19 Sept 2013

How-to make hard-to-crack passwords you can easily remember

by Emery Fletcher

For better or worse – and more often worse – passwords are required to do a lot of things on the Internet and even in your home. For example, you need password for your Linux account or at least for root in your Linux installation.

At the same time, cracking passwords has never been easier. It's not just for experienced hackers any more: now even the general public can buy a ready-made cracking utility, or even download one free. There are even forums that give detailed instructions so you can learn how to use it. Some people have earned a lot of Bitcoins by sharing unused GPU/CPU cycles on their computers to crack passwords on a commercial basis.

One thing you can't do is create an unbreakable password. In principle, despite all the salting and hashing and encrypting you or a website enforces, any collection of symbols you use as the sole key for protecting your digital asset (computer, website, whatever) can eventually be discovered by a determined cracker with good resources and lots of time. The best you can do is make the cracker need huge resources and nearly-endless time – in short, make it so tough it just isn't worth the cracker's time.

What that means is making the best use of randomness. There have been a good many highly sophisticated arguments within the mathematical brotherhood as to whether the concept of "random" can properly be applied to the distribution of a small (maybe even just a finite) set of symbols. I leave that to the mathematicians. What I mean by randomness in passwords is this: given any limited sub-sequence of symbols in your password, there is no logical way to derive the identity of the next symbol. That is the practical meaning of "random" in passwords.

That means a password cracker must use a brute-force attack to reveal your full password: every symbol in the word will have to be tested individually against all possibilities. There will be no short cuts available: no dictionary tables to consult, no help from any of the linguistic rules the cracker programs use, and even rainbow tables consisting of the hashes of millions of existing passwords won't reveal the brand-new randomized one you just made.

Actually, creating a good brute-force-only password is the easy half of the problem – the difficult half is remembering it. You could simply take all possible symbols available on your keyboard (or as many of them as the site will accept) and line up a dozen or more of them you choose haphazardly. That would create a password that a brute-force attack with anything less than a supercomputer would require months to crack, because the difficulty is exponential: with 95 symbols available on a keyboard (upper- and lower-case letters, punctuation, other special characters), there are 95^12 possible 12-symbol passwords. That would take 95^(12+11+10+9+8+7+6+5+4+3+2+1)=95^78 brute force tries to crack.

How will you remember your super-safe password? 

Where will you write it down? And in a very practical sense, how will you know you haven't made a typo while you're entering it on a website? The answer is that if you choose your password well, you can make use of all the human memory resources you have, nervous and muscular as well as purely intellectual, to recall it. Try this:

Think of a song, a poem, a quotation, or any set of words that creates the familiar phenomenon of an "ear worm" - it just keeps running through your head, and it's hard to ignore it. Make sure it has ten or twelve words, or nearly as many as you want to have symbols in your password (only "nearly" - we can even pad it out a bit).

Got it? Okay, take the first letters of the words and line them up. That has created the Level One randomness, which is the most important of all: namely that any letter in the series cannot be derived from the prior letters unless someone knows what the original song/poem/quotation was (and that means you might not want to use "To be or not to be"). Let's take something from the 60's, a line from the Rolling Stones:
Have you seen your mother, Baby, standing in the shadows?
I used to run the memory of that song through my head when some dippy little advertising jingle got stuck as an ear worm – drove the worm right out, every time.)

Now we go to Level Two randomizing, in which we line up those first letters to encrypt them: HYSYMBSITS. Since there are 10, we can leave it at that, but you will quickly figure out how to expand it. We will add to the randomness by using what seems like a really stupid form of encryption: no pattern at all in how we change a letter to its symbol in the password.

But if we randomly encrypt the first S to n and the second S to # and the third S to 7, how will we be able to reverse it and decrypt the password? The answer is, we won't. We will never need to. The end result, for all we care, might come out eRn$eI#Lp7 – it really won't matter. Even if some short pronounceable or otherwise identifiable logical sub-sequence accidentally appears it's not really a problem, for that would only reduce the cracking time slightly.

By now you've probably figured out the secret: what we're really doing is creating a set of keystrokes that we will enter while reciting to ourselves "Have you seen your mother, Baby, standing in the shadows?" at the rate of one word per keystroke. You will be amazed how quickly that becomes a routine process, blending motor and abstract memory together, and how perfectly it comes back after a long period of disuse. It's physical, like remembering how to ride a bicycle.

By all means, do write it down and keep it somewhere safe. But if you use several different passwords, all formed in that same way, you can just keep a list of reminders: call this one Stones, or mother, or shadows – it will often be enough to rekindle the repeated memory and as you start typing, the whole routine will come back to you. What your password has become, in an operational sense, is a sequence of motor responses set to music.

The more you use such a password, the easier it is to remember it. Oddly, the more songs and poems and quotations you convert to motor typing memories the more of them you'll find you can remember. You don't have to master the recall capabilities of the ancient bards who could recite hours of epic stories, but you can learn from them: they set their tales to meter and rhyme to make it easier to remember – now you can do that with passwords!

Wow, we created a secure password. That's a time to relax now. Let's listen to good music!


  1. "Have you seen your mother, Baby, standing in the shadows?"

    Given the length of the quote, wouldn't you just be better off modifying the quote a little bit and just using that?

    ex. "Have standing you seen in your the mother, shadows? Baby,"

    - long password
    - capitals and lowercase
    - multiple punctuation marks (" , ?)
    - probably won't be able to crack even if they used lyrics in their dictionary attack
    - fairly easy to remember (alternate words between first and second half of quote)

  2. As Ray said,
    longer passwords are better. Dictionary attacks are foiled by having enough words and obscure words, plus punctuation.

  3. thank you; Appreciated.

    not sure how i'd remember the n#7 (randomness), but I gather they were plucked from the air, and I use replacements I can remember...

    thanks DarkDuck.

    1. Ray, I don't use the words themselves, only the randomly encrypted initial letters. The trick is to transfer the memory of each word to a single keystroke.

  4. I have a small webapp that I also have as a win32 executable and a linux zenity script. Pretty much what I do is md5sum("google.com:salt") and take the last 12 digets of the md5 sum.

    So all my passwords are long, very random, and I don't need to remember them because I can recreate them whenever needed.

  5. see Steve Gibson's research on password security at grc.com