Password Production
Since I’ve been futzing about with human-friendly security of various forms recently, it occurred to me that I ought to pass along a password-generation technique I’ve used for years now. Maybe it’s a well known technique, and maybe not. In any case, my best recollection is that I learned it from either John Sully or Jim Nauer back in my CWRU days.
The general idea is to pick a two-word combination you can easily remember. For example, suppose you’re a big fan of pizza and Pepsi, and would have no trouble remembering those words. Perfect: use them as the basis of your password. No, you don’t make it “pizzaPepsi”—instead, you interleave the words. That would yield “pPiezpzsai”. It looks fairly random, and yet is very easy to recreate because the seed words are so easy to remember. Bear in mind that it only looks random: reading every other letter gives the two words straight back, so the strength comes from how hard the seed words are to guess, not from the shuffle. If you have trouble remembering the exact sequence of letters, you can just write the words down on a piece of scrap paper and follow along.
In cases where your two words have different lengths, you can always tack on numbers. For example, maybe your seed words are “milkshake” and “fries”. That would normally yield “mfirlikesshake”, which is okay, but you could tack the numbers “123” onto “fries” to get “mfirlikessh1a2k3e”. Alternatively, you could put the numbers at the beginning, so you get “m1i2l3kfsrhiaekse”.
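To make the recipe concrete, here is the interleaving written out as code, along with the two checks a practitioner would want next to it: how easily the shuffle is undone by someone who knows the method, and how big the guess space really is. This is an added example, not code from the original post; the word list size used in the comparison is an assumption.

```python
import itertools
import math
from typing import Tuple


def interleave(first: str, second: str) -> str:
    """Alternate letters from the two seed words, as the post describes.

    When one word runs out, the remainder of the longer word is appended as-is,
    which is how "milkshake" and "fries" give "mfirlikesshake".
    """
    pairs = itertools.zip_longest(first, second, fillvalue="")
    return "".join(a + b for a, b in pairs)


def pad_with_digits(word: str, digits: str = "123", at_start: bool = False) -> str:
    """Tack a digit run onto the shorter seed word, at either end, before interleaving."""
    return digits + word if at_start else word + digits


def deinterleave(password: str) -> Tuple[str, str]:
    """Undo the shuffle: every other letter is one seed word, the rest the other.

    Exact when the seeds have equal length; with unequal lengths the tail is
    ambiguous, but only a handful of split points need to be tried. Either way
    the interleaving hides nothing from someone who knows the recipe.
    """
    return password[0::2], password[1::2]


def recipe_search_space_bits(dictionary_size: int, digit_padding: bool = False) -> float:
    """Log2 of the guesses needed to cover every two-word interleave.

    An attacker who knows the method tries each ordered pair of dictionary words
    (dictionary_size squared, since pizza/Pepsi and Pepsi/pizza differ) and, if
    digits are in play, both placements of the digit run. Compare the result with
    math.log2(26 ** n) for n uniformly random lowercase letters.
    """
    guesses = dictionary_size ** 2
    if digit_padding:
        guesses *= 2
    return math.log2(guesses)


if __name__ == "__main__":
    print(interleave("pizza", "Pepsi"))                       # pPiezpzsai
    print(interleave("milkshake", pad_with_digits("fries")))  # mfirlikessh1a2k3e
    print(deinterleave("pPiezpzsai"))                         # ('pizza', 'Pepsi')
    # Assumed 50,000-word dictionary versus ten truly random lowercase letters.
    print(round(recipe_search_space_bits(50_000, True), 1), "bits for the recipe")
    print(round(math.log2(26 ** 10), 1), "bits for 10 random letters")
```

The last two lines are the point: two common words interleaved, even with a digit run, land in the low thirties of bits, while ten random lowercase letters are about 47 bits. The shuffle adds readability for the typist, not work for the guesser.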
I’ve found that when I start using a new password created this way, it takes me a few days to adapt to it. I usually have the seed words written down some place handy during that training period. Then my fingers take over, and from then on I can type it blindfolded in less than a second. I don’t even think about the actual characters I’m typing: I just start, and the muscle memory kicks in.
So if you’re looking for a way to generate harder-to-crack passwords, there’s one possibility. How about you—do you have any nifty human-friendly password-creation recipes?
59 Responses
Received from Meriblog: Meri Williams' Weblog » Everyone’s Talking About…
[...] rchable information sources!). There are some interesting techniques put forward, first by Eric Meyer and then also by Matt Haughey. I have a similar tiering scheme for p [...]
Lucas Carlson wrote in to say...
One way I do it is by keyboard patterns. I will memorize a pattern from typing on the keyboard… for example… zxcvbnm is not in any dictionary, but is very easy to remember. You can make much more complex and yet easy to remember patterns this way too. Press the shift key on every other letter for another layer of security. However, it is usually nearly impossible to remember what the actual letters are if someone was to ask you what your password was.
James wrote in to say...
It’s a bit of an oldie now, but I found this article by Robert Hensing more than helpful when it comes to passwords; use pass-phrases instead.
http://blogs.msdn.com/robert_hensing/archive/2004/07/28/199610.aspx
It sort of expands on the idea of two key words. You simply remember a whole phrase instead (it only takes an extra half second to type ericmeyerusesalotofcss instead of xrhotcmkls); it’s harder to crack and just as easy to remember.
Fatty wrote in to say...
Myself, I tend to go for mnemonic passwords – take a phrase (e.g. “Eric Meyer’s books are great!”) and take the first letter of each word:
EMbag
Will pass a dictionary search, but still vulnerable. Could be improved by splicing some punctuation in there, along with the common substitutions like 4 or @ for a, 3 for e, etc:
EM'bk@Gr8!
Again, this takes a little longer than a dictionary password to get settled in your head, but once you’ve had it for a week or two then you can type it in without thinking.
Leszek Swirski wrote in to say...
Personally, since I’m Polish, I just use obscure Polish words that no-one will ever be able to remember, let alone spell properly.
torch wrote in to say...
I always use Bible Scripture references. Since a lot of passwords are required to use a combination of upper & lower case, as well as numbers and punctuation (or any combination of those elements), bible verses, when written out correctly, use all of them.
John3:16 for example (no space between the word and the numbers). I’d pick something more obscure than that well-known verse, though.
Hezekiah2:15 anyone?
isil flynn wrote in to say...
You could also create a universal password algorithm that would work for anything. For example, let’s choose an 8 character algorithm such that the first two characters are the first two letters of the object in question; the next two characters are the service type (you choose how you will truncate it); the next two characters could be the last two letters of your login id and the final two characters are a random pick of a special character and a number. So if meyerweb had a login area your password could be: mewbid9# where me is meyerweb / wb is service type web / id is the last 2 letters of login id / 9# is selected. How about to login to your desktop (let’s assume it’s a Dell): dedpid9#. Once you get used to it it simplifies your life – you don’t need to write down any passwords, just don’t forget the algorithm ;)
Ken Ray wrote in to say...
The “combine two four letter words” was the system supported method when I worked for IBM Australia in the early 1990’s. It just so happened that one of the senior female computer operators in the main IBM Australia Computer Centre had the last name “tout” – which was one of the myriad of ‘approved’ four letter words for generating passwords.
Unfortunately for her, the word “ugly” was also on the list. I was told that almost everyone in the computer centre had the password “uglytout”.
Now, being good Australians, we also used a few other four letter words not on the suggested list… but that’s a story for another time.
Zsolt wrote in to say...
Easy! Just remember a master password and use the password bookmarklet to generate unique passwords based on a MD5 hash of a combination of the master password + site name.
http://www.angel.net/~nic/passwdlet.html
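The bookmarklet idea above is worth seeing as code, together with two checks it invites: whether a hex digest can satisfy the composition rules many sites impose, and what a single leaked site password costs you. This is an added reconstruction of the scheme as the comment describes it, not the bookmarklet’s own code; the plain concatenation master + site and the 8-character truncation are assumptions.

```python
import hashlib
import string

HEX_DIGITS = set(string.hexdigits.lower())


def derive_site_password(master: str, site: str, length: int = 8) -> str:
    """First `length` hex characters of MD5(master + site).

    Assumed layout: plain concatenation, lowercase hex output, truncated.
    """
    digest = hashlib.md5((master + site).encode("utf-8")).hexdigest()
    return digest[:length]


def meets_policy(password: str, need_upper: bool = True, need_digit: bool = True,
                 need_symbol: bool = False) -> bool:
    """Check a derived password against a typical site composition rule.

    A hex digest is lowercase letters a-f and digits only, so any rule that
    demands an uppercase letter or a symbol rejects it every time.
    """
    if need_upper and not any(c.isupper() for c in password):
        return False
    if need_digit and not any(c.isdigit() for c in password):
        return False
    if need_symbol and not any(c in string.punctuation for c in password):
        return False
    return True


def recover_master(leaked: str, site: str, candidates, length: int = 8):
    """Offline guess of the master from ONE leaked derived password.

    The derivation is a single unsalted MD5 with no work factor, so whoever
    learns one site's password and knows the scheme can test candidate masters
    at raw hash speed. Returns the matching candidate, or None.
    """
    for guess in candidates:
        if derive_site_password(guess, site, length) == leaked:
            return guess
    return None


def demo():
    master = "pizzaPepsi"                            # constructed sample master
    sites = ["meyerweb.com", "example.org"]         # constructed sample sites
    derived = {s: derive_site_password(master, s) for s in sites}
    # Constructed candidate list standing in for a real cracking wordlist.
    candidates = ["password", "pizza", "pepsi", "pPiezpzsai", "pizzaPepsi"]
    found = recover_master(derived["meyerweb.com"], "meyerweb.com", candidates)
    return derived, found


if __name__ == "__main__":
    derived, found = demo()
    for site, pw in derived.items():
        print(site, pw, "policy ok:", meets_policy(pw))
    print("master recovered from one leak:", found)
```

Two things follow from the output: every derived password is distinct per site, which is the scheme’s genuine benefit, and none of them will ever pass a rule that asks for an uppercase letter, which is exactly the conflict Charles raises further down the thread. The recovery step shows why the master password has to be strong in its own right.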
tom wrote in to say...
First: ranges are actually green until they’re painted.
Second: I tend to recommend that people take a number they know and a word associated w/ the thing the password goes to, and interleave them. A couple of people I know use the first 4 letters of the month and the date of their next required password change (numerically) and interleave those in an odd way to get their passwords for the frequent changes at their work. not terribly secure, but it would be hard to guess if you didn’t know them (of course, it was the telling me that was the bad idea) :)
Josh wrote in to say...
I use the interleaved words system for some of my passwords, and I have found that it is much easier to type the first word, return to the beginning of the string, and type the second word, alternating with the right-arrow.
Less (fewer?) mental gymnastics, same end result.
Daniel wrote in to say...
I had some random proto-web application generate 10 numerically-interleaved, random-cased strings that I have since completely ruined by using for myriad websites and never changing. First cracker to get a keylogger on my system gets all my pennies. :p
Moz wrote in to say...
A good idea is to create a pattern on the keyboard, like a big E. Check out the image I made. It’s a very simple pattern and easy to remember, but the result is 3edc456rtyvbn, which would be hard to crack. Think of all the combinations. You could make any letter, a spiral, a star, an arrow, anything really.
bogyit wrote in to say...
I pick the first letter of each word in a sentence, here is an example:
becomes lhanhodon. Like this it is simple to remember, at least for me, because you give a meaning to the password.
Mehmet Dogan wrote in to say...
I use the algorithm that Isil talks about above. It makes life a lot easier. Especially if you are working in a team environment where one password has to be shared by lots of people and changed frequently. With the algorithm system, you can come up with any kind of algorithm and all your systems can have different passwords. You might lose one of them to bad! people and you don’t have to worry about it as long as they don’t know the algorithm.
Adam Rice wrote in to say...
I’ve had to set up computers for some friends and created passwords for them. I use the names of pets or a fetish animal in h4×0r code, with some interleaved punctuation.
My own maximum-security password is the initials of a historical figure I admire, and a word he made up (which doesn’t appear in the dictionary), and some punctuation.
Erik Peterson wrote in to say...
I take a familiar word that would be a horrible password and then shift my hands up a row on the keyboard. So “bluefish” becomes “go73r8wy”…
Works really well if you touch-type, but I bet it would be pretty awkward for hunt-n-peck. You can move one hand up or shift one right/left as a variation.
Sage wrote in to say...
I come up with a new system each time. The first time I took my parents’ password and just added a letter. My second password had 3 of my friends’ initials, rearranged so that it was pronounceable (but still not a real word, of course).
My current password is a bit interesting. I’ve taken a number, and basically “wrote” an equation for it using a variety of numbers and letters. For example, let’s say my number was 74 (which it’s not). I would then write something like thirtyplus44. I think it works well, since 1) it’s a pretty mangled combination of letters and numbers, and 2) the actual number (74 in this example) is always linked in some way to hardware I have. So I could use “50” for the cost of my Logitech mouse, “600” for my iBook’s CPU speed, etc. That way I can make a reasonably safe reminder thingie (like how in OS X you can type in a password reminder).
Lachlan Hunt wrote in to say...
I used to have one password (a person’s name) that I used for everything for quite a few years, and still do for some very low security stuff.
Though, now I like to just pick totally random letters, numbers and punctuation (generally 8 characters) and just remember the sequence by repeatedly typing it and/or thinking about it.
I find it more difficult to remember seed words and the algorithm used to generate the password from them, than it is to just remember 6 to 8 letters. The only difficulty I have with passwords is around the time I start to change it, because I can’t remember which sites I’ve changed and which I haven’t.
Kjell wrote in to say...
Simple, what do people remember better then almost anything? Verse: songs, poems, lines from your favorite movie, but something that you haven’t completely made up and you have some passing familiarity with. So take whatever song you’ve been humming the last few days, listen to it a few times over, pick your favorite stanza, and take the first letter from each word, or the last letter, or the second vowel or whatever… Once you listen to the song a few more times and practice typing the password (look at the keyboard to re-enforce it) you’ll have it down forever, and if you ever do forget it just remember how you picked individual letters from the words and look the lyrics up on the internet!
Website wrote in to say...
I prefer to use RoboForm. I have a thumb drive where I store all the passwords that I take with me. I have a local copy on my computer and I also print out a hard backup copy once in a while. It’s a pretty good program!
Ben M wrote in to say...
1) Take a longish word with plenty of vowels – like “banana.”
2) Replace all the vowels with a sequence of numbers. Start at 9 and go down, for example.
Thus, “banana” becomes “b9n8n7”.
All you have to remember is the word and where your number sequence starts. It’s especially easy if you pick a word which can be typed entirely with one hand, so the other one’s free to work the numbers.
Received from eliot
Better Methods for Passwords
Was reading Eric Meyer’s ideas on Password Production, which lead me to this nifty little Password generator bookmarklet, RoboForm, and to Why you shouldn’t be using passwords of any kind on your Windows networks. I like the bookmarlet because you on…
Mike Piontek wrote in to say...
One I’ve used before is taking a couple of words, stripping out the vowels, and tacking on a couple of numbers for good measure. So with the “pizza Pepsi” example, you might end up with pzzPps35. So long as the words and numbers have some sort of meaning to the person using the password, it’s very easy to remember. You could start with someone’s name and part of their birth date, for example.
J Cornelius wrote in to say...
I’ve had to change passwords so many times and use so many different passwords for different systems that I just wrote a little app to generate random a1pH4nUm3r1c strings and spit them out. This works great in conjunction with the password manager I wrote to go with it which stores everything encoded with a custom cypher in a (password protected) web accessible database. You can try it out here.
Received from Thinking Digitally
Passwordaphobia
I have always had a problem with passwords- thinking of new passwords, remembering old passwords, typing in passwords. Problems all across the board. A few years ago I used to be really good with my passwords. I had no less…
ghola wrote in to say...
I very often resort to parts of telephone numbers.
One thing that I’ve already had to remember is a dear friend of the family’s phone number, which makes for the numbers part of the password. I can use a shortened version, like the last 6 digits, and prepend the person’s nickname or pet’s name…
It’s an easy to remember and non-dictionary password.
Paul wrote in to say...
I like to put my passwords in backwards and the word coming from what machine I am using, using punctuation around them. For instance I used to own a compaq – the password was !qapmoc!. This has changed a bit now, but still generally applicable – I substitute 0’s for o and stuff like that now too… makes for interesting passwords, and makes your brain work for a while trying to spell words backwards!
Gary Fleming wrote in to say...
I do it the way all good CompSci departments do: a markov model password generator.
Throw a dictionary into a Markov model (say 3rd order) in order to work out the probability of a given letter appearing after another. Then simply walk down chains of high probability and make sure you don’t generate a real word. The result: a password that is human readable and doesn’t appear in the dictionary (thus avoiding that kind of attack).
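The Markov-model generator described above, as an added example that is not the commenter’s code or any CompSci department’s: a 3rd-order letter model is built from a word list, candidates are produced by a weighted walk over it, and anything that is a real word in the list is rejected. The embedded word list is a constructed stand-in for a real dictionary file, so the variety of output is small; point it at /usr/share/dict/words for real use.

```python
import random
from collections import defaultdict

# Constructed stand-in for a dictionary file such as /usr/share/dict/words.
SAMPLE_WORDS = """
table tablet stable stabilize ability able about above absent abstract
candle candid cancel cantor canopy cancer careful carpet carton cartel
mention mental mentor merit merge method metric middle minute mirror
partner parcel pardon parent parish parlor parsley partial particle
station stationary statue status stature statute steady stealth steam
""".split()

START, END = "^", "$"


def build_model(words, order=3):
    """Count which letter follows each `order`-letter context.

    Every word is wrapped in START/END markers so the chain learns how words
    begin and when a word may plausibly stop. Returns {context: {next: count}}.
    """
    model = defaultdict(lambda: defaultdict(int))
    for word in words:
        padded = START * order + word.lower() + END
        for i in range(order, len(padded)):
            model[padded[i - order:i]][padded[i]] += 1
    return model


def generate(model, dictionary, order=3, min_len=8, max_len=12, rng=None, attempts=1000):
    """Walk the chain, favouring frequent transitions, and reject real words.

    The rejection is the comment's "make sure you don't generate a real word":
    the output should be pronounceable yet absent from the dictionary, so a
    plain dictionary attack never lists it.
    """
    rng = rng or random.SystemRandom()
    real_words = {w.lower() for w in dictionary}
    for _ in range(attempts):
        context = START * order
        letters = []
        while len(letters) < max_len:
            followers = model.get(context)
            if not followers:
                break
            choices, weights = zip(*followers.items())
            nxt = rng.choices(choices, weights=weights)[0]
            if nxt == END:
                break
            letters.append(nxt)
            context = context[1:] + nxt
        candidate = "".join(letters)
        if min_len <= len(candidate) <= max_len and candidate not in real_words:
            return candidate
    raise RuntimeError("no acceptable candidate within the attempt budget")


def demo(seed=None):
    """Build the model from the sample list and return one generated password.

    A seed is only for reproducible demonstration; leave it None for real use so
    the walk is driven by the OS random source.
    """
    model = build_model(SAMPLE_WORDS, order=3)
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    return generate(model, SAMPLE_WORDS, order=3, rng=rng)


if __name__ == "__main__":
    print(demo())
```

The rejection step only knows the words you fed it: with a toy list the generator happily emits strings that are real English words absent from the list, so the dictionary used for rejection should be at least as large as the one an attacker would use.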
Received from 40 anni buttati
Randomly non-random
An easy method for getting passwords that look random but have a logic of their own…
AJ wrote in to say...
Hezekiah2:15 anyone?
Too bad Hezekiah2:15 isn’t an actual Biblical reference :-p
eaf wrote in to say...
I pull a book off my bookshelf, and turn to an arbitrary page and go down the left column of letters. It returns an apparently random set of letters which can easily be re-created. Sometimes to spice it up, I’ll substitute certain numbers for letters, like say 3 for E or 4 for r for example.
As an example, if I were to use Eric Meyer on CSS and turn to page 55 I would get “AhpwmaIbdt” as my password, and I could easily re-create it if I lost it.
Dave Heath wrote in to say...
I like the idea of mixing two words together, I might combine that with my current system of
one or two characters of random punctuation
a capitalized word
one or two numbers
to get something like %!Dogs52 which is so crazy I can remember them
Oh and thank you AJ, Hezekiah2:15 does not exist
torch wrote in to say...
Too bad Hezekiah2:15 isn’t an actual Biblical reference :-p
hard to get much more obscure than that, isn’t it? ;)
i’m glad someone finally picked up on that.
Jack Dausman wrote in to say...
I love using Compound Passwords, that way I can have an easy to remember list, and still meet rigid security requirements.
This idea was endorsed by the lead security engineer for Lotus, who now works at Microsoft.
http://www.leadershipbynumbers.com/MS.nsf/d6plinks/BMMA-5UW4GP
Magnus wrote in to say...
I generate a series of random passwords with a script, all in the form 3 chars, 2 numbers, 3 chars. Then I pick a word that is meaningless, but easy to remember, like “pxp21pop” or “com19hem”.
Justin Perkins wrote in to say...
I like to mix vowels and consonants together to form short non-words, pair them up and separate them by some non-alphanumeric characters. It’s pretty easy to come up with new (good) passwords and because the pattern of vowel to consonant is easy to remember, I never forget these passwords. Here are some examples…
kivi$lew5
weti!muv9
Maybe it’s just me, but I find these passwords very easy to remember. They’re almost like a little jingle (to me).
Charles wrote in to say...
One problem with rules-based passwords is that some sites have their own rules that conflict with your own, such as “no special characters.” Then you have to document or remember their rule, and how you modified your rule to accommodate theirs.
J wrote in to say...
I use an Italian sounds generator to mix already known patterns.
Taken from a ColdFusion programmer (Fabio Serra), modified by Giampaolo Bellavite, then a little modified by me too and translated into PHP.
Paul Position wrote in to say...
Myself, I’m partial to the ‘first letter of each word in a phrase’ with one twist: only phrases with numbers in them.
‘there is fifty-two cards in a deck of cards’ becomes ‘ti52ciadoc’ for instance. Or ‘one onion a day keeps every one away’ to ‘1oadke1a’ etc. Easy to remember or note somewhere (not on a post-it stuck to the screen, though).
Bob Easton wrote in to say...
If you were an amateur radio operator (ham) a few years ago and had a conversation with me, your call letters are in my list of password seeds. Take k5fox and pad each end to get 8 characters. Secure from most dictionary attacks (who would think of using the callsign directory?), long enough for most applications, and includes a number required by many applications.
BTW, the Ministry of Finance in Italy (similar to our FBI) has gotten a law passed (under the guise of Privacy) requiring all firms doing business in Italy to implement passwords of at least 8 characters, containing at least one numeral, with expiration no longer than 90 days. Some corporations are scurrying to update their applications to comply with the Italian law. See: https://www-112.ibm.com/software/howtobuy/passportadvantage/paocustomer/docs/en_US/registration.html#password
Manuzhai wrote in to say...
I remember dates from significant events, mangle them to include/exclude leading zeros and the century, add some obscure acronym to it (for terms that hardly anyone but me could know) that includes both lower- and uppercase characters et voilà: a fairly secure password.
WM - XYZ aka Wojciech Miskiewicz wrote in to say...
I use the app Keychain (Schlüsselbund) in OSX – I put my passwords in a new, separate “Notes” keychain and keep it locked. You need to remember only the master password for the keychain. To back up I transfer it to a USB stick – you can carry the stick anywhere with you.
Lou wrote in to say...
I tend to take the domain or at least the first three letters of it and combine that with a relatively complex password that I use in many places. So if my common password was gr4P3ap3 my password on this site would be meyergr4P3ap3. That at least lets me focus brain power on remembering the non-trivial passwords like my work account while being fairly assured that my more trivial passwords are relatively difficult to break. And it means less guessing for me when I forget the password.
Scott wrote in to say...
Wow, a lot of different ideas on creating a password. The suggestion about taking the first letter of each word from a phrase is one I would tell my users when I worked as a sysadmin. They seemed to like the idea and it was easy for them to remember. For myself, I typically take a word and replace letters with numbers or symbols that resemble the letter. For instance, if my password was ‘meyer’ it would become ‘m3y3r’. Other examples: ‘cascading’ becomes ‘c@5c@d1ng’, ‘comment’ becomes ‘c0mm3n7’.
David Engel wrote in to say...
I documented this online once – though I’ve lost where, so I’ll need to get it back up – but it is still my favorite method of developing random appearing passwords:
Come up with a list of ten key events in your life that are memorable. If you can’t get ten, but you have seven, that’s a good start; in a few years you’ll have more. Use your birthdate, the birthdate of your significant other, your children, when you started at your favorite employer, whatever. The fact that it is public knowledge is not necessarily a concern.
Convert each of these to a two-alpha/two-digit code. For example, Zeldman could use his daughter’s birth and code it as am28: Ava Marie born on the 28th. I don’t know which significant event that would be for him, but say it is number 7. Your answers don’t have to be real, either, and there are a ton of ways to remember each event. This is where the first pseudo-randomness comes in. They just have to be ones you can remember. Zeldman might use av10 for the announcement that came in October, or ab04, or even bg09.
After doing this with all of your events, you have a list from 0 to 9 of events with 4 character codes. Now just pick a two- or three-digit number, preferably with unique digits, and a phrase which brings that number to mind. If it can be confusing, so much the better. For instance, one of my favorites is the phrase “What is six times nine?” pointing to the number 42 (thank you Doug Adams).
Then use the codes which go with these numbers. For example, af70mg58. Using the shift key helps randomize it: AF&)mg58.
No dictionary attacks will ever hit it, even people who know me won’t know which events I used or how I coded them, and after a few months I pick a new number and new code. If I need a way to remember them, I can write down the remembrance phrase, and there is little evidence of what it is used for.
Peter Cooper wrote in to say...
If you really can’t bring yourself to these mnemonic tricks, then you can always use some regular punctuation with your weak dictionary passwords. If your password is fish, then “fish!” (quotes included) is a lot harder to crack, and very few people seem to use passwords like this. Another easy method is to alternate CaSeS LiKe ThIs and then put an exclamation on the end. PaSsWoRd! anyone? :)
Jussi Kukkonen wrote in to say...
Lucas: “zxcvbnm” most definitely is in every brute-force-dictionary.
Received from The Engineered Boulderer
Secure Passwords
I often read Matt Howie’s “A Whole Lotta Nothing” (http://a.wholelottanothing.org/) and stumbled onto his post on Creating (and remembering) crazy hard passwords. In it he outlines how he makes secure but easily rememberable passwords. In it h…
rydel.net wrote in to say...
Leszek Swirski wrote in to say…
“Personally, since I’m Polish, I just use obscure Polish words that no-one will ever be able to remember, let alone spell properly.”
Same here (but with Blr.).
A neighbour from Belarus. ;)
Received from SocInf » Blog Archive » Password sicure
[...] can be perfected by adopting a few simple precautions, one of which is described on this site. Published 21 February 2005 at 18:14 [...]
Sneaky Smokie wrote in to say...
This is a little idea I came up with. Since most places I use passwords have a button to click to e-mail your password, remembering them doesn’t have to be a big chore. I use CD keys as passwords and might change the letters to capitals. Good idea for me because it’s already written down on the CD case. 2104-92892664-4877 just drop in a few letters and you’re good to go. login: 2104acdw password: 9a28b826c64
Try to use 8 or more numbers or letters. CD keys with numbers and letters are best to use.
xup8-gab8-tax5-gad7-6632
login: xup8gab8 password: tax5gad7
Received from Password sicure | SocInf
[...] can be perfected by adopting a few simple precautions, one of which is described on this page. [...]
WSA wrote in to say...
CyberScrub KeyChain is a free password manager we use at work. http://www.cyberscrub.com
I found this on their website:
Manage ALL Passwords with One Phrase. When you log on to KeyChain with your Master Pass Phrase you will have instant access to all of your password protected websites. Select your destination from a special list you have created, then simply “Click & Go”. It’s that easy! Each time you visit a site requiring a user name and password KeyChain auto enters this information and logs you in. It even prompts you to add these passwords to the program if you have not already done so. Never manually fill in credit card details again. Online shopping is a snap because KeyChain automatically enters your selected credit card details, Shipping and Billing address and more. All of your data is secured with strong encryption. Only you have access to the sensitive data within KeyChain. All information, including passwords, credit cards and other data, is protected with strong encryption algorithms. The USB flash drive also synchronizes with your host computer to back up your encrypted password list. This is an important feature should your PC crash or fail. You may also utilize the USB flash drive, if desired, for Dual User Authentication. This requires the user to not only enter the Master Pass Phrase, but also to plug the USB flash drive into their computer. Easy to use, backed by award-winning CyberScrub Customer Support.
WSA wrote in to say...
That URL should be: http://www.cyberscrub.com/keychain
Sorry about that :)
Received from EnigmA-X’s blog » Password…anyone?
[...] in my search I came across this site. The content may be a bit old (Jan. 2005), but the idea and the comments below it are [...]
Received from LifeHacker, Dansk Produktivitets - og Softwareguide.
[...] is hard for others to guess. Trivial, isn’t it? But despite this, web expert Eric Meyer has a method for finding the perfect password: pick 2 words you can remember, and weave the words into each other. Then [...]
EricT wrote in to say...
I have a password generator that you all might find useful.
It is located on my personal site.
http://eric.torvinen.net/password-generator.php
Just type a word in the form and it will spit out the word in md5 and crypt.
It is meant for Apache’s htaccess files but I guess it creates harder passwords. And if you forget it you can always retype the word in my form or another form like it and get the hash.
I would use md5 because it stays the same on all systems. crypt changes every time; crypt encryption is used for unix/linux boxes.
Received from » Blog Archive » Creating (and remembering) strong passwords
[...] Creating a strong password doesn’t have to be a complicated procedure. I’m not using strings of arbitrary characters. You can get a good idea of some rules and practices here. [...]