Make your passwords memorable but secure

This is apparently National ID Fraud Prevention Week, so my name is Bill Bartmann and welcome to my blog.

This is timely. The recent publication of email passwords online has set many people busily changing passwords. But how often do we create passwords like October09 or BenWarsop1 even though we know we shouldn’t? And we compound the problem by using the same password everywhere, leaving all our accounts wide open whenever a website emails us a forgotten password in plain text with the subject line ‘password’.

I’ve been mulling over how to create passwords which you, but only you, can reverse engineer. The suggestions here aren’t best practice (I am not sure what is, these days) and an additional option is to use a password manager. But you might find some of these approaches easy to use and more secure than what you are doing now.

We all know that passwords should be in a mix of upper and lower case with numbers and special characters, but too many people just tag a number on the end. A slightly more sophisticated alternative is to type in Leet. Leet (pronounced ‘elite’) looks like txtspk but 1s 1n f@ct ju5t sw@pp1ng letter5 with num6er5 in @ w@y th@t m0re or le55 keep5 th1ng5 legi6le. UK personal number plates tend to be in Leet.

But the challenge is more about mnemonics – devising an approach which you can remember but which is hard for others to predict. I have been playing with systems based on the name of the site or service. An example of such a system would be to assign the numbers 1-12 to the months of the year, and then count the number of letters in the site’s name. WordPress has 9 letters in it so the password would be September. There are several ways to write that in Leet, such as S3ptember. Better not to put the capital at the beginning: s3ptemBer. But what to do if the name has more than 12 letters in it? Simply do the numerologist’s trick and add the digits together so 14 becomes 5, or May.

If you don’t like months (and I don’t because I’ve just blogged about it) then other months are available. Counting rhymes are a good source of number systems. The 12 days of Christmas gives us nine ladies dancing, so WordPress would be ladies, or l@dIes if you write it in leet and capitalise the 3rd letter from the end. There are any number of counting rhymes like ‘One for Sorrow’ or ‘Yan Tan Tetherer’. There are other options: use the 1966 England squad if you know it by heart. It’s all a matter of what you can remember without looking up. But try to make the group not very obviously a group, which is why it is better to avoid things like the signs of the zodiac. It is harder to spot the pattern in earnest and serve than it is to spot it in earth and saturn, so better to use one of the mnemonics for the planets and not the planets themselves.

Ten or twelve passwords isn’t that many; working with the letters in the site name instead gives you 26 potential passwords, for example by using the international call-sign alphabet. If you choose the first letter, WordPress would be Whisky or wh1Sky. But that’s a little obvious; if I know your WordPress password is wh1Sky it would be easy enough to guess your Yahoo one was y@nKee. It would be better to consistently choose a letter that’s not the first letter, say the third one, rendering WordPress as roM3o.

It is poor practice to have just one word in your password, so it’s better to combine the two approaches: r0M3os2ptemBer. Of course, some site somewhere will be n0vemBern0vemBer but hey.

As you can guess, I am not a fan of using the international call sign alphabet because it is so recognisable. If you have any other alphabets in your head, from reading books to your children perhaps, then better to go with them:

  • A was an apple pie
  • B bit it
  • C cut it
  • D dealt it
  • E eat (ate) it
  • F fought for it
  • G got it
  • H had it
  • I inspected it
  • J jumped for it
  • K kept it
  • L longed for it
  • M mourned for it
  • N nodded at it
  • O opened it
  • P peeped in it
  • Q quartered it
  • R ran for it
  • S stole it
  • T took it
  • U upset it
  • V viewed it
  • W wanted it
  • X, Y, Z, and ampersand
  • All wished for a piece in hand

Combining this with the 12 days of Christmas would give me ranladies for WordPress, or r@nl@dIes in leet with an internal capital.

Again, other alphabets are available. For example, the cockney alphabet which goes ‘A fer ‘orses, B fer lamb, C for th’ighlanders’. It doesn’t need to be an alphabet, any long list will do if you count A for the first place, B for the second and so on. Are you a chemist? Use the periodic table. Do you know the Modern Major General off by heart? Or the Shipping Forecast? If you struggle with mnemonics for letters then Derren Brown describes several mnemonics for letters and numbers.

The thing is to devise an approach and stick to it, so that the letter you match is always the third letter of the site’s name, or you always use the international call-signs, or whatever. Then you can reverse engineer your password any time you need to.
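As an added illustration (not code from the post), here are the month-count and third-letter call-sign derivations from above in Python, together with a check for the author’s point that some site somewhere ends up with the same password as another. The exact Leet rule is an assumption chosen to reproduce the post’s own examples (roM3o, s3ptemBer, y@nKee, l@dIes), and the site names fed to the collision check are constructed input.

```python
# Added example, not the post's code: the site-name password schemes above. Assumed Leet
# rule: swap the first a/e/i, then capitalise the third letter from the end (fits the post).

MONTHS = ["january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december"]

CALLSIGNS = ["alfa", "bravo", "charlie", "delta", "echo", "foxtrot", "golf",  # NATO spelling alphabet
             "hotel", "india", "juliett", "kilo", "lima", "mike", "november",
             "oscar", "papa", "quebec", "romeo", "sierra", "tango", "uniform",
             "victor", "whisky", "xray", "yankee", "zulu"]

LEET = {"a": "@", "e": "3", "i": "1"}


def reduce_to_month_index(n: int) -> int:
    """Numerologist's trick from the post: add the digits until the value fits 1..12."""
    while n > 12:
        n = sum(int(d) for d in str(n))
    return n


def leet(word: str) -> str:
    """Swap the first a/e/i and capitalise the 3rd letter from the end (ladies -> l@dIes)."""
    chars = list(word.lower())
    for i, c in enumerate(chars):
        if c in LEET:
            chars[i] = LEET[c]
            break
    if len(chars) >= 3:
        chars[-3] = chars[-3].upper()
    return "".join(chars)


def month_word(site: str) -> str:
    """Letter count of the site name -> month (WordPress has 9 letters -> september)."""
    letters = [c for c in site if c.isalpha()]
    return MONTHS[reduce_to_month_index(len(letters)) - 1]


def callsign_word(site: str, position: int = 3) -> str:
    """Nth letter of the site name -> call-sign word (3rd letter of WordPress -> romeo)."""
    letters = [c for c in site.lower() if c.isalpha()]
    return CALLSIGNS[ord(letters[position - 1]) - ord("a")]


def combined_password(site: str) -> str:
    """The post's two-word combination: call-sign word then month word, both in Leet."""
    return leet(callsign_word(site)) + leet(month_word(site))


def collisions(sites):
    """Site names the scheme maps to the same password: the post's 'n0vemBern0vemBer' point."""
    seen = {}
    for s in sites:
        seen.setdefault(combined_password(s), []).append(s)
    return {pw: names for pw, names in seen.items() if len(names) > 1}
```

Two site names with the same third letter and the same letter count (after the digit-summing trick) always produce the same password, which is the collision the scheme cannot avoid.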

The problem with this is that you should change your passwords frequently, but I am rather stumped for an approach to that. You could of course just retire the 12 days of Christmas at the end of the year and replace it with Green Grow the Rushes-O or anything else that is stuck in your mind and won’t go away.

8 responses to “Make your passwords memorable but secure”

  1. I picked up a tip from a gaming forum. I’m not sure if it’s true, but the poster stated that a space inside a password can’t be recorded by keyloggers since it isn’t a character of any kind.

    I’ve been using it wherever I can, but not all sites/programs/gadgets will allow for a space within a password.

  2. I tend to use lines of songs – pick a suitably long line (8 words or more ) and use the first letter of each word. Add a capital and a couple of digits and it’s pretty strong.

    OidiaIpwyh37 is not readily guessable but quite memorisable – at least if you like Britney Spears — sorry, but that was what the music in the background had on right now 😉

    What it doesn’t do is link to the website in question – that one I’d never ever thought of. Hmmmm…

  3. Personally I have always the same password not to forget it and it’s a modification of my surname

  4. Oh, this is fascinating stuff! I am as guilty as anyone, although I do use an alpha numeric generally rated ‘strong’. The… ummm… SAME alpha numeric, every time! Perhaps I should work on this…

  5. Oh, interesting thought Titania – though I suspect that the space key is in fact a character because it can’t be nothing. I like the thinking though.

    That’s a good approach, SGV – perhaps link it with the site-specific approach – otndocmtlgtm9ld – on the ninth day of Christmas my true love gave to me 9 ladies dancing? I might think more about this but not share whatever I come up with!

    Can I have your date of birth please, Mutuelle, and your mother’s maiden name?

    That’s the trouble HFF, we do strong passwords, but the *same* strong passwords.

  6. Here’s a challenge for you Ben – look at all the various character maps in Windows (and you Mac users can stop making ugly faces right now!).

    Can you find a single one that contains the code for a space?

  7. Character maps, maybe not, but it’s denoted by mid-line dot when you have characters on in MS Word and when you use find and replace in Word it’s denoted by ^w for white space and ^s for non-breaking space. Spaces in file-names are converted to %20 in URLs.

    So there is clearly *something* going on there. Though just because Microsoft doesn’t show it in the character maps….

  8. If you did Santra’s song thing, it’d be easy enough to have the reminder be the song title (or whatever you call the song, if you’re bad with titles).
