Password Generation Strategies

[Max™]

I was curious what other folks use, I just recently was reading through a wiki page I wandered across and saw someone recommend using gestures to generate passwords, but the gestures seemed like they wouldn't be easier to keep track of until it hit me that there is a very easy way to generate them.

Pick somewhere on your keyboard, and pick a word, I'll go with "Cat" in this case and start with "p", then I trace out a natural feeling capital C, lowercase a, lowercase t.

POK<>poklpl;.

Doing different words at different starting points, different overlap patterns, you can make use of capital/lowercase, numbers, and symbols.

It doesn't readily fit a dictionary attack, and you can even stagger each new letter to avoid repetition.

starting at 7 with Cat:
&^TGHiujk0opl

I'm pretty sure that is a very strong password, and though "correcthorsebatterystaple" is easy to remember, so is the action of tracing "C" "a" "t" over the keys.

Is this a thing I'm just reinventing and I missed it, or what? I've tried a few different keywords to look for it but mainly I just find stories telling people to change passwords after heartbleed and whatnot.

[Razanir]

I'd just like to announce that I've used correcthorsebatterystaple as a password before. I've changed it since then, but I still used it as a secure password I don't care about. (We had to hardcode it into a program)

[Max™]

Heh, I never tried it but I have used various strings of words before, been mixing them up with the traced letters method whenever I change them now.

[TuggyNE]

Mostly I just use KeePass to generate passwords: 20 characters of random alphanumeric + symbols is usually upwards of 100 bits of entropy, and can't be copied from one site to attack another. (I'm up to well over 400 current entries in my database, and I have no intention of remembering that many.)

However, those that I need to remember separately, such as the KeePass database itself or OS login, generally use a particular scheme, which basically comes down to a one- or two-letter prefix, one or more vaguely mnemonic words, and a monotonically increasing change counter, separated notionally by "whitespace" expressed as some sort of character sequence. So it might be w45correct45horse45battery45staple4500000101: w is the prefix, 45 the "whitespace" (ASCII '-' decimal), the mnemonic words are obvious, and 00000101 is the fifth password used for this site, in one-byte binary. (This is not actually a valid password*, but it's close enough for illustration.) Sometimes I vary this by including suffixes for the whitespace, replacing digits in the counter, or specifying case on the prefix.

So far, this has worked pretty well for about seven or eight years.

*Because my actual password generation system is not something I will ever tell anyone until I'm dead, thank you very much.

[factotum]

My boss has a system where he uses the initial letters of the lyrics of songs he likes, with various letters changed for numbers etc. Probably as good as any!

Incidentally, with the power of modern dictionary-based password crackers married to GPU power for calculating the hashes, that XKCD password generation method is probably not as good as you'd think.

[The Grue]

I think the point of the XKCD method is not to generate completely secure passwords, but to find a reasonably secure password and a password that you don't need to write down to remember.

[Max™]

Yeah, the word string method runs the risk of fast enough cracking methods showing up eventually.

I only gave a couple of three letter tracing examples, but you can go quite a bit longer and keep them fairly easy to remember but stupid hard to crack.

Kinda like a captcha, easy for us to pick out the letters (in theory) but tying the string of digits to what someone chose to use is another matter.

[Knaight]

Yeah, the word string method runs the risk of fast enough cracking methods showing up eventually.

It compares favorably to other methods which tend to have fast enough cracking methods already available (even brute force works on shorter passwords, as there aren't actually all that many distinct symbols in use), particularly if you have a nice long number you know that you can attach it to, and even more particularly if you use technical jargon or names.

[supermonkeyjoe]

I have an 8-digit alphanumeric password with symbols that I modify on a site by site basis

say for example the password was e!CWYP0@t (it's not) then Amazon would be Ae!CWYP0@tN and ebay would be Ee!CWYP0@tY that way if the password is compromised for one site it can't be used on any others, and once the initial 8 digits are memorized then it's easily applied to every website by taking the first and last letters and putting them at the start and end.

[Max™]

Regarding the number attaching, I memorized pi to 80 digits due to the irrational number song, but suffice to say I resist the urge to toss it in because even though the little "password strength" checks will show it as being strong, it's really not the best idea.

[Telok]

I have two strategies, one for things I have to have a decent password on and another for disposable passwords to be used on stuff I assume is public anyways.

