Passwords

I'm going to address a topic which strikes fear into users and systems administrators equally: passwords! Truth of the matter is that it needn't be painful for either party. The current framework isn't working and both sides are complaining. Administrators are instituting rules which almost force users to write their passwords down, thus defeating the entire purpose. They also hold to unreasonable schedules for password changes, forcing people to arrive at new combinations which will be forgotten easily and thus the cycle continues unimpeded.

So let's all agree to some basic premises:

So why do administrators make the job of selecting a password tougher by adding rules which don't make sense? If we require users to come up with a password which passes the previous benchmark, why ask them to change after a certain period of time has elapsed? If we provide the incentive to generate a personally unique password which the users can comfortably recall ad infinitum, why would they need to change it every so often?

Having encountered this scenario time and again, I've decided to write about how to come up with a password which is highly secure yet memorable. You won't have to write it down and the administrators can run all the usual tests against it but won't likely break it without years of computing effort. Can it really be that easy? Yes!

One of the beauties of the English language is that there are alternative symbols we can use in place of letters, words or phrases. Does anyone remember that Irish singer who came out with a hit single titled "Nothing Compares 2 U"? Later we had Britney Spears releasing a song titled "Slave 4 U". And the completely forgettable Avril Lavigne number "Sk8er Boi." All are using digits and capital letters instead of complete words.

Anyone who has spent time on the 'net is aware that information compression is the order of the day. Short Message Service (SMS) for cell phones is gaining in popularity, but the short forms have been around for a lot longer than the youngsters can imagine. So how can we use that knowledge to generate passwords which are almost unbreakable? Take a look at this table:

Symbol   Possible meaning
8        ate, ait
4        for
|        or
&        and
@        at
!        not

Merely using the preceding five symbols along with the upper- and lower-case letters and the 10 digits provides us with (52+10+5)^8 possible combinations. That's 26 lower-case letters, 26 upper-case letters, the 10 digits and 5 special characters: an alphabet of 67 symbols. That comes out to 406,067,677,556,641 discrete passwords in only 8 characters. Extend that to 12 and you arrive at 8,182,718,904,632,857,144,561 unique combinations.

So how many of you have received concrete advice on how to generate a password which you will be able to remember without writing it down? One which will provide you with long-term security? Does your IT department provide a booklet or a web page which provides pointers? This is the art I want to reveal, tricks learned from many years in the field. I'm sharing this so that we can all enjoy security without excessive demands on our memories. We already have enough passwords, PINs and the like to last us a lifetime!

All you have to do is pick a memorable phrase and encode it in a way you will easily recall. Sounds simple, right? A line of poetry from high school, an adage you heard years ago, the punchline to a favorite joke. It could be a line from a song, or your favorite television show from when you were a kid. All that matters is that you can represent it in a different format. I'll continue with a few examples.

Remember the song by Trooper entitled "Raise a Little Hell"? How about if we encoded it as "^aLittLeheLL"? The caret (^) is used in some computer languages to indicate raising a number to a power. As for the rest of the title, I've converted only the letter l to upper-case. You could also split it into constituent words and represent it as "^aLittLeHeLL" or even just go contrary-capital and make it "^AlITTLEhELL". Remember (taking the lyrics from the aforementioned song) "If your world is all screwed up, rearrange it"!

Perhaps you studied Shakespeare in school. The classic scene in the play Julius Caesar has Caesar asking "Et tu, Brute?". So why not "A2BROOTAY"? Better yet would be to institute your own rule which says that vowels are always lower-case, giving us "a2BRooTaY". You can decide for yourself whether y is a vowel or not and hence the case. We can even incorporate the original punctuation and make it "a2,BRooTaY?". Don't be afraid to use punctuation or other special characters in your password: it's usually acceptable and makes it tougher to crack. So are you starting to get the drift?

People in certain professions can select something near and dear to their hearts and incorporate it into a password which is not easily guessed. A dentist: "fl0ssIngIsGUd4U". Note the replacement of the letter O with the digit 0. Otherwise, vowels are capitalized and we intentionally misspell good as gud and use 4U instead of "for you". Then again, they could reverse the rule and come up with "!FLoSSiNGiSGuD4Me". In this case we used the exclamation mark, which means not, so the meaning becomes "not flossing is good for me". Add another exclamation mark at the end and you end up with an 18-character password.

Everyone can benefit from this approach. Here are some more examples for your consideration:

Profession    Password             Meaning
Medicine      InEEdAlOcUm          I need a locum (MDs will get this one!)
              Take2andUno          Take 2 and you know (the rest...)
              QiDim4u!             Four times a day, I'm for you!
Law           cOmpOsMEntIs,mE?!    Compos mentis (sane) me?!
              RUInsAnE?!           'nuff said
              lIdIg84sUrE!         Litigate for sure!
Mathematics   One+Two=Twelve       1+2=12 (erk!)
              E=mccubed?           E=mc3?
              3!=3*2*1             just an equation

What I'm suggesting is that choosing a password can actually be a fun experience. Spending two or three minutes coming up with something which has special meaning for you but cannot be easily guessed can make remembering your password a snap. Others won't have a chance at cracking it but you need to have a system which forces you to enter your carefully selected password at least once a week. Don't rely on systems which offer to "remember" your password for you: if you're not regularly typing the password then you run the risk of forgetting it after a few months.

Finally, realize that you can actually satisfy the requirements of the administrators with passwords which defy conventional attacks. Those passwords should also be given greater longevity for the same reason. You might have to repeat the exercise if there is a security breach but it should be no more difficult to memorize a self-generated password than your home telephone number. Then again, many people have problems with that one since how often do you call yourself at home? ☺

October 13th, 2002