Password Production

Published 19 years, 10 months past

Since I’ve been futzing about with human-friendly security of various forms recently, it occurred to me that I ought to pass along a password-generation technique I’ve used for years now.  Maybe it’s a well known technique, and maybe not.  In any case, my best recollection is that I learned it from either John Sully or Jim Nauer back in my CWRU days.

The general idea is to pick a two-word combination you can easily remember.  For example, suppose you’re a big fan of pizza and Pepsi, and would have no trouble remembering those words.  Perfect: use them the basis of your password.  No, you don’t make it “pizzaPepsi”—instead, you interleave the words.  That would yield “pPiezpzsai”.  It looks fairly random, and yet is very easy to recreate because the seed words are so easy to remember.  If you have trouble remembering the exact sequence of letters, you can just write the words down on a piece of scrap paper and follow along.

In cases where your two words have different lengths, you can always tack on numbers.  For example, maybe your seed words are “milkshake” and “fries”.  That would normally yield “mfirlikesshake”, which is okay, but you could tack the numbers “123” onto “fries” to get “mfirlikessh1a2k3e”.  Alternatively, you could put the numbers at the beginning, so you get “m1i2l3kfsrhiaekse”.

I’ve found that when I start using a new password created this way, it takes me a few days to adapt to it.  I usually have the seed words written down some place handy during that training period.  Then my fingers take over, and from then on I can type it blindfolded in less than a second.  I don’t even think about the actual characters I’m typing: I just start, and the muscle memory kicks in.

So if you’re looking for a way to generate harder-to-crack passwords, there’s one possibility.  How about you—do you have any nifty human-friendly password-creation recipes?


Comments (59)

  1. Pingback ::

    Meriblog: Meri Williams' Weblog » Everyone’s Talking About…

    […] rchable information sources!). There are some interesting techniques put forward, first by Eric Meyer and then also by Matt Haughey. I have a similar tiering scheme for p […]

  2. One way I do it is by keyboard patterns. I will memorize a pattern from typing on the keyboard… for example… zxcvbnm is not in any dictionary, but is very easy to remember. You can make much more complex and yet easy to remember patterns this way too. Press the shift key on every other letter for another layer of security. However, it is usually nearly impossible to remember what the actual letters are if someone was to ask you what your password was.

  3. It’s a bit of an oldie now, but I found this article by Robert Hensing more than helpful when it comes to passwords; use pass-phrases instead.

    http://blogs.msdn.com/robert_hensing/archive/2004/07/28/199610.aspx

    It sort of expands on the idea of two key words. You simply remember a whole phrase instead (it only takes an extra half second to type ericmeyerusesalotofcss instead of xrhotcmkls, it’s harder to crack and just as easy to remember.

  4. Myself, I tend to go for mnemonic passwords &8211; take a phrase (e.g. “Eric Meyer’s books are great!”) and take the first letter of each word:

    EMbag

    Will pass a dictionary search, but still vulnerable. Could be improved by splicing some punctuation in there, along with the common substitutions like 4 or @ for a, 3 for e, etc:

    EM'bk@Gr8!

    Again, this takes a little longer than a dictionary password to get settled in your head, but once you’ve had it for a week or two then you can type it in without thinking.

  5. Personally, since I’m Polish, I just use obscure Polish words that no-one will ever be able to remember, let alone spell properly.

  6. I always use Bible Scripture references. Since a lot of passwords are required to use a combination of upper & lower case, as well as numbers and punctuation (or any combination of those elements), bible verses, when written out correctly, use all of them.

    John3:16 for example (no space between the word and the numbers). I’d pick something more obscure than that well-known verse, though.

    Hezekiah2:15 anyone?

  7. You could also create a universal password algorithm that would work for anything. For example, let’s choose an 8 character algorithm such that the first two characters are the first two letters of the object in question; the next two characters are the service type you choose how you will truncate it; the next two characters could be the last two letters of your login id and the final two characters are a random pick of a special character and a number; So if meyerweb had a login area your password could be: mewbid9# where me is meryerweb/wb is service type web/id is the last 2 letters of login id/9# is selected. How about to login to your desktop (let’s assume its a dell): dedpid9#. Once you get used to it it simplifies your life – you don’t need to write down any passwords, just don’t forget the algorithm ;)

  8. The “combine two four letter words” was the system supported method when I worked for IBM Australia in the early 1990’s. It just so happened that one of the senior female computer operators in the main IBM Australia Computer Centre had the last name “tout” – which was one of the myriad of ‘approved’ four letter words for generating passwords.

