1. 12

Yesterday I asked this community how many bits of entropy are “safe enough” for offline storage, and I mentioned “memorable passwords”. Although I said I would like to steer the discussion away from that, replies started touching that subject.

So here, in this question, I would like to focus on this subject: what password patterns, passphrase generation schemes, word lists, memorization techniques, etc. does the community find easy to memorize.

I would like to hear what others are actually using and what works for them.

  1. 11

    What makes a password memorable has little to do with the password itself, but rather how it is used. If you use a password a lot, you will have memorized it within a week or two, regardless of how it was generated.

    I have a couple of passwords which I use frequently, for things like logging into my workstation and my password manager. These are generated randomly, and I memorize them. When I change them (which is very infrequently) I keep a written copy to hand until I have memorized them, and I keep a written copy in a safe place. Everything else my password manager remembers for me.

    My memorized passwords do not have to obey other people’s rules about character selection, so I can tune them to be easier to type: they are only lower case letters. This makes it more reasonable to use a long password even on my phone where FaceID’s unreliability means I have to type it more than I would like.

    My current passwords are 16 letters (75 bits, more than enough), which I wrote down as 4 groups of 4. The 4x4 rhythm helped with memorising. I found I remembered the groups first, then it was a matter of remembering the right groups in the right order in each password.

    1. 5

      For the sake of completeness, here are a few word-based passphrase techniques (I have not used any of these myself), although I question how easily memorable they are:

      I also found two other techniques that can generate passwords (I have not used these myself):


      Myself, I have been using (for more than 15 years now) exclusively passwords with the following pattern: cvcv cvcv cvcv cvcv (where c stands for a consonant and v for a vowel); for example:

      >> z-tokens generate -c 10
      
      xufu fuso kozo sosu
      wele gapu lihu woyo
      vole peju huho macu
      qogu lesa taxu ziko
      zupi wewo keru lihe
      mepu buka juco rife
      sofu yaqi hapo paxi
      doso yemu saho vadi
      neno juju vuve yaqe
      zewa tozo toto zeyu
      

      They have 53 bits of entropy (each “word” has exactly 10k variants), which is good enough for online authentication. They are also (somewhat) easily pronounceable, and after a bit of practice they are definitely memorable.

      If any site is “picky” and wants upper-case letters, digits or symbols, I just change the last word to upper-case, or replace it with CVds, where d is a digit and s is a symbol.


      And last, as shameless self-promotion: a few days ago I submitted my own password generator, z-tokens, to this community. But I really want to find out what other techniques people are finding usable.
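As an added illustration of the cvcv scheme described in this comment (this is not z-tokens' code; it is a separate example written for this page), the generator and entropy arithmetic below draw every letter uniformly with a CSPRNG. The consonant and vowel alphabets, the symbol set for the "picky site" variant, and the reading of CVds as upper-case consonant, upper-case vowel, digit, symbol are assumptions: with 21 consonants and 5 vowels a word has (21*5)**2 = 11025 variants, so the comment's "exactly 10k" corresponds to a 20-consonant alphabet, which the entropy function lets you plug in.

```python
import math
import re
import secrets

# Assumed alphabets (the comment only says "consonant" and "vowel").
CONSONANTS = "bcdfghjklmnpqrstvwxyz"  # 21 letters
VOWELS = "aeiou"                      # 5 letters
DIGITS = "0123456789"
SYMBOLS = "!@#$%^&*"                  # assumed symbol set for the CVds variant


def cvcv_word(consonants=CONSONANTS, vowels=VOWELS):
    """One cvcv word; each position is drawn uniformly with secrets.choice."""
    return "".join(
        secrets.choice(consonants) if i % 2 == 0 else secrets.choice(vowels)
        for i in range(4)
    )


def cvcv_password(words=4):
    """The pattern from the comment: four space-separated cvcv words."""
    return " ".join(cvcv_word() for _ in range(words))


def cvcv_entropy_bits(words=4, consonants=len(CONSONANTS), vowels=len(VOWELS)):
    """Entropy in bits of a uniformly generated password of `words` cvcv words."""
    variants_per_word = (consonants * vowels) ** 2
    return words * math.log2(variants_per_word)


def picky_variant(password):
    """Replace the last word with CVds (upper-case consonant, upper-case vowel,
    digit, symbol) for sites that demand mixed case, digits and symbols.
    The other words are left untouched."""
    words = password.split()
    words[-1] = (
        secrets.choice(CONSONANTS).upper()
        + secrets.choice(VOWELS).upper()
        + secrets.choice(DIGITS)
        + secrets.choice(SYMBOLS)
    )
    return " ".join(words)


def picky_entropy_bits(words=4, symbols=len(SYMBOLS)):
    """Entropy of picky_variant output: (words - 1) cvcv words plus one CVds word."""
    cvds_variants = len(CONSONANTS) * len(VOWELS) * len(DIGITS) * symbols
    return cvcv_entropy_bits(words - 1) + math.log2(cvds_variants)


# Validators, useful when checking a password you typed from memory.
CVCV_RE = re.compile(r"^[bcdfghjklmnpqrstvwxyz][aeiou][bcdfghjklmnpqrstvwxyz][aeiou]$")
PICKY_RE = re.compile(r"^[B-DF-HJ-NP-TV-Z][AEIOU][0-9][!@#$%^&*]$")


def is_cvcv_password(password, words=4):
    parts = password.split(" ")
    return len(parts) == words and all(CVCV_RE.match(p) for p in parts)


if __name__ == "__main__":
    pw = cvcv_password()
    print(pw, f"({cvcv_entropy_bits():.1f} bits)")
    print(picky_variant(pw), f"({picky_entropy_bits():.1f} bits)")
```

Note that swapping the last word for CVds costs almost nothing: one CVds word over eight symbols has 21*5*10*8 = 8400 variants, about 13.0 bits, against 13.4 bits for a cvcv word, so the "picky" form still lands just above 53 bits.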

      1. 3

        I wrote a similar tool that I’ve been using ever since: https://github.com/timkuijsten/rpass

        As you can see in the README on that page I also did a little calculation on how strong a password should be, depending on hashing function and how much an attacker is willing to spend on cracking your password.

      2. 3

        For passwords that I need to remember (that won’t go in my password manager), I use a 7-word passphrase generated with diceware using the EFF’s word list.

        1. 2

          I made an app to generate easy to memorize strong passwords: https://ezmempass.ihsan.io/. It is free on Android and iOS.

          I can memorize 10-word passwords (100 bits of entropy) within 5 days of more-than-once-daily usage. I only have a few such passwords, for my password manager and email.

          I’ve posted an extensive comment about this topic here: https://lobste.rs/s/li7v9e/let_s_settle_password_vs_passphrase#c_outuax

          1. 1

            I see a description of your app at that link, and an email address, but no links to app stores nor anyplace to download it. Is that intentional?

            1. 1

              Thank you for pointing this out, I fixed this mistake and added links to the Apple App Store and Google Play Store.

          2. 2

            I just use high-entropy passwords (random characters). It works fine for me. The procedure I use to memorize it, and to be sure that I have actually memorized it and will be able to recall it under a variety of conditions, has far more effect than what kind of password it is.

            My own memorization techniques would be unlikely to work for others because they’re based on my observations about how my brain stores things.

            The question does ask what works for me, so I’ll give some detail anyway. In particular, for me the phonetic representation and the written representation go together and I need to make sure both are correct in my mental recitals, and that both have all the information about the other. So for example I silently say “capital Z” to myself while reading a password I intend to memorize, not just “z” with a sense of emphasis, because the latter risks being unable to remember whether the emphasis meant it was capitalized, or where it went in the string… that sense-of-emphasis isn’t itself phonetic so it gets misplaced in my memory.

            Passwords based on word lists would be dramatically harder for me because there’s too much risk I’d apply thought-tools meant for other contexts, contexts where precision isn’t as important.

            I have a bunch of other little observations about my memory, but I’ve looked into the research and have every reason to expect they’re mostly specific to me, so I’ll stop there. My advice to others would be to study how YOUR memory works, and keep track of what helps and what doesn’t. When you find yourself making an error, ask what caused it and what could have prevented it.

            1. 2

              I built an implementation of Diceware for my password generator app which in my experience generates fairly memorable passwords.

              1. 1

                Where’s your implementation? I’d love to take a look.

                I wrote a general base conversion tool that works with any-sided dice, for example 20 sides. It takes 60 rolls with 20-sided dice to generate 256 bits.

                1. 1

                  Is it the implementation of the Diceware method, or is there something unique to your implementation? How many words do you use? How many such passwords have you currently memorized? Any other feedback?

                  1. 2

                    Nothing unique about it, it’s a straightforward clone with the word list replaced by EFF’s. I use a default length of 5 words, and have memorized 4 passwords at the moment which I semi-frequently need to enter on machines where my password manager is not accessible.

                    My only “problem” with this is websites with inane password rules around capital letters, digits, special characters and such will usually not be happy with the output from a Diceware generator, so I had to tack on the ability for user-provided suffixes to assuage these websites’ requirements.

                    1. 2

                      You could just add an A1! at the end of every password for such sites.

                      Because we all know that having upper letters, digits and symbols increases your password strength by 1024 to the 1024 bits. Smart sites these are. ;)

                      1. 1

                        My only “problem” with this is websites with inane password rules around capital letters, digits, special characters and such will usually not be happy with the output from a Diceware generator,

                      I think the conversion tool is pretty good at addressing that problem as well. For example, using a base 91 alphabet gives plenty of special characters in the output. If any character isn’t allowed, simply remove it from the output alphabet.
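As an added example covering both the Diceware replies above (five d6 rolls per EFF word) and the any-sided-dice base conversion discussed in this sub-thread, the code below is not the commenter's tool or the EFF's; it is a stand-alone illustration written for this page. The base-91 alphabet (printable ASCII minus quote, double quote and backslash) and the placeholder 7776-entry word list are constructed here, not taken from any real list.

```python
import math
import string

# Standard Diceware / EFF long list: 6**5 = 7776 words, one per five d6 rolls.
EFF_LONG_LIST_SIZE = 6 ** 5

# Constructed placeholder standing in for the real 7776-word list.
PLACEHOLDER_LIST = [f"w{i}" for i in range(EFF_LONG_LIST_SIZE)]

# Constructed base-91 alphabet: the 94 printable non-space ASCII characters
# minus the three that most often upset forms and shells.
BASE91 = "".join(
    c for c in string.ascii_letters + string.digits + string.punctuation
    if c not in "'\"\\"
)


def rolls_to_int(rolls, sides):
    """Read dice rolls (each 1..sides) as base-`sides` digits, first roll most
    significant. Distinct roll sequences of equal length map to distinct integers."""
    value = 0
    for r in rolls:
        if not 1 <= r <= sides:
            raise ValueError(f"roll {r} is not a valid d{sides} result")
        value = value * sides + (r - 1)
    return value


def int_to_alphabet(value, alphabet):
    """Canonical base-len(alphabet) representation (no leading zero digits).
    The map is injective, so re-expressing the rolls loses no entropy."""
    base = len(alphabet)
    if base < 2 or len(set(alphabet)) != base:
        raise ValueError("alphabet needs at least two distinct characters")
    if value == 0:
        return alphabet[0]
    digits = []
    while value:
        value, d = divmod(value, base)
        digits.append(alphabet[d])
    return "".join(reversed(digits))


def rolls_to_password(rolls, sides, alphabet):
    """Any-sided dice rolls -> character password over `alphabet`."""
    return int_to_alphabet(rolls_to_int(rolls, sides), alphabet)


def diceware_index(five_d6):
    """Standard Diceware: five d6 rolls select one of 7776 words (index 0..7775)."""
    if len(five_d6) != 5:
        raise ValueError("Diceware uses exactly five d6 rolls per word")
    return rolls_to_int(five_d6, 6)


def diceware_words(rolls, word_list):
    """Consume rolls five at a time and look each index up in `word_list`."""
    if len(rolls) % 5:
        raise ValueError("need a multiple of five rolls")
    if len(word_list) != EFF_LONG_LIST_SIZE:
        raise ValueError("word list must have exactly 7776 entries")
    return [word_list[diceware_index(rolls[i:i + 5])] for i in range(0, len(rolls), 5)]


def entropy_bits(num_rolls, sides):
    """Entropy carried by `num_rolls` fair rolls of a `sides`-sided die."""
    return num_rolls * math.log2(sides)


def rolls_needed(target_bits, sides):
    """Rolls of a `sides`-sided die needed to reach `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(sides))


def max_length(num_rolls, sides, alphabet):
    """Longest password rolls_to_password can emit for this many rolls."""
    return math.ceil(entropy_bits(num_rolls, sides) / math.log2(len(alphabet)))


def restricted_alphabet(alphabet, disallowed):
    """Drop characters a site forbids; the base shrinks, so more rolls are needed
    for the same entropy and max_length grows accordingly."""
    return "".join(c for c in alphabet if c not in disallowed)


if __name__ == "__main__":
    print(rolls_needed(256, 20), "d20 rolls give", entropy_bits(60, 20), "bits")
    print("longest base-91 output for 60 d20 rolls:", max_length(60, 20, BASE91), "chars")
```

Two things worth knowing before using this with a real site: the output length varies (values with small leading digits come out shorter), so check `max_length` against any maximum-length rule, and the entropy is fixed by the rolls, not the alphabet, so shrinking the alphabet with `restricted_alphabet` never weakens the password, it only makes it longer.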

                  2. 1

                    I’ve thought about questions related to this for quite a while!

                    A few years ago I used Google Books data to create a few word lists of common words from books, based on the assumption that those words would be generally easy-to-remember. I even made one for 1Password to consider using and a few other lists optimized for inputting on TVs.

                    I also became very interested in methods for making a word list uniquely decodable, a property that allows users to safely combine words without a delimiter (like “dispatchentertainfastnessbarbecueneutronmascot”). I ended up using a modified Sardinas–Patterson algorithm to make lists uniquely decodable with minimal word cuts.

                    Lastly, I’ll link to a Rust tool I wrote to help me work with word lists which might be of interest to readers of this thread. I also listed a bunch of word lists in the README.
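As an added example of the unique-decodability property this comment mentions (written for this page; it is not the commenter's Rust tool and the list-trimming heuristic is not the "minimal word cuts" method described there), the code below implements the plain Sardinas–Patterson test, a brute-force parser that exhibits the ambiguity when the test fails, and a crude greedy trimmer. The word lists used are constructed for illustration.

```python
def _dangling_suffixes(left, right):
    """{ s : x == y + s, x in left, y in right, x != y }, with s non-empty."""
    out = set()
    for x in left:
        for y in right:
            if x != y and x.startswith(y):
                out.add(x[len(y):])
    return out


def is_uniquely_decodable(words):
    """Sardinas-Patterson test: True iff every concatenation of words has exactly
    one parsing back into words, i.e. the list is safe to join without delimiters."""
    code = set(words)
    if "" in code:
        return False
    current = _dangling_suffixes(code, code)   # S_1: leftovers when one word prefixes another
    seen = set()
    while current:
        if current & code:                     # a leftover is itself a word: ambiguous
            return False
        key = frozenset(current)
        if key in seen:                        # the sets cycle; nothing new can appear
            return True
        seen.add(key)
        # S_{n+1}: leftovers of a word prefixing a suffix, or a suffix prefixing a word
        current = _dangling_suffixes(code, current) | _dangling_suffixes(current, code)
    return True


def is_prefix_free(words):
    """Sufficient (not necessary) condition: no word is a prefix of another."""
    ws = sorted(set(words))
    return all(not ws[i + 1].startswith(ws[i]) for i in range(len(ws) - 1))


def parsings(text, words):
    """Every way to split `text` into words (brute force; fine for a passphrase)."""
    code = sorted(set(words))
    if text == "":
        return [[]]
    out = []
    for w in code:
        if text.startswith(w):
            for rest in parsings(text[len(w):], code):
                out.append([w] + rest)
    return out


def greedy_make_decodable(words):
    """Heuristic only: drop the longest word that has another word as prefix
    until the list is uniquely decodable. Not guaranteed to cut the fewest words."""
    remaining = sorted(w for w in set(words) if w)
    while not is_uniquely_decodable(remaining):
        longest = max(
            (x for x in remaining for y in remaining if x != y and x.startswith(y)),
            key=len,
        )
        remaining.remove(longest)
    return remaining


if __name__ == "__main__":
    demo = ["over", "load", "overload"]
    print(is_uniquely_decodable(demo), parsings("overload", demo))
    print(greedy_make_decodable(demo))
```

The iterative part matters: a list like `["a", "abc", "bcd", "d"]` has no word that is a prefix of another followed directly by a word, yet `abcd` parses as `a+bcd` or `abc+d`; a single prefix scan misses that, the suffix iteration catches it. Conversely `["1", "10", "00"]` is not prefix-free but is uniquely decodable, so prefix-freeness is a stricter cut than needed, which is exactly why a Sardinas–Patterson-based trim removes fewer words.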

                    1. 1

                      For a short, memorizable password to be typed frequently: possibly the correct-horse-battery-staple scheme in xkcd.com/936. Personally, however, I don’t recommend or use this scheme for memorization. My passwords are in a password manager; the master password for the password manager is the only one I memorize—and even it can be salvaged using other methods besides solely memory.

                      For a longer, not-often-typed passphrase that does not have to be wholly memorized: a sentence from a book. You would then only have to remember the book’s name and a keyword/chapter number [*], using which you can later retrieve the sentence from a copy of the book (you will know when you come across the exact sentence as you browse the chapter). If the passphrase is particularly important, you may want to write the book’s name and chapter number in a notebook, or make a habit of recalling the detail every morning when you wake up.

                      It’s also worth differentiating between memorizable and memorable, as I see it: the first scheme in my comment makes a memorizable password; the second scheme makes a memorable password. I think memorizing is an ultimately unreliable exercise. Having something be memorable isn’t.

                      [*] ideally the book is a non-translated work, otherwise you may have to remember the translator

                      1. 1

                        For a longer, not-often-typed passphrase that does not have to be wholly memorized: a sentence from a book.

                        I don’t know how secure that is… I bet one could construct a statistical model based on many digitized books and just start with that. How many word sequences that actually form a phrase, and thus aren’t nonsense, are there?

                        I think we should always assume that our attacker knows everything except the password, but including the exact method we’ve used to come up with the password, all our preferences (this includes the books we own or read or accessed in a library).

                        Given all that, I do hope it’s a book written by a dadaist writer, that was long forgotten it ever existed, and which no one has seen you read or own… :)

                      2. 1

                        Diceware, with the EFF word list. The one with 6**5 = 7,776 entries.

                        I honestly only remember my passwords for logging into League of Legends; the rest I just use a manager for and/or don’t type that much.