Improved Mnemonic Password Policy

by Ian Murphy (a.k.a., Backspace)  (back_space@hackermail.com)

This article is in response to Agent Zer0's article, "Password Memorization Mnemonic" in the Spring 2008 issue, in which he outlines his method for generating and remembering complex passwords that would not be easily guessed.

There are a few fundamental flaws in the password generation process.

Most notably, there is a commonality or "crib" within the passwords such that if anyone of the passwords is compromised, it would compromise all other passwords generated using this algorithm.

Password Generation

Suffice it to say that most of us enjoy music and/or literature.

This will be the root of our password generation algorithm.  The idea is to take a phrase, poem, or lyric that you already have memorized and leverage that knowledge to generate a long, pseudo-random string that will be easy enough to remember.

Let's say that in your idle and misguided youth, you actually memorized the lyrics to Ice Ice Baby (remember that this is only being used as an example, I admit to nothing!).

The lyrics go, as the Internet remembers them, as follows:

"Alright stop, collaborate and listen, Ice is back with my brand new invention"

Step 1:  Take the first letter of each word and write it out as a single string:

AscalIibwmbni

Now we have a 13-character non-English word.

Not too bad, but it still wouldn't take a brute-forcer too long to crack, as we're only using the 26-characters of the English alphabet.  We need to up the password complexity, somewhat.

Step 2:  Add some special characters and numbers.  As far as this goes, I normally perform a character substitution to the string to get something like this:

Asc@l11bwmbn1!

As you can see, I've added a bit of complexity to the password as well as adding a punctuation mark to the end.

Vectors of Attack

Naturally, this method generates a password that is highly resistant to brute-forcing (at least without considerable resources).  As always, this will not prevent you from having your passwords stolen, either from the website you deal with, or because you practice unsafe logon by sending unencrypted passwords across the Internet.

The Benefits

One of the benefits of this method is that your passwords are as easy to remember as that song that won't leave your head or that Dear Penthouse letter you memorized as a teen.  Additionally, it is an extensible algorithm in that you can add password length by using more of the lyric/poem.

The Drawbacks

The major drawback I see in this is that there is no direct link between the password and the website or resource you are requesting.

If anyone can suggest a suitable method, please let me know.

Conclusion

I've been using this mnemonic for the last five years and found that it has worked well to date.

I have noticed a few sites that don't want me to use special characters in my passwords, so I've had to work it around a little bit by lengthening the source string and limiting myself to alphanumeric passwords.  I have noticed that this is changing over time and that most sites I access now permit the use of special characters in my passwords.

Many thanks to The_rick and Typoninja for reviewing the article.  Shouts to the old Dievo crew!

Return to $2600 Index