    Unfortunately for her, the word “ugly” was also on the list. I was told that almost everyone in the computer centre had the password “uglytout”.

    Now, being good Australians, we also used a few other four letter words not on the suggested list… but that’s a story for another time.

  9. Easy! Just remember a master password and use the password bookmarklet to generate unique passwords based on a MD5 hash of a combination of the master password + site name.

    http://www.angel.net/~nic/passwdlet.html

  10. First: ranges are actually green until they’re painted.

    Second: I tend to recommend that people take a number they know and a word associated w/ the thing the password goes to, and interleave them. A couple of people I know use the first 4 letters of the month and the date of their next required password change (numerically) and interleave those in an odd way to get their passwords for the frequent changes at their work. not terribly secure, but it would be hard to guess if you didn’t know them (of course, it was the telling me that was the bad idea) :)

  11. I use the interleaved words system for some of my passwords, and I have found that it is much easier to type the first word, return to the beginning of the string, and type the second word, alternating with the right-arrow.
    Less (fewer?) mental gymnastics, same end result.

  12. I had some random proto-web application generate 10 numerically-interleaved, random-cased strings that I have since completely ruined by using for myriad websites and never changing. First cracker to get a keylogger on my system gets all my pennies. :p

  13. A good idea is to create a pattern on the keyboard, like a big E. Check out the image I made. It’s a very simple pattern and easy to remember, but the result is 3edc456rtyvbn, which would be hard to crack. Think of all the combinations. You could make any letter, a spiral, a star, an arrow, anything really.

  14. I pick the first letter of each word in a sentence, here is an example:

    Love has a nasty habbit of dissapearing over night.

    becomes lhanhodon. Like this is simple to remember, at least for me, because you give a meaning to password.

  15. I use algorithm that Isil talks about above. It makes life a lot easier. Especially if you are working in a team environment that one password has to be shared by lots of people and changed frequently. With algorithm system, you can come up with any kind of algorithm and all your system can have different password. You might lose one of them to bad! people and you don’t have to worry about it as long as they don’t know the algorithm.

  16. I’ve to set up computers for some friends and created passwords for them. I use the names of pets or a fetish animal in h4x0r code, with some interleaved punctuation.

    My own maximum-security password is the initials of a historical figure I admire, and a word he made up (which doesn’t appear in the dictionary), and some punctuation.

  17. I take a familiar word that would be a horrible password and then shift my hands up a row on the keyboard. So “bluefish” becomes “go73r8wy”…

    Works really well if you touch-type, but I bet it would be pretty awkward for hunt-n-peck. You can move one hand up or shift one right/left as a varation.

  18. I come up with a new system each time. The first time I took my parents’ password and just added a letter. My second password had 3 of my friends’ initials, rearranged so that it was pronounceable (but still not a real word, of course).

    My current password is a bit interesting. I’ve taken a number, and basically “wrote” an equation for it using a variety of numbers and letters. For example, let’s say my number was 74 (which it’s not). I would then write something like thirtyplus44. I think it works well, since 1) it’s a pretty mangled combination of letters and numbers, and 2) the actual number (74 in this example) is always linked in some way to hardware I have. So I could use “50” for the cost of my Logitech mouse, “600” for my iBook’s CPU speed, etc. That way I can make a reasonably safe reminder thingie (like how in OS X you can type in a password reminder).

  19. I used to have one password (a person’s name) that I used for everything for quite a few years, and still do for some very low security stuff.

    Though, now I like to just pick totally random letters, numbers and punctuation (generally 8 characters) and just remember the sequence by repeatedly typing it and/or thinking about it.

    I find it more difficult to remember seed words and the algorithm used to generate the password from them, than it is to just remember 6 to 8 letters. The only difficulty I have with passwords is around the time I start to change it, because I can’t remember which site’s I’ve changed and which I haven’t.

  20. Simple, what do people remember better then almost anything? Verse: songs, poems, lines from your favorite movie, but something that you haven’t completely made up and you have some passing familiarity with. So take whatever song you’ve been humming the last few days, listen to it a few times over, pick your favorite stanza, and take the first letter from each word, or the last letter, or the second vowel or whatever… Once you listen to the song a few more times and practice typing the password (look at the keyboard to re-enforce it) you’ll have it down forever, and if you ever do forget it just remember how you picked individual letters from the words and look the lyrics up on the internet!

  21. I prefer to use roboform. I have a thumb drive where I store all the passwords that I take with me. I have a local copy on my computer and I also print out hard back up copy once in a while. It’s a pretty good program!

