Mnemonic Strong Password Generation

    This article was written by Habr user stboris under the "Ideas Green card" program.

    In my life I often run into the need to come up with a password for a new account of mine (and sometimes someone else's).

    Passwords should be fairly complex, otherwise they are easy to guess (greetings to the happy owners of the passwords god, sex and love). They should also be different for each service where possible: even a very complex password, if it is reused everywhere, turns one leaked database into a compromise of every account that shares it.
    Remembering dozens of passwords made of random letters of mixed case, digits and special characters is not a trivial task.

    My memory works on a peculiar principle of its own, something like "here I remember, here I don't". I met a friend's girlfriend four times and simply could not remember her. But my memory has a bonus: it works very well with associations.
    I also used to play a lot of games: Quake, Lineage, WoW and plenty of other online things, and not long ago I noticed that nicknames there are often written not only with letters but also with digits and special characters.

    And so, one day, after putting all of this together, I came up with my own method of generating passwords (someone may well have come up with it before me, but I have not seen it). I have been using it for a long time but never wrote down clear rules for it. So I decided to write this article, both to put the method in order and to share it with people.


    Task



    Create a method that makes it easy to come up with passwords that are strong but easy to remember.

    Solution



    Suppose I have decided to play the online game Vegetable Tycoon (the game is made up; any resemblance is coincidental). I create an account there and need a password.

    Meaningfulness


    To be easy to remember, the password should be meaningful, i.e. it should be a word or phrase. It is well known that people remember associations well, so ideally this word or phrase should be associatively linked to whatever we are creating the password for.

    My association is "eggplant".

    Latin alphabet


    To avoid trouble (encoding problems), the password must be typed in the English layout. Nor should the word or phrase be a Russian (Ukrainian, Arabic, Chinese, etc.) word typed in the English layout: the day you find yourself without a Russian (substitute as needed) keyboard you will be in real trouble. Transliteration is also out, because there is no single transliteration standard. The moral: the most logical solution is to translate the word into a language that uses only the basic Latin alphabet (no diacritics, Cyrillic letters, ideographs, etc.), for example English or Latin. Latin is an interesting choice here, since hardly anyone will bother building a Latin brute-force dictionary. Do not rely on that too much, though: multilingual wordlists exist and a Latin dictionary is small, so the language of the word buys far less than the rest of the rules do.

    Since I do not know Latin, I translate into English. Result: aubergine

    Case


    The password must contain letters of both cases. For ease of memorization we convert half of the word to uppercase. There are several options here: the left or the right half and, if the number of letters is odd, with or without the middle letter.

    I take the first half including the middle letter and convert it to uppercase. Result: AUBERgine

    Special characters


    The password must also contain digits and special characters. For this, pick replacements for some letters of the alphabet using visually similar symbols and digits; the password stays perfectly readable afterwards. This is nothing new to hardcore hackers and pro gamers, many of whom write their nicknames this way, for example a = @, e = 3, i = !, and so on. One nuance: do not replace the whole alphabet, only a certain part of it, otherwise the password may end up consisting of nothing but special characters, which is also not great. Bear in mind too that these substitutions are well known and are built into the rule sets of password-cracking tools, so they add readability more than they add strength; the strength comes from combining all the rules.
    There is also the option of using only the special characters that sit on the digit keys: if some service does not allow special characters, you simply "downshift" them to the digits on the same keys, for example @ = 2, ! = 1, and so on.

    Applying the replacement: @UB3Rg!n3
    For a service that does not allow special characters: 2UB3Rg1n3


    Password length


    For this, the concepts of an "opening" and a "closing" character are introduced: one extra character added at the beginning and one at the end. Sometimes the password has to be made shorter (some services impose a length limit), and then these two characters can simply be dropped. Some services handle passwords that start with a special character badly; in particular, Aurvote for the Arch Linux distribution does not correctly handle passwords beginning with "$". It is therefore sensible to make the "opening" character a digit and the "closing" character a special character.

    I add the "opening" digit "1" and the "closing" special character ")". Result: 1@UB3Rg!n3)

    Well, in my opinion that is not bad at all: an eleven-character password containing every type of character that is still quite readable, and all you really have to remember is the association word.
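    The whole procedure above, from association word to final password, as an added example (code written for this edit, not the author's). It assumes a US keyboard layout for the "downshift" table (Shift+0 through Shift+9; the article itself only states @ = 2 and ! = 1), uses only the three substitutions the article gives, and adds a variants() function that enumerates every password the scheme can produce from one word, which is exactly the kind of rule-based dictionary the Cons section below mentions.

```python
"""Mnemonic password scheme from the article, as a small library.

Steps (word -> password):
  1. uppercase one half of the word (left/right, with/without the middle letter)
  2. replace some letters with visually similar symbols (a=@, e=3, i=!)
  3. wrap it in an "opening" digit and a "closing" special character
  4. optionally "downshift" symbols to the digits on the same keys
"""
import itertools
import string

# Visually similar substitutions given in the article; applied regardless of
# case, which is how AUBERgine becomes @UB3Rg!n3.
LEET = {"a": "@", "e": "3", "i": "!"}

# Shift+0 .. Shift+9 on a US keyboard layout (an assumption of this example;
# the article only states @ = 2 and ! = 1, which this table reproduces).
SHIFTED_DIGITS = ")!@#$%^&*("
DOWNSHIFT = {sym: digit for digit, sym in zip(string.digits, SHIFTED_DIGITS)}


def uppercase_half(word: str, side: str = "left", with_middle: bool = True) -> str:
    """Uppercase one half of the word. For an odd length the middle letter joins
    the uppercased half if with_middle is True and stays lowercase otherwise."""
    half, odd = divmod(len(word), 2)
    if side == "left":
        cut = half + (odd if with_middle else 0)
        return word[:cut].upper() + word[cut:]
    start = half + (0 if with_middle else odd)
    return word[:start] + word[start:].upper()


def leet(text: str, table: dict = LEET) -> str:
    """Substitute letters with their look-alike symbols, case-insensitively."""
    return "".join(table.get(c.lower(), c) for c in text)


def downshift(text: str) -> str:
    """Replace each shifted-digit symbol with the digit on the same key."""
    return "".join(DOWNSHIFT.get(c, c) for c in text)


def build_password(word: str, side: str = "left", with_middle: bool = True,
                   opening: str = "1", closing: str = ")",
                   symbols_allowed: bool = True) -> str:
    """Apply the whole scheme. With symbols_allowed=False the result is the
    digits-only form for services that reject special characters."""
    body = leet(uppercase_half(word, side, with_middle))
    password = opening + body + closing
    return password if symbols_allowed else downshift(password)


def has_all_classes(password: str) -> bool:
    """True if the password contains lowercase, uppercase, digits and symbols."""
    return (any(c.islower() for c in password)
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password)
            and any(not c.isalnum() for c in password))


def variants(word: str) -> set:
    """Every password the scheme can produce from one word when the attacker
    knows the rules and the option space (both halves, with/without the middle
    letter, any opening digit, any shifted-digit closing symbol, and the
    downshifted form). This is the dictionary the Cons section warns about."""
    out = set()
    options = itertools.product(("left", "right"), (True, False),
                                string.digits, SHIFTED_DIGITS)
    for side, mid, opening, closing in options:
        pw = build_password(word, side, mid, opening, closing)
        out.add(pw)
        out.add(downshift(pw))
    return out


if __name__ == "__main__":
    pw = build_password("aubergine")
    print(pw, len(pw), has_all_classes(pw))                    # 1@UB3Rg!n3) 11 True
    print(build_password("aubergine", symbols_allowed=False))  # 12UB3Rg1n30
    print(len(variants("aubergine")), "guesses per dictionary word")  # 800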

    Summary



    In this article I deliberately did not give ready-made settings, because everyone who wants to use this system should choose some of the options himself, according to what he likes and what he will remember better.

    Pros


    Relative resistance to guessing, ease of memorization, speed of generation (I used to sit for an hour trying to come up with a good password), modularity (you can drop the rules you do not like or add new ones).

    Cons


    There may be minor problems when typing on a non-standard keyboard layout, but that is solvable (find a picture of the standard layout online). Such a password is weaker than a randomly generated one, because a dictionary can be compiled from these rules; nobody stops you from adding rules of your own that no one else knows about, but every rule you keep standard shrinks the space an attacker has to search.

    In any case, this is not a panacea, but, like so much in our lives, a compromise between reliability and convenience.

    Recommendations



    Changing a password promptly when there is reason to believe it has been exposed increases security; forced periodic changes with nothing behind them mostly produce predictable variations of the old password. Changing the rule options increases the strength of the system but makes it harder to reconstruct a password from memory after a long time. Identical passwords in different places greatly reduce security. If someone knows the answer to your security question, no password will help. There are many other ways to steal your password, so a strong password is not a panacea and there is a lot more to watch out for, but that is beyond the scope of this article.



    Password Storage Software



    This article does not say a word about password managers because the article is not about them =) Besides, I do not use any of them yet: there has been no need so far, I periodically leave the flash drive somewhere, and not everywhere can you plug in a flash drive, yet the passwords still have to be entered. In any case, one does not get in the way of the other.

    PS



    Constructive criticism is welcome.

    UPD: the mention of Esperanto has been removed because, as it turned out, Esperanto has diacritical marks. I apologize to everyone who was misled or offended.
