Unpredictability is key
Passwords seem to be today's topic. By pure coincidence, I just came across this article from the Economist a couple of months ago, on the subject of how people pick passwords. It brings up the topic of so-called "mnemonic passwords".
I first came across these when I got to Memento a few years ago. My colleague Bob was setting me up on various systems, and set one of them up with a strange-looking password: it looked like there was something to it, but it was kind of a jumble. When I went to him and asked about it, he explained that it was a somewhat hacked acronym of a particular line from a particular poem -- suddenly, the password was completely transparent to me, easy to remember despite being cryptic and at least *somewhat* secure.
I've used those a lot since then; indeed, it's become my go-to technique for those relatively rare cases where I need a password that I actually have to *remember*. (As opposed to a generated LastPass password.) But it occurred to me early on, and has been confirmed in a number of security articles, that these things aren't a panacea. In particular, if all you do is take the acronym of the first line of a well-known song or poem it's not really all that secure: a smart dictionary attack just needs a database of major songs and poems (and really, that database isn't *that* large), run the obvious acronymizing on that, and it'll still come up with some good guesses.
That said, the technique still works well -- you just have to step it up a bit by injecting a little bit of random whimsy into it.
For instance, let's take one of my old passwords: "1234,CIhalittleM?" This is, of course, a famous Beatles line: "One, two, three, four: can I have a little more?" It's a good candidate for this technique: doing it in the obvious way would give you "1234cIhalm?", and that has all the elements of a good password: a decent length, a mix of numbers, letters and symbols, and not a word in any dictionary. But it could still be cracked, precisely because it *is* the obvious permutation of the line: that reduces the search space to a manageable length.
But by tweaking it with a little bit of randomness -- injecting that comma between the phrases, capitalizing the M and spelling out "little" -- the password becomes *much* more secure. Since each possible line has many possible "whimsies" in it, using a few of them increases the difficulty of the password by a fairly big multiplier. It's not impossible to crack (especially if, say, you were known to always use Beatles-based passwords), but it becomes hard enough to usually not be worth it.
So I recommend this approach, of using a mnemonic based on song or story: it works well if used right, and can produce passwords that are fairly easy to remember but hard to crack. But don't generally use the first line or the title, choose a more-obscure song if possible, and always toss in at least one inconsistent detail: a word or number spelled out, a symbol used somewhere odd, a strangely-chosen capital letter, and so on. Just a few of these tweaks can change a password from Okay to Solid...
I first came across these when I got to Memento a few years ago. My colleague Bob was setting me up on various systems, and set one of them up with a strange-looking password: it looked like there was something to it, but it was kind of a jumble. When I went to him and asked about it, he explained that it was a somewhat hacked acronym of a particular line from a particular poem -- suddenly, the password was completely transparent to me, easy to remember despite being cryptic and at least *somewhat* secure.
I've used those a lot since then; indeed, it's become my go-to technique for those relatively rare cases where I need a password that I actually have to *remember*. (As opposed to a generated LastPass password.) But it occurred to me early on, and has been confirmed in a number of security articles, that these things aren't a panacea. In particular, if all you do is take the acronym of the first line of a well-known song or poem it's not really all that secure: a smart dictionary attack just needs a database of major songs and poems (and really, that database isn't *that* large), run the obvious acronymizing on that, and it'll still come up with some good guesses.
That said, the technique still works well -- you just have to step it up a bit by injecting a little bit of random whimsy into it.
For instance, let's take one of my old passwords: "1234,CIhalittleM?" This is, of course, a famous Beatles line: "One, two, three, four: can I have a little more?" It's a good candidate for this technique: doing it in the obvious way would give you "1234cIhalm?", and that has all the elements of a good password: a decent length, a mix of numbers, letters and symbols, and not a word in any dictionary. But it could still be cracked, precisely because it *is* the obvious permutation of the line: that reduces the search space to a manageable length.
But by tweaking it with a little bit of randomness -- injecting that comma between the phrases, capitalizing the M and spelling out "little" -- the password becomes *much* more secure. Since each possible line has many possible "whimsies" in it, using a few of them increases the difficulty of the password by a fairly big multiplier. It's not impossible to crack (especially if, say, you were known to always use Beatles-based passwords), but it becomes hard enough to usually not be worth it.
So I recommend this approach, of using a mnemonic based on song or story: it works well if used right, and can produce passwords that are fairly easy to remember but hard to crack. But don't generally use the first line or the title, choose a more-obscure song if possible, and always toss in at least one inconsistent detail: a word or number spelled out, a symbol used somewhere odd, a strangely-chosen capital letter, and so on. Just a few of these tweaks can change a password from Okay to Solid...