  22. 1) Take a longish word with plenty of vowels – like “banana.”
    2) Replace all the vowels with a sequence of numbers. Start at 9 and go down, for example.

    Thus, “banana” becomes “b9n8n7”.

    All you have to remember is the word and where your number sequence starts. It’s especially easy if you pick a word which can be typed entirely with one hand, so the other one’s free to work the numbers.

  23. Trackback ::

    eliot

    Better Methods for Passwords
    Was reading Eric Meyer’s ideas on Password Production, which lead me to this nifty little Password generator bookmarklet, RoboForm, and to Why you shouldn’t be using passwords of any kind on your Windows networks. I like the bookmarlet because you on…

  24. One I’ve used before is taking a couple of words, stripping out the vowels, and tacking on a couple of numbers for good measure. So with the “pizza Pepsi” example, you might end up with pzzPps35. So long as the words and numbers have some sort of meaning to the person using the password, it’s very easy to remember. You could start with someone’s name and part of their birth date, for example.

  25. I’ve had to change passwords so many times and use so many different passwords for different systems that I just wrote a little app to generate random a1pH4nUm3r1c strings and spit them out. This works great in conjunction with the password manager I wrote to go with it which stores everything encoded with a custom cypher in a (password protected) web accessible database. You can try it out here.

  26. Trackback ::

    Thinking Digitally

    Passwordaphobia
    I have always had a problem with passwords- thinking of new passwords, remembering old passwords, typing in passwords. Problems all across the board. A few years ago I used to be really good with my passwords. I had no less…

  27. I very often resort to parts of telephone numbers.

    One thing that I’ve already had to remember is a dear friend of family phone number, that makes for the numbers part of the password. I can use a shortened version, like the last 6 digits, and prepend with the person’s nickname or pet’s name…

    It’s an easy to remember and non-dictionary password.

  28. I like to put my passwords in backwards and the word coming from what machine I am using, using punctuation around them. For instance I used to own a compaq – the password was !qapmoc!. This has changed a bit now, but still generally applicable – I substitute 0’s for o and stuff like that now too… makes for interesting passwords, and makes your brain work for a while trying to spell words backwards!

  29. I do it the way all good CompSci departments do: a markov model password generator.

    Throw a dictionary into a markov model to (say 3rd order) in order to work out the probability of a given letter appearing after another. Then simply walk down chains of high probability and make sure you don’t generate a real word. The result: A password that is human readable and doesn’t appear in the dictionary (thus avoiding that kind of attack).

  30. Trackback ::

    40 anni buttati

    Casualmente non casuali
    Un metodo facile per ottenere password che sembrano casuali ma hanno una loro logica…

  31. Hezekiah2:15 anyone?

    Too bad Hezekiah2:15 isn’t an actual Biblical reference :-p

  32. I pull a book off my bookshelf, and turn to an arbitrary page and go down the left column of letters. It returns an apparently random set of letters which can easily be re-created. Sometiems to spice it up, i’ll substitute certain numbers for letters, like say 3 for E or 4 for r for example.

    As an example, if i were to use Eric Meyer on CSS and turn to page 55 i would get “AhpwmaIbdt” as my password, and i could easily re-create it if i lost it.

  33. I like the idea of mixing two words together, I might combine that with my current system of
    one or two characters of random punctuation
    a capitalized word
    one or two numbers

    to get somthing like %!Dogs52 which is so crazy I can remeber them

    Oh and thankyou AJ, Hezekiah2:15 does not exist

  34. Too bad Hezekiah2:15 isn”t an actual Biblical reference :-p

    hard to get much more obscure than that, isn’t it? ;)

    i’m glad someone finally picked up on that.

  35. I love using Compound Passwords, that way I can have an easy to remember list, and still meet rigid security requirements.

    This idea was endorsed by the lead security engineer for Lotus, who now works at Microsoft.

    http://www.leadershipbynumbers.com/MS.nsf/d6plinks/BMMA-5UW4GP

  36. I generate a series of random passwords with a script, all in the form 3 chars, 2 numbers, 3 chars. Then I pick a word that is meaningless, but easy to rember, like “pxp21pop” or “com19hem”.

  37. I like to mix vowels and consonants together to form short non-words, pair them up and sepearate them by some non-alphanumeric characters. It’s pretty easy to come up with new (good) passwords and becuase the pattern of vowel to consonant is easy to remember, I never forget these passwords. Here are some examples…

    kivi$lew5
    weti!muv9

    Maybe it’s just me, but I find these passwords very easy to remember. They’re almost like a little jingle (to me).

