How to Create and Remember Strong Passwords

Increase security and enhance your memory

Joe Bowman
10 min read · Apr 12, 2014

Now that the rest of us know about the Heartbleed zero-day exploit in OpenSSL, emails and news stories are flying at people’s heads proclaiming the end of days and to change every password since the beginning of time. While the exploit is real and is serious, the responsibility for repairing the breach in security is on the service providers and their backend engineers. Tumblr users received emails prompting password changes after the company made fixes to their infrastructure — changing passwords before a provider has made fixes won't help.

WTF is a Password Policy?

A password policy is a set of rules that are designed to protect user authentication from subversion. In plain English, this means all the do’s and don'ts for making and updating passwords. Your workplace will have certain policies in place such as requiring a new password be created every x-number of days in order to access the company’s computer systems. Every user of the Internet is faced with the challenge of setting and maintaining passwords whether casually surfing the web or running your own online store. That’s right, billions of people are creating passwords all the time, we all have to do it — think of it as a basic web skill like typing or using chat and email. We all start out and suck, then we learn and get better. This is how situations like Heartbleed are great opportunities to teach users how to remain proficient with this all-important skill.

Stop making up your passwords, right now.

The human brain is a computer and all people generally have the same operating system installed; therefore, with enough data points one can extrapolate the forms and iterations the average person may use when ‘making up’ a password. Once again in plain English, this means that you are soo predictable… it’s ok, we all are (for the most part).

Scenario: You're at home, the TV is on, the cat is giving you the business (he can see the bottom of the food bowl), and you are signing up for a new account. You are rushing through the signup process because, shocker, people hate doing things, especially when forced. While you can tailor the situation to suit, several factors are consistent across similar circumstances:

  1. You are distracted or at least focused on multiple things at once.
  2. You are annoyed, and this time it's not just because you've fed the cat twice already. Even if you don't mind creating new passwords, you've had to stop your current focus in order to access the cognitive resources in your brain needed to complete the task.
  3. You are mildly anxious (whether you recognize it or not). You know you will forget or not be able to type the password conveniently on your mobile device. You remember the time you were running errands and couldn't sign on to X,Y, or Z and all on the day you started curating a feed on what other people have been eating for lunch.

These factors (and likely many others) lead people to make similar conclusions and our passwords are weaker (more easily hacked) as a result. Thieves can load up dictionaries covering all words in the time it takes you to think of one obscure word (note: your word choice is not obscure, even if you chose ‘antidisestablishmentarianism’).

Your next thought may be to substitute numbers for letters, so-called ‘leet speak’ or as written: l337 sp34k. But as before, such conventions are well known and commonly part of cracking algorithms, meaning that d’oh! any easily conceived password is easily compromised.

Understand brain to proceed.

I worked in the telecom industry for a number of years and much of that time was devoted to managing call routes and large stacks of both local and toll free numbers, in addition to copious amounts of relational data. A survival skill in this particular role is the ability to employ short-term recall of strings of data. In plain English, this means that I picked up the ability to look at a phone number for just a split second and easily recall the same number accurately within a relatively short period of time.

In all fairness, the phrase ‘I picked up the ability’ glosses over many tedious hours working with dry sets of data, so don't be discouraged as you move forward with the exercises ahead. This type of skill does not come easily but is built on methods the brain already uses to absorb information.

To understand a little about how your brain processes text information, consider the following string:

[Image: a randomly generated, unformatted phone number string: 4473202806]

I've generated a random string of numbers as an image to compensate for the default font Medium uses (offset number type is gorgeous but one challenge at a time!). This is just a string of numbers that we will treat as a phone number (it’s not, and sorry if this happens to be your mobile). Keeping in mind that this is a phone number, what is the area code? Was your answer, “447"? Awesome. For a highly technical (and very boring) explanation of phone number area codes, go here.

But, wait… how did we know that 447 was the correct answer? That is because the first three digits in a phone number represent the area code, or the local region to which the number corresponds. You already knew this piece of information and likely did not need to actually try to remember it; you internalized this piece of data, which your brain referenced as soon as you read the words “phone number”. Your brain is continuously prefetching information for your conscious mind based on context clues you see and hear (and smell and feel).

The format of a phone number is a tool to make reading phone numbers easier. Here we have the number as you might expect:

(447)320-2806

Here is another way your brain is already processing information, consider the following example:

[Image: longer strings are automatically separated by your brain to aid processing]

In this example, the vertical bars represent how the brain visually parses text data. Longer strings are subdivided into smaller pieces and even longer strings such as the last item in the example are subdivided more than once. The brain divides the string equally into three sections of four numbers — but remember the brain subdivides, meaning that the group of four numbers is actually stored as two sets of numbers in the same relational context.

Give it a shot: try to commit “4681" to memory… it is easy to remember, but are you saying in your head, “4 681" or “4 68 1"? Maybe, but that’s probably just to prove me wrong; it is more likely you are reading “46 81" or “35 97", etc. You can do this quickly and easily because you've performed this type of memorization and recall many, many times over the course of your life.

Now that you know that your brain is already on the job, it’s time to leverage that natural processing power to your advantage.

Generating a strong password.

First we need to create some passwords, and since we won’t ‘make up’ our own string, we need a tool to do this for us. I am using Strong Password Generator from the Chrome store, which is good for its ease of use and freeness. Feel free to use any generator that you feel comfortable with so long as it allows you to randomly generate uppercase, lowercase, numbers, and symbols.

Set the character count to 12 and relax, you've remembered your own phone number before and that’s already 10 characters. Choose uppercase and lowercase and numbers and symbols and click generate. To the uninitiated, the strings you create will look like, well gobbledygook. Click generate several times until you have seen a few strings in rapid succession (you may get a list back from your chosen tool).

The trick here is choosing one of the random strings that your brain may find more digestible than the others. Keep clicking… sooner or later one of those strings might appear “different”, and not in a very noticeable way; however, your brain is already parsing these strings and becoming better each time, so keep going. The ones that appear “different” or “easier” to read are the ones that you’ll have the best luck with. Keep clicking. Did you go past a good one? Keeeep clicking. I typically click once per second until I see one that I like.

If you get frustrated, slow down or just focus on one string of characters. Once you see one that you think you want, touch the letters on the keyboard without pressing the keys — do the keystrokes “feel” relatively natural? If you have to strain your wrist (you have bad hand position) to type your password, choose another.

I clicked generate a few times and settled on 8zumeOHUUnNS, for which my brain has already created mnemonic devices for recall. A mnemonic device is a fancy word for something that helps you remember something else. This is why consumer brands have jingles, slogans or a few notes played as a quick tune that you associate with a brand. Intel uses one consisting of four notes; can you hear it in your head already? That little tune is worth billions of dollars and years in brand marketing, no joke.

8zumeOHUUnNS

Look at the chosen string without trying to read it… can you see how your brain is subdividing the sections? No? Stop thinking and get out of the way, gaze at the string for a moment, I see three distinct parts:

8zume OHUU nNS

What does the first section “sound like” in your head? I think “Oh Zumay” or “Oh Zoom” even though the first character is an 8 and not the word “oh” and “zume” brings to mind Microsoft’s Zune player from a few years back. You may be catching on, already using this technique, or have already decided I'm quite daft. Regardless let’s press forward since your neurons are already laying down new pathways to deal with the current task.

The second section is easier (for me anyway) and it sounds like “ohhh youuu”, and I could even imagine using that in short text speak while chatting: “OHUU just did not!” Just as with “8zume”, the mnemonic device works even though the association in your mind is not what is literally written out, and with more practice you will become better at doing so (yes, I surprise even myself sometimes, and it's a fun trick to pull out when having a party and someone asks for your wifi password…).

Ok ok, laaaast section: “nNS” which is a little different. Remembering “NS” is easy, in fact it’s so easy the “n” is more like an afterthought almost as if it is not part of that third section. More importantly, with practice this type of fluctuation becomes easier to remember when you think of it as you would a “,” or some other incidental punctuation — you know it’s there without thinking “lower case n”. Again with practice your brain will leave memory available for data that you frequently need and it will do it in the way that you need.

8zume OHUU n NS

The above example is the fully parsed version that popped into my head within seconds of viewing this string.

Your password does not meet the requirements.

Oh cruel fate, Y U No like me? I didn't check the string completely and we actually needed at least one symbol. Not to fret, we've already identified the perfect spot for that character and no it is not an “!” at the end. I'll pretend you didn't just think that. ☺

Can you guess where we are going to put a symbol? Yup, that pesky “n” we thought of as an element of punctuation is ripe for the taking. If you are actually making a password that you are going to keep and remember, re-read the requirements for the password.

Why did I wait to mention this? When you focus on mnemonic devices and subdividing longer strings you gain the ability to adapt the string in a way that changes it but makes it still easy to remember. Also, I forgot and at some point you will, too.

8zume | OHUU | , | NS

You could view this string in a bunch of different ways and you could even make it a bit easier for yourself by substituting the “8" for a zero using the “oh zoom” clue from earlier.

Memorization Steps:

  1. Get a random password generator online; it can be paid or free as long as it meets the requirements (upper, lowercase, symbols, numbers).
  2. View a few different strings until one seems to jump out at you or appears “easier” to remember.
  3. Fake-type the password out — does it seem like a fit? If not keep going.
  4. Analyze your string: Subdivide and break it down, does it seem to do it automatically? You’re on the right track.
  5. Remember the Johnny Mnemonic… Seriously, make up fun sounds or sayings in your head to remember these longer randomized passwords.
  6. Practice (sorry not sorry). Your brain computer will not maintain the upgrade if you do not use it — your brain is actually lazier than you are and won't retain things you don't need (or use frequently).
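As an added example (not code from the original article or from the Strong Password Generator extension), here is what steps 1 through 4 look like in code: draw a string from a cryptographic random source, check it against the policy the author forgot to check (the symbol requirement), and split it into the chunks the brain parses it into. The symbol set, the default chunk sizes and the entropy helper are my assumptions.

```python
import math
import secrets
import string

# Character classes the generator is configured with (upper, lower, numbers, symbols).
# The symbol set is a constructed assumption; trim it to what the target site accepts.
CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digit": string.digits,
    "symbol": "!@#$%^&*()-_=+[]{};:,.?",
}
ALPHABET = "".join(CLASSES.values())


def missing_classes(password):
    """Names of the required classes the password lacks (empty list when it passes the policy)."""
    return [name for name, chars in CLASSES.items() if not any(c in chars for c in password)]


def generate(length=12):
    """Draw a uniformly random string from a CSPRNG and retry until every class is present."""
    # Rejection sampling instead of forcing a symbol into a fixed slot: every compliant string
    # stays equally likely, and no position is predictably "the symbol".
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not missing_classes(candidate):
            return candidate


def chunk(password, sizes=(4, 4, 4)):
    """Split the string into groups, the way the brain subdivides a phone number."""
    if sum(sizes) != len(password):
        raise ValueError("chunk sizes must cover the whole string")
    parts, pos = [], 0
    for n in sizes:
        parts.append(password[pos:pos + n])
        pos += n
    return " ".join(parts)


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy of a uniformly random string over the alphabet (slightly more than after the class filter)."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    pw = generate()
    print(chunk(pw), f"({entropy_bits(len(pw)):.1f} bits)")
```

Run against the article's own string, `missing_classes("8zumeOHUUnNS")` reports the missing symbol class, and `chunk("8zume" "OHUU" "n" "NS", (5, 4, 1, 2))` reproduces the author's parse.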

What about that heart bleep thing?

The OpenSSL Heartbleed zero-day exploit, as we discussed earlier, is a server-side problem. You can have a 30-character randomized password, but if that password can be accessed from the server’s memory (like Heartbleed) it is as secure as “123456", which, incidentally, was the number one password of 2013.

You may think that placing passwords in a file on your computer or in an encrypted service like Evernote is safe (they said you don't need to do anything), but the Heartbleed issue has exposed a fault within the very infrastructure used by 2/3 of web servers to keep information protected, shaking the industry to the very core.

So you’re screwed? NO. You memorize new password strings with the aid of your brain and your new generator tool. You’ll put the link for the generator in your browser’s toolbar and will not be far from it — you will generate new passwords frequently and soon you will be recalling numbers and strings in a way that will surprise your enemies and amaze your friends.

Have fun taking control of your own security — leave me feedback on what your password strategies are, any gaps in the method presented here, and how you are coping with or are unaffected by OpenSSL Fail 2014.
