Jon Singer (jonsinger) wrote,

Fun with passwords; also a bit of a peeve...

Let me get my [very brief] peeve about an annoyance out of the way first:

I find, on several sites, a claim that the dielectric constant of water is 80, and the dielectric strength is zero. This is a crock. At low frequencies the dielectric constant of water is maybe 4.3, and the dielectric strength is minimal; but at high frequencies the dielectric constant of [very pure] water is about 79 at room temperature, and the dielectric strength is on the order of 1 gigavolt per meter (!). Water is extensively used in capacitors and transmission lines for pulsed high-voltage applications. Here’s a reference, for anyone who doubts this, or who is intrigued by the idea of using water as an insulator or a dielectric material.

So. On to the main subject of this posting:

Here is my protocol for making up passwords, which I hope will at least amuse, and perhaps even prove useful. After I list the steps, I’ll provide a few examples.

  1. Think of a phrase (or a word, if it’s long enough) that you like, and that you can easily remember. Ommatidium (not long enough by itself, but there are things one can do about that). Hippopotamonstrosesquipedalian (rather too long for most sites, but one can always use part of a long word). Kartoffelpuffer (gesundheit). Shou Wu Chih. “Not with a bang, but a whimper.” “Vaster than Empires, and more slow.” Ambystoma maculatum ...Whatever, just so it works for you.

  2. Think of an easy way to remember it: a mnemonic of some sort. I often come up with a mnemonic first, and have to fit a password to it. (Notice that the quotations above are better suited to being mnemonics than passwords.) Again, this is about whatever works for you.

  3. Write down the mnemonic. At this stage, you can even write down the word/phrase/whatever that is going to become the password, provided you can erase it very thoroughly.

  4. Modify the protopassword until it is suitable for use. (See the Ars Technica article [link, below] before you decide what constitutes a suitable pw!) Do NOT write it down. Anywhere. (I probably don’t have to say that, but better safe than sorry.) If you don’t have a good memory, repeat it and rehearse it, along with the mnemonic, until they both stick firmly in your mind, and they are tied firmly to each other.

  5. Maintain a list of the mnemonics, and review it often enough that you continue to remember the passwords they refer to.

(I will confess that I don’t review my own list quite often enough, and that I have lost a few, some of which I’ve recovered and some of which I haven’t. A bit further down the page I will tell you one of them.)

NOTE: Do NOT (!) use any of the passwords that I have generated as examples for this posting! They are right there, in cleartext, for any cracker to copy and add to a wordlist, and are therefore worse than useless.

Also note: Kathy Forer, in a comment elsewhere, has suggested this article, which is seriously worth reading. (Thanks for the pointer, Kathy!) I begin to suspect that I need to refine the method as I have presented it here, even though it seems to produce slightly better passwords than most of the ones the article mentions.

In any case, on to...

An example:

The General Prolog to Geoffrey Chaucer’s Canterbury Tales begins with the words “Whan that Aprille with his shoures soote...” The word “prolog” isn’t long enough, but if we fall back to Greek we get prolegomenon, which is a dozen characters, and is similar. (I haven’t checked, but I suspect that it even has essentially the same meaning.)

Just for yucks, let’s start by turning it around backwards: nonemogelorp. That isn’t nearly enough of a change, so I will pretend that the “L” is a capital letter, and reverse it to make “J”. Similarly, the “p” at the end can become a “q”: nonemogejorq. At this point it can’t be cracked by a dictionary search, even with the letters in reverse order, but that’s only a start.

Now we change some letters into numbers or symbols, and capitalize a few things. This results in n0n3M*G3j0rq, which is probably a viable password as it stands, but further tweaking is always possible and occasionally necessary. If a site won’t let you use an asterisk, you can always change it to a hyphen or an underscore or a period, depending. (I have encountered a few sites that insist on alphanumeric-only, in which case it reverts to a zero or an “O”, either lowercase or capitalized.) If you need or want more characters, you can put other things, preferably symbols, around or into it: n0n3%M*G%j0rq, for example.

Notice that the tweaked version looks like the kind of randomoid glop that a password-generation program might give you, but in fact it is nothing of the sort. That’s because humans are greatly nonrandom. Also, you will have come up with it yourself, which should, we hope, help you remember it (or maybe reconstruct it) when you need to. (Ahem. See below for a counterexample.) In any case, please remember that just using a word, or even more than one word, without doing some pretty serious mangling to it/them, is not going to get you anything viable.
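To put a number on the "humans are greatly nonrandom" point, here is an added keyspace estimate (my code, not the author's) for the recipe above: reverse or not, per-letter case or substitution, and an optional symbol in a couple of slots, as seen by an attacker who knows the recipe but not the base word. It also scores the two-words-plus-number-and-symbol pattern that comes up in the comments and a generated random string; the substitution table, symbol set, word-list size and guess rate are constructed assumptions, not figures from the post.

```python
import math

# Constructed substitution table modelled on the post's examples (o -> 0 or *,
# e -> 3, p -> q, l -> J, ...). Not the author's exact rules: an assumption.
LEET = {"a": "4@", "e": "3", "g": "9", "i": "1!", "l": "1J",
        "o": "0*", "p": "q", "s": "5$z", "t": "7"}
SYMBOLS = "!@#$%^&*-_."          # constructed set of wrap/insert symbols
DICT_WORDS = 2 ** 17             # assumed size of the attacker's word list
GUESSES_PER_SEC = 3e11           # assumed rate ("hundreds of billions")


def mangled_variants(word, rules=LEET, symbols=SYMBOLS, insert_slots=2):
    """Number of distinct passwords the recipe can derive from one base word:
    optional reversal, per-letter case or substitution, and an optional
    symbol in each of `insert_slots` places (around or inside the word)."""
    total = 2                                   # reversed or not
    for ch in word.lower():
        alternatives = len(rules.get(ch, ""))
        # a letter can stay lower, go upper, or become one substitute
        total *= (2 if ch.isalpha() else 1) + alternatives
    total *= (1 + len(symbols)) ** insert_slots  # slot: nothing or one symbol
    return total


def mangled_keyspace(word, dictionary_size=DICT_WORDS):
    """Keyspace faced by an attacker who knows the recipe but not the word."""
    return dictionary_size * mangled_variants(word)


def two_word_keyspace(dictionary_size=DICT_WORDS, digits=2, symbols=SYMBOLS):
    """Keyspace of the 'word + symbol + number + word' pattern."""
    return dictionary_size ** 2 * 10 ** digits * len(symbols)


def random_keyspace(length, charset_size=94):
    """Keyspace of a generated password over `charset_size` printable chars."""
    return charset_size ** length


def bits(keyspace):
    return math.log2(keyspace)


def seconds_to_exhaust(keyspace, rate=GUESSES_PER_SEC):
    return keyspace / rate


if __name__ == "__main__":
    for label, space in [
        ("12-letter word, mangled", mangled_keyspace("prolegomenon")),
        ("two words + digits + symbol", two_word_keyspace()),
        ("12 random printable chars", random_keyspace(12)),
        ("20 random printable chars", random_keyspace(20)),
    ]:
        years = seconds_to_exhaust(space) / (365 * 24 * 3600)
        print(f"{label:30s} {bits(space):6.1f} bits  {years:.3g} years to exhaust")
```

Under these assumptions the mangled 12-letter word comes out near 43 bits, well short of the roughly 78 bits a 12-character random string carries, which is why the comments' generated passwords and the author's later "nothing that uses real words" conclusion line up.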

Somewhere in here you need to come up with a mnemonic if you haven’t already done so. For this particular pw I probably wouldn’t use anything quite as direct as “Consider the General Prolog to Chaucer’s Canterbury Tales” although that’s not actually unreasonable. As it happens, though, I take a certain amount of delight in obfuscating these things by at least one more level, so I might use something on the order of “Get Thee to a Chaucery; to a Chaucery, go!”, or “April may be the cruelest month, but it’s also the softest” [or perhaps the sweetest; I’ve seen soote rendered as “sweet”, though that seems rather odd to me] — the idea is that you need to be able to associate the mnemonic with the password, and you get to do that any way you care to. If you don’t want or need additional obfuscation (if it makes the password harder to remember instead of easier, for example), don’t bother with it. The mnemonic is for you, and you need it to work. Just be sure that nobody else is going to figure it out.

Sometimes I modify the mnemonic to remind myself that I have added extra characters; sometimes I don’t. Sometimes I modify the mnemonic even though I haven’t done that. A bit of extra obscuration is entirely appropriate for anything you expect to put where other people will see it. Also, I sometimes include a hint if I think I may have trouble remembering later on: “He will see you now. [think: I was behind the beaded curtain at the time]” With sufficient repetition, however, the need for hints tends to decrease or evaporate, and I restrict most of them to my master list.

[I tend, when presented with one of my mnemonics, to remember some early or intermediate stage in the construction of the actual pw; then I remember where I went with it. That seems reasonable and even expectable, but who is to say whether other people run their heads the same way I run mine?]

Another example:

I was driving one day, and found myself behind a car with a specialized license plate. The car was owned by a fraternity member, and it had the Greek characters Ω Ψ Φ on it. I took one glance and said, “Geez; that would mean the end of science fiction as we know it!”

I would, once again, reverse this, so it becomes ihPisPagemO; and again, I would toy with it. It would end up being something on the order of !Hp1sP8G3m0!, and the mnemonic doesn’t really have to be much more complex than “the end of science fiction as we know it’, though if I were actually planning on using this pw it probably would be.

I mentioned, above, the fact that I occasionally lose one of these, and this is the example I was thinking of. I looked at my list of potential and actual passwords one day, and could not remember what had led me to the end of SF; many months later I found myself stopped in traffic behind the same or another car with that same fraternity name on its license plate, and said the same sentence to myself, followed immediately by something I will approximate as “@#)*$#@$!!”

A third example:

I happen to be a Richard Thompson fan. One evening, a bunch of years back, I saw him perform with Danny Thompson [not related] at the Folklife Festival, in Seattle. At one point during the performance he said words to the effect of “Now I shall perform a medley of my hit, Due Piedi Sinistri.” He then played [no surprise] “Two Left Feet”. This is entirely straightforward; the Italian very easily goes to 1rtz1N!Z!b32q3Ub or some variant thereof, and the obvious mnemonic (a bit too obvious, actually) is “Now I shall perform a medley of my hit.” Not, mind you, that anyone who hasn’t been a member of an appropriate Richard Thompson audience would ever twig to the meaning, and not that they’d be likely to get from there to the actual password; but it pays to be extra-careful about these things, and this one is not quite obscure enough to suit me, which is why I’m willing to reveal it: I am not about to use any of these examples, and I’m not from Crete.

Mnemonics: A Challenge

I defy anyone to figure out my password from any of the following mnemonics. If you can do so I will happily hand you a hundred bucks, which I cannot afford. [No fair if you’ve watched me type it, and memorized the keystrokes. In fact, if you did that you should be ashamed of yourself for watching — the only time you should ever watch anyone type a password is if they have asked you to, or conceivably if they are breaking the law and you will need to do something about it. Also no fair if I’ve told it to you, though I don’t think I’ve done that with any of these.]

  • The NetGrrl takes her little pooch for a walk, around and around and around the block.

  • John Dickson Carr liked well-buttressed suspension bridges with a little extra.

  • My vote for Roger Lee.

  • Frank’s little sister went into the pool with nary a splash.

  • The Enzyme

(I will confess that the last of those is something I came up with very early on, and I would not use it today without performing serious modifications to it. Even so, it isn’t going to be easy to figure out. The password itself, however, would be trivially easy for a good program to crack, at least in its current form.)

I should note, btw, that my source for hippopotamonstrosesquipedalian is a delightful little book called Mrs. Byrne’s Dictionary.
Tags: passwords creativity amusements water ca
My algorithm for developing a new password:

1. Make sure the secondary ID token is plugged into the USB hub
2. Open KeePass
3. Type the pass-phrase that unlocks the password database
4. Click the "add entry" icon
5. Fill in the "title" (often a DNS name) and "user" fields
(The password is pre-generated and already in place)
6. Click "ok".

Well, actually, I may have to go down into the password-generating form and change the params if the site stupidly limits me to less-secure passwords (I run into sites that don't allow non-alphanumeric characters!).

Thus, I'm using 20-character random strings for most of my passwords -- and I've never laid eyes on most of them. For some reason that last fact makes me unreasonably happy.

I can access the same password database from my laptop, and from my phone, in both cases via DropBox.

What I hate worst: Sites and applications that go to great lengths to prevent you from pasting in the password. Having to type them in by hand means I pick a much less secure password.

What I hate second-worst: Sites that prevent Firefox from storing their passwords (under a good master password, naturally). Paypal is the worst offender here. I use credit cards directly considerably more often because Paypal has made it inconvenient or unsafe to use their service (I use a good password, and hence have to manually look it up in KeePass and paste it).

I've got a method I use for developing certain passwords that I have to type in by hand regularly -- first developed for a work password that had to be changed monthly, and typed in every time I'd been away from the desk for more than 5 minutes. However, I'm not sufficiently confident of its strength to exhibit the algorithm. A design constraint included being able to defeat the "duplicate password" detection algorithms, which it has done everywhere I've tried it so far.

I actually have an unreasonable number of passwords that I remember, including one that I couldn't look up if I forgot it (the password to the KeePass database, obviously). Let's see -- KeePass database, bank card pin, other bank card pin, Firefox master password, file server user ddb password, SSH private key passphrase, fire safe combination, emergency gun box combination, house alarm disarm code. I'm probably forgetting to mention some.

There are also two lock combinations from my childhood that I'm still wasting neurons on: 12-22 and 8-10-7. (Both locks are long gone.) Haven't figured out how to forget these yet :-)

I really should write down the Firefox password and the KeePass password and put a copy in the fire safe -- which Pamela in theory has access to. I'm not planning on dropping dead any time soon, but it's never too early to give some consideration to the convenience of others after it's not my problem any more. Anybody could get into that safe (it's primarily a fire safe, not a security safe, but in any case no safe you could possibly consider having in your home is rated to resist attack with modern tools for more than half an hour), but not without leaving clear tracks.

I'm going drastically against the "never write it down" mantra, obviously. At one point, I was holding root passwords for about 6 servers belonging to other people on the Internet, and was simply pushed past what I could reliably remember. I started out using Counterpane (Bruce Schneier)'s Password Safe, and later moved on to KeePass to get support across more OSs and devices. I'm kind of betting everything, from an online security point of view, on the encryption in KeePass, and that does represent a single point of failure.

Although it is clear that a good generator will make viable passwords, I have two collywobbles about it. First, you've never seen most of your passwords, and you don't even know what they are. I'm sure that's viable for some folks (you explicitly note that it makes you happy), but it would scare the pants off me. Second, as you point out, it creates the possibility of a single point of failure, and that scares me even worse. I'd write down the master PW on three pieces of paper, and put them into three separate safety deposit boxes (or, in your case, two safety deposit boxes and one fire safe). Nothing quite like having an offsite backup, in case the fire safe becomes inaccessible for whatever bizarro-world reason. Third (forget the ruddy Spanish Inquisition, already), there's no amusement in it. ...Not that that really matters, in the Greater Scheme of Things, but still.

Hope to see you & yours in a little over a week.

Best —
I have enough passwords I DO have to remember (or at least, that it's so much more convenient to remember) that I get my amusement value from those :-).

I've looked at enough of the random passwords to know that they do exactly what they say -- combine random strings of the sets of characters that I check off on the form. And those passwords are consistently given the top rating by sites that rate passwords when you enter them.

There are currently 686 entries in my KeePass database. Any kind of "remembering" operation is out of scope well over an order of magnitude away from there for me (I'm sure there are people who could actually remember that many unique good passwords -- but not very many!).

I definitely should make some additional backup provisions for one or two passwords, particularly the KeePass database -- especially since I changed it this year. I do tend to use it multiple times a day, which limits my chances of just forgetting it. (It's also now a two-factor setup, with a file needed as well as the password; I do have additional secure backups of that file.)

I checked last year, my bank doesn't even rent safety deposit boxes. Don't know what the world is coming to! I've never actually had one, but this is something like the fourth safe I've owned. On the third hand (or whatever I'm up to), even the current safe, a good fire-safe (UL 2-hour fire rating, ETL 2-hour media rating) isn't that secure physically. On the fourth hand, it's pretty secure against *invisible* entry, and my threat situation just isn't that severe (I'm not protecting nuclear launch codes here!). The delay in getting access after a fire is a risk, as is the risk that it'll be crushed by the whole house falling down onto it, or for that matter that the twister will somehow take it off to Oz.

I don't know a better way to make tamper-evident backup of very small data (keys) than sealing wax, and that hasn't been adequate for many centuries now.

Huh; I should ask Bruce about that.


June 2 2013, 04:17:45 UTC

My algorithm for passwords:
Find a random Windows product key.
Reverse the digits, then randomly reverse the clusters of letters.
Add random non-alphanumeric characters between each set of alphanumerics.
Memorize the hell out of that sucker.

Of course, just in case I forgot, I wrote it down and put it up on my refrigerator.
Teehee. We likes it, though putting it on the fridge does open you up to certain forms of social engineering.

Best —


June 2 2013, 15:49:02 UTC

For 90% of the folks out there, a good standby is two unrelated words separated by a number and a symbol. cat*67boat for instance. Generally easy to remember (easier if you make a mnemonic), resistant to dictionary attack, and simple enough for Mom or Dad to get comfortable enough with that they might actually start using different passwords for different things. Yes, for high security stuff, something more complex like Mr. Singer shows above would be far better, but as a first step to help those who use their daughter's birthday and middle name as the password for their email, bank account, facebook login and workplace login password, it's a good start.

I would have posted this other than Anonymously, but Livejournal wanted to access my name, address, date of birth, friends list, blood type, mother's maiden name, etc. Sorry. If my name and IP isn't good enough, oh well, you just get my IP address.

Alas, if you read the article I added a link to, you'll discover that this method is no longer viable. It appears that a good cracking program does hundreds of billions of tests per second, and can perform an exhaustive search of a remarkably large character space in very short time. I don't think anything less than 12 chars is viable any more, and I don't think anything that uses real words is particularly good. Sigh.

I am perfectly okay with you posting Anonymously; you have my apologies for being slow about unscreening your cmts and getting back to you on them.

Best —
I use a strategy somewhat similar to Jon's, but for regularly changing passwords, as at the office, I draw keywords from two or more newspaper front page stories.

Looking at Saturday's paper I would get something like "Ford Biennale cleaning" - top stories of the Globe and Mail being Rob Ford, Venice Biennale, and "feminism's final frontier - who cleans the toilet bowl".

My passwords go in a password keeper app on my Blackberry, which will "self-destruct" or security wipe on ten bad passwords. My hints go on a novelty pad headed "my secret passwords".

This makes sense to me, though as I pointed out to "Anonymous", above, I am now very uneasy about anything that involves actual words.

Best —