Easy-to-remember, secure passwords!

By | July 2, 2014

This is a brilliant animated GIF that should not only brighten your day, but also inspire your next password.

Passwords comprise an extremely notorious authentication mechanism. Let me explain why: you usually get a new password every time you 'forget' your password – thus making the password completely unnecessary, as you can just 'forget' it every time you need to log in, you don't actually need to remember your password anymore. You only need really need your email password.

That said, if you have to pick a password, at least have some fun doing so, and cuten up your passwords! Or, for the more geeky folk, you could try writing your favorite equations into that password field instead… the additional security comes from (1) more characters to brute-force, (2) multiple 'sets' of words, phrases, emoji, etc. to combine, and (3) combining 'sets' increases the number of possible passwords attacking algorithms need to sift through. This still, however, does not help against phishing, data theft, or other such possible measures.

/via +John Foster

Reshared post from +McAfee

Don't have boring passwords! Check out this gif on how to create fun passwords that are hard to crack. #PasswordDay. Learn more at passwordday.org

32 thoughts on “Easy-to-remember, secure passwords!

  1. Sophie Wrobel

    +Kagan Cengiz Hardware-based security is actually a rather old concept. The oldest iteration I can remember is the magnetic swipe card reader that you needed to be able to activate and authenticate a terminal computer (yes, terminal!).

    Let me know when you get your Yubikey NEO. I'd be interested to hear your experiences with it!

  2. Edward Morbius

    Clarifying on my "use no known passwords" comment:  this is something that should be enforce server side.  That is:  comparing a user's input to a known list.  And that really should be a part of online application frameworks everywhere.

  3. Kagan Cengiz

    +Sophie Wrobel No, I don't have any connection to them. Honestly, I became aware of such technology very recently after switching to LastPass. It had become too much of a trouble for me to control accounts. I didn't know much about password managers either and I am even more embarrassed now to tell you that I didn't know that there were other producers of USB  based security in the market before your mentioned above. Thanks for the heads up.  Anyway, you and +Bryan Jones are right about the extra burden of USB access. That's the reason I am waiting for this yubikey NEO to be released. They claim that the user will only have to tap or swipe yubikey neo, to any NFC  enabled mobile device or computer without inserting it (at least that's how I understand it). I use google authenticator too but I am not really comfortable with the fact that I am dependent on my mobile device… This yubikey thing sounds more practical to me, I would like to try once released. 

  4. Sophie Wrobel

    +Kagan Cengiz That's a good point – Yubikey (and other producers of USB-based security) is a small but present market of hardware-based authentication. Do you by some chance have a connection to the folk who work there?

    The biggest problem, as +Bryan Jones points out, is mobile compabitility: I use the internet 90% of the time from mobile devices… which have very sparse support for USB, let alone USB-based security!

  5. Edward Morbius

    +Forrest Sweasy Which means that there's actually a pretty good rule for passwords:  _use no known passwords_.

    There are large compendia of known passwords, and even just nixing the very most frequently used (10, 100, 1000, 1,000,000), would eliminate virtually all collisions.  If someone's trying to crack a system, they'll usually try for the most insecure passwords first (diminishing returns and all that).  Though if they're specifically targeting you, you'll want to practice good password hygiene. 

  6. Forrest Sweasy

    The simple fact that this post is here means these passwords are now in someone's "dictionary". Correct horse battery staple fun y'all.

  7. Edward Morbius

    +Kagan Cengiz I'll look at Yubikey.

    I've carried an RSA fob for gigs.  Their own security failings notwithstanding, the idea of a OTK generator that you've got with you and can use for multi-factor auth is a good thing.  My ideal is SSH key + passphrase + OTK.  That's three factors right there, and not too onerous.

  8. Bryan Jones

    +Kagan Cengiz, Yubikeys are a pretty good solution, but the downside is that it's an extra piece of hardware to carry with you, and you can only use it on a machine with a USB (i.e. no mobile access possible). 

    Google's existing 2-factor system using an app on your smartphone to give you a fresh login pin works really well. I use it where ever I can (many sites work with it). 

    Generally the best security has 2 (or 3) of 3 factors of authentication: Something you know (e.g. password), something you have (e.g. yubikey or smartphone with Google authenticater app), and/or something you are (e.g. finger print).

  9. Kagan Cengiz

    Actually all this ordeal with passwords might soon be over with Yubikey’s U2F initiative http://www.yubico.com/products/yubikey-hardware/yubikey-neo/yubikey-neo-u2f/  with their Yubikey NEO product (they haven’t released it yet) http://www.yubico.com/products/yubikey-hardware/yubikey-neo/ . This is a very small simple device that you can attach a key ring. It generates unique on-time characters each time you press a small button on it. You can use this password only once.
    They formed an alliance called FIDO https://fidoalliance.org/about which will eventually alter password systems and maybe make them obsolete in the future. Google is in! As far as I understand more banks, companies etc are expected to join.

