6

I could use a password manager, but I don't like relying on another entity than myself to store my passwords, and it would screw me over if I find myself on the internet in a new location without the database. So I want to use the correct horse battery staple method for my passwords (don't tell anyone,) and memorise all of them. But I'm not sure how I can remember which password is for which service. How can I mnemonically link each password to the particular service?

Lou
  • 315
  • 1
  • 2
  • 8
  • 2
    Added as comment as it's a password manager "solution". Considered using a local password manager like KeePass synced over a cloud solution (ie owncloud.org) so you have an updated "vault" on all your devices, everywhere. – JimL Jul 16 '14 at 21:23
  • `Amazon => Alright Manchester Always Zoning Out Nulls`. Use the service name (or initial letters) as the first letters of each word in your password. – Carlos Campderrós Jul 16 '14 at 22:14
  • That's not a bad idea, but shouldn't that weaken the password security? In the worst-case scenario that the attacker knows I'm using the correct horse method, she doesn't know anything about the types of words I'm using. Making it an acronym not only gives them the first letter of every word, but I bet there are ways of using syntax to figure out the password. – Lou Jul 16 '14 at 22:35
  • see also [How to help users manage password portfolios based on risks of compromise?](http://security.stackexchange.com/questions/63344/how-to-help-users-manage-password-portfolios-based-on-risks-of-compromise) – nealmcb Jul 17 '14 at 16:38
  • Here is one that was unguessable...until it was known: CrDj”(;Va.*NdlnzB9M?@K2)#>deB7mN – SDsolar Jun 02 '17 at 02:42
  • I think as soon as you think up ways to link passwords to websites, you start to compromise the core source of strength in the XKCD-style password: randomness. Unless you are actually choosing words *randomly*, diceware-style, then the analysis shown in that XKCD strip is invalid and your passphrases are weaker than you think. As demonstrated by Carlos in an earlier comment, the fact that the words must be *truly random* is not widely understood for some reason. [Even Bruce Schneier seemingly missed this important fact](https://www.schneier.com/blog/archives/2014/03/choosing_secure_1.html). – Ben Jun 06 '17 at 14:44
  • *(continued)* That said, you *could* do something like *randomly choose* a word from the list of *all words starting with 'a'*, then from *all words starting with 'm'*, etc. but that's much harder to handle than plain diceware. It's going to be very difficult to come up with a unique passphrase for every site and memorize them all. Combine that with the fact that many sites have *maximum* allowed lengths around 12-24 letters, and trying to come up with and remember dozens of these passphrases quickly becomes unworkable. Just use a password manager, you'll wonder why you put it off for so long. – Ben Jun 06 '17 at 14:48

6 Answers6

6

The point of xkcd-style passwords is that: humans think in stories. A password of that kind can be remembered because the user will build a kind of "story" involving all the words in the password as elements of the story.

Along these lines, you should include the service name as part of the story. If your "correct horse" password is for Amazon, then you may remember the story as "a book about famous 'smart horses', including one who could correctly (and famously) recognize staples and batteries". Or something else. The story needs not make sense when written down; it is personal to the user.

Another completely different method to remember passwords is to type them often. This is memory in the fingers (that is, in the part of the brain that controls the fingers), and it works well.

Yet another point is that if you are on the other side of the Internet but still want to access your passwords, then you are about to type your password on some machine. So:

  • Either this is your own laptop, then why don't you have a copy of your passwords, encrypted with a strong master password ? That's something I do (this is safe if the master password is strong, and you apply some care on the decryption, e.g. deactivating swap space and doing the decryption in a RAM-based filesystem).

  • Or you are about to type your password in a third-party machine, e.g. in some "Internet café", and well, you should not. Really. Because such a machine could have a key logger.

Tom Leek
  • 168,808
  • 28
  • 337
  • 475
  • 1
    Well, as I said in the OP, I don't want to use a password manager; in case I use a different machine. But then also because I'm shunting the responsibility of actually memorising the password and depending on an external source. I think outlining a story as you suggest sounds like a great idea. And through typing it repeatedly, I'll remember them by rote as well. – Lou Jul 16 '14 at 20:32
1

How do you memorize each passphrase ? Probably it's the same way that's shown on the xkcd link you provided: by creating some context where those words could be used, or creating some mental image.