The first I use on household routers, for setting up my in-laws computer, and other places where being hacked is a real nuisance and I don't have to change the password every two months. This method is called "A long sentence with punctuation and a date." These usually end up as 50+ character passwords that are pretty easy to remember or look rather innocuous when written down.

The second is used for my work email system or anywhere that forces number-letter-CAPS-symbol passwords but limits you to less than 30 characters, and especially when they insist that you change the password frequently. Start at the 1 key and pick a pattern, two over and two down, chess knight's move, a spiral, whatever. Then shift over one or two numbers and do the same thing holding down the shift key. When it's time to change passwords you just shift the pattern over, start at 2 instead of 1. All you need to remember is your pattern and the starting key.

[pendell]

A strategy I have used in the past is: Read a book. Take the first letter of each word in the sentence to make your password. Include the trailing punctuation and substitute numbers for letters as needed. It results in gibberish which is going to be hard to crack, but the sentence serves as a memory mneumonic to recall it.

Respectfully,

Brian P.

[Zrak]

I've done variations on the chess move strategy and pendell's "first letter" strategy before (I typically use a poem and use the first letters of certain stresses, rather than certain words), as well as picked a random starting letter created a password based on joystick motions and button inputs from fighting game moves.

[Joran]

A strategy I have used in the past is: Read a book. Take the first letter of each word in the sentence to make your password. Include the trailing punctuation and substitute numbers for letters as needed. It results in gibberish which is going to be hard to crack, but the sentence serves as a memory mneumonic to recall it.

Respectfully,

Brian P.

I think of a sentence I associate with the website, like "I for one welcome our new Google overlords, next stop Skynet."

Then go through it, using number to letter substitutions, random caps, or punctuation as desired. So, that phrase leads to this password: "i41wonG0nsSn".

[CarpeGuitarrem]

My strategy is...not one I'm going to discuss on this site.

[Max™]

I have two strategies, one for things I have to have a decent password on and another for disposable passwords to be used on stuff I assume is public anyways.

The first I use on household routers, for setting up my in-laws computer, and other places where being hacked is a real nuisance and I don't have to change the password every two months. This method is called "A long sentence with punctuation and a date." These usually end up as 50+ character passwords that are pretty easy to remember or look rather innocuous when written down.

The second is used for my work email system or anywhere that forces number-letter-CAPS-symbol passwords but limits you to less than 30 characters, and especially when they insist that you change the password frequently. Start at the 1 key and pick a pattern, two over and two down, chess knight's move, a spiral, whatever. Then shift over one or two numbers and do the same thing holding down the shift key. When it's time to change passwords you just shift the pattern over, start at 2 instead of 1. All you need to remember is your pattern and the starting key.

That's basically what I was talking about with tracing words over the keys.

Note that I'm not saying what is the EXACT method you use, just the general ways you try to balance the need for strength versus the ability to recall it.

As for the "I for one welcome..." used to generate "i41wonG0nsSn" as a password.

Tracing "Google" across the keyboard produced:
R$#WSDRytghiujkpol;.,-['\]'

[The Grue]

A strategy I have used in the past is: Read a book. Take the first letter of each word in the sentence to make your password. Include the trailing punctuation and substitute numbers for letters as needed. It results in gibberish which is going to be hard to crack, but the sentence serves as a memory mneumonic to recall it.

Respectfully,

Brian P.

I believe that's known as a book code.

[noparlpf]

I use the same few crappy throwaway passwords for most sites because I don't mind too much if somebody gets access to my Facebook or FML or Photobucket. For secure stuff (email, bank) I used to use a 30-character string with a pattern to it, but that was too much hassle. Now I use names of characters that I've never put to paper fully (I don't usually introduce myself by full name at the table, so a character's surname will just stay in my head), with a few letters switched to numbers to add another layer of complexity. That's way easier to remember, can be fairly long, and basically requires a brute force attack to crack because made-up fantasy character names won't show up in a dictionary.

[Traab]

I use deliberately misspelled versions of fake languages from fantasy novels with letters mixed in. I have like 3 base words, that I have multiple spellings for, and like I said, i include a few numbers as well. I dont do anything very secret or important online, so I dont go too crazy, its just something that stays in my mind easily. Of course, my biggest problem is sites that remember your password for months on end, then suddenly dont for some reason. I can never remember which variant I used for that site and always have to reset the password.

[Max™]

Yeah, what is worse is when I have firefox remember a password and then at some point wound up changing it without clicking the "update password" prompt and have to figure out what went wrong.

