I’m sure that you’ve heard again and again that having “secure passwords” is essential to online security, but usually this advice is met with a shrug if you ask how to create and memorize such secure passwords.
One common piece of advice is to use password managers, like 1Password, which can generate and securely store unique passwords for each and everything you log in to. This is a great approach, but there are some cases you cannot (or should not) store passwords (see the “when to use this” section at the end of this article). In these cases, you need to create a secure password that you can remember.
This is where most people get stuck. The two goals (being secure and easy to type/remember) often seem to be at-odds. Patterns are what make a password easy to type/remember, yet patterns are also what make passwords breakable. We need some way to create a pattern which the brain can remember, yet which creates a secure password that does not have any pattern. It might sound impossible, but I’ll explain how you can do this easily.
This blog is about memory and learning, and I’m a computer programmer with a neuroscience background. The technique I’ll describe in this post steals from both disciplines. The human brain is very bad at some of the things computers are good at (like long division) yet very good at some of the things computers suck at (like abstract reasoning). The trick to creating and remembering an unforgettable, secure password is to use the things computers are bad at to your advantage.
Briefly, What Makes a Secure Password?
It’s important to at least have a general idea of what makes a password secure before you try to make one.
No doubt, you’ve seen a website which forces you to include a combination of uppercase, lowercase, symbols, etc. This is because the greater diversity of letters you use, the more possible passwords can be created in the same space. The equation is:
[# of possible passwords] = [number of possible characters] ^ [length of password]
So if you only use the 26 lowercase letters of the alphabet, and only create a 4-character password, there are 26^4, or about 457,000 passwords that can be created. That might sound like a lot, but a computer can make that many “guesses” in no time at all. If you simply include uppercase letters and numbers, the same 4-character password increases to about 14,760,000 possibilities.
How many possibilities are “enough?” That’s tough to say. The faster computers get, the more guessing they can do in the same amount of time. Fascinatingly, all of digital security is based on this arms race. As computers get faster at guessing, humans must invent techniques which create more and more possibilities (this is why the standards for the encryption that protects your credit cards online have gotten stronger and stronger over the years).
When you use letters, symbols, numbers, uppercase and lowercase in a password of 10+ characters, we’re getting into pretty darn “safe territory.” Unless, of course, you make a critical mistake…
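To make the keyspace equation above concrete, here is a small added example (not code from the original post) that computes the number of possible passwords, the same quantity in bits, and the worst-case time to try every guess at an assumed guess rate. The 1e9 guesses per second figure and the class size of 32 for symbols (the printable ASCII punctuation characters) are assumptions for illustration.

```python
import math
import string

# Sizes of the character classes a site typically asks for.
# 32 symbols is the count of printable ASCII punctuation (an assumption for this example).
CLASSES = {"lower": 26, "upper": 26, "digits": 10, "symbols": 32}


def keyspace(charset_size: int, length: int) -> int:
    """[# of possible passwords] = [number of possible characters] ^ [length of password]."""
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """The same keyspace on a log scale: bits of entropy of a uniformly random password."""
    return length * math.log2(charset_size)


def seconds_to_exhaust(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time for an attacker who tries every possibility at a fixed guess rate."""
    return keyspace(charset_size, length) / guesses_per_second


def charset_size_for(password: str) -> int:
    """Sum the class sizes for the character classes actually present in a password.

    This is the number an attacker must assume if they know only which classes
    you used, so it is the right base for the keyspace formula above.
    """
    size = 0
    if any(c.islower() for c in password):
        size += CLASSES["lower"]
    if any(c.isupper() for c in password):
        size += CLASSES["upper"]
    if any(c.isdigit() for c in password):
        size += CLASSES["digits"]
    if any(c in string.punctuation for c in password):
        size += CLASSES["symbols"]
    return size


if __name__ == "__main__":
    rate = 1e9  # assumed guess rate: one billion guesses per second
    for label, base, length in [
        ("26 lowercase, 4 chars", 26, 4),
        ("62 alphanumeric, 4 chars", 62, 4),
        ("94 all classes, 10 chars", 94, 10),
    ]:
        print(f"{label}: {keyspace(base, length):,} possibilities, "
              f"{entropy_bits(base, length):.1f} bits, "
              f"{seconds_to_exhaust(base, length, rate):,.2f} s to exhaust")
```

The two 4-character rows reproduce the article's 26^4 and 62^4 figures; the 10-character row shows why the author's "10+ characters, all classes" advice lands in much safer territory at the same guess rate.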
The Critical Mistake of Many Passwords
Even a password that looks secure can be insecure, and many people are using passwords like that.
One common (and flawed) technique for creating passwords is to take a phrase, word, book title, etc. and substitute numbers and symbols for some of its letters. The problem is that hackers know about this technique. There’s a whole online business, in the underbelly of the internet, where information about you is bought and sold (yes, you). If a hacker can learn about your tastes, and maybe find one or two passwords you’ve used in the past (which were leaked online), then his search to crack your passwords will be much easier. He has some place to start, so he’s limiting the number of possibilities he needs to test.
For a bit of nerdy humor, this XKCD comic strip explains why this is a mistake.
Unfortunately, as some security experts have pointed out, even this nerdy comic misses an essential point. By using English words, we’re again limiting the number of possibilities. If a hacker starts with the knowledge that English words might be used, cracking the comic’s password becomes quite easy.
How do we create a secure password, then? The flawed technique of replacing letters with numbers actually contains a nugget of wisdom. For the brain, the easiest way to remember something is to start with something memorable and then apply some transformation to it. The transformation, like replacing letters with numbers, is called a heuristic. These work very well for creating passwords, unless the heuristic is known to the hacker. Since replacing letters with numbers is such a common heuristic, it becomes nearly worthless.
To create a secure password, then, you should instead focus on the heuristic…
Your Personal Heuristic
Bear with me for some technical details for a moment.
This concept of a “heuristic” is what computer programmers would call a “hash.” When software stores your password somewhere (like when a website creates an account for your username), it is software gospel that it must not save the “plain” version of the password. The software first “hashes” the password before it stores it. Hashing is an operation that changes the password into a long, indecipherable string. For example:
If I apply a common computer hash called “md5” to the word “hi,” I will get the same string every time: 49f68a5c8493ec2c0bf489821c21fc3b
So if the password were “hi,” the computer would instead store that long version above. If the software wants to check that a user entered the correct password (“hi”) it would apply the same hash to the input, and compare the results. Importantly, hashes cannot be reversed. There’s no way to get back from that long string to the word “hi.” The password can be hashed into the same thing every time, but that thing cannot be turned back into the password.
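The store-then-compare flow just described, as an added example (not code from the original post). It first reproduces the article's md5 value for "hi", then shows how password storage is done in practice: a random per-user salt and a deliberately slow key-derivation function (PBKDF2 from Python's standard library) rather than a bare md5, with a constant-time comparison at login. The iteration count is an assumption for illustration.

```python
import hashlib
import hmac
import os


def md5_hex(text: str) -> str:
    """The article's illustration: md5("hi") is always the same 32-hex-digit string."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def store_password(password: str, iterations: int = 100_000) -> dict:
    """What a site keeps instead of the plain password.

    A fresh random salt means two users with the same password get different
    records, and a slow KDF makes each guess cost the attacker real work,
    which a fast hash like md5 does not.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_password(record: dict, attempt: str) -> bool:
    """Apply the same hash to the login attempt and compare the results.

    hmac.compare_digest avoids leaking how many leading bytes matched
    through the comparison's timing.
    """
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        attempt.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


if __name__ == "__main__":
    print("md5('hi') =", md5_hex("hi"))
    record = store_password("hi")
    print("stored record:", record)
    print("login with 'hi':", verify_password(record, "hi"))
    print("login with 'Hi':", verify_password(record, "Hi"))
```

Because the salt is random, calling `store_password("hi")` twice yields two different records; both still verify the correct password and reject the wrong one.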
This is exactly how a good mental heuristic for creating a password works. With the example of replacing letters with numbers, it’s still pretty easy to get back from “Tr0ub4dor” to the word “troubadour.” This is one reason it’s not a good heuristic.
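To show just how little the letters-to-numbers heuristic adds, here is an added example (not from the original post) of the kind of check a password policy can run: it enumerates every password reachable from a dictionary word via the common substitutions and compares that count with the keyspace of a genuinely random password of the same length. The substitution table and the tiny word list are assumptions constructed for the example.

```python
from itertools import product

# The substitution table attackers already know (an assumption; real rule sets are larger).
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5", "t": "7"}

# A constructed stand-in for a real dictionary; only its shape matters here.
WORDLIST = ["hello", "friend", "troubador", "password"]


def leet_variants(word: str) -> set:
    """All passwords obtainable by optionally substituting each letter via LEET
    and optionally capitalising the first letter."""
    choices = [(ch, LEET[ch]) if ch in LEET else (ch,) for ch in word.lower()]
    variants = set()
    for combo in product(*choices):
        candidate = "".join(combo)
        variants.add(candidate)
        variants.add(candidate[0].upper() + candidate[1:])
    return variants


def dictionary_origin(password: str, wordlist=WORDLIST):
    """Return the dictionary word a password was derived from, or None.

    A policy check that rejects such passwords is the defender's use of the
    same observation the article makes: the heuristic is public, so the
    transformed word is nearly as guessable as the plain word.
    """
    for word in wordlist:
        if len(word) == len(password) and password in leet_variants(word):
            return word
    return None


def random_keyspace(length: int, charset_size: int = 62) -> int:
    """Possibilities for a uniformly random alphanumeric password of the same length."""
    return charset_size ** length


if __name__ == "__main__":
    word = "troubador"
    n = len(leet_variants(word))
    print(f"'Tr0ub4dor' derives from: {dictionary_origin('Tr0ub4dor')}")
    print(f"{n} variants of '{word}' vs {random_keyspace(len(word)):,} random passwords")
```

For "troubador" the heuristic yields only 24 candidates, so an attacker who tries dictionary words plus these substitutions covers "Tr0ub4dor" almost immediately; a random 9-character alphanumeric password has about 1.35 x 10^16 possibilities.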
Instead, the most secure yet memorable thing you can do is to invent your own heuristic which is unique to you. I’ll show you how it works…
Example of a Secure, Easy to Remember Password
To demonstrate just how this works, I’ll show you how one of my old passwords worked.
The heuristic I developed took advantage of the fact that I speak Chinese, Spanish and French in addition to English, and I am a computer programmer, and a huge nerd. I started with the famous quotation from Lord of the Rings, “Speak ‘Friend’ and Pass.” Even though this is a common quote that all nerds know, my heuristic turned it into a great password. Here’s what I did:
- Took the phrase Speak “Friend”
- Translated “speak” into Chinese Pinyin (“Shuo1”) and “friend” into Spanish (“amigo”) and replaced vowels with numbers, for good measure
- Took the new phrase and turned it into a Regex string (a special way computer programmers do searches)
Here are the results:
It’s very easy for me to remember and reconstruct this phrase because of the way I developed the heuristic. I learned Chinese, then Spanish, so the order of languages is easy to remember. Both words are very easy in their respective languages, and Pinyin (Chinese) already has numbers in it. I write Regex several times per day, so turning it into a Regex string takes very little effort. Despite all of this, the exact way I approached these tasks is unique to me. There is some intentional ambiguity in my heuristic.
Another key trait to a good heuristic is that you can apply it at roughly the same speed you can type. If it takes you 30 seconds to reconstruct your password, it’ll become a pain. A good heuristic, instead, lets you remember the “seed” (the original phrase) and create the password on-the-fly.
Critically, my heuristic would be a terrible one for you because you don’t have the same life experiences. That’s the point. The precise operations you use create a fingerprint that’s nearly impossible for someone else to guess. So not only do they need to know your taste profile, but they need to know how your brain operates.
Using a Memory Palace
For even more security, I could have used a better starting phrase.
A quotation from Lord of the Rings is not exactly the most random string to start with. Having a more random “seed” would make the password even more secure. You can do this by coming up with some random nouns and verbs and then using the same basic techniques of a memory palace to remember them.
The idea is simply that you create a visualization to remember strange words, taking advantage of the brain’s ability to remember surprising imagery. What’s cool here is that the brain can use the techniques of the memory palace to easily recall things that a computer (or even another person, without context) would consider totally random and unrelated.
When To Use This Technique
As I said in the introduction, it’s best to have unique passwords for each service/site/tool.
In most cases, your best option is to use a truly random password generator and store your passwords in a safe, like 1Password. Such single-use, truly random passwords make a hacker’s life very, very hard. However, there are a few cases where this won’t work:
- The password to the safe itself
- The password to your computer
- Other places where you don’t have access to the safe
These are your “keystone” passwords. They protect your other passwords, and should never be written down anywhere. Anything that protects other systems falls into this category; you might consider your Google or Apple password a keystone password as well, since a hacker who can access your email or iCloud has access to many other things.
Do you have a good heuristic? Some way I can improve upon this article? Please let me know in the comments! My goal is to help everybody be a bit more secure online.