What is your password creation methodology?

I often use the xyzzy pronounceable password generator. It generates random passwords using a mathematical model of the English language.

Examples:

honeumopte
rishipenyl
phousbycli
monvivagot
tundromoyd
nochantive
sureteopha
romyentedn
ceoublusir
ablaldsbef

See:

Gasser, M., A Random Word Generator for Pronounceable Passwords, MTR-3006, The MITRE Corporation, Bedford, MA 01730, ESD-TR-75-97, HQ Electronic Systems Division, Hanscom AFB, MA 01731. NTIS AD A 017676.

FIPS Standard 181, Automated Password Generator (APG)

In my workplace, I started out using comic book characters and the issue of their first appearances, never 1’s (e.g., Starman61, Legion247).

When I ran out of easy-to-remember ones, I used my wife’s name and our anniversary, then each of my children’s names and their birthdays.

When I ran out of those, I turned to my tourism hobby, so I did these two:

All50States
And10Provinces

Since using those, I actually use each state or province in the order that my wife and I first visited it, with the month & year of our visit.

There are 61 of those (including Washington, DC) so by the time I burn through all of those, the recent passwords list should be short enough that I can go back to the beginning again.

I resent password coding that requires specific kinds of alpha-numeric combinations. For many years, I used a particular password that I knew no one could possibly guess or figure out. I even had my wife try to figure it out, and nobody knows me better than she does. I never even told anyone the mnemonic device I used to remember it.

I’ve had to abandon that elegant little password because, increasingly, it doesn’t meet the criteria for passwords any more. But it was the safest password ever. And that’s a shame, because it was uniquely mine.

I only use a couple of different ones - generally my kids’ or old dogs’ names, with the addition of one or two old addresses if numbers are required. My work password must be changed every month - for the past several years it has been the same phrase followed by the number corresponding with the month.

Anything more complicated I’m not going to remember, leading to it being posted on my monitor or nearby with a sticky.

I have to come up with 3-5 new passwords around every 5-6 months, and they each have to follow different rules: some must be alphanumeric; some cannot use non-alphanumeric characters like $; some allow LEET while others say “Sorry, that is a dictionary word.” It’s very exciting to keep track. I use anything but initials, important dates, nicknames, pet names, and keyboard patterns. Whatever my passwords are, I don’t want someone who knows some facts about me to be able to guess them.

For trivial uses (news sites and the like), I just use one standard password.

For anything that actually requires safeguarding, I generate one from the first letter and letter count of the words of a phrase, e.g.:

one Emperor lost his Life --> o3E7l4h3L4
and another his Crown --> a3a7h3C5

You have a password such as: We23$6423bdc*#KsL all memorized. Why change it every 90 days? Are there programs that go around trying random things to break into the systems that can hack that password?

Or are people so stupid that they write it down on their cocktail napkins and leave it so the femme fatale can scarf it up and sell it to the Mafia? Then they can hack your SDMB account and cause massive destruction?

Making people redo big complicated passwords on a regular basis is more of a security problem than just having an individual or program force the needed complexity on each password. Right? Or? What am I missing?

Curses! Foiled again! <Twirls moustache in a sinister fashion>

Not a thing. And there are a few smart people in the security biz who actually make that point. However, the local geek who decides to try out every bell and whistle on the security software rarely reads essays by people who think, so you get stuck with odd things.

I have no trouble with requiring periodic password changes. (We can argue whether periodic should be 30 days or 180 days.)
I have no trouble with requiring both numbers and letters. (It adds to the number of combinations that an outside password breaker has to run through to find a match, although simply permitting letters and numbers does the same thing.)
I don’t have too much trouble making passwords case sensitive for the same reasons as using alphanumerics. Of course, permitting does the job as effectively as requiring without forcing users to perform stupid tricks.
I have no problem with requiring more than four characters, although requiring ten is simply stupidity in a geek dress.

This is truly brilliant. It beats the hell out of my old “town where my grandfather was born” trick. You just made my subscription pay for itself!

In case this is not a whoosh - smile and cry respectively.
Presently, I am using a 24 character password because I thought I would try something different. I also have a 26 character wi-fi encryption key memorized.

If anything, this thread is proving that I am a little paranoid.

I use my cats’ names for my passwords. Since most passwords at work require a combination of letters, numbers and/or symbols, I substitute the vowels accordingly:

a=@
e=3
i=1
o=0 (zero)
u=2

I sometimes also double each letter in my passwords so they don’t pass a dictionary check. For example, if I were to use my username as a password (I don’t), it would appear as “DDWWCC11997700”.
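The vowel substitution and letter doubling described in the post above, written out as an added example (not code from the thread or from any poster). It applies both transforms and then shows the kind of dictionary check that undoes them before looking a candidate up, so that a doubled or vowel-swapped cat name is still recognised as a dictionary word. The word list and the sample candidates are constructed for this example.

```python
# Added example: the post's vowel substitution (a=@ e=3 i=1 o=0 u=2) and
# character doubling, plus a dictionary check that normalises candidates
# before lookup. WORDLIST and the sample strings are constructed here.

LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "u": "2"}
UNLEET = {symbol: vowel for vowel, symbol in LEET.items()}


def substitute_vowels(word: str) -> str:
    """Replace each lowercase vowel with the post's symbol or digit."""
    return "".join(LEET.get(ch, ch) for ch in word)


def double_chars(text: str) -> str:
    """Write every character twice, e.g. DWC1970 -> DDWWCC11997700."""
    return "".join(ch * 2 for ch in text)


def undouble(text: str) -> str:
    """Collapse a fully doubled string; leave anything else unchanged."""
    paired = len(text) % 2 == 0 and all(
        text[i] == text[i + 1] for i in range(0, len(text), 2)
    )
    return text[::2] if paired else text


# Constructed word list: a few pet names and a username-like token.
WORDLIST = {"whiskers", "mittens", "tigger", "dwc1970"}


def dictionary_check(candidate: str) -> bool:
    """True if the candidate is a word-list entry once doubling, case and
    vowel substitution (full or partial) are stripped away."""
    base = undouble(candidate).lower()
    unleeted = "".join(UNLEET.get(ch, ch) for ch in base)
    for word in WORDLIST:
        if base in (word, substitute_vowels(word)) or unleeted == word:
            return True
    return False


if __name__ == "__main__":
    for sample in ("DDWWCC11997700", "M1tt3ns", "Wh1skers", "xqv7plz"):
        print(sample, "->", "dictionary word" if dictionary_check(sample) else "not found")
```

The check tries three views of each candidate: as typed (lowercased and undoubled), against the fully substituted form of each word, and with the substitution reversed, so a partially substituted name like "Wh1skers" is caught as well as a fully substituted one.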

Always glad to be of assistance.

A couple of additional refinements:

1) My example snippets (from Gulliver’s Travels) mix uppercase and lowercase characters almost equally, since English in those days (I gather from examples I’ve seen) capitalized common nouns (like German to this day). Of course, you can get the same effect with any bit of text by capitalizing all the nouns (or whatever, as long as it’s something easy to remember and apply consistently).

2) Use a phrase that includes punctuation, and don’t strip it out – e.g.:

Et tu, Brute? → E2t2,B5?

Generally it’s based on whatever story or article I’m writing. For instance, say I was writing a story about four English children during the Blitz who discover a passageway to a fairyland where they meet an avatar of Christ in leonine form; a character in the story mentions a prophecy about the children, saying “The four thrones at Cair Paravel must be filled.” I’d morph that into T4t@CPmbf. It’s an easy mnemonic for me.

As others have said, this makes a lot of sense, and is a great tip! Thanks! :smiley:

I do have a question, though – let’s say you have passwords to 20 different sites, none of which have anything to do with each other. How do you remember which password goes where, or do you then use something like a3a7h3C5 for each of those sites?

You could write a list of sites with an oblique hint (the first word of the phrase, or a related phrase) for each.

For instance, if I used these passwords (and the mnemonic system I described in my earlier posts – first letter followed by letter count for each word, nouns uppercase, keep punctuation):

SDMB: d4w8a1S6c3 (mnemonic: does whatever a spider can)
Bank: i2y3v5y4L5,b2s9e4 (mnemonic: if you value your lives, be somewhere else)
HR Self-Service: I1a2n3a1C5 (mnemonic: I am not a crook)

I could jot down hints:

SDMB: Spidey
Bank: Delenn
HR Self-Service: Nixon

That would be enough to identify which of my mnemonics goes with which site, without giving all that much of a hint to anyone else (especially if I chose more obscure mnemonics in the first place).
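The first-letter-plus-letter-count scheme from this post and the earlier ones (nouns uppercase, punctuation kept), together with the separate hint list, as an added example that is not code from the thread or any poster. The phrases and site names are the ones given in the thread; the handling of punctuation inside a word (letters are counted, only trailing punctuation is kept) is my assumption, since the thread only shows trailing punctuation.

```python
# Added example: derive passwords from phrases using the thread's rule
# (first letter of each word + that word's letter count, punctuation kept)
# and keep a hint sheet that records only the site and an oblique hint.
# Phrases and site names come from the thread; the in-word punctuation
# rule is an assumption.

import re


def mnemonic_password(phrase: str) -> str:
    """For each whitespace-separated word: first character, then the
    number of letters in the word, then any trailing punctuation."""
    parts = []
    for token in phrase.split():
        letter_count = sum(1 for ch in token if ch.isalpha())
        if letter_count == 0 or not token[0].isalpha():
            raise ValueError(f"token {token!r} must start with a letter")
        trailing = re.search(r"[^A-Za-z]*$", token).group(0)
        parts.append(f"{token[0]}{letter_count}{trailing}")
    return "".join(parts)


# Constructed from the post's own examples: site -> (phrase, hint).
# Nouns are capitalised in the phrase, as the post describes.
SITES = {
    "SDMB": ("does whatever a Spider can", "Spidey"),
    "Bank": ("if you value your Lives, be somewhere else", "Delenn"),
    "HR Self-Service": ("I am not a Crook", "Nixon"),
}


def passwords(sites=SITES) -> dict:
    """The derived passwords, which are never written down."""
    return {site: mnemonic_password(phrase) for site, (phrase, _) in sites.items()}


def hint_sheet(sites=SITES) -> str:
    """What does get written down: the site and its oblique hint only."""
    return "\n".join(f"{site}: {hint}" for site, (_, hint) in sites.items())


if __name__ == "__main__":
    for phrase in ("one Emperor lost his Life", "Et tu, Brute?"):
        print(phrase, "->", mnemonic_password(phrase))
    print(hint_sheet())
```

Run as a script it reproduces the thread's own derivations (o3E7l4h3L4 and E2t2,B5?) and prints the hint sheet, which contains no word of any phrase.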

Years ago, I was assigned a fairly complicated password of a random 7-letter word, plus 3 random numbers, plus a random sign – like (but obviously not) Tabletop945$.

I still use it, and when I have to reset the password, I just move the last character to the start:

$Tabletop945
5$Tabletop94
45$Tabletop9

etc. etc. By the time I’ve cycled all the way through the word, I’m past the “10 resets” and can go back to the original password. The only problem is that sometimes I forget exactly where I’m at for a day or two after reset (“Is it 45$Tabletop9? Or 945$Tabletop?”) but my system gives me three tries and I can always get it by the third try.

Nonsense words/fictional languages are a great source of passwords. I’ve used the same 4 character password for years and no one has ever cracked it; you’d have to know me very well to figure it out, and the only way to crack it is letter-by-letter, number by number.

Now with the prevalence of translator sites, I could do something really silly, like translate an Elvish word to Japanese, then to binary, then to hex, and use that :wink:

There’s another good method if you’re a fast typist. Instead of abbreviating a familiar phrase, use the entire phrase as your password. Punctuate and capitalize it normally and stick a number in the middle of one of the words and you’ve got a very strong password that’s very easy to remember. This doesn’t work in a lot of places but can, for instance, be used for Windows domain passwords (assuming you don’t have to log in from any Win9x machines).

I use this method for generating public encryption keys. The longer the phrase, the more secure.
The letter-word length idea is new to me. Nice.