[TSGames]

When it comes to passwords, I have only two rules.

1) Don't ever reuse a password for anything. This applies to variants of passwords as well. This does mean that I have well over 30 unique passwords that I use on a regular basis which would be problematic for some, but I am quite well adjusted to it.

2)Don't ever share passwords or the methods used to generate them. Especially not on the internet. =P

[Knaight]

1) Don't ever reuse a password for anything. This applies to variants of passwords as well. This does mean that I have well over 30 unique passwords that I use on a regular basis which would be problematic for some, but I am quite well adjusted to it.

Depending on what it's for, this isn't necessarily a big deal. For instance, it would be really stupid to use the same password on, say, this forum, your email, and Amazon. This forum, another forum, and a third forum? Not so much.

[Max™]

See, I know that discussion of password strategies might seem like a bad idea, but I could just as easily see why not discussing them would leave one open for attacks on passwords generated by flawed or poorly excuted methods.

[noparlpf]

I don't really see how anybody's going to crack my passwords just because I've told them that they're long made-up words that literally nobody outside of my head has ever heard. They'd end up resorting to brute force with or without that information.

[TuggyNE]

2)Don't ever share passwords or the methods used to generate them. Especially not on the internet. =P

I'm pretty paranoid (I routinely use strong crypto in emails and IMs with anyone willing to set it up, use the aforementioned 20-character random passwords, and browse the web with NoScript and RequestPolicy up), but I think that's going a little too far. As long as you provide nowhere near enough information to automatically generate passwords you might use, you're fine.

[reaverb]

A strategy I have used in the past is: Read a book. Take the first letter of each word in the sentence to make your password. Include the trailing punctuation and substitute numbers for letters as needed. It results in gibberish which is going to be hard to crack, but the sentence serves as a memory mneumonic to recall it.

Respectfully,

Brian P.

By the way, this will always have less entropy than the normal sentence (you are removing information) so you might as well just use the sentence. (Unless you're on a site which limits how long your password can be)

[Astral Avenger]

When I need a really secure password I figure out what the longest password allowed is and then run the following python script:

Spoiler

Show

Spoiler: The script

Show

Code:

#Password generator
import random
symb=input("Are symbols allowed? (1/0) ")
a=input("Maximum length of password: ")

alphabet=[]
digits=["0","1","2","3","4","5","6","7","8","9"]
lowercase=["a","b","c","d","e","f","g","h","i","j","k","l","m","n","o","p","q","r","s","t","u","v","w","x","y","z"]
uppercase=["A","B","C","D","E","F","G","H","I","J","K","L","M","N","O","P","Q","R","S","T","U","V","W","X","Y","Z"]
symbols=["!","@","#","$","%","^","&","*","(",")"]
alphabet= alphabet + digits + lowercase + uppercase
if(symb==1):
    alphabet=alphabet+symbols

password=""
for n in range(a):
    password=password + alphabet[random.randint(0,len(alphabet)-1)]

print password

Example:

Code:

>>> 
Are symbols allowed? (1/0) 1
Maximum length of password: 20
G554uRq79Y0B1#xk7vDY

Dictionary attacks can go die and stop wasting electricity, they ain't gonna work on my secure passwords....

[Knaight]

By the way, this will always have less entropy than the normal sentence (you are removing information) so you might as well just use the sentence. (Unless you're on a site which limits how long your password can be)

Typing speed also comes into this. I can type extremely quickly if I know exactly what I'm typing and if it's practiced (also if it doesn't have too much in the way of odd symbols), and as such could easily get away with a whole sentence for a book. At 180 WPM (well above generic typing speed, but quite possibly below my password typing speed as those are very practiced patterns), a sentence isn't a big deal*. At 30 WPM, it's a very irritating thing, and I know people who can't type much faster than 30 WPM.

*Though I assume a relatively short sentence, and not something like one of the longer ones in A Tale of Two Cities.

[Max™]

The entropy largely depends on the length of the string and the possible character sets it is drawn from.

A given length with all lowercase has less than a given length with mixed case which has less than a given length with mixed case and numbers which has less than mixed case with numbers and punctuation which has less than mixed case with symbols drawn from the full ASCII character map.

That's why I suggested trying to trace words which include at least one trip across the number row with and without shift.

[Grif]

Is it bad I just string together words (and sometimes folder names) together as my password?