Blog The life and ramblings of just another data scientist.

Easy to Remember, Secure, Passwords

A few years back XKCD, as it so often does, got me thinking; this time about my choice of passwords. Up until that point I had always seen it as an intellectual challenge to memorize long random passwords for all my logins, usually 16 random letters, numbers, and symbols. But I've since learned that it is easier, and more importantly more secure, to pick easy-to-memorize passwords. How can we do this and still ensure the password is actually secure? It seemed a more in-depth analysis was in order.

XKCD: Password Strength

Picking a Secure Password

The first thing we need to break down is the bits of entropy mentioned in the original XKCD comic; what is that all about? Simply put, if I had a password that was a single bit long it would be either a 1 or a 0, so it has a single bit of entropy. This means there are only 2 possible passwords, and as such it would be extremely easy to guess. When we evaluate words instead of letters or numbers, however, we have to ask "how many possible words are there?". If we were truly picking from every single word in the English language this number would be huge; there are tens or even hundreds of thousands of words in the English language. In reality, however, your vocabulary probably isn't quite so comprehensive, and even if it were, it might be hard to remember a password like this one.

Pseudoturbinal_Huswifery_Climbable_Eburin

Instead we want to choose a more limited, and easier to remember, vocabulary from which to generate our passwords. Similarly, if we want to calculate how hard it is to crack a password via a brute-force attack, we need to know the vocabulary an attacker would target. For example, if I wrote a script to attack your account and the script tried every possible combination of the 200 most common vocabulary words in every sequence, then it would eventually find your password; it is just a question of how long it would take.

Let's run those numbers and see what we get. How long would it take to crack your password if you picked 4 words from the 200 most common English words, assuming the script used to attack the account could make 1,000 guesses per second?


\(200^4 = 1,600,000,000\) possible passwords

\(\frac{1,600,000,000}{1,000} = 1,600,000\) seconds

\(\frac{1,600,000}{60} = 26,667\) minutes

\(\frac{26,667}{60} = 444\) hours

\(\frac{444}{24} = 18.5\) days


For fun we can also figure out how many bits of entropy that represents.

\(1,600,000,000 = 2^n\)

\(n = \frac{\log(1,600,000,000)}{\log(2)}\)

\(n \approx 30.575\)


Of course we can't have a fraction of a bit, so we round n up to the nearest whole number, which puts the current password scheme at 31 bits of entropy.

It is clear from the math above that there are 1,600,000,000 possible passwords when any 4 of the 200 most common English words are combined in any order. If each combination can be tried at a rate of 1,000 per second, it would take only 18.5 days to determine the password. In reality this is doable on a basic desktop computer, and a mainframe could do it in much less time. Clearly that won't do.

If we truly want a secure password we are going to have to increase the number of bits of entropy, but hopefully without making the password significantly more difficult to remember. One way we can do that, as we already discussed, is simply by increasing the vocabulary used to generate your password. Let's try it with a vocabulary of 5,000 words.


\({5,000}^{4} \approx 6.25 \cdot {10}^{14}\) possible passwords

\(\frac{6.25 \cdot {10}^{14}}{1,000} \approx 6.25 \cdot {10}^{11}\) seconds

\(\frac{6.25 \cdot {10}^{11}}{60} \approx 1.041 \cdot {10}^{10}\) minutes

\(\frac{1.041 \cdot {10}^{10}}{60} \approx 1.736 \cdot {10}^{8}\) hours

\(\frac{1.736 \cdot {10}^{8}}{24} \approx 7.233 \cdot {10}^{6}\) days

\(\frac{7.233 \cdot {10}^{6}}{365} \approx 19,818.61\) years


and the entropy...

\(6.25 \cdot {10}^{14} = 2^n\)

\(n = \frac{\log(6.25 \cdot {10}^{14})}{\log(2)}\)

\(n \approx 49.151\)


Well, that looks much better. Now we have 50 bits of entropy, which would take about 19,818.61 years at 1,000 tries per second to figure out your password. That is probably secure enough, although a mainframe could still crack it in under a year. But unless the CIA is trying to get into your account, you are most likely safe if you want to stop there. For reference, check out this site for a list of the 5,000 most common words in the English language. You can even use this list to generate your password by picking words from the list at random.
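The calculation above, carried out in code as an added example (this is not from the original post): it computes the keyspace, entropy and worst-case crack time for a passphrase of `num_words` words drawn from a vocabulary of `vocab_size` words, and draws words from a list with a cryptographic random source. The tiny word list at the bottom is constructed for illustration; substitute a real list of the 5,000 most common words.

```python
import math
import secrets

SECONDS_PER_DAY = 60 * 60 * 24
SECONDS_PER_YEAR = SECONDS_PER_DAY * 365


def passphrase_strength(vocab_size, num_words, guesses_per_second=1000):
    """Keyspace, entropy (bits) and worst-case crack time for a passphrase
    built from num_words words chosen uniformly from vocab_size words.

    Follows the post's method: keyspace = vocab^words, entropy = log2(keyspace),
    crack time = keyspace / guess rate (the attacker tries every combination).
    Entropy is also rounded up to whole bits, as the post does.
    """
    keyspace = vocab_size ** num_words
    bits = math.log2(keyspace)
    seconds = keyspace / guesses_per_second
    return {
        "keyspace": keyspace,
        "bits": bits,
        "bits_rounded_up": math.ceil(bits),
        "days": seconds / SECONDS_PER_DAY,
        "years": seconds / SECONDS_PER_YEAR,
    }


def generate_passphrase(wordlist, num_words=4):
    """Pick words uniformly at random with secrets (a CSPRNG, not random.choice)
    and join them capitalised, in the style of the post's examples."""
    words = [secrets.choice(wordlist) for _ in range(num_words)]
    return "".join(w.capitalize() for w in words)


if __name__ == "__main__":
    # Constructed sample list; a real run would load the 5,000-word list.
    sample_words = ["help", "cats", "want", "love", "make", "juice"]
    for vocab in (200, 5000):
        s = passphrase_strength(vocab, 4)
        print(f"{vocab:>5} words: {s['keyspace']:.3e} passwords, "
              f"{s['bits_rounded_up']} bits, {s['years']:.2f} years")
    print(generate_passphrase(sample_words))
```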

Still I am left wondering if there are any other simple steps we can take to increase the security without sacrificing anything. One thing you can do is add one more word into the mix that is not in the list of the 5,000 most common English words but is still easy to remember; even better if the word is entirely unique. Some good examples might be a friend's nickname, an uncommon last name of a friend, or a proper noun for an obscure person, place, or thing; a good example would be a character from a little-known book or play. This would expand the vocabulary needed to attack the account well beyond the 5,000-word vocabulary and as such would significantly increase the security of the chosen password.

Make It Easy to Remember

Now that we know how to pick a secure password, it still may not be terribly easy for you to remember. One trick you can use to get around that is to make your passwords into sentences that are easier to remember, but obscure enough that it isn't easy for a computer to guess. The following are a few examples.

SunDestroysVirginFlowers
AppleHurtsBabyTongue
LispKillsNewDevelopersJoy

To make it even easier to remember you can pick passwords which remind you of the topic of the website they will be used on. For example, the first password, "SunDestroysVirginFlowers", might be the perfect password for a gardening website. It may also help you remember if you make the sentence structure the same for every password. Here are some examples all using the same sentence structure.

HelpCatsWantLove
AdoptABabyINeedCompany
MakeJuiceQuenchThirst

In all these cases we have a verb, followed by a noun, followed by the reason the action was taken. By following a consistent structure your brain will have more clues to recall the password, which makes remembering it much easier. You will also notice I capitalized the first letter of each word; one variant that is slightly more obscure is to pick some other pattern of capitalization. You could capitalize the last letter of every word, or even the second letter; just be consistent across all your passwords so they are easier to remember.

Make Sure It Can Be Used

The only other consideration is to make sure the password can actually be used on the desired site. If you tend to reuse passwords, which isn't the best of ideas, then you also want to make sure the password will be accepted by most websites. Since websites have rules to decide whether a password is acceptable, we should pick a password that passes most of these rules. Usually you are covered if your password has at least one of each of the following: a capital letter, a lower-case letter, a digit, and a symbol. We already covered capitalization, so all we need to throw into the mix are some digits and punctuation. Punctuation is easy: since we are already using sentence-like structures we can just add some punctuation.

Help!CatsWantLove.
AdoptABaby.INeedCompany.
MakeJuice,QuenchThirst!

Digits are a little more difficult. You have two options. The first is to replace a letter with a digit that looks similar to it.

3 -> B
1 -> I
7 -> T

The other option is to use the number to represent a word that has the same sound.

2 -> to, too
4 -> for
6 -> sex
8 -> ate

The key here, again, is to be consistent so you don't get confused. For example, if you choose to replace a letter with the number it looks like, make sure you replace the same letter with the same number in all your passwords. This way you don't need to remember what pattern you used on a case-by-case basis. It is important to note that if you use a number to represent an entire word, it should not replace one of the four typed words chosen earlier but should be in addition to them. This ensures you don't reduce the overall entropy of your password.

In the end you should wind up with some passwords like the following:

Help!Cats8AllTheFood!
AdoptABaby.No64Me.
MakeJuice4Tolkein!

Conclusions

It should be clear now that it is trivial to create easy-to-remember passwords that are also secure. The only other thing I'd suggest is to keep the number of passwords you need to memorize to a minimum. Use a secure password store like LastPass to store all your passwords and instead only memorize a master password for encrypting your LastPass vault. This way you can make sure your master password is secure and you only need to remember one password. I like to have about 5 or 6 passwords I memorize for all my high-security stuff like root login, LastPass, or encryption keys, and then keep the rest stored in LastPass. Any password which I rely on LastPass to store I won't need to memorize, so those are pseudorandom strings.

I hope that helps. Stay safe everyone.

Holy Guardian Angel

Giving part of one's self so another can thrive,
no greater a gift could I ever contrive.
Thus my soul I do give to your worthy embrace,
to an endless quest, for your fears to displace.
Oh!
To give you a world where your happiness thrives,
that fate I shall seek through both of our lives.

For once the great goal is no longer self pride,
the entire vast universe does stand by our side.
Not a fault can we have that we don't overcome,
the whole of our parts is the lesser to our sum.
Ah!
To make us a life where our true selves do reign,
what a glorious cause I shall never need feign.

So here we do stand with our flaws to be seen;
the trust in each other does wash it all clean.
My love for myself is my love for you too,
for your love is my love, we both can imbue.
See!
I need naught from you, for it's part of myself,
and to give from that part only strengthens ourself.

But what if the chaos does haunt us one night?
Our blessed holy guards will then give us true sight.
For chaos is born of illusion's worst fear,
be true to ourselves so it shall never be near.
Eh.
The storm was a dream, not a thing to contend,
I have found us clear skies that never will end.

If the body only gives what it will there receive,
then the mind will be hollow with no hope to relieve.
Thus I use all I have just to light up your eyes,
because I wish you to live, to reach past compromise.
So!
To bring you to life is all I ever did want,
your soul just to smile, not a trophy to flaunt.

Take all that I give, because you give it to me,
since two are the one it brings both of us glee.
Consume all my love, never fear you'll do pain,
for truth of one's self is never heart's bane.
Ah-ha!
The key to our world is the truth held inside,
So forever will I seek ourselves to confide.

--Jeffrey Phillips Freeman

A poem I wrote inspired by Amanda. She has really opened up with me lately, and me to her. I'm glad I get to talk to her as often as I do; she inspires great poems. So this poem talks about finding one's "Holy Guardian Angel", or in occult terms "one's true self". The conversation is directed both at Amanda and at my HGA simultaneously.

Initiation

There in the living wood,
I found the moon,
and she gave herself to me.

She is mine,
though not to be owned.
Sitting high in the heavens,
radiating her grace for all to love.
Though still all the more mine.

All I knew was emptiness,
knowing of nothing,
blind to my existence.
Never seeing color.
Never seeing white, nor black.

Then,
there in the heavens,
there she hung,
the newborn moon.
Born to an endless darkness,
my world was given contrast.
Where once there was nothing
now lay mysterious shadows,
hinting at distant memories.
Her beauty crisp and clear,
merely a sliver,
a faint whisper,
a hint of her full glory,
yet glowing brightly.

She taught me.
Taught me shapes, lines, form.
Taught me light and dark.
She gave me a world beyond myself.
Gave me a reason to open my eyes.
A reason to be alive.

But her radiance grew,
and the stars themselves did envy her.
Yet she gave of herself freely,
turning envy to love.
So that they did dance,
the stars with the moon,
happily overhead,
for all to see.

And as blissful love shined down,
a pale blue earth was brought to my eyes,
giving my world substance.
Once all that was real hung distantly out of reach,
yet now it surrounds me,
giving me purpose,
revealing the depth of my kingdom.

In every crack there I find her,
reminding me she will always be there,
always sharing herself,
always lighting my path,
never letting go.

And though her light may wane,
it is never extinguished.
For all I need do is look to her,
and she will wax full again.

I no longer fear the night,
because the moon is mine.

--Jeffrey Phillips Freeman

This is a poem I just wrote about Amanda. I was feeling inspired and only wrote it over about 15 minutes. But I'm just glad poetry is coming so easy to me lately! I will be curious to hear what people think of it.

A Part of Me Forever

I am not the person from when first we met.
Back then I was only a seed, not even yet alive.
But watered by your love, you gave me my life.
So that my roots did imbibe you.
So that I did grow,
reaching towards the light,
while drawing you into me,
and you became a part of me.

Every thought of you,
will flutter its way,
from my navel to my heart,
carrying with it,
your intoxicating smile.

All the confidence I show,
will trickle its way down,
from my crown to my chest,
suspended within it,
your tender passion.

The very peace I feel,
will stretch its warmth out,
from my soul to my body,
glowing through it,
your loving touch.

No matter what may divide us;
I will always be able to find you.
There in my heart where you will sit,
making goofy sounds and scrunching your face,
curling your toes while we hold each other tightly,
smiling with a brilliance that makes my whole being sing.

Thus I sing my song of love for you,
so that I may always keep you in my heart.
There in my atrium,
happily content,
tapping to the beat,
keeping me in perfect rhythm.

There my love will sit,
forever smiling,
forever tapping.
For never can I sever a part of myself.
Then never can I separate you from me.
So there you will remain,
a part of me,
forever.

--Jeffrey Phillips Freeman

This is a new poem I wrote, inspired by Amanda and all the wonderful time I've been spending with her. It represents many of the wonderful feelings she gives me, and memories. Best yet, we create new ones every day :)

The Mage's Tavern

In misty lands that the pale moonlight brings,
There stands a tavern where it shines and it sings.
In this warm place eternal laughter does flow;
with a smile for each of the winds that will blow.

To seek this land out less must be so much more,
then set yourself free to drift to night's shore.
The familiar road finds unfamiliar friends door,
filled with mirth, merriment, magick, and lore.

When ready to pass open wide wooden gate,
a cool wind then blows that shows one their fate.
The room there well lit by passion's great fire,
its smoke will hang thick from our love's own desire.

There in the sky dances god borealis,
and there on the bar sits the bust of the Pallas.
But never there seen is the raven of yore,
for only the wise can be king evermore.

There in the corner stands a gargoyle's head,
where out of its mouth flows hot earthen lead.
Into a dirt cup its flow does seek end,
but as shining gold it does then transcend.

The food and the drink shared to all those around,
Not one to the other was any one bound.
With plates of clear manna that did sparkle white,
and cups of ambrosia kept full through the night.

Here pixie's dust used in shakers to fill,
and surely dragon tails do remain in there still.
For what fool would eat from a dragon's great tail,
only to have all of their passions fail.

Moon's magick glow fills the room well dispersed,
While time's wanting path remains untraversed.
The moments found here are well unrehearsed;
The truth is abound, not found interspersed.

In this place here exists just the one,
Embrace silver moon, to become golden sun.
Odal reunites ancient gods of the night,
to let us be one, so we shine with their light.

--Jeffrey Phillips Freeman

I wrote a new poem. Not surprisingly to many of you, it was again inspired by the wonderful Amanda and the most recent weekend I spent with her. She had a dream of a magickal tavern that she told me about when I went to see her this weekend. As we enjoyed the weekend, oddly, it seemed to only reflect the energy from her dream. The following night I had a dream of the same place as the one from her dream. I wrote this poem to represent the feelings from this weekend, borrowing elements from the dream itself.