What is your way to create good passwords that can actually be remembered?

Question

What are the methodologies which can be used to generate "human" good quality password?

They have to ensure a good strength and also easy to remember for a human being.

Answer 1

This XKCD comic describes a way to generate a good password. The quality of such passphrases has been discussed in : XKCD #936: Short complex password, or long dictionary passphrase?

Answer 2

Ahem.
Depending on what this password is to be used for, I would recommend a technique recommended even by crypto-great Bruce Schneier:

Write it down.

That's right - get yourself a REEAAAHEEELLYYY complex random password that you cannot remember, and WRITE IT DOWN.
Of course, write it someplace safe, not attached to outside of your laptop that the password is being used for.

Answer 3

I use a phrase. A proper phrase, with multiple words and spaces, but one I can easily remember.

"My favourite month of the year is the 3rd!"

Answer 4

I like to use the Shift your fingers method. Take an easy passphrase like 'stackoverflow', move your fingers 1 character to right as you type and you get 'dysvlpbtg;pe' which is a lot harder to guess or crack.

Although this works fairly well its best to add a few other twists to this like a memorable number and some special characters to make it a really strong password.

'dysvlpbtg;pe!1234$'

Using this method its easy to have a different and very good password for each site you use but for it still be re-memorable.

UPDATE:

@Larry & @AviD point out that if this method becomes more common it becomes more likely to be taken into account by cracking dictionaries and other attack methods.

Obviously there is a balance between the re-memorable and the super secure. Depending on the usage applying some of these techniques would help make this method stronger.

• Shift differently - don't just shift 1 character to the right. Go a different way and / or shift by a different number of characters. Using "stackoverflow" as an example passphrase again, shift down you get "xgz ,l dfv.ls", shift by 2 characters right you get "fudb;[ntyh'[r". This starts to improve the technique but obviously this can be adopted by attackers as well.
• Suffix and Prefix - Add a suffix and prefix into the mix, "@@stackoverflow$$" adds a load of other possibilities in to the mix.
• Be different - There are a lot of different methods suggested as answers to this question. Probably the best answer to the question, is to use a bit from each of them and make a method your own. In that way you will always remember it and if its unique to everyone else, it means it does not become weak as everyone else isn't doing the same thing.

Answer 5

I use Diceware. You need a six-sided die (or a good random number generator), and a Diceware word-list.

Throw dice to get a five digit number; for example 34512.

Look up the word in the list; for example jinx.

Repeat five times.

Length is the most important attribute of a password. This will generate a fairly long password.

/Roger

Answer 6

I take a line from a song I like, and then take the first letter from each word. This will most likely not exist in any password dictionary. Then, you can substitute special characters.

For example, take Elvis Presley's Hound Dog:

You ain't nothing but a hound dog, crying all the time

This would become:

yanbahd,catt

Then, sprinkle in some special characters, play with the case, etc:

Y@nBa!^d,c@Tt

Then, if you can remember the song lyric, hopefully you can remember the password.

Answer 7

Use a long sentence in your language. It's easier to crack a short, illegible password, than a long "plain" sentence. Choose lyrics from your favourite songs, quotes, whatever.

You can craft long (i.e., 40 characters or more) passwords this way, without having to think too much about them.

Answer 8

There is good advice at http://www.schneier.com/blog/archives/2007/01/choosing_secure.html and http://en.wikipedia.org/wiki/Password_strength

I think the key is to combine at least two seemingly unrelated pretty big sources of entropy. E.g. part of one medium-sized word combined with letters from the beginning of an idiosyncratic phrase, with some mixed case and numbers/symbols thrown in the middle. Do it in a way that you can make an odd and memorable story about it all, and make sure it is long enough, depending on how important it all is to you. Practice it for a while, and put some subtle hints about the story in a relatively private file.

You can also go overboard on picking a long or hard-to-remember password: http://www.schneier.com/blog/archives/2009/07/strong_web_pass.html

Answer 9

I think of a lie -- something that isn't true, and make it into a proper sentence such as "The sky really is Green!". (This isn't one I've used before)

They are easy to remember because they are just so odd.