You just need to include the service on it. Perhaps not literally the service name, since it might just create some strange picture. But you can easily adapt.

For example, if your email password is correct horse battery staple, you can imagine that the horse is writing the "battery staple" on some envelope.

woliveirajr
  • 4,462
  • 2
  • 17
  • 26
  • The problem with service name is you introduce some invariants, and so a motivated adversary who got hold of your credentials on a poor website will be able to figure out your passwords on others. You should consider all credentials with invariants as more or less identical. It can still be a nice strategy to introduce some recallable randomness (i.e. that you can recall on the spot rather than actively memorise) to your otherwise "identical" passwords. – Steve Dodier-Lazaro Jul 16 '14 at 21:34
  • @Steve ops, perhaps your comment was to the other answer, provided by tom leek ? – woliveirajr Jul 17 '14 at 11:30
  • No I meant your answer. If you have a strategy that reuses elements of the service to add variability to an otherwise invariant password, it can be guessed by an adversary. Protects against very dumb/obvious password thefts but not even basic targeted attacks. Though I reckon it's an extremely convenient approach :) – Steve Dodier-Lazaro Jul 17 '14 at 12:10
  • @SteveDL ah, thought was a mistake, because of the "service name" phrase that I didn't use. Thanks for your comments: I assumed that the OP said he would use the "correct horse" method to generate N passwords, one for each site, as he said he would "memorize all of them". And that the problem was only to know which password was used at each site/program. So, having a strong password, adding one element to associate it with the site wouldn't decrease the security. – woliveirajr Jul 17 '14 at 12:13
  • @SteveDL and I can improve my answer, based on your comments, to address such understanding. thanks! – woliveirajr Jul 17 '14 at 12:14
  • Well, if you have for instance "correct horse battery " and then "correct horse battery " you get little extra security. If you have " – Steve Dodier-Lazaro Jul 17 '14 at 13:17
  • 1
    @SteveDL "correct horse battery staple envelope" for email, "rainbow sand pipe nose face" for facebook, "dark bug hole scream gates" for your microsoft account... where the last word isn't random, just associated with the service/site/program... – woliveirajr Jul 17 '14 at 13:23
  • Then yeah if you can remember them all you're all set :) – Steve Dodier-Lazaro Jul 17 '14 at 14:56
  • @woliveirajr - I was originally going to have a unique password for each site, but as Steve rightly points out, that's too much. I'll concentrate on the important websites. – Lou Jul 18 '14 at 18:52
1

I'm assuming you're facing either issue:

  • How to remember a different credential for each site
  • How to reuse credentials in ways that don't compromise your security too much, and how to know which credential to use where

To be honest, I as a security usability specialist do reuse passwords. Nobody can cope. That's normal and that's nothing to be ashamed of. There are a couple of tricks that can be useful to avoid losing access to your important accounts.

First, you should identify your most valuable assets. Always have a unique password for email and payment accounts. Your payment accounts (PayPal, banking..) are obviously valuable because they can make you poorer. Still, your email accounts are the most critical you have. If I steal your main email account I can learn on which other services you have accounts on and I can reset your password everywhere (through the lost password form)! There's an example of a guy who lost a very precious Twitter name because of getting his email account compromised.

Second, if you find a password manager you can use, get one. If you don't trust the big commercial companies with your data, consider open-source password managers.

Third, do you need to remember passwords to sites you barely ever connect to and you assign little value to? So long as a (rarely-used) site allows you to easily reset your password, you can put this to your advantage to reduce the number of passwords you need to remember. There are sites for which I only use the reset password and forget it immediately.

Finally, you can start grouping accounts by whatever semantics they have, so you can drastically reduce your number of passwords. A couple of criteria could be:

  • Do these accounts serve the same purpose to you? E,g, accounts where you can book/order things of the same type (without having your credit card attached)?
  • Are they attached to the same stakeholder/assets? Think different accounts in the same company (often they require you to handle 2 or 3 accounts because they can't properly handle Single-Sign On...)
  • Does the compromise of one lead to the compromise of the other? For instance if I can impersonate you on a specific service is that enough to hurt your assets on another service, e.g. OSN accounts with links to one another?

Hope it helps.