  38. One problem with rules-based passwords is that some sites have their own rules that conflict with your own, such as “no special characters.” Then you have to document or remember their rule, and how you modified your rule to accomodate theirs.

  39. I use an Italian sounds generator to mix already known patterns.
    Taken from a ColdFusion programmer (Fabio Serra), modified by Giampaolo Bellavite than a little modified by me too and translated into PHP

  40. Myself, I’m partial to the ‘first letter of each words in a phrase’ with one twist : only phrases with numbers in them..
    ‘there is fifty-two cards in a deck of cards’ becomes ‘ti52ciadoc’ for instance. Or ‘one onion a day keeps every one away’ to ‘1oadke1a’ etc. Easy to remember or note somewhere (not on a post-it stuck to the screen, though).

  41. If you were an amatuer radio operator (ham) a few years ago and had a conversation with me, your call letters are in my list of password seeds. Take k5fox and pad each end to get 8 characters. Secure from most dictionary attacks (who would think of using the callsign directory?), long enough for most applications, and includes a number required by many applications.

    BTW, the Ministry of Finance in Italy (similar to our FBI) has gotten a law passed (under the guise of Privacy) requiring all firms doing business in Italy to implement passwords of at least 8 characters, containing at least one numeral, with expiration no longer than 90 days. Some corporations are scurrying to update their applications to comply with the Italian law. See: https://www-112.ibm.com/software/howtobuy/passportadvantage/paocustomer/docs/en_US/registration.html#password

  42. I remember dates from significant events, mangle them to include/exclude leading zero’s and the century, add some obscure acronym to it (for terms that hardly anyone but me could know) that includes both lower- and uppercase characters et voila: a fairly secure password.

  43. I use the app Keychain (Schlüselbund) in OSX – I put my passwords in a new, separate “Notes” keychain and keep it locked. You need to remember only the master password for the keychain. To backup I transfer it to a USB stick – you can carry the stick anywhere with you.

  44. I tend to take the domain or at least the first three letters of it and combine that with a relatively complex password that I use in many places. So if my common password was gr4P3ap3 my password on this site would be meyergr4P3ap3. That at least lets me focus brain power on remembering the non-trivial passwords like my work account while being farily assured that my more trivial passswords are relatively difficult to break. And it means less guessing for me when I forget the password.

  45. Wow, a lot of different ideas on creating a password. The suggestion about taking the first letter of each word from a phrase is one I would tell my users when I worked as a sysadmin. They seemed to like the idea and it was easy for them to remember. For myself, I typically take a word and replace letters with numbers or symbols that resemble the lette. For instance, if my password was ‘meyer’ it would become ‘m3y3r’. Other examples; ‘cascading’ becomes ‘c@5c@d1ng’, ‘comment’ becomes ‘c0mm3n7’.

  46. I documented this online once – though I’ve lost where, so I’ll need to get it back up – but it is still my favorite method of developing random appearing passwords:

    Come up with a list of ten key events in your life that are memorable. If you can’t get ten, but you have seven, that’s a good start; in a few years you’ll have more. Use your birthdate, the birthdate of your significant other, your children, when you started at your favorite employer, whatever. The fact that it is public knowledge is not necessarily a concern.

    Convert each of these to a two-alpha/two-digit code. For example, Zeldman could use his daughter’s birth and code it as am28: Ava Marie born on the 28th. I don’t know which significant event that would be for him, but say it is number 7. Your answers don’t have to be real, either, and there are a ton of ways to remember each event. This is where the first pseudo-randomness comes in. They just have to be one’s you can remember. Zeldman might use av10 for the announcement that came in October, or ab04, or even bg09.

    After doing this with all of your events, you have a list from 0 to 9 of events with 4 character codes. Now just pick a two-three digit number, preferrably with unique digits, and a phrase which brings that number to mind. If it can be confusing, so much the better. For instance, one of my favorite is the phrase “What is six times nine?” pointing to the number 42 (thank you Doug Adams).

    Then use the codes which go with these numbers. For example, af70mg58. Using the shift key helps randomize it: AF&)mg58.

    No dictionary attacks will ever hit it, even people who know me won’t know which events I used or how I coded them, and after a few months, I pick a new number and new code. If I need a way to remember them, I can write down the remembrance phrase, and there is little evidence of what it is used for.

