Discussion on:

How to create an easy-to-remember, ultra-secure password

Should I point out the misspelling of "delimma" or not?

I corrected it. Thanks!

At least you didn't spell it with an "n", as many people do (dilemna).

For many years I've been using poems and song lyrics which have been stuck in my head for decades as the key to my passwords, some of 'em since well before I started school, and throw in a bit of punctuation and a number or three.

One of the first was: Btdatd,Wtnibtl93. How on Earth is that a memorable password? Well I've known the key to it since I was three:

"Between the dark and the daylight,
When the night is beginning to lower"

Now I did have to remember that 93 was the number to finish it off, but other than that It was stuff kicking around in my head anyway.

What gives me fits are systems which insist on ridiculously short passwords: EIGHT characters? Really! That may have been reasonable back in the days when memory speeds were measured in microseconds, but nowadays? Ridiculous!

Are you sure that the lyrics aren't "Between the daylight and the dark, ..?"

There's NO need to use numbers, lower/upper case or punctuation marks Tuan. You are completely safe using just a few words as your password.

That's not true. Simple brute force attacks can kill passwords that use alphanumeric characters and they can do it quickly with passwords under 16 characters. Adding symbols and case increases the complexity exponentially. Current computer systems could take decades to brute force through passwords that contain letters (both cases), numbers and symbols at 12-16 characters. Adding characters increases the difficulty, again exponentially.

It's fairly simple math. If you only use alphanumeric (lets say only lower case) your password equals X^36 where X=password length. If you add both cases then it becomes X^62. Add symbols and it becomes X^94 on my keyboard.

So with 1 character you have 94 possible answers where one answer is your password. With 4 - 3.92318858 ?? 10^56. With 12 - 2.77355721 ?? 10^101. You get the idea. The complexity goes up really fast. Ultimately it comes down to how fast the computer performing the brute force attack can make posits. Most pros use graphics cards tethered together because they can affordable create systems that will run through a few million possibilities per second. But even with these machines some 16 character passwords can take over 100 years to break.

For a password length of x characters with a choice of c possible characters the number of combinations is c^x, not x^c.
So the numbers for a 16 character password using any of 94 characters is 94^16, not 16^94

What is the human brain better at than a computer? Pattern recognition. Using the human brain for memorization is a waste of brain power. Why not use something that the human brain is designed to do?
There are patterns all around you and you probably recognize them without even knowing it. For instance, take a look at your keyboard. See any patterns there? I have one of those natural keyboards and I see plenty of patterns. Using these patterns, we can generate highly complex passwords that require *NO* memorization!
Take, for example, this password:
1670tybn!^&)TYBN
That looks pretty complicated, right? Well, it isn't. It's just the pattern of my split keyboard. It splits at the 6-7 t-y b-n so this makes it a natural pattern to use.
How about 1q2w3e4r5t^T%R$E#W@Q!
How would you like a 21 character of seemingly random characters for a password? Just go up the keyboard, then back down with the shift key!
1qzxsw2!QAZXSW@
Again, notice this pattern? a 16 character random password that is easy to remember because it's a patttern!
But most of you are saying, "what about when you are required to change your password?"
Well, move over one key, So the above password becomes:
2wsxcde3@WSXCDE#

I love this way

Now that you have helped us, are we sure that the hackers did not get educated just now as well? I wonder about the fingerprint thing. At least it works on the computer, and an app should be on the way soon - if it is not there already.

tech_ed's suggestion is just what hackers love. Keyboard patterns are commonly used as passwords and are among the least secure so avoid them!

It works similar to CodeCurmudgeon's suggestion. Take a relatively short sentence that you can easily remember, remove the spaces and use that as your password. Select a sentence with punctuation to add symbols if you like. Make is kinda long and maybe mix the case a bit. Like this:

ILoveMyLittleBrownDog!

or

BestFriends4Ever!

In answer to kwabinalars's concern about not using symbols I have to ask: How would the hacker know you didn't use symbols? He'd have to check all of them anyway and this would make his search take just as long. Because he doesn't know each character of your password he has to test every POSSIBLE character whether you used it or not. If it ever caught on that nobody ever used symbols he could guess that you didn't so he could skip testing them.

