Secure Memorable Passwords for Older Users

Question

As with many people who work in IT I have found myself in the position of providing technical support for older relatives. Most of these relatives are not technically savvy and hate the idea of passwords.

I usually get frustrated and end up giving them a variant of p@ssw0rd which is obviously not that secure.

What is the best way to educate them on a generating a secure password that they can easily remember and type?

Most up voted question in this community, contains your answer: http://security.stackexchange.com/q/6095/67418 — mertyildiran, Nov 09 '15 at 01:46
Just generate a good password yourself and write it down for them. — Neil Smithline, Nov 09 '15 at 02:52
Let them select their password for themselves (you can suggest different variations to make them stronger) and have them write a hint of it on a piece of paper. Remember that the hint should be only enough for them to remember the password and not for someone else to be able to guess it. After setting it up, have them use the password everyday for atleast a week. Regular recalling of the password from their memory will help them remember it for a longer period of time. — Chirag Bhatia - chirag64, Nov 10 '15 at 02:10

score 10 · Accepted Answer · answered Nov 12 '15 at 14:47

I am an advocate of the passphrase approach. We all know longer passwords are harder for hash cracking attacks. For several years I have advocated the use of a short sentence with typical capitalization and punctuation. This produces inherent length and complexity, but might allow for easy guessing. To make guessing harder, additional strength can be added with the use of a multi-digit number or an odd word, such as a nickname or foreign derivative.

The following are all strong passwords that are easy to remember and natural to type.

  My home was 7925.
  Bito loves little kids.
  Mum was born in 1918.

I advocate this approach for everyone, but it might be particularly helpful to older people. Have them choose a fact from their youth, which is often easier for older people to remember than current facts.

Advantages:

Sentences or phrases are easy to remember.
Natural language includes punctuation and spaces which creates complexity but is both easy to remember and easy to type.
Even the shortest of sentences is a long password.

Disadvantages:

Failing to include an odd word or multi-digit number can make the passphrase susceptible to brute force if the attacker assumes a sentence structure and uses a dictionary.
Typing a long passphrase without seeing what you are typing can be a problem for some users.
Some systems do not allow the entire character set such as spaces or punctuation.
Some systems limit password length.

Enough simple words in the passphrase will make it strong without additional complexity, BTW. Consider: Using a very small English dictionary containing only 10,000 words. Four words in a predictable pattern would have 10000^4=10^16 combinations, slightly more than a complex (chosen from 96 possible characters) 8 character password and each additional word adds more combinations than 2 characters in a complex password since 10000>96^2. So

  Dogs and cats are cute.

is stronger than a 10 character complex password even if the attacker knows that the passphrase is a simple sentence.

If you take the above and add in a odd word or multi-digit number, a four word phrase is a very strong password.

Including punctuation and capitalization mid-sentence significantly strengthens the passphrase, BTW.

You just have to remember to use punctuation and capitalization where you put it. — schroeder, Nov 12 '15 at 16:11
Absolutely, but if the punctuation or capitalization is an organic part of the sentence, it comes naturally. An apostrophe for possessive nouns or the question mark in **Can I? I can!**. — JaimeCastells, Nov 12 '15 at 18:11
Be careful about making claims like "'Dogs and cats are cute' is stronger than a 10 character complex password." With natural language passphrases like this it's a question of whether an attacker has captured that phrase and added it to their dictionary. There's no good way to know that, although more famous phrases, song lyrics, book titles, etc. are likelier choices they'll try first. Stick with completely random word choices for passphrases. — PwdRsch, Nov 12 '15 at 18:32
@PwdRsch is absolutely right about common phrases and song lyrics. Those are definite pitfalls. IMO, phrases that contain personal information, particularly obscure words or foreign derivatives will make an intelligible sentence a strong passphrase. My example in the body of the answer was specifically to numerically demonstrate the strength against a dictionary based attack. — JaimeCastells, Nov 12 '15 at 22:58
This answer is the most comprehensive and is the "correct" one. However due to a Relative Comprehension Error I have had to follow a different path, hence my own answer. — Burgi, Nov 16 '15 at 16:46

score 3 · Answer 2 · answered Nov 12 '15 at 16:19

Because the password field is masked, users have to be able to type without getting feedback from the screen, so they need something that they can successfully type with only the keyboard to look at. For this type of situation, I like to show them keyboard patterns:

zaq1@WSXfacebook [the pattern becomes obvious when you type it out]

Each generated password is unique, satisfies complexity and length requirements, and I find that people naturally take to the 'no thinking or remembering' approach. It is also easy to "hunt and peck" on the keyboard for those who were never good typists or have vision issues. I have even physically notched the keys so that someone with poor vision could do it by touch alone.

Notching the keyboard isn't something I had considered for computer users. It sadly doesn't work for touchscreens. — Burgi, Nov 16 '15 at 16:51
Yes, my entire answer is relevant only to hardware keyboards — schroeder, Nov 16 '15 at 17:08

score 2 · Answer 3 · answered Nov 16 '15 at 16:43

After some lengthy arguments about pass-phrases, I hit upon an idea to solve this.

Perhaps it is my inability to fully explain the advantages/reasons that has frustrated me the most. One of the counter-arguments I found being thrown back at me was:

They don't look like passwords

I have set my relatives passwords to be the same as their car license plate. In the UK the license plates follows one of these patterns:

AB12 CDE
A123 BCD

This is something my relatives can easily remember (if they forget it they can open the front door and check) and it ticks most of the "strong password" requirements. The space between the digit groups can be swapped out for any special character.

I can understand that people have both attitudes and practical requirements! Your approach meets complexity but the fixed pattern makes it weak. The limited ordering of this pattern makes it a lot easier to brute-force. If we allow the letters to be a random mix of upper and lower case and the space to be any special character, the total number of combinations would be 52^5 x 10^2 x 33 + 52^4 x 10^3 x 33 which is roughly 1.4x10^12. That may seem like a huge number, but a modest cracking attack can test something like 10^9 values per second so this would only take a few minutes to crack. — JaimeCastells, Nov 16 '15 at 17:09

Luc · Answer 4 · 2015-11-16T17:03:18.763

Secure Memorable Passwords for Older Users

I'm not sure there is an answer at all. If a password is memorable it is either simple, contains a pattern, or has connections to other memories, thus making it less strong. Most suggestions I've seen use one or more of these methods.

You are specifically asking after memorable passwords, but why not use a password manager? Or a physical access token?

It could be as simple as using their smartphone for authentication, though then the smartphone has to be secured (and older people might not have/want a smartphone). If they happen to have one that has a fingerprint reader, it might be a good option. Still, giving them a separate device is more akin to a physical key and they might take better care of it security-wise.

And if all else fails, a password manager on their computer might be a lot more secure than whatever they can and care to remember, even if that one has a simple access code.

relatives [...] hate the idea of passwords

Relatives are maybe slightly different (I generalized up till now). Do they do important work, or are they janitors somewhere? Do they have a separate working laptop and personal laptop? What sort of services do they use?

All those questions change things. If they have some manager function and don't have a separate personal laptop, it might be a good idea to up their security and pay that extra dollar to get them a Yubikey or something. Which services they use also matters then: not everything supports 2FA (or what we're after in this case: 1FA after eliminating the password, or after making it rather weak). You might have to switch services, or use a password manager instead (or additionally, or use the access token for your password manager, or...).

There are lots of options, but I'd look at things people don't necessarily have to remember. We're after authenticating physical people after all, not filling their brains with something as difficult as possible.

Secure Memorable Passwords for Older Users

4 Answers4

Linked