  47. If you really can’t pull yourself to these mneomic tricks, then you can always use some regular punctuation with your weak dictionary passwords. If your password is fish, then “fish!” (quotes included) is a lot harder to crack, and very few people seem to use passwords like this. Another easy method is to alternate CaSeS LiKe ThIs and then put an exclamation on the end. PaSsWoRd! anyone? :)

  48. Lucas: “zxcvbnm” most definitely is in every brute-force-dictionary.

  49. Trackback ::

    The Engineered Boulderer

    Secure Passwords
    I often read Matt Howie’s “A Whole Lotta Nothing:http://a.wholelottanothing.org/ and stumbled onto his post on Creating (and remembering) crazy hard passwords. In it he outlines how he makes secure but easily rememberable passwords. In it h…

  50. Leszek Swirski wrote in to say…
    “Personally, since I”m Polish, I just use obscure Polish words that no-one will ever be able to remember, let alone spell properly.”

    Same here (but with Blr.).
    A neighbour from Belarus. ;)

  51. Pingback ::

    SocInf » Blog Archive » Password sicure

    […] ere perfezionato adottando pochi e semplici accorgimenti, uno dei quali viene descritto in questo sito. Pubblicato il 21 Febbraio 2005 alle 18:14 […]

  52. This is a little idea i came up with. Since most places i use passwords have a button to click to e-mail your password remembering them dosn’t have to be a big choir. I use cd key’s as passwords and might change the letters to captiols. Good idea for me cause its already written down on the cd case. 2104-92892664-4877 just drop in a few letters and your good to go. login: 2104acdw password: 9a28b826c64

    try to use 8 or more numbers or letters. cd keys with numbers and letters are best to use.

    xup8-gab8-tax5-gad7-6632
    login: xup8gab8 password: tax5gad7

  53. Pingback ::

    Password sicure | SocInf

    […] ere perfezionato adottando pochi e semplici accorgimenti, uno dei quali viene descritto in questa pagina. Permalink | Print Categorie Etica Tecnologica Ta […]

  54. CyberScrub KeyChain is a free password manager we use at work. http://www.cyberscrub.com
    I found this on their website:
    Manage ALL Passwords with One Phrase. When you log on to KeyChain with your Master Pass Phrase you will have instant access to all of your password protected websites. Select your destination from a special list you have created- then simply “Click & Go”. It’s that easy! Each time you visit a site requiring a user name and password KeyChain auto enters this information and logs you in. It even prompts you to add these passwords to the program if you have not already done so. Never manually fill in credit card details again. Online shopping is a snap because KeyChain automatically enters your selected credit card details, Shipping and Billing address and more. All of your data is secured with strong encryption. Only you have access to the sensitive data within KeyChain. All information, including passwords, credit cards and other data, is protected with strong encryption algorithms. The USB flash drive also synchronizes with your host computer to back up your encrypted password list. This is an important feature should your PC crash or fail. You may also utilize the USB flash drive, if desired, for Dual User Authentication. This requires the user to not only enter the Master Pass Phrase, but also to plug the USB flash drive into their computer. Easy to use, backed award winning CyberScrub Customer Support.

  55. That URL should be: http://www.cyberscrub.com/keychain
    Sorry about that :)

  56. Pingback ::

    EnigmA-X’s blog » Password…anyone?

    […] mijn zoektocht kwam ik deze site tegen. Misschien is de content wat oud (jan. 2005), maar het idee en de comments eronder zijn […]

  57. Pingback ::

    LifeHacker, Dansk Produktivitets - og Softwareguide.

    […] er svært at gætte for andre Trivielt ikke?, men på trods af dette har webeksperten Eric Meyer en metode til at finde det perfekte password: Vælg 2 ord du kan huske, og flet ordet ind i hinanden. Så […]

  58. i have a password generator that you all might find useful.
    It is located on my personal site.
    http://eric.torvinen.net/password-generator.php

    Just type a word in the form and it will spit out the word in md5 and
    crypt.

    it is meant for apache’s htaccess files but i guess it creates harder passwords. and if you forget it you can always retype the word i my form or another for like it and get the hash.

    i would use md5 because it stays the same on all systems. crypt changes every time, crypt encryptyion is used for unix/linux boxes.

  59. Pingback ::

    » Blog Archive » Creating (and remembering) strong passwords

    […] Creating strong password doesn’t have to be a complicated procedure. I’m not using strings of arbitrary characters. You can get a good idea of some rules and practices here. […]

Add Your Thoughts

Meyerweb dot com reserves the right to edit or remove any comment, especially when abusive or irrelevant to the topic at hand.

HTML allowed: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <em> <i> <q cite=""> <s> <strong> <pre class=""> <kbd>


if you’re satisfied with it.

Comment Preview