June 1st, 2013

December 2014, by PNH

Fun with passwords; also a bit of a peeve...

Let me get my [very brief] peeve about an annoyance out of the way first:

I find, on several sites, a claim that the dielectric constant of water is 80, and the dielectric strength is zero. The first half of that is fine; the second half is a crock. The static (low-frequency) dielectric constant of very pure water is about 80 at room temperature (it falls to under 2 at optical frequencies), and what makes ordinary water a poor insulator for steady voltages is its conductivity, not any lack of breakdown strength. For short pulses, very pure water holds off fields on the order of tens of megavolts per meter and more, which is why it is extensively used as the dielectric in capacitors and transmission lines for pulsed high-voltage applications. Here’s a reference, for anyone who doubts this, or who is intrigued by the idea of using water as an insulator or a dielectric material.

So. On to the main subject of this posting:

Here is my protocol for making up passwords, which I hope will at least amuse, and perhaps even prove useful. After I list the steps, I’ll provide a few examples.

  1. Think of a phrase (or a word, if it’s long enough) that you like, and that you can easily remember. Ommatidium (not long enough by itself, but there are things one can do about that). Hippopotamonstrosesquipedalian (rather too long for most sites, but one can always use part of a long word). Kartoffelpuffer (gesundheit). Shou Wu Chih. “Not with a bang, but a whimper.” “Vaster than Empires, and more slow.” Ambystoma maculatum... Whatever, just so it works for you.

  2. Think of an easy way to remember it: a mnemonic of some sort. I often come up with a mnemonic first, and have to fit a password to it. (Notice that the quotations above are better suited to being mnemonics than passwords.) Again, this is about whatever works for you.

  3. Write down the mnemonic. At this stage, you can even write down the word/phrase/whatever that is going to become the password, provided you can erase it very thoroughly.

  4. Modify the protopassword until it is suitable for use. (See the Ars Technica article [link, below] before you decide what constitutes a suitable pw!) Do NOT write it down. Anywhere. (I probably don’t have to say that, but better safe than sorry.) If you don’t have a good memory, repeat it and rehearse it, along with the mnemonic, until they both stick firmly in your mind, and they are tied firmly to each other.

  5. Maintain a list of the mnemonics, and review it often enough that you continue to remember the passwords they refer to.

(I will confess that I don’t review my own list quite often enough, and that I have lost a few, some of which I’ve recovered and some of which I haven’t. A bit further down the page I will tell you one of them.)

NOTE: Do NOT (!) use any of the passwords that I have generated as examples for this posting! They are right there, in cleartext, for any cracker to copy and add to a wordlist, and are therefore worse than useless.

Also note: Kathy Forer, in a comment elsewhere, has suggested this article, which is seriously worth reading. (Thanks for the pointer, Kathy!) I begin to suspect that I need to refine the method as I have presented it here, even though it seems to produce slightly better passwords than most of the ones the article mentions.

In any case, on to...

An example:

The General Prolog to Geoffrey Chaucer’s Canterbury Tales begins with the words “Whan that Aprille with his shoures soote...” The word “prolog” isn’t long enough, but if we fall back to Greek we get prolegomenon, which is a dozen characters, and is similar. (I haven’t checked, but I suspect that it even has essentially the same meaning.)

Just for yucks, let’s start by turning it around backwards: nonemogelorp. That isn’t nearly enough of a change, so I will pretend that the “L” is a capital letter, and reverse it to make “J”. Similarly, the “p” at the end can become a “q”: nonemogejorq. At this point a plain dictionary search won’t find it; but be aware that reversing a word is a stock mangling rule in password crackers (both hashcat and John the Ripper have one), so this is only a start.

Now we change some letters into numbers or symbols, and capitalize a few things. This results in n0n3M*G3j0rq, which is probably a viable password as it stands, but further tweaking is always possible and occasionally necessary. If a site won’t let you use an asterisk, you can always change it to a hyphen or an underscore or a period, depending. (I have encountered a few sites that insist on alphanumeric-only, in which case it reverts to a zero or an “O”, either lowercase or capitalized.) If you need or want more characters, you can put other things, preferably symbols, around or into it: n0n3%M*G%j0rq, for example.

Notice that the tweaked version looks like the kind of randomoid glop that a password-generation program might give you, but in fact it is nothing of the sort. That’s because humans are greatly nonrandom, and because every step above (reverse, swap letters for digits or symbols, capitalize a few letters, wrap the result in symbols) is exactly the kind of transformation a cracker’s rule file applies to every word in its dictionary; a password built this way is only as strong as the base word’s obscurity plus the size of the rule set, and nowhere near the roughly 79 bits that 12 genuinely random printable characters would give you. On the other hand, you will have come up with it yourself, which should, we hope, help you remember it (or maybe reconstruct it) when you need to. (Ahem. See below for a counterexample.) In any case, please remember that just using a word, or even more than one word, without doing some pretty serious mangling to it/them, is not going to get you anything viable.
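To make the cracker’s side of this concrete, here is an added example (the editor’s illustration, not the author’s own tooling) that expresses the recipe from steps 1 through 4 and the prolegomenon example as hashcat-style mangling rules, then runs those rules over a small word list the way a dictionary-plus-rules attack would. The word list, the rule set, the target password (built from “prolegomenon” by the same recipe, but not the one in the text), and the use of SHA-256 as the stored hash are all constructed for the example; the subset of hashcat rule syntax implemented is the real one, but only a handful of its functions are supported.

```python
"""Added example (editor's illustration, not the post's own code).

Reproduces the post's mangling recipe as hashcat-style rules, then runs
those rules the way a cracker would over a small constructed word list,
to show how many candidates stand between a base word and the finished
password.  Word list, rule set and target are all constructed."""
import hashlib
import itertools
import math

# hashcat/John position characters: 0-9, then A-Z for positions 10..35
POS = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def apply_rule(rule, word):
    """Apply a subset of hashcat rule syntax to word.

    Supported: ':' no-op, 'l' lower, 'u' upper, 'c' capitalize,
    't' toggle all, 'TN' toggle case at position N, 'r' reverse,
    'd' duplicate, '$X' append X, '^X' prepend X, 'sXY' replace X with Y.
    Spaces separate functions and are ignored, as in hashcat rule files.
    """
    w = word
    i = 0
    while i < len(rule):
        f = rule[i]
        if f == " " or f == ":":
            pass
        elif f == "l":
            w = w.lower()
        elif f == "u":
            w = w.upper()
        elif f == "c":
            w = w[:1].upper() + w[1:].lower()
        elif f == "t":
            w = w.swapcase()
        elif f == "r":
            w = w[::-1]
        elif f == "d":
            w = w + w
        elif f == "$":
            i += 1
            w = w + rule[i]
        elif f == "^":
            i += 1
            w = rule[i] + w
        elif f == "s":
            w = w.replace(rule[i + 1], rule[i + 2])
            i += 2
        elif f == "T":
            i += 1
            n = POS.index(rule[i])
            if n < len(w):  # hashcat skips a toggle past the end of the word
                w = w[:n] + w[n].swapcase() + w[n + 1:]
        else:
            raise ValueError("unsupported rule function: %r" % f)
        i += 1
    return w


def rule_space(max_len=12):
    """Every combination of the post's transformations, as rule strings:
    optional reverse, any subset of five leet substitutions, the post's
    L->J / p->q mirroring, up to two case toggles, and a few decorations."""
    reverse = ["", "r"]
    leet = ["so0", "se3", "sa4", "si1", "ss5"]
    leet_sets = [" ".join(c) for k in range(len(leet) + 1)
                 for c in itertools.combinations(leet, k)]
    mirror = ["", "slj spq"]
    toggles = [""] + ["T" + POS[i] for i in range(max_len)]
    toggles += ["T%s T%s" % (POS[i], POS[j])
                for i, j in itertools.combinations(range(max_len), 2)]
    wraps = ["", "^! $!", "^% $%", "$!", "$1"]
    for parts in itertools.product(reverse, leet_sets, mirror, toggles, wraps):
        yield " ".join(p for p in parts if p)


def crack(target_hash, wordlist, rules):
    """Dictionary + rules attack: returns (plaintext, rule, candidates tried)."""
    tried = 0
    for word in wordlist:
        for rule in rules:
            cand = apply_rule(rule, word)
            tried += 1
            if hashlib.sha256(cand.encode()).hexdigest() == target_hash:
                return cand, rule, tried
    return None, None, tried


def effective_bits(dict_size, n_rules):
    """Work factor of a dictionary+rules attack, in bits (log2 of candidates)."""
    return math.log2(dict_size * n_rules)


# Constructed target built by the post's recipe from "prolegomenon":
# reverse, o->0, e->3, L->J, p->q, capitalize two letters, wrap in "!".
TARGET = "!n0n3M0G3j0rq!"
TARGET_HASH = hashlib.sha256(TARGET.encode()).hexdigest()
WORDLIST = ["password", "ommatidium", "prolegomenon", "kartoffelpuffer"]  # constructed

if __name__ == "__main__":
    rules = list(rule_space())
    found, rule, tried = crack(TARGET_HASH, WORDLIST, rules)
    print("rules per word: %d" % len(rules))
    print("recovered %r with rule %r after %d candidates" % (found, rule, tried))
    # A real attack uses a 100k+ word dictionary; the rule multiplier stays the same.
    print("work factor for 100,000 words: %.1f bits" % effective_bits(100_000, len(rules)))
    print("12 random printable characters: %.1f bits" % math.log2(95 ** 12))
```

The rule space here is about fifty thousand rules per word, so even against a hundred-thousand-word dictionary the whole search is roughly 2^32 candidates, which a GPU rig works through in seconds for fast unsalted hashes like MD5 or NTLM. The idiosyncratic L-to-J and p-to-q step costs an attacker exactly one extra rule line once the trick is known, which is the general lesson: whatever strength a hand-mangled password has lives in the parts of the recipe the attacker has not thought to encode, and that is a thin margin.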

Somewhere in here you need to come up with a mnemonic if you haven’t already done so. For this particular pw I probably wouldn’t use anything quite as direct as “Consider the General Prolog to Chaucer’s Canterbury Tales” although that’s not actually unreasonable. As it happens, though, I take a certain amount of delight in obfuscating these things by at least one more level, so I might use something on the order of “Get Thee to a Chaucery; to a Chaucery, go!”, or “April may be the cruelest month, but it’s also the softest” [or perhaps the sweetest; I’ve seen soote rendered as “sweet”, though that seems rather odd to me] — the idea is that you need to be able to associate the mnemonic with the password, and you get to do that any way you care to. If you don’t want or need additional obfuscation (if it makes the password harder to remember instead of easier, for example), don’t bother with it. The mnemonic is for you, and you need it to work. Just be sure that nobody else is going to figure it out.

Sometimes I modify the mnemonic to remind myself that I have added extra characters; sometimes I don’t. Sometimes I modify the mnemonic even though I haven’t done that. A bit of extra obscuration is entirely appropriate for anything you expect to put where other people will see it. Also, I sometimes include a hint if I think I may have trouble remembering later on: “He will see you now. [think: I was behind the beaded curtain at the time]” With sufficient repetition, however, the need for hints tends to decrease or evaporate, and I restrict most of them to my master list.

[I tend, when presented with one of my mnemonics, to remember some early or intermediate stage in the construction of the actual pw; then I remember where I went with it. That seems reasonable and even expectable, but who is to say whether other people run their heads the same way I run mine?]

Another example:

I was driving one day, and found myself behind a car with a specialized license plate. The car was owned by a fraternity member, and it had the Greek characters Ω Ψ Φ on it. I took one glance and said, “Geez; that would mean the end of science fiction as we know it!”

I would, once again, reverse this, so it becomes ihPisPagemO; and again, I would toy with it. It would end up being something on the order of !Hp1sP8G3m0!, and the mnemonic doesn’t really have to be much more complex than “the end of science fiction as we know it”, though if I were actually planning on using this pw it probably would be.

I mentioned, above, the fact that I occasionally lose one of these, and this is the example I was thinking of. I looked at my list of potential and actual passwords one day, and could not remember what had led me to the end of SF; many months later I found myself stopped in traffic behind the same or another car with that same fraternity name on its license plate, and said the same sentence to myself, followed immediately by something I will approximate as “@#)*$#@$!!”

A third example:

I happen to be a Richard Thompson fan. One evening, a bunch of years back, I saw him perform with Danny Thompson [not related] at the Folklife Festival, in Seattle. At one point during the performance he said words to the effect of “Now I shall perform a medley of my hit, Due Piedi Sinistri.” He then played [no surprise] “Two Left Feet”. This is entirely straightforward; the Italian very easily goes to 1rtz1N!Z!b32q3Ub or some variant thereof, and the obvious mnemonic (a bit too obvious, actually) is “Now I shall perform a medley of my hit.” Not, mind you, that anyone who hasn’t been a member of an appropriate Richard Thompson audience would ever twig to the meaning, and not that they’d be likely to get from there to the actual password; but it pays to be extra-careful about these things, and this one is not quite obscure enough to suit me, which is why I’m willing to reveal it: I am not about to use any of these examples, and I’m not from Crete.

Mnemonics: A Challenge

I defy anyone to figure out my password from any of the following mnemonics. If you can do so I will happily hand you a hundred bucks, which I cannot afford. [No fair if you’ve watched me type it, and memorized the keystrokes. In fact, if you did that you should be ashamed of yourself for watching — the only time you should ever watch anyone type a password is if they have asked you to, or conceivably if they are breaking the law and you will need to do something about it. Also no fair if I’ve told it to you, though I don’t think I’ve done that with any of these.]

  • The NetGrrl takes her little pooch for a walk, around and around and around the block.

  • John Dickson Carr liked well-buttressed suspension bridges with a little extra.

  • My vote for Roger Lee.

  • Frank’s little sister went into the pool with nary a splash.

  • The Enzyme

(I will confess that the last of those is something I came up with very early on, and I would not use it today without performing serious modifications to it. Even so, it isn’t going to be easy to figure out. The password itself, however, would be trivially easy for a good program to crack, at least in its current form.)

I should note, btw, that my source for hippopotamonstrosesquipedalian is a delightful little book called Mrs. Byrne’s Dictionary.