Creating secure and easy to remember passwords

Recently one of my business partners forgot his password to his account on a server at my organization and asked me to reset it for him. My server requires at least 1 character from each of upper/lower case letters, digits and special characters. He explained that he had forgotten where he put the additional special characters in his password. He is a technically savvy guy who used to work for a security company, so I was surprised he didn't know a method for creating easy to remember passwords that meet the above mentioned criteria. I promised him that I would send him a link later to an article that describes the one that I had been successfully using for many years. I thought that "my" method was widely known and described in several places, so I was even more surprised by the fact that I couldn't find it anywhere on the internet. Hence this article (I want to keep my promise ;)

The method I've been using is a special case of what is now widely called Bruce Schneier's method. It was actually shared with me back in about 1999, while I was a CS student at MIMUW, by one of the lecturers: credits to him, unfortunately I don't remember who it was exactly :(

So the idea is that you first create a sentence that is easy for you to remember, for example something personal, like "When I was 27, I married my wife", and put the first letter of each word, plus all digits and special characters, into your password: WIw27,Immw
That's more or less what Bruce Schneier described in his article. However, to make the password long enough and to get enough entropy and all four character classes into it, he suggests randomly changing some letters into special characters (like a -> @) or putting some randomly selected words into the password in full. This makes the password harder to remember, and as has been pointed out many times, common substitutions like a -> @ do not increase password security: password cracking programs basically know about them and try such variants of every dictionary word as a matter of course.
The very simple idea that was shared with me is to create sentences containing dates, distances and/or prices: each of them brings digits and a special character (a slash, a dot, a currency sign) into the password naturally, without any artificial substitutions. Again, come up with something personal to you, so it's easy to remember. For example:

Of course you can combine dates, distances, prices and other things like that, as long as they are easy for you to remember:
"On December 8th 2014 Jane paid two and a half dollars for 1 liter of gas"   ->   O12/8/2014Jp2.5USDf1log
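The rule can be applied mechanically once the sentence is written with its numbers as digits ("On 12/8/2014 Jane paid 2.5USD for 1 liter of gas"): every word contributes its first letter, any token that contains a digit is copied whole, and punctuation attached to a word is kept. The Python below is an added example, not code from the original post; it derives the password that way and then checks the result against the four-class policy from the beginning of the article. The policy_problems function, its minimum length of 10 and the third sample sentence are my assumptions; the other two sentences are the article's own, rewritten with digits.

```python
import string

# The four character classes the server policy from the start of the article
# requires. (Added example, not the post's own code.)
CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}


def derive_password(sentence: str) -> str:
    """Turn a memorable sentence into a password the way the article describes.

    Each word contributes its first letter; punctuation inside or after the word
    ("wife," -> "w,") is kept; any token that contains a digit (a date, a price,
    a distance, "27,") is copied whole. Write the numbers as digits in the
    sentence, as the article's examples do ("12/8/2014", "2.5USD").
    """
    parts = []
    for token in sentence.split():
        if any(ch.isdigit() for ch in token):
            parts.append(token)
        else:
            punctuation = "".join(ch for ch in token[1:] if ch in string.punctuation)
            parts.append(token[0] + punctuation)
    return "".join(parts)


def missing_classes(password: str) -> list:
    """Names of the required classes that do not occur in the password."""
    present = set(password)
    return [name for name, members in CLASSES.items() if not present & members]


def policy_problems(password: str, min_length: int = 10) -> list:
    """Everything the password fails; an empty list means it passes the policy.

    The minimum length is an assumption: the article only says "long enough".
    """
    problems = missing_classes(password)
    if len(password) < min_length:
        problems.append(f"shorter than {min_length}")
    return problems


if __name__ == "__main__":
    # The article's own sentences, rewritten with numbers as digits, plus one
    # constructed sentence that fails the policy (no special character, too short).
    for sentence in (
        "When I was 27, I married my wife",
        "On 12/8/2014 Jane paid 2.5USD for 1 liter of gas",
        "Jane walks 3 miles to work every day",
    ):
        pw = derive_password(sentence)
        print(f"{sentence!r:55} -> {pw:25} {policy_problems(pw) or 'OK'}")
```

The third sentence shows the point of the dates-and-prices trick: a distance written as a bare number brings digits but no special character, while a date or a price brings both.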

Remember however that password crackers will use all available information about you to crack your password. This includes, but is not limited to, the birth and wedding dates and places of you and your relatives, the places where you and your relatives used to live or work, etc. Basically everything they can find. If they get access to your phone/computer or to an account on some internet service, they will index every string, date and number they can find there and feed it to password cracking software to get access to more of your accounts. Therefore it's critical that you don't use your real personal data to create your passwords. Use fake dates/distances/prices/names that are somehow easy for you to remember, but that you have never written down on your phone or computer (notice that all the above examples are unreal). You can for example use a route that your friend often commutes on, but give the time it takes you to visit your parents' house. You can write about the price of your mother's favourite newspaper, but use the price of your favourite candy, etc.


Some typical bullshit nobody will care about (read: very important information that can save the world ;)

Don't reuse your password in several online services! At least not in the important ones: if one service is cracked, the crackers will try the leaked e-mail/password pair on every other service they can think of. It may be fine to reuse the same password for several news sites that just store which articles you have already read, but passwords for your bank, PayPal and anything you care about should be separate and never reused.
I know it's hard to remember many passwords, but fortunately there are solutions to this as well: password managers and password hashers.

Password managers are fairly popular and most people know about them. Many people for example use those built into their browsers. It is however damn important to make sure that your passwords are stored securely. For example Firefox allows you to encrypt your passwords with a master password, but by default no master password is set, so any program running under your account can read them... Skype decided to use this fact to steal Firefox saved passwords of its users ;]
Another problem with password managers is the fact that if you lose your computer, your hard drive fails or you accidentally delete files from it, you will lose access to all these accounts (unless you keep a backup of the manager's database somewhere safe). Therefore I use password hashers instead, or at least in conjunction with password managers.

Password hashers generate a secure and unique password for each site from your one master password and the site's name. The process is repeatable, so if you lose your password manager data you can easily recreate all your passwords with just your master password. This way you really need to remember just one password.
This process is fairly secure as it uses cryptographic hash functions (hence the name), so nobody can reverse one of your site-specific passwords to get the master one. Two caveats follow from the same design, though: the hash is fast, so an attacker who obtains one of your site-specific passwords (say, from a breached site that stored it in the clear) can guess master passwords offline until one reproduces it, which means the master itself must be genuinely strong; and because the derivation is deterministic, changing the password for a single site means changing the master (and with it every other site's password) unless the hasher lets you add a per-site counter.
I personally use Stanford PwdHash which includes a Firefox plugin.
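The derivation a hasher performs fits in a few lines. The Python below is an added, simplified illustration and not Stanford PwdHash's actual algorithm: it keys HMAC-SHA256 with the master password, hashes the site's domain, base64-encodes the result and deterministically patches in any character class a site policy demands, so the same (master, domain) pair always yields the same password. It also demonstrates why the master password has to be strong: offline_guess recovers the master from a single leaked site password by trying candidates from a constructed wordlist, exactly as an attacker would. The function names, the 16-character default, the fill alphabets and the wordlist are my assumptions.

```python
import base64
import hashlib
import hmac
import string

# Character classes a site policy may require, and the alphabet used to fill a
# missing one. The fill set for specials is deliberately small because some
# sites reject other symbols. (Added example; these choices are assumptions.)
CLASS_MEMBERS = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}
FILL_ALPHABET = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digit": string.digits,
    "special": "!@#$%^&*",
}


def missing_classes(password: str) -> list:
    """Names of the required classes that do not occur in password."""
    present = set(password)
    return [name for name, members in CLASS_MEMBERS.items() if not present & members]


def site_password(master: str, domain: str, length: int = 16) -> str:
    """Derive the password for one site from the master password.

    HMAC-SHA256 keyed with the master password over the lower-cased domain,
    base64-encoded and truncated. Nothing about the master can be read back
    from the output, and different domains give unrelated outputs.
    """
    if not 8 <= length <= 44:              # base64 of 32 bytes is 44 characters
        raise ValueError("length must be between 8 and 44")
    digest = hmac.new(master.encode("utf-8"), domain.lower().encode("utf-8"),
                      hashlib.sha256).digest()
    chars = list(base64.b64encode(digest).decode("ascii")[:length])
    # Deterministic fix-up for the policy: class number k, if absent, is written
    # into slot k with a character selected by digest byte k. Every class owns
    # its own slot, so each pass makes at least one more class permanent and the
    # loop ends with all of them present, still a pure function of the inputs.
    for _ in range(len(CLASS_MEMBERS) + 1):
        missing = missing_classes("".join(chars))
        if not missing:
            break
        for slot, name in enumerate(CLASS_MEMBERS):
            if name in missing:
                alphabet = FILL_ALPHABET[name]
                chars[slot] = alphabet[digest[slot] % len(alphabet)]
    return "".join(chars)


def offline_guess(leaked: str, domain: str, candidates, length: int = 16):
    """Return the candidate master that reproduces a leaked site password, else None.

    This is what an attacker does with one leaked site password: the hash is
    fast, so a weak master falls to a wordlist in seconds.
    """
    for guess in candidates:
        if hmac.compare_digest(site_password(guess, domain, length), leaked):
            return guess
    return None


if __name__ == "__main__":
    master = "correct horse battery staple"   # constructed example master
    for domain in ("example.com", "example.org"):
        pw = site_password(master, domain)
        print(domain, pw, "missing:", missing_classes(pw))
    # Constructed wordlist: a weak master shows up immediately.
    wordlist = ["123456", "password", "qwerty", "letmein"]
    leaked = site_password("letmein", "example.com")
    print("recovered master:", offline_guess(leaked, "example.com", wordlist))
```

Hashing the lower-cased domain rather than the full URL is what makes the password the same for every page of a site; a real hasher also has to decide what to do about sites that serve the login form from a different domain than the rest of the site, and about the per-site counter mentioned above.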



Copyright 2015 Piotr Morgwai Kotarbiński