Creating secure and easy to remember passwords

Recently one of my business partners forgot the password to his account on a server at my organization and asked me to reset it for him. My server requires at least one character from each of: upper-case letters, lower-case letters, digits and special characters. He explained that he had forgotten where he had put the additional special characters in his password. He is a technically savvy guy who used to work for a security company, so I was surprised he didn't know a method for creating easy to remember passwords that meet the above criteria. I promised him that I would send him a link later to an article describing the one I have been using for many years. I thought this method was widely known and described in several places, so I was even more surprised that I couldn't find it anywhere on the internet. Hence this article (I want to keep my promise ;) )

The method I've been using is a special case of what is now widely called Bruce Schneier's method. It was actually shared with me back in about 1999, while I was a CS student at MIMUW, by one of the lecturers: credit to him, unfortunately I don't remember who it was exactly :(

So the idea is that you first create a sentence that is easy for you to remember, for example something personal, like "When I was 27, I married my wife", and then put the first letter of each word, plus all digits and special characters, into your password: WIw27,Immw
That's more or less what Bruce Schneier described in his article. However, to make the password long enough and give it enough entropy across all 4 character classes, his examples randomly turn some letters into special characters (like a -> @) or put some randomly chosen whole words into the password. This makes the password harder to remember and, as has been pointed out many times, common substitutions like a -> @ do not increase password security (password cracking programs know about them too).
Note: the mentioned article has since been updated and is now surprisingly similar to mine ;-]
The very simple idea that was shared with me is to build sentences containing dates, distances and/or prices, since those naturally supply the digits and special characters the policy demands. Again, come up with something personal to you, so it's easy to remember. For example:

Of course you can combine dates, distances, prices and other things like that, as long as they are easy for you to remember (note that some words are abbreviated by hand here: November -> 11, "two and a half dollar" -> 2.5USD, Gigabyte -> GB):
"On November 51st 2014 Jane Austin paid two and a half dollar for 1 Gigabyte of 99 octane gas"  ->  O11/51/2014JAp2.5USDf1GBo99og
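As an added illustration (example code written for this page, not part of the original method or of any tool), here is a small Python helper that applies the mechanical part of the rule above, the first letter of each word plus every digit and special character, and then checks the result against the four-class policy from the introduction. The hand-made abbreviations in the second example (November -> 11, "two and a half dollar" -> 2.5USD) are not automated; the minimum length of 8 is an assumption, since the page only states the character-class requirement. The sentences in the demo are constructed (the first is the article's own example).

```python
import string

SPECIALS = set(string.punctuation)


def sentence_to_password(sentence: str) -> str:
    """Mechanical rule from the article: keep the first letter of every word,
    plus every digit and special character, in the order they appear.
    All other letters are dropped."""
    out = []
    for token in sentence.split():
        if token[0].isalpha():
            out.append(token[0])
        # digits and punctuation survive wherever they sit inside the word
        out.extend(ch for ch in token if ch.isdigit() or ch in SPECIALS)
    return "".join(out)


def missing_classes(password: str, min_length: int = 8) -> list:
    """Return the list of policy requirements the password fails.
    An empty list means it satisfies the upper/lower/digit/special rule
    (and the assumed minimum length, which the article does not state)."""
    checks = [
        ("length", len(password) >= min_length),
        ("upper", any(c.isupper() for c in password)),
        ("lower", any(c.islower() for c in password)),
        ("digit", any(c.isdigit() for c in password)),
        ("special", any(c in SPECIALS for c in password)),
    ]
    return [name for name, ok in checks if not ok]


if __name__ == "__main__":
    # Constructed sentences; the first one is the article's own example.
    for sentence in [
        "When I was 27, I married my wife",
        "I like my dog",                      # no digits, no specials: rejected
        "At 7:45 my train costs 3.20 EUR",    # fake timetable and price, as advised
    ]:
        pw = sentence_to_password(sentence)
        print(f"{sentence!r} -> {pw!r}, missing: {missing_classes(pw)}")
```

Running it shows why the date/price trick matters: a plain sentence like "I like my dog" collapses to "Ilmd" and fails on length, digit and special, while the sentence with a time and a price passes every check without any leet-style substitutions.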

Remember, however, that password crackers will use all available information about you to crack your password. This includes, but is not limited to, the birth and wedding dates and places of you and your relatives, the places where you and your relatives used to live or work, etc. Basically everything they can find. If they get access to your phone, your computer or an account on some internet service, they will index every string, date and number they can find there and feed it to password cracking software to get access to more of your accounts. Therefore it is critical that you don't use your real personal data to create your passwords. Use fake dates, distances, prices and names that are somehow easy for you to remember, but that you have never written down on your phone or computer (notice that all the above examples are unreal). You can, for example, use a route that your friend often commutes on, but give the time it takes you to visit your parents' house. You can write about the price of your mother's favourite newspaper, but use the price of your favourite candy, etc.


Some typical bullshit nobody will care about (read: very important information that can save the world ;) )

Don't reuse your password across several online services! At least not in the important ones: if one service is breached, the crackers will be able to get into every other account that shares the password. It may be acceptable (although definitely not recommended) to reuse the same password for several news sites that just store which articles you have already read, but passwords for your bank, PayPal and anything you care about should be separate and never reused.
I know it's hard to remember many passwords, but fortunately there are solutions to this as well: password managers and password hashers (hash-based password generators).

Password managers are fairly popular and most people know about them. Many people, for example, use the ones built into their browsers. It is, however, damn important to make sure that your passwords are stored securely. For example, Firefox lets you encrypt your saved passwords with a master password, but by default it stores them effectively as plain text (without a master password, the key that protects them sits unprotected right next to them)... Skype used this fact to steal the Firefox-saved passwords of its users ;]
Another problem with password managers is that if you lose your computer, your hard drive fails or you accidentally delete files from it, you lose access to all those accounts.
For this reason some companies offer password manager apps and promise to keep your passwords safe. Unfortunately safe does not mean secure: I don't recommend that anyone entrust all their passwords to some for-profit entity on the internet. First, their intentions may not be that honest or genuine (again: these are for-profit entities); second, they may get hacked themselves: since they store a lot of high-stakes data, they are a tempting target for all kinds of bad actors out there. Some of these companies may try to reassure you with promises like "our app encrypts your data before it reaches our servers, so your passwords are secure": of course that's bullshit unless the app is open-source and independently verified to indeed encrypt things in a secure way (if it's not open-source it may have backdoors and is more likely to have bugs: proprietary software is infamous for insanely misdesigned and poorly implemented crypto: see M$ PPTP for example ;-] ).
An open-source password manager app that securely stores an encrypted backup of your passwords in the cloud may actually be a good solution; unfortunately I'm not aware of any: if you know one, let me know ;)

Password hashers generate a secure and unique password for each site from your one master password. The process is offline and repeatable, so if you lose your password manager data, you can easily recreate all your passwords without relying on any third party, using just your master password.
This process is fairly secure because it uses cryptographic hash functions (hence the name), so it is reasonably hard/expensive to reverse any of your site-specific passwords to get the master one, as long as your master password is strong and your hasher uses a modern, secure algorithm (preferably a deliberately slow password-based key derivation function such as PBKDF2, scrypt or Argon2; certainly not MD5 anymore). One practical caveat: because the derivation is deterministic, you cannot change a single site's password (after that site is breached, say) unless the hasher mixes in a per-site counter that you remember or record, and the output still has to satisfy each site's own character-class rules.
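To make the scheme concrete, here is an added example of such a hasher in Python (example code written for this page, not the author's tool or any existing hasher). The design choices are assumptions: PBKDF2-HMAC-SHA256 as the slow step, the site name plus a rotation counter as the salt, a 74-character output alphabet that most sites accept, rejection sampling so every character is equally likely, and a cheap attempt index that is bumped until the output contains all four character classes, so the result is still fully reproducible from (master, site, counter). The master password in the demo is the article's own sentence-derived example, used only as a stand-in.

```python
import hashlib
import hmac
import string

# Assumed output alphabet (not from the article): letters, digits and a
# conservative set of specials that most sites accept.
SPECIALS = "!@#$%^&*-_=+"
ALPHABET = string.ascii_letters + string.digits + SPECIALS


def has_all_classes(password: str) -> bool:
    """True if the password has at least one upper, lower, digit and special."""
    return (any(c.isupper() for c in password)
            and any(c.islower() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in SPECIALS for c in password))


def _encode(key: bytes, attempt: int, length: int) -> str:
    """Turn a derived key into `length` alphabet characters.
    Bytes come from HMAC-SHA256(key, attempt || block) and are rejection-sampled
    so every alphabet character is equally likely (no modulo bias)."""
    limit = 256 - (256 % len(ALPHABET))
    chars, block = [], 0
    while len(chars) < length:
        msg = attempt.to_bytes(4, "big") + block.to_bytes(4, "big")
        for b in hmac.new(key, msg, hashlib.sha256).digest():
            if b < limit:
                chars.append(ALPHABET[b % len(ALPHABET)])
                if len(chars) == length:
                    break
        block += 1
    return "".join(chars)


def derive_site_password(master: str, site: str, counter: int = 1,
                         length: int = 16, iterations: int = 200_000) -> str:
    """Deterministic per-site password from one master password.

    The slow step (PBKDF2-HMAC-SHA256, salted with the site name and a
    rotation counter) runs once; a cheap attempt index is then varied until
    the encoded output satisfies the character-class policy."""
    salt = f"{site}\x00{counter}".encode("utf-8")
    key = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt, iterations)
    for attempt in range(256):
        pw = _encode(key, attempt, length)
        if has_all_classes(pw):
            return pw
    # Practically unreachable for any sensible length (>= 8 characters).
    raise RuntimeError("character-class policy not satisfiable at this length")


if __name__ == "__main__":
    master = "WIw27,Immw"  # the article's example password, as a stand-in master
    for site in ("bank.example", "mail.example"):
        print(site, derive_site_password(master, site))
    # Bumping the counter rotates one site's password without touching the others.
    print("bank.example rotated:", derive_site_password(master, "bank.example", counter=2))
```

Everything an attacker could learn from one leaked site password is the output of a one-way function of the master; recovering the master still means brute-forcing it through 200,000 PBKDF2 iterations per guess, which is why the strength of the master sentence remains the whole game. The counter is the part you have to remember per site; without it, a breached site's password could only be changed by changing the master and therefore every other password too.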



Copyright 2015-2020 Piotr Morgwai Kotarbiński