# Discussion on: How to create an easy-to-remember, ultra-secure password

###### What a dilemma
Should I point out the misspelling of "delimma" or not?
Posted by NickNielsen
7th Sep 2011
###### fixed
I corrected it. Thanks!
Posted by tuancnguyen
7th Sep 2011
###### A creative effort
At least you didn't spell it with an "n", as many people do (dilemna).
Posted by LedLincoln
7th Sep 2011
###### Poetry & lyrics
For many years I've been using poems and song lyrics which have been stuck in my head for decades as the key to my passwords, some of 'em since well before I started school, and throw in a bit of punctuation and a number or three.

One of the first was: Btdatd,Wtnibtl93. How on Earth is that a memorable password? Well I've known the key to it since I was three:

"Between the dark and the daylight,
When the night is beginning to lower"

Now I did have to remember that 93 was the number to finish it off, but other than that it was stuff kicking around in my head anyway.

What gives me fits are systems which insist on ridiculously short passwords: EIGHT characters? Really! That may have been reasonable back in the days when memory speeds were measured in microseconds, but nowadays? Ridiculous!
Posted by CodeCurmudgeon
7th Sep 2011
###### Poetry & lyrics
Are you sure that the lyrics aren't "Between the daylight and the dark, ..?"
Posted by oldrubbie
7th Sep 2011
###### You are missing the point
There's NO need to use numbers, lower/upper case or punctuation marks Tuan. You are completely safe using just a few words as your password.
Posted by weedb
7th Sep 2011
###### No
That's not true. Simple brute force attacks can kill passwords that use alphanumeric characters and they can do it quickly with passwords under 16 characters. Adding symbols and case increases the complexity exponentially. Current computer systems could take decades to brute force through passwords that contain letters (both cases), numbers and symbols at 12-16 characters. Adding characters increases the difficulty, again exponentially.

It's fairly simple math. If you only use alphanumeric (let's say only lower case) your password equals X^36 where X=password length. If you add both cases then it becomes X^62. Add symbols and it becomes X^94 on my keyboard.

So with 1 character you have 94 possible answers where one answer is your password. With 4 - 3.92318858 × 10^56. With 12 - 2.77355721 × 10^101. You get the idea. The complexity goes up really fast. Ultimately it comes down to how fast the computer performing the brute force attack can make posits. Most pros use graphics cards tethered together because they can affordably create systems that will run through a few million possibilities per second. But even with these machines some 16 character passwords can take over 100 years to break.
Posted by kwabinalars
7th Sep 2011
###### Correction to "No" by kwabinalars
For a password length of x characters with a choice of c possible characters the number of combinations is c^x, not x^c.
So the numbers for a 16 character password using any of 94 characters is 94^16, not 16^94
Posted by JohnOfStony
5th Jul
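The keyspace arithmetic the two posts above argue about, worked through as an added example (editor's code, not posted by kwabinalars or JohnOfStony). It applies the corrected formula c^x, reports the same figure in bits, and converts it to a worst-case cracking time at an assumed guess rate; the 5 million guesses per second in the usage section is only an illustration of the "few million per second" quoted above, not a measured number. The four-word passphrase line (2048-word list) is included because later posts bring up xkcd 936 and the same formula applies with a word standing in for a character.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Character-set sizes discussed in the thread (94 = printable ASCII minus space).
CHARSETS = {
    "lower case only": 26,
    "lower case + digits": 36,
    "both cases + digits": 62,
    "both cases + digits + symbols": 94,
}


def keyspace(charset_size, length):
    """Number of distinct passwords of exactly `length` characters: c**x, not x**c."""
    if charset_size < 1 or length < 1:
        raise ValueError("charset size and length must both be positive")
    return charset_size ** length


def entropy_bits(charset_size, length):
    """The same quantity on a log scale: log2(c**x) = x * log2(c)."""
    return length * math.log2(charset_size)


def years_to_exhaust(charset_size, length, guesses_per_second):
    """Worst-case time to try every password at a constant guess rate.

    On average the attacker hits the right one after about half the keyspace,
    and a dictionary or pattern attack can be far faster than either figure.
    """
    return keyspace(charset_size, length) / guesses_per_second / SECONDS_PER_YEAR


def passphrase_keyspace(wordlist_size, word_count):
    """Word-based passphrase (the xkcd 936 approach): each word is one symbol
    drawn from the wordlist, so the formula is wordlist_size ** word_count."""
    return keyspace(wordlist_size, word_count)


def summary(length=16, guesses_per_second=5e6):
    """One row per character set: (name, keyspace, bits, years to exhaust)."""
    return [
        (name, keyspace(c, length), round(entropy_bits(c, length), 1),
         years_to_exhaust(c, length, guesses_per_second))
        for name, c in CHARSETS.items()
    ]


if __name__ == "__main__":
    # 5e6 guesses/s is an assumed figure standing in for "a few million per second".
    for name, space, bits, years in summary(16, 5e6):
        print(f"{name:32s} {space:.3e} passwords {bits:6.1f} bits {years:.3e} years")
    # A four-word passphrase from a 2048-word list: 2048**4 == 2**44.
    print("4 words / 2048-word list:", passphrase_keyspace(2048, 4), "=", 2 ** 44)
```

Two things fall out of running it: 94^16 is about 3.7 × 10^31, which at millions of guesses per second is on the order of 10^17 years rather than "over 100 years"; and an 8-character lower-case-plus-digit password at the same rate is exhausted in days, which is the complaint about 8-character limits made a few posts earlier. These times assume an offline attack on a stolen hash; online guessing is limited by whatever throttling the server applies, which the thread gets to further down.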
###### Human brain
What is the human brain better at than a computer? Pattern recognition. Using the human brain for memorization is a waste of brain power. Why not use something that the human brain is designed to do?
There are patterns all around you and you probably recognize them without even knowing it. For instance, take a look at your keyboard. See any patterns there? I have one of those natural keyboards and I see plenty of patterns. Using these patterns, we can generate highly complex passwords that require *NO* memorization!
1670tybn!^&)TYBN
That looks pretty complicated, right? Well, it isn't. It's just the pattern of my split keyboard. It splits at the 6-7 t-y b-n so this makes it a natural pattern to use.
How would you like a 21-character string of seemingly random characters for a password? Just go up the keyboard, then back down with the shift key!
1qzxsw2!QAZXSW@
Again, notice this pattern? A 16 character random password that is easy to remember because it's a pattern!
Well, move over one key, So the above password becomes:
2wsxcde3@WSXCDE#
Posted by tech_ed@...
7th Sep 2011
###### I love this way
I love this way
Posted by ruobin wang
7th Sep 2011
Now that you have helped us, are we sure that the hackers did not get educated just now as well? I wonder about the fingerprint thing. At least it works on the computer, and an app should be on the way soon - if it is not there already.
Posted by LynnOpportunity
Updated - 13th Jun
###### Are you a hacker?
tech_ed's suggestion is just what hackers love. Keyboard patterns are commonly used as passwords and are among the least secure so avoid them!
Posted by JohnOfStony
5th Jul
It works similarly to CodeCurmudgeon's suggestion. Take a relatively short sentence that you can easily remember, remove the spaces and use that as your password. Select a sentence with punctuation to add symbols if you like. Make it kinda long and maybe mix the case a bit. Like this:

ILoveMyLittleBrownDog!

or

BestFriends4Ever!

In answer to kwabinalars's concern about not using symbols I have to ask: How would the hacker know you didn't use symbols? He'd have to check all of them anyway and this would make his search take just as long. Because he doesn't know each character of your password he has to test every POSSIBLE character whether you used it or not. If it ever caught on that nobody ever used symbols he could guess that you didn't so he could skip testing them.
Posted by robert_rowe@...
9th Sep 2011
###### Don't use words or phrases w/o char delimitations
Don't use common words (anything in any dictionary), as hackers often use a dictionary attack as first port of call (depending on what they might already know about their target). Running through dictionary combos first is quicker than brute-force AFAIK. I tell my clients: if you have to use a phrase or combo of words/names then put a delimiter in between, e.g. theQuickbrown can become: the\$quick\$brown or maybe: thequickbr@wn or tHeQuIcKbRoWn. Anyway, you get the idea. Not that passwords do much to stop hackers in this day and age; having a password you can remember is more important than one that can withstand brute-forcing.
Posted by AxelWiresmith
13th Sep 2011
###### No symbols - see Bank of America !!!
Suppose I want to hack your Bank of America account. First I open an account of my own with Bank of America and then I discover that they only allow letters and numbers. This makes it much easier to hack anyone's Bank of America account - and I hope some IT guy at Bank of America who restricted passwords in this stupid way (and so made hacking easier) is reading this - or, even better, some senior official who can get this stupid policy changed.
Posted by JohnOfStony
5th Jul
Um. Can servers not tell that someone attempting 1000 logins per second is probably not the registered user?

I've heard of some sites using an exponential time limit like 2 seconds for the second attempt, 4 for the next, etc. Why is this uncommon?
Posted by jm1248
13th Sep 2011
###### Limiting the number of logins
I agree that this would be the best possible security. My bank locks me out of my account if I enter more than 3 incorrect attempts over a 12 month period. To unlock, I have to ring the bank, and convince them who I am to have the account unlocked.

The only way that logon-attempt limits can be circumvented is if the database itself is stolen (which has happened), as then the hacker has unlimited attempts.
Posted by Julie9009
23rd Sep 2011
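The throttling scheme jm1248 asks about and the lockout Julie9009 describes, implemented together as an added example (editor's code, not from either post). Assumptions: the back-off is 2 s after the first failure, doubling on each further consecutive failure up to a cap; a configurable number of consecutive failures locks the account until an out-of-band reset (the phone call to the bank); the account names, password and fixed salt are constructed test data; stored credentials are PBKDF2 hashes rather than plaintext. The clock is injectable so the policy can be exercised without sleeping.

```python
import hashlib
import hmac
import os
import time

PBKDF2_ROUNDS = 100_000  # assumed work factor for the example; tune for production


def hash_password(password, salt=None):
    """Return (salt, digest) for storage. Salt is random unless supplied (tests)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password, salt, digest):
    """Constant-time comparison of a freshly derived digest with the stored one."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


class LoginThrottle:
    """Per-account exponential back-off plus a hard lockout.

    After n consecutive failures the next attempt is accepted only once
    base_delay * 2**(n-1) seconds have passed (2 s, 4 s, 8 s, ...), capped at
    max_delay. Reaching max_failures locks the account until reset() is
    called by an out-of-band identity check.
    """

    def __init__(self, base_delay=2.0, max_delay=3600.0, max_failures=10,
                 clock=time.monotonic):
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.max_failures = max_failures
        self.clock = clock
        self._state = {}  # account -> (consecutive failures, earliest next attempt)

    def wait_seconds(self, account):
        _, not_before = self._state.get(account, (0, 0.0))
        return max(0.0, not_before - self.clock())

    def is_locked(self, account):
        failures, _ = self._state.get(account, (0, 0.0))
        return failures >= self.max_failures

    def record_failure(self, account):
        failures, _ = self._state.get(account, (0, 0.0))
        failures += 1
        delay = min(self.base_delay * 2 ** (failures - 1), self.max_delay)
        self._state[account] = (failures, self.clock() + delay)

    def record_success(self, account):
        self._state.pop(account, None)

    def reset(self, account):
        """Out-of-band unlock (the bank's phone call)."""
        self._state.pop(account, None)


# Dummy credential so unknown accounts cost the same time as real ones.
DUMMY_SALT, DUMMY_DIGEST = hash_password("not-a-real-password", b"\x00" * 16)


def attempt_login(throttle, accounts, user, password):
    """Returns one of: 'locked', 'throttled', 'ok', 'bad_credentials'."""
    if throttle.is_locked(user):
        return "locked"
    if throttle.wait_seconds(user) > 0:
        return "throttled"
    salt, digest = accounts.get(user, (DUMMY_SALT, DUMMY_DIGEST))
    # Always run the hash, then check existence, so unknown users are not faster.
    valid = verify_password(password, salt, digest) and user in accounts
    if valid:
        throttle.record_success(user)
        return "ok"
    throttle.record_failure(user)
    return "bad_credentials"


class FakeClock:
    """Deterministic clock for exercising the policy without sleeping."""

    def __init__(self, now=0.0):
        self.now = now

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


if __name__ == "__main__":
    clock = FakeClock()
    throttle = LoginThrottle(max_failures=3, clock=clock)
    accounts = {"alice": hash_password("correct horse battery staple", b"\x01" * 16)}
    for pw in ("wrong", "wrong", "wrong", "correct horse battery staple"):
        print(pw, "->", attempt_login(throttle, accounts, "alice", pw))
        clock.advance(throttle.wait_seconds("alice"))
```

Two practical notes the posts hint at: the throttle keys on the account, so an attacker spreading guesses across many accounts ("password spraying") is not slowed by it and needs a second, per-source limit; and none of this helps once the password database itself is stolen, which is why the stored form is a slow salted hash rather than the password.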
###### ... but for Facebook ...
@tuancnguyen. It appears that Facebook ignores the case of the first character in a password. Thus, Dog and dog are equivalent ... and so the example password is slightly less secure than might be expected. Of course, if it began with a period the security is as expected: .Dog... and .dog... are not equivalent
Posted by richard@...
Updated - 13th Sep 2011
###### Interesting idea
When I cut and paste the sample D0g (etc) I count only 10 characters yet the article states that it contains more characters than the other.

Is there some rule that says an ellipsis counts as more characters than one?
Posted by jnkmail@...
14th Sep 2011
###### XKCD

http://www.xkcd.com/936/

It's a lot easier to remember a simple phrase of four random words than a bunch of symbols and remembering which letters you capitalized or not. And I'm not sure how a dictionary attack is going to work against a cluster of words, you'd have to guess all four words at the same time, you either get the whole password or nothing at all, that's how encryption works.
Posted by branchman67
20th Sep 2011
###### nice!
I was going to post the exact thing. I use a "base" that remains the same and an "extension" that changes each time I'm required to select a new password. Unfortunately since I can't remember all the little details of which password goes with which system, I have to have a paper with all my "extensions" written on it at my desk. Heaven help us if someone figures out my "base". Or, they could just let me make up a new password like CorrectBatteryStapleHorse that would be memorable and virtually unbreakable.
Posted by steve.mathys
27th Sep 2011
###### Go to the middle.
My favourite is pseudo-pronounceable non-words.

My goal is to resist casual hacking in the work place, but keep the password in my head. I adapted some VB code to JavaScript for my company's Intranet for this.

The result is not suitable to ultra secure systems, but is plenty good enough for my domain admin account.

Typically an 8 char password would look like DiboGen7. Once you have the pronunciation in your mind it is surprisingly easy to remember. Using simple rules you can create passwords of any desired length.

A quick google will find details on this system, it is working very well for my company.

At the end of the day it is only worth securing a password enough; any more is a waste of effort. Take more care with your bank password than your Facebook one.
Posted by acmp<><
20th Sep 2011
Constructed languages can be very good for passwords, since most hackers only have dicts for natural languages. Especially Na'vi language with its complex *in*fix based tenses. For example, *yiveiom*, "would happily eat", is *yom* with two infixes stuck inside it, and will not appear in any dict, not even a Na'vi one, since it is just a form.
Posted by skxawng.anawm
21st Sep 2011
###### This is ridiculous
I had the password thing nailed a few years ago. Until some jokers stipulated that it's got to be 6 characters/7 characters with such and such a configuration. Now I've got 8 full pages of passwords and it's a major hassle.
Posted by Shoobee
27th Sep 2011
###### Why are some passwords restricted?
As the number of possible characters used in a password increases its potential security, why is it that some passwords explicitly forbid the use of any character other than numbers and letters? It's just plain stupid. I've also come across restrictions such as no more than 2 identical characters together - which D0g...................... would certainly fail. I'm not going to divulge my password strategy (I'm over 55!) but I have a suggestion:
Pick an irrational number such as Pi, the square root of 2, etc., as such numbers go on forever. Then pick a start digit position and a substitution system such as 1=A, 2=B etc. Finally pick a substitution pattern such as letter-letter-number and, although your password may not be easy to remember, it will be easy to recalculate.
Example. I use Pi as my base number: 3.1415926535897932384626433832795
My password starts at the 6th digit (9). Using the substitution system and pattern as above, and choosing, say 9 characters, my password would be: ib6ec5hi7
By using digit pairs and more sophisticated substitution, this approach can make passwords that are very difficult to crack.
Posted by JohnOfStony
5th Jul
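The irrational-number scheme in the post above, coded up as an added example (editor's code, not JohnOfStony's). It reproduces the worked result, ib6ec5hi7, from the quoted Pi digits, the 6th-digit start and the letter-letter-number pattern. Assumptions not stated in the post: the digit 0 (absent from the post's 1=A, 2=B mapping) is mapped to j; the "digit pairs" variant maps each two-digit pair to a printable ASCII character by offset from '!'; the last function shows the check a practitioner would want, namely how small the candidate set is once an attacker knows the recipe and only has to guess the start, pattern and length.

```python
# Digits quoted in the post, decimal point dropped; any irrational works the same way.
PI_DIGITS = "31415926535897932384626433832795"

# Digit -> letter, indexed by the digit value. 1=a ... 9=i as in the post;
# 0=j is an assumption, since the post does not define it.
LETTERS = "jabcdefghi"

# Printable ASCII runs from '!' (33) to '~' (126): 94 characters.
PRINTABLE_START, PRINTABLE_COUNT = 33, 94


def derive_password(digits, start, length, pattern="LLN"):
    """Read `length` digits from the 1-based position `start` and substitute
    according to `pattern` (L = letter via LETTERS, N = keep the digit),
    repeating the pattern as needed."""
    if start < 1 or length < 1 or start + length - 1 > len(digits):
        raise ValueError("start/length run past the available digits")
    if not pattern or set(pattern) - {"L", "N"}:
        raise ValueError("pattern must be a non-empty string of L and N")
    out = []
    for i in range(length):
        d = digits[start - 1 + i]
        kind = pattern[i % len(pattern)]
        out.append(LETTERS[int(d)] if kind == "L" else d)
    return "".join(out)


def derive_pair_password(digits, start, length):
    """Assumed 'digit pairs' variant: each consecutive pair of digits (00-99)
    selects one printable ASCII character, giving symbols as well as letters."""
    if start < 1 or length < 1 or start + 2 * length - 1 > len(digits):
        raise ValueError("start/length run past the available digits")
    out = []
    for i in range(length):
        pair = int(digits[start - 1 + 2 * i: start + 1 + 2 * i])
        out.append(chr(PRINTABLE_START + pair % PRINTABLE_COUNT))
    return "".join(out)


def enumerate_candidates(sources, starts, patterns, lengths):
    """Everything an attacker who knows the recipe but not the user's choices
    has to try: one password per (constant, start, pattern, length)."""
    for digits in sources:
        for start in starts:
            for pattern in patterns:
                for length in lengths:
                    if start + length - 1 <= len(digits):
                        yield derive_password(digits, start, length, pattern)


if __name__ == "__main__":
    print(derive_password(PI_DIGITS, 6, 9))         # ib6ec5hi7, as in the post
    print(derive_pair_password(PI_DIGITS, 6, 4))    # pair variant from the same start
    candidates = list(enumerate_candidates([PI_DIGITS], range(1, 21),
                                           ["LLN", "LN", "NNL"], [8, 9]))
    print(len(candidates), "candidates cover that whole choice space")
```

The enumeration is the caveat: with one well-known constant, a few dozen start positions, a handful of patterns and lengths, the whole scheme yields a few hundred candidate passwords, which is a smaller search than a single-word dictionary. The strength has to come from choices an attacker cannot enumerate (a private constant, a non-obvious substitution), not from the digits of Pi, which are in every wordlist generator's reach.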