Don't use common words (anything in any dictionary) as hackers use a dictionary attack as first port of call often (depending on what they might already know about their target) Running through dictionary combos first is quicker than brute-force AFAIK. I tell my clients: If you have to use a phrase or combo of words/names then put a delimiter in between eg theQuickbrown can become: the$quick$brown or maybe: thequickbr@wn or tHeQuIcKbRoWn, anyways, u get the idea.. Not that passwords do much to stop hackers in this day and age, having a password you can remember is more important than one that can withstand brute-forcing

Suppose I want to hack your Bank of America account. First I open an account of my own with Bank of America and then I discover that they only allow letters and numbers. This makes it much easier to hack anyone's Bank of America account - and I hope some IT guy at Bank of America who restricted passwords in this stupid way (and so made hacking easier) is reading this - or, even better, some senior official who can get this stupid policy changed.

Um. Can servers not tell that someone attempting 1000 log ins per second is probably not the registered user?

I've heard of some sites using an exponential time limit like 2 seconds for the second attempt, 4 for the next, etc. Why is this uncommon?

I agree that this would be the best possible security. My bank locks me out of my account if I enter more than 3 incorrect attempts over a 12 month period. To unlock, I have to ring the bank, and convince them who I am to have the account unlocked.

The only way that logon-attempt limits can be circumvented is if the database itself is stolen (which has happened), as then the hacker has unlimited attempts.

Hackers download password files, crack them, and then login using the passwords they've gained from working through the file.

Roger Demuth
https://piedex.com

@tuancnguyen. It appears that Facebook ignores the case of the first character in a password. Thus, Dog and dog are equivalent ... and so the example password is slightly less secure than might be expected. Of course, if it began with a period the security is as expected: .Dog... and .dog... are not equivalent

When I cut and paste the sample D0g (etc) I count only 10 characters yet the article states that it contains more characters than the other.

Is there some rule that says an elipsis counts as more characters than one?

XKCD already covered this:

http://www.xkcd.com/936/

It's a lot easier to remember a simple phrase of four random words than a bunch of symbols and remembering which letters you capitalized or not. And I'm not sure how a dictionary attack is going to work against a cluster of words, you'd have to guess all four words at the same time, you either get the whole password or nothing at all, that's how encryption works.

I was going to post the exact thing. I use a "base" that remains the same and an "extension" that changes each time I'm required to select a new password. Unfortunately since I can't remember all the little details of which password goes with which system, I have to have a paper with all my "extensions" written on it at my desk. Heaven help us if someone figures out my "base". Or, they could just let me make up a new password like CorrectBatteryStapleHorse that would be memorable and virtually unbreakable.

My favourite is psudo pronounceable non words.

My goal is to resist casual hacking in the work place, but keep the password in my head. I adapted some VB code to JavaScript for my companies Intranet for this.

The result is not suitable to ultra secure systems, but is plenty good enough for my domain admin account.

Typically an 8 char password would look like DiboGen7. Once you have the pronunciation in your mind it is surprisingly easy to remember. Using simple rules you can create passwords of any desired length.

A quick google will find details on this system, it is working very well for my company.

At the end of the day it is only worth securing password enough, any more is a waste of effort, take more care with your bank password than your facebook one.

Constructed languages can be very good for passwords, since most hackers only have dicts for natural languages. Especially Na???vi language with its complex *in*fix based tenses. For example, *yiveiom*, ???would happily eat???, is *yom* with two infixes stuck inside it, and will not appear in any dict, not even a Na???vi one, since it is just a form.

I had the password thing nailed a few years ago. Until some jokers stipluated that it's got to be 6 characters/7 characters with such and such a configuration. Now I've got 8 full pages of passwords and it's a major hassle.

As the number of possible characters used in a password increases its potential security, why is it that some passwods explicitly forbid the use of any character other than numbers and letters? It's just plain stupid. I've also come across restrictions such as no more than 2 identical characters together - which D0g...................... would certainly fail. I'm not going to divulge my password strategy (I'm over 55!) but I have a suggestion:
Pick an irrational number such as Pi, the square root of 2, etc., as such numbers go on forever. Then pick a start digit position and a substitution system such as 1=A, 2=B etc. Finally pick a substitution pattern such as letter-letter-number and, although your password may not be easy to remember, it will be easy to recalculate.
Example. I use Pi as my base number: 3.1415926535897932384626433832795
My password starts at the 6th digit (9). Using the substitution system and pattern as above, and choosing, say 9 characters, my password would be: ib6ec5hi7
By using digit pairs and more sophisticated substitution, this approach can make passwords that are very difficult to crack.