Answer 10

I use a passphrase and random generator for that phrase (substitution cipher). I regenerate my key card monthly and keep a copy with me. I find the pseudorandom nature of it creates for strong passwords in a quasi-2 factor authentication. Something I have is my key card, something I know is my key phrase. As sample, I wrote a short app to build them here:

For example: my bank password could be "banking" and it would generate a very strong password for me, it would be easy to change, and my password would always be banking.

http://levii.com/cipher.php

*Edit: Just as a note, I proposed this method to the /. community back in 2005ish and haven't updated it since. I've been meaning to run some real research on it as part of my MS-ISA program.

Answer 11

For passwords, I use the following: two letters, then two digits, then two letters, then two digits. Letters are lowercase. Letters and digits are generated randomly.

It turns out that the resulting passwords are easy to remember (at least, easy for me; your brain might not be wired the same way than mine).

A good point of such passwords is that it is easy to compute their entropy: there are 26⁴x10⁴ possible passwords with this format, all with the same probability, thus an entropy of about 32.09 bits (a given password has probability 1/2^32.09 to be selected). 32 bits of entropy are not good for all usages, but they are good enough for most, including every usage where attacks are online. An online attack is one where the attacker must make a request to an "honest" system for each guess; e.g. a SSH server. Offline attacks (where the attacker can check a guess "alone", limited only by his computing power) are more scary and would require a stronger password.

Remember that knowing how much security you have is at least as important as having such security.

Bonus: here is the C program I use to generate those passwords (compiles under Linux and FreeBSD, should work on other Unix-like systems):

/*
 * Small utility for password generation.
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>

#include <sys/types.h>
#include <unistd.h>
#include <fcntl.h>

static unsigned
randval(unsigned max)
{
        static int fd = -1;

        unsigned char x;

        if (fd < 0) {
                fd = open("/dev/urandom", O_RDONLY);
                if (fd < 0) {
                        perror("open");
                        exit(EXIT_FAILURE);
                }
        }
        for (;;) {
                unsigned val;

                for (;;) {
                        if (read(fd, &x, 1) <= 0) {
                                if (errno == EINTR)
                                        continue;

                                perror("read");
                                exit(EXIT_FAILURE);
                        }
                        break;
                }
                val = (unsigned)x;
                if (val >= max * (256 / max))
                        continue;
                return val % max;
        }
}

static int
randletter(void)
{
        return "abcdefghijklmnopqrstuvwxyz"[randval(26)];
}


static int
randdigit(void)
{
        return "0123456789"[randval(10)];
}

int
main(void)
{
        printf("%c%c%c%c%c%c%c%c\n",
                randletter(), randletter(),
                randdigit(), randdigit(),
                randletter(), randletter(),
                randdigit(), randdigit());
        return EXIT_SUCCESS;
}

Answer 12

1. I start with a passphrase, such as pancakes.

2. Next, I make some substitutions - add numbers, symbols and capitals. pAzc@Kez.

3. Finally, I'll add a prefix or suffix for each site I use it on, such as pAzc@KezStack.

   PS: It's a good idea to have a few bases and alternate those as well.

Disclaimer: This is not any of my passwords. (Yes, I am eating a pancake as I write this.)

Answer 13

I use the password generator in Mac OS X, set to "memorable password" mode.

Answer 14

For medium-security sites:

1. Choose a word you would remember and it long enough - let's say it's porcupine.
2. Choose a number you would remember - don't use you birth year, month and day, neither for your relatives, etc.! - let's say it's 28.
3. When you need a password for site security.stackexchange.com - make it 28-porcupine+S.S.C

This password is rememberable, since you only need to remember 1 word and 1 number for all sites you visit, and can recover password for any site without any effort. Of course, you can change algorithm, but the idea is to use combination f(n, w, s) where n and w are fixed and s is generated from the site name.

For high-security sites (aka "if somebody gains access to this, my life is ruined") - generate long random password, write it down, put this paper somewhere secure - like with your passport, titles, etc. documents.