Steve Dodier-Lazaro
  • 6,798
  • 29
  • 45
  • 1
    "do you need to remember passwords to sites you barely ever connect to and you assign little value to?" I have thought about this. I will reuse stock passwords for minor sites of low security, because I don't want to have so many passwords that I need a database. I want to have them all in my head. (I'll write them down somewhere secure as a failsafe though.) – Lou Jul 16 '14 at 22:21
  • 1
    Good answer! And I'm glad to see you answering the question here :) [How to help users manage password portfolios based on risks of compromise?](http://security.stackexchange.com/questions/63344/how-to-help-users-manage-password-portfolios-based-on-risks-of-compromise) – nealmcb Jul 17 '14 at 16:37
  • Thank you! I was considering giving a link to that question since it's quite related. You might want to edit your question and point here as well? There are a bunch of nice answers already. – Steve Dodier-Lazaro Jul 17 '14 at 17:20
0

I've recently read a blog post from Sophos Security where they link to a study about how to remember complex passphrases which are not dictionary words, using spaced repetition - I think the same can be applied to passwords based on dictionary words.

The idea is to learn a passphrase over a period of time where it becomes more complex, rather than trying to remember it from the first time.

My suggestion, use that and words in different languages :).

Augusto
  • 398
  • 1
  • 11
  • I was worried this study would be carried around without critical assessment by non-scientists... Spaced repetition might work well as a learning tool, but that tells nothing of the long-term memorability of the password. Besides, with such a friendly training environment (motivated subjects who are paid to re-type the password every 30 minutes), they still have a failure rate of at least 30% (12% failure + 21% of 88% succeeding who admitted to cheat). – Steve Dodier-Lazaro Jul 16 '14 at 21:19
  • That's a fun idea actually: when changing a well-memorized password, adding a password to it, instead of replacing it. – drumfire Jul 16 '14 at 23:31
  • @drumfire the usual mantra of the password-expiration policy is that your old password is compromised, hence no it's not necessarily safe to just add something to it (depends on whether online vs. offline attacks). As usual the main factor of how (in)secure adding a few letters would be has nothing to do with the user but w/ the quality of the password storage :) Also what happens if you forgot the new bit of your password? – Steve Dodier-Lazaro Jul 17 '14 at 13:19
0

I'm not sure the general perceived opinion of this method, but here's what I do. In the correct horse battery staple example, my method is to add the website I'm browsing on to that. Suppose I were using a stackexchange account instead of my google account, my password would be something like:

correct horse battery staple stackexchange

More specifically, I add a rather large phrase (not just random words) as the first part, so in the classic Portal way, I could make these:

the cake is a lie stackexchange

The cake is a lie stackexchang3

The C4K3 is @ lie stackexchange

The key to remembering them is I always have the same first phrase where possible (I'm looking at you, microsoft), but vary the end to something tailored to the website I'm browsing.

Of course, if you prefer not to do that, as others have said: get a password manager.

Seiyria
  • 101
  • 2
  • 2
    And if one site's password database is leaked and your password recovered (say they didn't even properly hash and salt them, just use simple encryption on the database - yes, it still happens), you're in trouble on all other sites you have an account, if the attacker can guess or deduct which that might be (say, you leave traces about that on the initially breached site). What you suggest is not something I'd recommend. It's as safe as the crappiest protected site you have an account on. – TildalWave Jul 17 '14 at 03:51
  • I hate to be that guy, but I use a throwaway password for any site I don't frequent so it's not a huge issue. Also, OP was looking for ways to remember his password, and I gave him one that's still relatively secure. – Seiyria Jul 17 '14 at 12:47
-1

Here is another way to memorize passwords that aren't predictable, no matter how much someone knows about you:

From this article:

PASSPHRASES THAT YOU CAN MEMORIZE — BUT THAT EVEN THE NSA CAN’T GUESS

It turns out, coming up with a good passphrase by just thinking of one is incredibly hard, and if your adversary really is capable of one trillion guesses per second, you’ll probably do a bad job of it. If you use an entirely random sequence of characters it might be very secure, but it’s also agonizing to memorize (and honestly, a waste of brain power).

But luckily this usability/security trade-off doesn’t have to exist. There is a method for generating passphrases that are both impossible for even the most powerful attackers to guess, yet very possible for humans to memorize. The method is called Diceware, and it’s based on some simple math.

...then it goes on to describe a simple method to do the XKCD thing but with some true randomness behind it.

SDsolar
  • 977
  • 1
  • 6
  • 25