    There is an informative article published last year on Forbes; it explains better I just did:

  10. Sophie Wrobel

    I agree completely with +Max Huijgen on the 'some intelligence is necessary' factor of secure password creation.

    What further complicates it is not just number of character restrictions, but also which characters you are allowed to use – one password check says 'maximum of eight alphanumeric ASCII characters', another says 'minimum of 16 characters, at least one special character, and no using your name'. Go figure.

    That said, there are also alternative authentication methods arising to the classic password – one of the most common being the two-step authentication (You may have seen the 'type your password, and the code just sent to your mobile phone' authentication method somewhere), another that is less popular the 'you have a matrix full of words. Enter the 1st, 6th, and 10th word  on your matrix' variant. While nothing is truly secure, it does add an extra stone in the path for attackers.

  11. John Hopkin

    I would think that most people's vocabularies are in the thousands, and anything in that range raised to the power of 4 is going to be a pretty huge number, especially if a dictionary attack were being used over the internet.

    Having said all this, I admit that a lot of the time I just let LastPass generate something long and horrible, and pray that I never have to type it in by hand on a smartphone …

  12. Edward Morbius

    +John Hopkin Part of the value of the xkcd password is that the words used are known.  I've got my own bash implementation which uses the local common dictionary, with some 235,000 words.  The lists it generates aren't spectacularly memorable, though I suppose on use you'd tend to remember:

    overmasterfulness viticulture glottiscope scapoid nasion
    unrewarding panhygrous drupeole off questionwise
    foraneous peripharyngeal fluviology naphthalene guydom
    musculodermic pedigreeless utrubi shrinker recuperate
    independently loudering mumpsimus vinifera panterer
    gee idiomatical nonconfirmative pumpkinish swatter
    amicably title dodger ultrainclusive preirrigational
    becarpet Dwyka sugarbush overshadow reeding
    carvership aphonia prehuman Chamos exoskeleton
    arthrobranch la lakeless gasteromycetous eucharistical

    Problem is that most people's active vocabularies are actually pretty small.  Looking at an archive of my own G+ posts (including comments), over 804,000 words, uniques are … hrm.  More than I'd thought.

    19,090 words with a frequency of 2 or more.  35,406 total.  Some are clearly bogus:  xdivgcphekfqbgcphekfqbczjxeybabafe, wwwwwwwww, and wwwgregthatchercomfinancialthatchertohowardpdf, for example.  Many are technical or terms of art:  xlsclients, yakshave.  Some are artifacts of my postprocessing:  wretchedhivejpg was "wretchedhive.jpg" likely at some point (I removed punctuation).

    I don't know whether to be upset at proving myself wrong or impressed by my vocabulary (with an assist from others).

  13. Kagan Cengiz

    Me too I use LastPass. Each of my password contains 20 distinct characters and I don't have to remember any of  them; but of course if master pass is compromised we are so in trouble…

  14. Bryan Jones

    I'm a fan of LastPass. I use arbitrarily long and complex passwords, and I don't have to worry about remembering them. Of course if LastPass were to be compromised I would be in trouble. All my password data is supposed to be decrypted client side, so LastPass and LastPass servers never see any of my actual passwords. Although I wish it were open source so I could know that it's all decrypted client side, and didn't have to take their word for it.

  15. John Hopkin

    +Max Huijgen: then that's a different question entirely. Even the best password scheme will fail if people use a less secure scheme instead.

    I second your comment about the limits on password lengths and contents, by the way.

  16. Max Huijgen

    The real problem is btw the limits on characters used on lots of forms. Microsoft restricts/ed you to 16 or 20 characters and no spaces…

  17. Max Huijgen

    If you were to select randomly from that large set of words it would work +John Hopkin but most people will use a non random selection from a much smaller set and there it goes wrong.

  18. Max Huijgen

    completely agree +Bryan Jones that's why  I said 'if done smartly'. If you break a long dictionary word with part of a formula somewhere in the middle entropy goes sky high while it's still easy to memorize.

  19. John Hopkin

    +Max Huijgen Who is saying that "correct horse battery staple" passwords are no longer safe?

    Given a vocabulary of 10,000 words (a rather low estimate) it would take 10,000,000,000,000,000 attempts to crack a four-word password, assuming that the attacker knew that it was precisely that type of password and the language used.

  20. Bryan Jones

    +Max Huijgen, if complex dictionary attacks can easily overcome 4+ random word variants, then anything like "password:-)" is completely worthless. Adding a couple random (if you can call emoji random) characters onto a single English word i a lot easier to brute force (with or without a good dictionary) than having 4 or 5 English words. If 4 words isn't good enough for you, use 5, that will make it somewhere between 8000 and 500,000 times stronger against a dictionary attack.

  21. Max Huijgen

    +Sophie Wrobel if handled with some understanding this will work well, if people still use the name of their dog and suffix it with a smiley, they will be in for a nasty surprise.


Leave a Reply

Your email address will not be published.