Answer 15

Unfortunately, many systems place silly restrictions on passwords, so the same method of generating "rememberable" passwords will not always work for me.

Most often I don't need to remember that many passwords. I write the important ones down in keepass or a PGP-encrypted text file, or both.

However, most ones that I chose for my unix systems are based on lines from songs or just silly phrases or expressions, where I let each word become a character, with case varied depending on the stress or intonation of the word, or what words have more "meaning" in the phrase. Good idea to suffix or prefix some representation of the system/site name as well.

About password length: on web sites I always chose passwords of more than 8 characters. My reasoning being that many "clueless" systems designers store just an MD5 hash of the users password without any salt. Web sites do get hacked, and even if I use different passwords everywhere, I still don't want a script kiddie to do a lookup in a pregenerated hash-to-plaintext table and find my "random" password there.

Answer 16

1. Shuffle a deck of cards.
2. The order of cards is your password.
3. Buy a new deck for each password. Don't drop the deck.

If coerced you can drop the deck, or in the case of the UK when they search your house they will scatter your deck and delete your password / encryption key.

;)

Answer 17

A password hint should just be something that reminds you what your password is without exposing the actual password. Which means it should be something you would understand, but that a stranger would not be able to figure out.

If you use a base password but sometimes you use all lowercase or sometimes special characters then you could use a hint that just explains that (i.e. hint is "all lowercase").

Or use LastPass, it is my favorite password keeping tool that I use for almost everything.

Answer 18

For my login passwords, I use software (pwsafe or KeePass, mattering where I am) to generate an ugly password of whatever length I need (9 characters?). Then I write it down on something that goes in my wallet. After a few days of using it I remember it well enough and I shred the paper. The backup there is keeping it in one of those programs that's on a different machine than the password is to :)

For everything else, software does that for me. Having a program remember your passwords is so much better than doing it yourself, I don't quite understand why people resist it.

Answer 19

To avoid Rainbow Table attacks, length is key. It is not uncommon when carrying out exploitation to grab SAM file or /etc/passwd and run a crack on the hashes. In the past I often used John the Ripper for a few days to see which hashes could be brute forced. These days I would quickly pop the hashes against a rainbow table and would have 95% of all the passwords under 9 characters (and if I wanted to check for 10 chars I could download the table for that length too - it just starts to get very big...)

Having said that, the 2 techniques I use are:

1. like pkaeding - lyrics from songs
2. the old CVC CVC CVC CVC CVC method (consonant, vowel, consonant) to whatever degree of entropy required

Answer 20

Here's yet another scheme for musicians:

qiurtyuqytnreqwerwmqweq
qqwnqqrtyyyttrrtyy7yytytrrtr
qweqqweqerterttytreqtytreqqbqqbq
32g5532g5532g5d5srr

Transpose or obfuscate further as desired.

Answer 21

One methodology I've heard of is to pick a page of a book and use the first letter of each word on a line. If you combine the capitalisation of the words and the odd number you can get a strong password that isn't easy to guess - all you have to do is remember the book and line!

Answer 22

I've recently been looking at Off The Grid by Steve Gibson. It's a paper based encryption which can encrypt a domain name (or any text really) and provide a password to use. There's plenty of information on the site about it.

The basics of it is you take a 26x26 table of characters. This table follows rules similar to Sudoku (only one of each character in each row and column). This starts it off with a lot of entropy (1400 bits minimum). The basics of how to use it are fairly easy (I won't bother re-typing it all out again). The biggest risk for it is if someone physically steals your grid. Even then there are few steps you can take slow (should be easily long enough to realize someone has stolen it). These methods include,

1. Choosing a different starting location
2. Salting (You can do this by pre-pending/appending something when performing the encryption)
3. When performing the encryption (read the appropriate page) instead of choosing the next two characters. Instead choose perhaps the next three characters, one across one up, two down one left, etc.

