
Let's say I am following good security policy and picking passwords that are:

  • Long
  • Complex (passphrases where possible, otherwise random strings with special characters)
  • Unique (completely independent for different sites/things)
  • Changed regularly

Let's also say that for this particular set of passwords, I do not feel comfortable keeping them written down or in a database like LastPass. We are only using good old fashioned memory.

What's an effective way to remember several infrequently used passwords? For example, one could conceive of the following naive algorithm:

When you set a new password, take a sheet of paper
Repeat 100 times:
    Write password on paper (while spelling it with your internal voice)
    Fold that part of the paper so you can't see the password
When finished, destroy the paper

How can this be improved upon? Do you have experience with similar methods, which can be applied quickly at the time of creation of the password, to memorize it?

To restate the problem: You have decided that you will not store a number of passwords anywhere other than your memory. These may be passphrases, or they may be strings of random ASCII characters, or even 4-digit PINs. They are always randomly generated and periodically changed. The passwords will be used infrequently (perhaps once in a few weeks or days), so usage alone will not be able to ensure retention. What do you do to make sure you won't be hitting the "forgot password" link in a few weeks?

As per the good subjective question guidelines, please try to provide answers that are:

  • In-depth rather than short
  • Ideally draw on your personal experience
  • Explain the rationale behind your method (if you know of any research regarding the effectiveness, even better)
Superbest
  • Also, consider having a look at this quite similar question: http://security.stackexchange.com/questions/662/what-is-your-way-to-create-good-passwords-that-can-actually-be-remembered – kiBytes Mar 17 '14 at 08:08
  • @kiBytes It is related, but different. In my question, the password rules are "upstream". Besides basics like passphrases, passwords are generated without thought to how easy they will be to remember (which keeps entropy high). I am especially interested in methods that would work if adversaries knew exactly how you generate your passwords (eg. a passphrase). This means memorization strategies which can handle very high entropy input, and don't rely on security through obscurity. – Superbest Mar 18 '14 at 05:07
  • I'm more and more starting to favor the [battery staple method](http://xkcd.com/936/), myself. – Shadur Mar 18 '14 at 08:44
  • I subscribe to [The only secure password is the one you can’t remember](http://www.troyhunt.com/2011/03/only-secure-password-is-one-you-cant.html) and use a password manager. You can remember the master password by rota, although the battery staple method is appropriate too. – SilverlightFox Mar 19 '14 at 10:59
  • The way our memory works for things like that makes it impossible to _remember_ something like this for a long time. You have to repeat it at certain intervals for it to stick. No way around it other than avoiding having to remember something in the first place (like some answers suggest). – RomanSt Apr 15 '15 at 13:12
  • An infallible algorithm is to use a password manager. – ThoriumBR Sep 08 '21 at 19:58

6 Answers

Maybe the best way is sticking to an algorithm for your password. You might have two or three algorithms to cover complexity restrictions; you might, for example, learn the following algorithm:

For any service:

1. Select a reusable secret string
2. Add some common pattern, i.e. the name of the service
3. Add some Caesar-like algorithm: a=@ e=3 i=g1n d=|) g=Y1 o=()...
4. Add some logic to alternate the strings you have (one char from 1, and one char from 2).
5. Add some random text depending on the length of the service (add a number every length(name of the service)/2).

Build it up, i.e.:

  1. Secret password: "algorithmpass"
  2. Service: "stackexchange"
  3. Caesar: "@lY1()rg1nthmp@ss" and "st@ck3xch@nY13"
  4. Alternate strings: "@sltY@1c(k)3rxgc1hn@tnhYm1p3@ss"
  5. Add numbers every len(stackexchange)/2 = 13: "@sltY@1c(k)3r1xgc1hn@tnhYm12p3@ss"

And that's your password. It is very hard to remember but "quite easy" to rebuild.

The disadvantages are clear: once someone cracks your algorithm they get access to all the related accounts. The pretty thing here is that you can make really simple algorithms that build great passwords. Also, the passwords generated can be quite complicated to remember, so you should choose your algorithm carefully to meet day to day usability criteria.

kiBytes
  • Also the biggest issue with passwords like this: websites that limit your password to 6-10 chars, and don't allow you to use punctuation. Those are the absolute worst. – theGreenCabbage Mar 19 '14 at 19:16
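The five steps above, implemented as an added worked example (this is my code, not kiBytes'; the function names and the policy check at the end are mine). One detail to be aware of: the answer computes len("stackexchange")/2 as 13, and the strings it shows are produced by inserting a digit after every 13 characters, i.e. every len(service) characters. The block size is therefore a parameter here and defaults to len(service) so that the answer's strings are reproduced exactly. The final function checks the result against the kind of site policy the comment complains about (6-10 characters, no punctuation), which a fixed algorithm like this one frequently fails.

```python
"""Added worked example of the five-step derivation described above.
Not kiBytes' code: helper names, the block-size parameter and the
policy check are my own."""
import string
from itertools import zip_longest

# Step 3: substitution table from the answer; unlisted characters pass through.
SUBSTITUTIONS = {"a": "@", "e": "3", "i": "g1n", "d": "|)", "g": "Y1", "o": "()"}


def substitute(text: str) -> str:
    """Step 3: apply the Caesar-like substitution character by character."""
    return "".join(SUBSTITUTIONS.get(ch, ch) for ch in text)


def interleave(first: str, second: str) -> str:
    """Step 4: alternate one character from each string; whatever is left of
    the longer string is appended unchanged."""
    return "".join(a + b for a, b in zip_longest(first, second, fillvalue=""))


def insert_counters(text: str, every: int) -> str:
    """Step 5: after each full block of `every` characters that is followed by
    more text, insert a running counter (1, 2, 3, ...)."""
    out = []
    for idx in range(0, len(text), every):
        out.append(text[idx:idx + every])
        if idx + every < len(text):
            out.append(str(idx // every + 1))
    return "".join(out)


def derive(secret: str, service: str, every: int = 0) -> str:
    """Steps 1-5 together. `every` defaults to len(service), which is the block
    size the answer's worked example actually uses (13 for "stackexchange")."""
    if every <= 0:
        every = len(service)
    return insert_counters(interleave(substitute(secret), substitute(service)), every)


def fits_policy(password: str, min_len: int, max_len: int, allow_punctuation: bool) -> bool:
    """Check a derived password against a site policy such as the one in the
    comment (6-10 characters, no punctuation). A derived password that fails
    the policy forces an exception to the algorithm, which is the practical
    weakness of this approach."""
    if not min_len <= len(password) <= max_len:
        return False
    if not allow_punctuation and any(ch in string.punctuation for ch in password):
        return False
    return True


if __name__ == "__main__":
    pw = derive("algorithmpass", "stackexchange")
    print(pw)
    print("fits a 6-10 char, no-punctuation policy:", fits_policy(pw, 6, 10, False))
```

Running the block reproduces the answer's final string for the sample inputs; the policy check reports that a 33-character password containing `@`, `(` and `)` would be rejected by the restrictive site the comment describes.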

I have not explicitly used a method like this for remembering passwords, but I found flashcards to be quite effective for learning a foreign language and English vocabulary.

The idea can be adapted for passwords:

  1. Keep a file with a screenshot of the login page of every site you want to remember. For non-website passwords, like magnetic cards, use a photo of the card or the device which reads the card.
  2. Print one or more sets of flashcards which have the screenshots on them.
  3. Write down the password on the back of each card.
  4. Repeat until you reach a satisfactory rate of success:

    1. Shuffle cards
    2. Look at each card, and try to remember the password (by spelling it out, writing on paper, or "typing" on a disconnected keyboard)
    3. If you forget a password, look on the obverse of your card
  5. Destroy flashcards.

The advantages of this method:

  • You directly associate the password with the place where you will use it, strengthening recall and providing a helpful cue.
  • No computer sees the password (besides when you actually use it), eliminating a potential weak link.
  • All passwords are practiced every time you need to memorize a new one, providing a mechanism for regular repetition.

Disadvantages:

  • Requires a printer. Due to this, generally not feasible unless you either only set new passwords where you have access to your flashcards (and can generate the new one), or you anticipate the need to set the password in advance.
Superbest

Without a master of some kind for each password there's no way to actually check if you're correct short of using it to log in. This means if you're wrong most sites will lock you out, so I don't recommend this. That being said:

Preparation USE A PENCIL. Make one flash card for each site that lists the site's url, i=0, l=today's date, n=today's date

Algorithm
while any flashcards have n = today's date
   replace l with today's date
   try logging in
   if successful
      if i = 0
         replace with i = 1
      else
         replace with i = i * 2
      replace n with today's date + i days
   else
      replace i with i = 0
      replace n with today's date

When any password is changed
   replace i with i = 0
   replace l with today's date
   replace n with today's date
   do memorization algorithm

This is a somewhat simplified version of the SuperMemo SM-0 algorithm which results in more frequent early practices.

cdm014
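The scheduling rules above as an added worked example (my code, not cdm014's): each card carries the interval `i`, the last-attempt day `l` and the next-due day `n` from the answer, dates are plain integer day numbers, and `review_days` shows the resulting practice schedule 0, 1, 3, 7, 15, ... when every attempt succeeds. One assumption of mine is marked in the code: a card whose due day has already passed is treated as due as well, so that a missed day does not drop it from the rotation.

```python
"""Added worked example of the flash-card scheduling rules in the answer
above. Not cdm014's code: Card, the function names, integer day numbers
and the attempt cap in run_day are my own choices."""
from dataclasses import dataclass
from typing import Callable, List


@dataclass
class Card:
    site: str
    i: int = 0  # current interval in days; 0 means "not yet learnt"
    l: int = 0  # day of the last attempt
    n: int = 0  # day of the next scheduled attempt


def new_card(site: str, today: int) -> Card:
    """Preparation step: i = 0, l = n = today."""
    return Card(site, 0, today, today)


def due(cards: List[Card], today: int) -> List[Card]:
    """Cards scheduled for today. The answer tests n == today; counting overdue
    cards (n < today) as due too is my addition."""
    return [c for c in cards if c.n <= today]


def record_attempt(card: Card, today: int, success: bool) -> Card:
    """One login attempt: double the interval on success, reset on failure."""
    card.l = today
    if success:
        card.i = 1 if card.i == 0 else card.i * 2
        card.n = today + card.i
    else:
        card.i = 0
        card.n = today  # retry the same day
    return card


def password_changed(card: Card, today: int) -> Card:
    """When a password is changed the card starts over."""
    card.i, card.l, card.n = 0, today, today
    return card


def run_day(cards: List[Card], today: int, attempt: Callable[[Card], bool],
            max_attempts: int = 100) -> int:
    """Process due cards until none is left for today (failed cards come back
    the same day). Returns the number of attempts; the cap is my safeguard
    against a card that never succeeds."""
    attempts = 0
    while attempts < max_attempts:
        todo = due(cards, today)
        if not todo:
            break
        for card in todo:
            record_attempt(card, today, attempt(card))
            attempts += 1
    return attempts


def review_days(successes: int, start: int = 0) -> List[int]:
    """Days on which one card is practised when every attempt succeeds."""
    card = new_card("example", start)
    days = []
    for _ in range(successes):
        days.append(card.n)
        record_attempt(card, card.n, True)
    return days


if __name__ == "__main__":
    # Constructed sample: two cards created on day 10, both answered correctly.
    cards = [new_card("site-a.example", 10), new_card("site-b.example", 10)]
    print("attempts on day 10:", run_day(cards, 10, lambda c: True))
    print("next due days:", [(c.site, c.n) for c in cards])
    print("practice schedule with 6 successes:", review_days(6))
```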

Type your password once per line about 100 times into a text editor that does NOT auto-save. You can also repeat it aloud to yourself to further help. The main benefit of typing it is that you will very quickly develop muscle memory for typing the password making it easier to remember. Close the text editor when done.

Harvey

More a reframe than an answer.

If you don't trust password managers, you can build your own. There are already countless modules (single-board computers, microcontrollers) with good security, well-documented SDKs and online documentation, so you can build your own and be reasonably sure it isn't backdoored.

Or you can buy dedicated hardware, like the Mooltipass. I don't use it, nor am I affiliated with them in any way, but the foundations are very good.

Don't trust your mind to create good passwords.

ThoriumBR
  • *... the foundations are very good* ... including the great name! https://www.youtube-nocookie.com/embed/RdqiaNsKR2E – brynk Sep 09 '21 at 05:09

Since you can choose the password, I would stick with a sentence and take the first letter of each word. Maybe replace every s with 5 and a with 4 and so forth.

I personally can remember rhymes very well. If you take a poem and learn it, you can probably salvage multiple passwords from it. Although the question is, how safe are passwords created from known phrases.

But even if you can remember the passwords, you still have two problems.

  1. Which password belongs to which login?
  2. What if a website's password policy doesn't work with your passwords? Then you would have to break your own rules, which would result in hard to remember passwords.

To sum up, it's possible but another choice between security and 'convenience'. Even though I'm not sure it's more convenient than a password manager...

mohrphium
  • Replacing letters a la 1337 speak is not useful - all password crackers will use these. – Rory Alsop Mar 17 '14 at 12:12
  • It's all about entropy. In normal words, e.g. words that are usually used in dictionary attacks, leetspeak doesn't add much. But for made up number/letter/special combinations it does add (some) entropy since cracking it comes down to brute force. It's out of the question that it's still not as good as completely random strings, but good luck remembering them without a pw manager. – mohrphium Mar 17 '14 at 16:38