Sep 2011
Login Limits
Hackers download password files, crack them, and then login using the passwords they've gained from working through the file.

Roger Demuth
https://piedex.com
Posted by rbdemuth
8th Jun 2012
... but for Facebook ...
@tuancnguyen. It appears that Facebook ignores the case of the first character in a password. Thus, Dog and dog are equivalent ... and so the example password is slightly less secure than might be expected. Of course, if it began with a period the security is as expected: .Dog... and .dog... are not equivalent
Posted by richard@...
Updated - 13th Sep 2011
Interesting idea
When I cut and paste the sample D0g (etc.) I count only 10 characters, yet the article states that it contains more characters than the other.

Is there some rule that says an ellipsis counts as more characters than one?
Posted by jnkmail@...
14th Sep 2011
XKCD
XKCD already covered this:

http://www.xkcd.com/936/

It's a lot easier to remember a simple phrase of four random words than a bunch of symbols and remembering which letters you capitalized or not. And I'm not sure how a dictionary attack is going to work against a cluster of words, you'd have to guess all four words at the same time, you either get the whole password or nothing at all, that's how encryption works.
Posted by branchman67
20th Sep 2011
nice!
I was going to post the exact thing. I use a "base" that remains the same and an "extension" that changes each time I'm required to select a new password. Unfortunately since I can't remember all the little details of which password goes with which system, I have to have a paper with all my "extensions" written on it at my desk. Heaven help us if someone figures out my "base". Or, they could just let me make up a new password like CorrectBatteryStapleHorse that would be memorable and virtually unbreakable.
Posted by steve.mathys
27th Sep 2011
Go to the middle.
My favourite is pseudo-pronounceable non-words.

My goal is to resist casual hacking in the workplace, but keep the password in my head. I adapted some VB code to JavaScript for my company's Intranet for this.

The result is not suitable to ultra secure systems, but is plenty good enough for my domain admin account.

Typically an 8 char password would look like DiboGen7. Once you have the pronunciation in your mind it is surprisingly easy to remember. Using simple rules you can create passwords of any desired length.

A quick google will find details on this system, it is working very well for my company.

At the end of the day it is only worth securing a password enough; any more is a waste of effort. Take more care with your bank password than your Facebook one.
Posted by acmp<><
20th Sep 2011
conlang passwords
Constructed languages can be very good for passwords, since most hackers only have dicts for natural languages. Especially Na'vi language with its complex *in*fix based tenses. For example, *yiveiom*, 'would happily eat', is *yom* with two infixes stuck inside it, and will not appear in any dict, not even a Na'vi one, since it is just a form.
Posted by skxawng.anawm
21st Sep 2011
This is ridiculous
I had the password thing nailed a few years ago. Until some jokers stipulated that it's got to be 6 characters/7 characters with such and such a configuration. Now I've got 8 full pages of passwords and it's a major hassle.
Posted by Shoobee
27th Sep 2011
Why are some passwords restricted?
As the number of possible characters used in a password increases its potential security, why is it that some passwords explicitly forbid the use of any character other than numbers and letters? It's just plain stupid. I've also come across restrictions such as no more than 2 identical characters together - which D0g...................... would certainly fail. I'm not going to divulge my password strategy (I'm over 55!) but I have a suggestion:
Pick an irrational number such as Pi, the square root of 2, etc., as such numbers go on forever. Then pick a start digit position and a substitution system such as 1=A, 2=B etc. Finally pick a substitution pattern such as letter-letter-number and, although your password may not be easy to remember, it will be easy to recalculate.
Example. I use Pi as my base number: 3.1415926535897932384626433832795
My password starts at the 6th digit (9). Using the substitution system and pattern as above, and choosing, say 9 characters, my password would be: ib6ec5hi7
By using digit pairs and more sophisticated substitution, this approach can make passwords that are very difficult to crack.
Posted by JohnOfStony
5th Jul