So I signed up for a password manager, and even got a complex password. But how do I remember the password? It’s a random combination of upper and lower case letters plus numbers. I suppose I could use spaced repetition software to memorize it, but wouldn’t that be insecure?
I learned a few interesting memory tricks from the movie Memento. One thing you can try is to tattoo important information on yourself, so that you don’t forget it.
I can think of a few security caveats for sensitive information though:
It’s probably better if you choose a location that’s not easily visible (e.g. chest, part of your arm that’s covered by a shirt), though you should probably choose a location that’s still somewhat accessible (i.e. not your lower back)
If you absolutely have to use a more visible location, like your forehead, make sure you get the sensitive information tattooed BACKWARDS, so that only you can read it (and only when you’re looking in a mirror)
On a more serious note, I find it much easier to remember random alphanumeric characters “kinesthetically” (i.e. by developing muscle memory for the act of actually typing the password), as suggested by polymathwannabe. The only downside to this approach is that it’s extremely difficult for me to enter such a password on a cell phone.
I endorse the serious note—I have a key layout I use for throwaway passwords based on taking an initial character from the website name, which is quick and easy to type on keyboards (but admittedly hard on iPhone). E.g. I went back to confused.com (insurance comparison site) recently after a year and got in with a couple of guesses.
Emphasise throwaway passwords though—I use XKCD method for anything that gives control over other stuff (Gmail especially) but it takes some cognitive load off the unimportant stuff while still protecting against password leaks.
Despite my other comment, there are cases when we simply can’t choose. My university gave me an alphanumeric sequence that I am able to remember because I’m a trained typist. So I didn’t memorize the letters and numbers; I memorized the finger movements.
Just write it down. Eventually, you’ll memorize it. It will be faster if you challenge yourself each time: see how many characters you can type before having to look.
It’s important to keep in mind threat models. The biggest threat is that someone attacks one website you use and uses that password to take control of your account on another website. The password manager solves this problem. (It also gives you strong passwords, which is overkill.) People physically close to you that might steal the piece of paper with the password aren’t much of a threat, and even if they were, they probably wouldn’t figure out the meaning of it. But you can destroy it after memorization.
Write the password down on paper and keep that paper somewhere safe.
Practice typing it in. Practice writing it down. Practice singing it in your head.
Set things up so you have to enter it periodically.
I use a passphrase, which has higher entropy than a short password and is easier to remember at the same time.
Take a dictionary of 50k words and choose a sequence of 6 words at random. (Use software for this; opening a printed dictionary “at random” won’t produce really random results). This provides log2(50000^6) = 94 bits of entropy. This is a similar amount to choosing 15 characters from an 80-character set (lowercase and uppercase letters, numbers, and 18 other characters) which would produce log2(80^15) = 95 bits.
It’s much easier to remember 6 random words than 15 random characters. You can generate some passphrases here to estimate how difficult they might be to remember. (Of course you wouldn’t generate your real passphrase using an online tool :-)
If you often need to generate XKCD-compliant passwords on Linux machines, you may find this command line handy:
(It will work on a Mac if you install coreutils and change shuf to gshuf.)
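The passphrase recipe in the two posts above (pick N words uniformly from a word list, entropy = N × log2(list size)) as an added, runnable example; this is not the commenter's missing shell one-liner and not anything from the thread. It reads /usr/share/dict/words when present and otherwise falls back to a small constructed word list, draws words with the OS CSPRNG, and reproduces the bit counts quoted above (94, 95, 100 and the 44 of "correct horse battery staple").

```python
import math
import secrets

# Constructed word list standing in for /usr/share/dict/words; a real run
# would read the system dictionary (or a diceware list) instead.
SAMPLE_WORDS = [
    "correct", "horse", "battery", "staple", "anvil", "bishop", "cactus",
    "dolphin", "ember", "falcon", "garnet", "harbor", "island", "jaguar",
    "kettle", "lantern", "meadow", "nectar", "orchid", "pepper", "quartz",
    "river", "saddle", "timber", "umpire", "velvet", "walnut", "yonder",
]


def load_words(path="/usr/share/dict/words", min_len=3, max_len=9):
    """Read a dictionary file, keeping lowercase plain-ASCII words of a
    typeable length. Falls back to SAMPLE_WORDS if the file is absent."""
    try:
        with open(path, encoding="utf-8", errors="ignore") as fh:
            words = {w.strip() for w in fh}
    except OSError:
        words = set(SAMPLE_WORDS)
    return sorted(w for w in words
                  if w.isascii() and w.isalpha() and w.islower()
                  and min_len <= len(w) <= max_len)


def bits_for_choices(choices, count):
    """Entropy of `count` independent uniform picks from `choices` options:
    log2(choices ** count) == count * log2(choices)."""
    return count * math.log2(choices)


def generate_passphrase(words, n_words=6, sep=" "):
    """Pick n_words uniformly, with replacement, via the OS CSPRNG.
    secrets.choice is used deliberately; random.choice is not for secrets."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


if __name__ == "__main__":
    words = load_words()
    print(f"{len(words)} candidate words -> "
          f"{bits_for_choices(len(words), 6):.1f} bits for 6 words")
    print("50k words x 6:      ", round(bits_for_choices(50_000, 6)))
    print("80 chars x 15:      ", round(bits_for_choices(80, 15)))
    print("100k words x 6:     ", round(bits_for_choices(100_000, 6)))
    print("2048 words x 4 xkcd:", round(bits_for_choices(2048, 4)))
    print(generate_passphrase(words))
```

Drawing with replacement keeps the entropy exactly N × log2(size); filtering the dictionary down to short lowercase words shrinks the list, so print the bit count for the list you actually used rather than assuming 100k.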
On my Ubuntu install, /usr/share/dict/words is symlinked to /usr/share/dict/american-english, which has about 100k words. log2(100000^6)=100, which surprised me by being not that much bigger than log2(50000^6) = 94. Bad math intuition on my part.
How is a computer more random than flipping pages?
The word “set” in my dictionary has a definition spanning an entire page. Most other pages have between 20 and 50 words on them. This implies that the word “set” will be chosen about 1 in 1000 times, giving only 10 bits of entropy, whereas choosing completely at random, each word would have about a 1 in 50,000 chance of being chosen, giving about 15 bits of entropy.
In practice, picking 5 random pages of a 1000 page dictionary, then picking your favorite word on each page would still give 50 bits of entropy, which beats the correcthorsebatterystaple standard, and probably a more memorable passphrase.
Take a 100 page book, get 100 random numbers from that, then do an analysis of the numbers.
First of all, how do you decide right page/left? Likely by generating randomity in your head, which may not be so good. First few pages and last few are unlikely. Probably other things also. For one, words with longer definitions are more likely depending on the exact method.
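To make the "page-flipping" bias in the three comments above concrete, here is an added example (not from the thread) that models a constructed 1000-page dictionary in which "set" fills one page and every other page holds 20 to 50 headwords, then computes what "open to a random page, then pick a word on it" does to the per-word probabilities. It separates Shannon entropy (average surprise) from min-entropy (the worst case, which is what matters against a guesser who tries the likeliest words first).

```python
import math


def build_dictionary(n_pages=1000):
    """Constructed dictionary: page 0 holds only 'set'; pages 1..999 hold
    20..50 synthetic placeholder headwords each."""
    pages = [["set"]]
    for i in range(1, n_pages):
        n = 20 + (i % 31)            # cycles through 20..50 entries per page
        pages.append([f"p{i}w{k}" for k in range(n)])
    return pages


def page_pick_distribution(pages):
    """Probability of each word when a page is chosen uniformly and then one
    word is chosen uniformly from that page."""
    n_pages = len(pages)
    probs = {}
    for page in pages:
        for w in page:
            probs[w] = probs.get(w, 0.0) + 1.0 / (n_pages * len(page))
    return probs


def shannon_bits(probs):
    """Average surprise per pick: -sum p * log2 p."""
    return -sum(p * math.log2(p) for p in probs.values())


def min_entropy_bits(probs):
    """Worst-case bits: -log2(max p), the figure a guessing attacker faces."""
    return -math.log2(max(probs.values()))


def surprisal_bits(probs, word):
    return -math.log2(probs[word])


def compare(pages):
    probs = page_pick_distribution(pages)
    total = sum(len(p) for p in pages)
    return {
        "words": total,
        "uniform_bits": math.log2(total),            # truly random pick
        "shannon_bits": shannon_bits(probs),         # page-pick, on average
        "min_entropy_bits": min_entropy_bits(probs), # page-pick, worst case
        "set_surprisal_bits": surprisal_bits(probs, "set"),
    }


if __name__ == "__main__":
    r = compare(build_dictionary())
    for k, v in r.items():
        print(f"{k:>20}: {v:.2f}" if isinstance(v, float) else f"{k:>20}: {v}")
    print("5 page-picked words, worst case:",
          round(5 * r["min_entropy_bits"]), "bits")
```

The average (Shannon) entropy barely moves, because most pages are ordinary; the min-entropy collapses to about 10 bits per word, since "set" comes up one time in a thousand. Five such words give roughly 50 bits in the worst case, matching the estimate above, provided the page choice itself is uniform, which is exactly the step a human does badly.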
I don’t think using a computer is a very secure solution once you’re going to that level anyway. Try using dice.
It’s well known in the security industry / compsci that humans are very bad at generating, and recognizing, random numbers. I can’t recall if there’s a name for this bias; there’s the clustering illusion but that’s about recognizing random numbers, not trying to generate them.
This paper tries to analyze why this is hard for humans to do.
You’ll get used to it. All my passwords are long (~20) strings of random alphanumeric characters. Initially, when I started using this system, I had doubts that I would be able to memorize them all, but after a while it got easy.
If you’re really in need of some outside help, write it somewhere in rot13; since it’s random, nobody can guess through the pattern of the letters that the rot13 version is not the actual password; a random string of letters and its rot13'd version are much the same for all practical purposes. And if you want some extra security and you’re not worried about getting tangled in all your weird personalized decoding rules, write it backwards; write every number as ten minus that number; make all capitals lowercase letters and vice versa; add known short strings of characters at the beginning and/or at the end, etc. But I really don’t recommend going down that route.
Keep it written down and read it consciously every time you need to enter it (ideally, often). Whenever you have it memorized, destroy the physical copy.
For my non-phrase passwords, I make myself enter the password at least once per day, and I recite it in my head frequently.
Alphanumeric passwords are overrated.
That comic makes a good argument against the kinds of alphanumeric passwords most people naively come up with to match password policies, but the randomized ones that a password manager will give you are far stronger. Assuming 6 bits of entropy per character (equivalent to a choice of 64 characters) and a good source of randomness, a random 8-character password is stronger than “correct horse battery staple” (48 bits of entropy vs. ~44), and 10 characters (for 60 bits of entropy) blows it out of the water.
Of course, since you typically won’t be able to remember eight base64 characters for each of the fifty sites you need a password for, that makes the security of the entire system depend on that of the password manager or wherever else you’re storing your passwords. A mix of systems might work best in practice, and I’d recommend using two-factor authentication where it’s offered on anything you really need secured.
That comic got me to change all my passwords. I now have a stack of virtual movie posters in my head using that principle. Nothing written down anywhere, not forgotten one yet, far more secure. Works fantastically well for any password function where you are permitted long passwords. I start swearing at places that impose limits, now.
What really annoys me is places that won’t let you use those passwords because they’re too long and they don’t have any numbers in them.
The problem is “correct horse battery staple”-style passwords are easy to remember, but annoying to type. Memorizing a random eight-character password is hard, but typing one is easy.