I'm not using it myself, but I don't have much difficulty remembering 20 random characters which I use in combination of Passpack (online password manager)

Answer 23

Depending on what I need it for, I'll calculate an MD5 or SHA1 on some random file and run over that a few times. That's rather weak though, in that it only contains 16 characters.

If I need something stronger, I'll type three or four characters into a Tripcode searcher and see what it throws back at me. Stick two of those together and run them over a few times, and you've got a pretty secure password in that it's really quite random.

Answer 24

I open a big book at a random page and use the first letter of the ~8 first words/lines. Not exactly easy to remember but it makes it very hard to completely "forget" your password.

Answer 25

Change your life :) have all password be extremely complicated, with no way to remember any of them. Get a password manager, I found KeePass pretty useful.

You can keep DB files on dropbox and use password + picture (binary file) to access passwords, keep the picture (file) only on devices you likely use to access password from (not on dropbox!).

Keep picture accessible but not obvious. So the system is still usable, but if hackers get your password DB files they can not get access to it by brute force.

This way you will need to remember only one password, which is much easier.

Change it and the file regularly and you you're safe.

DropBox keeps a history of your data for a month (?) so remember it when changing the DB password.

Answer 26

similar to some of the other answers, for some passwords a base it on a phrase which I find memorable then translate that into a password. So as an example

i;)@0dd^'s

is a reasonable password which I'd remember as "I wink at odd hats". Generally that or something based on first letters of a phrase (usually with some leet speak modifications and added punctuation).

Answer 27

I use the perl module Crypt:RandPasswd, which can create pronouncable phrases surrounded by misc. specials and numerics. I find that the pronounciation rules limit the keyspace, but they make the mental part much easier. Even if I have to lookup a password, I can remember it long enough to type correctly first time.

A password might look like this: Vorda#Capis%99^

Answer 28

I find a totally random, complex string of characters by randomly hitting keys on my keyboard in a pattern my fingers are comfortable with and can do very quickly. Techniques I use to do this are:

• alternate successive keys between hands for speed or use small groups of keys (2 or 3) next to each other on the keyboard, alternating the groups between each hand to make up the full password. It is hard to type an entire password quickly with just one hand
• literally make the keys random and not spell anything or even a variant of something
• when you change passwords, change your finger pattern significantly enough to hit totally different keys and key patterns (and not the same pattern shifted 1 or 2 keys in any direction)

After I have my random password, I practice typing the new password a few times to get my muscle memory to retain the key pattern. After my password is set, I log into a few systems in a row to further retain the key pattern.

In the end, you will have a totally random password that is difficult for you to forget because you aren't even remembering a string of characters, just a pattern your fingers take on the keyboard that doesn't mean anything at all to anyone, even you. Sometimes when I accidentally type my password in a clear text field (everyone has done this at some point...) it looks totally foreign to me because I don't think of the string, just the pattern I am hitting on the keyboard.

This method also doesn't translate to similar passwords and patterns among different users because everybody types differently. What is easy and fast for one person to type may be more difficult for another.

Answer 29

Create some new words: splur, bambile, egilomanifastic, spilomasilomagnitolistable. Combine for a bit of fun rhyme and an easy mnemonic.

Answer 30

If English is not your mother tongue, you are lucky. I would suggest using a passphrase that uses a combination of English words with words from your native language or languages. Such a password will be quite difficult to guess.

Of course you should choose a passphrase that can be remembered easily by you. I am not a big fan of creating too complex passwords, just remember that the password should not be easily guessable and should not be listed in a dictionary.

I also recommend not to have a single password for all your accounts. I maintain a small pool of passwords (this will come with practice). Your net banking password should not be reused for your eBay or monster.com account. Once I clicked on forgot password link of a job site and they sent me my password in plaintext. Basically you cannot trust every random website out there!

Answer 31

What about a password with a rotating key, based on what you are doing? Example: My core password is P4$$w3rdthati$h4rd (yeah, that's really what I use)

I want to use it for GMail. I start with P4$$w3rdthati$h4rd and add gm to the end (P4$$w3rdthati$h4rdgm). This way I only have to remember two or three letters based on what I'm doing, as my password is relatively consistent across services (public and private). I may use a tail ending (suffix) modifier for internet stuff, and a beginning modifier (prefix) for private stuff. Or insert it in the middle.

