A PRACTICAL METHOD FOR CHOOSING SECURE PASSWORDS
I’ve written in the past about the difficulties faced by anybody who uses online accounts (i.e. most of us) in choosing passwords that are both easy to use and unique to each account. The requirements make it seem to be an impossible task.
- It should be memorable.
- It should be short (i.e. easily, quickly typed without mistakes).
- It should not be easily guessable by somebody who knows (anything) about you.
- It should not be easily guessable by a computer doing an exhaustive search.
- It should follow the “rules” dictated (must include digits, uppercase, symbols, the "right" symbols, not too long, not too short, etc.)
- You need a different password for each account & may need to frequently rotate passwords on certain accounts.
What happens then is that people choose passwords that are not secure (“password”, etc.) or monstrosities (“Tr00b4dor&3”, etc.) that are hard to remember, difficult to type, and prone to errors. A notable alternative is to use a password generator. However, this methodology carries its own share of problems, notably: choosing and remembering the master password, which generator to choose, how to set it up, the life expectancy of the generator you choose, whether it will work for you when away from your computer, etc.
One method that has gained some popularity is to generate and then concatenate random words (e.g. Diceware, “correcthorsebatterystaple”, etc.). This method has its own list of difficulties. Who carries dice in their pocket and the lookup table? Who can remember several such generated passwords? Note that I currently use 61 different passwords for my personal & business accounts. Who wants to type six (or seven) concatenated words just to access an account? Then, don’t forget to include capitals, digits, symbols, etc. in order for your password to “pass”. My method is based on the above but includes several modifications to make the generated passwords memorable and secure, valid and mostly hassle-free.
The first step of the method is to come up with a word list similar to the phonetic alphabet used by the military (Alpha, Bravo, Charlie, etc.). You’ll need to start with a list of words, one word for each letter of the alphabet. For ‘Q’, ‘X’, and ‘Z’, it’s OK if that letter appears within the first four letters of the word. For example, here’s a possible list:
Adams, Benedict, Chester, Davis, Eisenhower, Fillmore, Garfield, Harrison, Isaac, Japan, Kenya, Libya, Mexico, Nepal, Oman, Peru, Qatar, Romania, Salad, Taco, Unsalted-butter, Vanilla, Watermelon, Oxtail (soup), Yoohoo, Zucchini
Note that I switched from historical names, to countries, to foods (Yoohoo might be the exception). This list can be generated from a dictionary or out of your head. It’s better to generate the list somewhat randomly. Also note that memorizing this list does not seem to be out of the question (a historical figure whose name starts with ‘E’, a food that starts with ‘W’). The list could be written down, stored in a desk drawer or wallet. It would only compromise the resulting passwords to a small degree if discovered.
The second step is to pick one three-letter or four-letter acronym. It should be something that you wouldn’t easily forget. Ideally, it could be something that you could never forget. Examples: your favorite radio or TV station (WTOP), initials of a close relative (JFK), an organization you think is too cool (IRS), stock symbol of your favorite company (WHR). It’s easy to come up with them. It’s much harder to decide on just one. For this example, we’ll use “IRS”.
The next step is to decide on a three-digit or four-digit string. My favorite is to take the last part of a phone number that can’t be tied to me, but that I’m unlikely to ever forget in my lifetime. For me, it’s my grandparents’ phone number from a long time ago. For this example, I’ll use "3268" instead.
MOMENT OF GLORY
Now we’re ready to generate a password. Suppose we need a password for our online Washington Gas account. We start with four letters, two from the acronym and two from the account description:
IRS + Washington Gas -> I, R, W, A
We then take the first four letters of the word that each letter maps to in our word alphabet:
isaa roma wate adam 3268
Now we capitalize the first letter, replace the last digit with a symbol and voila:
It’s 20 characters. It includes upper and lowercase letters, digits, and a symbol. Note that all of my passwords thus generated will be of the form “Issaroma********326-”. The Washington Gas account generates “wateadam”.
We could be more secure and use alternate letters for ‘W’ and ‘A’. The alternate letter would be the next consonant in the word that corresponds to the letter.
W -> Watermelon -> T -> Taco -> taco
A -> Adams -> D -> Davis -> davi
The password generated would thus be:
NOW FOR A TWIST
For added security, it would be a good idea to add a simple twist to the above scheme. Many variations are possible:
Capitalize a different letter instead: issaromatacoDavi326-
Place the symbol after the first eight characters: Issaroma-tacodavi326
Cut a letter and use the full pin code: Issaromatacodav3268-
Add a letter, digit, or another symbol to the end: Issaromatacodavi326-H
There are easily one thousand possible twists that one could conceive. The important thing is to be consistent. If you plan to use a twist, pick one and stick to it.
PASSWORD STRENGTH ANALYSIS
A 20-character password where each character is a letter, number, or symbol contains over 120 bits of entropy. An entropy of between 50 and 70 bits is generally assumed to be “good”. 120 bits is more than adequate. But, what if we know how the password was generated: i.e. that the first character is capitalized, the last is a symbol, digits in place, using parts of words, etc.? In that case, each set of four letters represents the number of possible unique four-letter starts of dictionary words. This is at least 2048, so we get 11 bits on each set of four letters. The digits give us 3.3 bits each. Our twist generates an additional 10 bits. So we get 11+11+11+11+3.3+3.3+3.3+3.3+10 = 67.2 bits. Using caps and symbols at the beginning and end may not help much; but, it certainly won’t hurt us. 67.2 bits makes it 8,000,000 times harder to guess than the “correcthorsebatterystaple” example and contains 5 fewer characters.
PASSWORD PRACTICALITY ANALYSIS
While the generated passwords may look daunting, they are all composed of four (truncated) words and a numeric code which should optimally be second nature to remember. Each piece is easy enough to remember: two words that are common to all the passwords, two words that correspond to the account in question, a “pin” code, one symbol, and remember to capitalize the first letter. Also, aside from the initial choice of 26 words, there is very little that is ad hoc. The password follows from a straightforward set of easy-to-follow rules.
The 20-character length may seem extreme; but, fifteen of them are all lowercase letters, one uppercase, three digits, and one symbol. It’s much easier and less error-prone than typing, say, “&$(#H230B”. Because of the construction, passwords will often be pronounceable. This makes it both easier to type and easier to remember. A good tip would be to sound out the password before typing it. Length also goes a long way toward the security of the password. In the long run, it would be better to start with a long password and be able to keep it, than to start with a too-short one and need to keep appending to it or otherwise modifying it.
As far as password “criteria” go, all our passwords will include at least one capital letter, two digits, and one symbol. These aren’t used to strengthen the password as much as to satisfy the “rules” and then not need to remember which letters are capitalized, where the symbol goes, etc. It is a sad fact that many online accounts limit password length. Since our passwords are constructed in parts, it is relatively easy to abbreviate them. We could also lengthen them quite easily, if necessary and/or desirable. Here is one scheme to bring our length from 20 to 12 characters: Take each of our four-letter truncated words and use a two-letter combination consisting of the first character and the next consonant. If there are no consonants, then use the very next letter. So we’d have:
Issa -> is, roma -> rm, taco -> tc, davi -> dv,
resulting in “Isrmtcdv326-”, a 12-character password. It’s not very pretty, but we needed to economize. Similarly, we can lengthen it by adding more truncated words. For example:
IRS -> issa-roma-sala
Washington Gas -> WAS -> TDL (alternate letters) -> taco-davi-liby,
resulting in “Issaromasalatacodaviliby326-”, a 28-character password.
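The generation, alternate-letter, shortening and lengthening rules above, together with the entropy estimate from the strength analysis, as an added Python example (not the author's code). It assumes the article's sample word list, takes the alternate positions as an explicit index list, and spells the first block as the first four letters of Isaac, isaa.

```python
import math

# Word alphabet from the article's sample list, in A..Z order.
WORD_LIST = [
    "Adams", "Benedict", "Chester", "Davis", "Eisenhower", "Fillmore",
    "Garfield", "Harrison", "Isaac", "Japan", "Kenya", "Libya", "Mexico",
    "Nepal", "Oman", "Peru", "Qatar", "Romania", "Salad", "Taco",
    "Unsalted-butter", "Vanilla", "Watermelon", "Oxtail", "Yoohoo", "Zucchini",
]
ALPHABET = dict(zip("ABCDEFGHIJKLMNOPQRSTUVWXYZ", WORD_LIST))
CONSONANTS = set("bcdfghjklmnpqrstvwxyz")

def next_consonant(word):
    """First consonant after the initial letter; falls back to the 2nd letter."""
    return next((c for c in word[1:].lower() if c in CONSONANTS), word[1].lower())

def truncated_words(acronym, account, n=2, alternates=()):
    """n letters from the acronym plus n from the account name, each mapped to
    the first four letters of its word. Positions listed in `alternates` use
    the alternate rule: the next consonant of the word, then that letter's word."""
    letters = acronym.upper()[:n] + "".join(filter(str.isalpha, account)).upper()[:n]
    words = []
    for i, letter in enumerate(letters):
        if i in alternates:
            letter = next_consonant(ALPHABET[letter]).upper()
        words.append(ALPHABET[letter].lower()[:4])
    return words

def assemble(words, pin, symbol="-"):
    """Capitalize the first letter; the symbol replaces the last pin digit."""
    body = "".join(words)
    return body[0].upper() + body[1:] + pin[:-1] + symbol

def shorten(words):
    """The 20-to-12 scheme: first letter plus next consonant of each word."""
    return [w[0] + next_consonant(w) for w in words]

def entropy_bits(n_words, n_digits=4, twist_bits=10, word_starts=2048):
    """Article's estimate when the attacker knows the scheme: log2 of the
    choices for each part (four-letter word starts, digits, twist)."""
    return n_words * math.log2(word_starts) + n_digits * math.log2(10) + twist_bits

if __name__ == "__main__":
    words = truncated_words("IRS", "Washington Gas", alternates=(2, 3))
    print(assemble(words, "3268"))                      # Isaaromatacodavi326-
    print(assemble(shorten(words), "3268"))             # Isrmtcdv326-
    longer = truncated_words("IRS", "Washington Gas", n=3, alternates=(3, 4, 5))
    print(assemble(longer, "3268"))                     # Isaaromasalatacodaviliby326-
    print(round(entropy_bits(4), 1))                    # 67.3 (article rounds to 67.2)
```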
If password rotation is necessary, then we can incrementally modify by using the sequence “WA”, “WB”, “WC”, “WD”, etc. This would give us a sequence of:
or to be more secure:
The password generation scheme presented seems to be simple, straightforward, and generates strong passwords. The scheme can be easily tailored to individual preferences and requirements. The most difficult part is to come up with a word list and remember it. Keeping a copy in your wallet might be advisable and to a large extent would not compromise the passwords. The list can be generated with a randomized dictionary search, by using a process such as Diceware, or by coming up with words with a common theme or themes. Note that a more randomized word list will generate stronger passwords. I’ve generated a list of 2704 words (26 letters x 26 themes x 4). The list is freely available at www.hstreet.com/tips/wordlist.xlsx. Feel free to randomly choose words from this list. Use F9 on the second worksheet tab to generate random alphabetical listings. Happy passwording!