I'm open to flames if you feel this is bad practice, but I've never run into someone guessing my passwords, and I've never needed to write them down.

Answer 32

I used to take four random words, substitute some of the letters for numbers, and append four numbers plus a special character. The problem was, that was a bit difficult to remember - now, I have take my favourite line from the book I was reading the previous month and do a similar substitution plus some capitalisation changes, e.g:

"A human head rises up from a swamp of sleep" (number9dream, David Mitchell) becomes "Ahum4nH34dR1s3sUpfR0mASw4mpOfSl33p!"

It has acceptable entropy and the computational complexity of a brute-force search means that such an attack is impractical.

Answer 33

Two more points:

a. Along with all other methods, one more way to increase entropy:

Go beyond just (plain) English.

If we combine (seed) words from more that one language the password guessing/search area immediately becomes HUGE. And that would certainly confuse people writing password guessing rules.

Then again that would require having a broader field of thinking than the "bad guys". Perhaps it comes down to "our" intellect against "theirs". Perhaps, the broader thinking should be:

Go beyond just CS methods.

So, what other such ways can we think to outsmart password guessing?

b. One point not seen mentioned so far: Thinking from the administrator's side, let's not forget that any password generation rules may also have to adhere to the password policy of your organization. E.g. I have difficulty thinking how the method words-separated-by-spaces (using uncommon words!) could be easily implemented and enforced in an enterprise environment (OK, parsers, dictionaries etc. but you get the idea...)

And how about educating and convincing users to use this or any other method...?

Answer 34

First reccomendation is something like lastpass or keepass, but I know those aren't always practical and my less technically savvy friends certainly don't want to "complicate things any more" so I have found that a substitution cipher works fairly efficiently and allows for easy remembrance of your password while making it very unlikely for it to be guessed or easily hacked.

I put an example out there http://levii.com/cipher.php ... I use at least a 4 letter key word (so "BANK" for my bank "WORK" for my work) which I don't bother changing -- I keep the card in my wallet and print a new one up every couple of months when its time to change the password. (note: this is not the actual app I use to generate my cards, but is conceptually the same)

Answer 35

My way is in no way unbreakable, primarily because it relies on security through obscurity, but it is better than password reuse and doesn't rely on keeping much remembered. I xor a repetition of the url of the site in question with a long password of my choosing. In this way, you only remember one password yet a compromise of one site's password store doesn't compromise your other logins. This has potential for infinite variation. You could do the url followed by the ip address, the url reversed, the url translated to spanish, etc, etc.

Answer 36

I have a long password I use which I can type in from memory each time which I created by remembering a specific zig-zag path across the keyboard, one which passes through letters, numbers, and symbols, and then tapping out the keys that make up that path in the rhythm of a drum pattern from a favorite post-dubstep track of mine, shifting some of the characters according to where the snares are in that drum pattern.

This is a different 'path' to what I use, but you can see how complex a password this technique gets you, and with a little bit of practise it's quite memorable:

\]={-p)o9I8u&y6T5r$e3W2q

Then for different applications I'll I will usually add at the end my old Hotmail password I came up with when I was 11, or my date of birth backwards, or something like that that I can remember easily.

Answer 37

Let you choose a verse from your favorite song in the history or just in this period of time.

Take a random sentence, make some CamEl cAse permutation, you can even use a script kiddie charset substitution to m4k3 1t l00k1ng so CoMpl3X and difficult to guess.

Ideally, you write an English sentence, like: this morning I am so blue. Actually your password can be: Th1S M0rn1Ng I 4M s0 Blu3.

Easy to remember and after some input also easy to type.

Answer 38

My way is to change some letters with similar numbers and every new word start with uppercase.

for example: Th1sIsGreatPassw0rd!

i=1,

0=o

and at the and '!' or something else.