Mitigating Complex Password Atrophy (Difficult Passwords Made Easy)
January 25, 2012
Password Atrophy: The Forgetting of Complex Passwords Through the Lack of Use Over Time
If you’re anything like me, you have several websites and applications that require passwords. Keeping all these passwords unique, complex and memorable can be a daunting task. A long complex password can be difficult to generate and maintain without a process.
Coming up with one password that is significantly long and consists of alternating characters can take some time to think up. Of course, we could use a password generator, but unless you’ve got a photographic memory, it will have to be written down or stored in a password safe. And if you’re willing to write down passwords, you’re doing it wrong. Password safes are a good solution, but there are some concerns about availability. So how do we create a unique password that is both long and complicated (perhaps like a high school romance)?
I’m no rocket scientist but I did sit next to one on a recent flight from Texas. (She was with a leading national space program. I’m not sure if I can name it, so a hint will need to suffice here.)
I learned two things about rocket scientists while sitting next to her for nearly five hours:
- Even rocket scientists have trouble remembering multiple complex passwords.
- There is a reason they are used as the benchmark for high intelligence and aptitude.
I have created a three-factor method that simplifies the process of generating a unique and suitably long password that can be memorized instantly. I shared this method with the rocket scientist, and she said this was the best idea since solid fuel propulsion. (OK. She didn’t actually say that aloud, but I could see it in her eyes.)
The Tri-Factor Method
The three components are:
Website/Application Attribute - This is some component of the website. I use a piece of the domain or the application name with a simple cipher. For this example, I’ll use the last four characters of the website and reverse their order.
- www.fishnetsecurity.com
- rity becomes ytir
We now have the first four characters of our new password.
If the name has fewer than four characters, repeat the cycle or find another creative way to get to four characters. For example, www.ABC.com becomes something like CBAC (the first four characters of CBACBA) or CBAA (the first four characters of CBAABC).
The Complex Component – This is the part that we actually need to memorize. Use a password generator to create a strong six-character password. This will be the only component you will need to commit to memory, since it will be used in all your passwords. Below is the one that I generated using an online tool:
- dr=78i
That gives us another six characters.
Anything You Like – Here you can use anything you like, as long as it is at least four characters. Make it something you will remember. It’s OK to use birthdays, addresses, favorite Olympic Curler, favorite color or anything else. Generally, these options make for terrible passwords on their own, but since we are getting complexity from the other components, we don’t have to be overly concerned.
Here is a phrase I just thought up that I will remember:
- HanShot1st
That’s another 10 characters.
Next take the three components and order them however you like. Use the same order for each password you create. I’m going to use mine in the order that I listed them:
1. ytir
2. dr=78i
3. HanShot1st
When combined, we get the following: ytirdr=78iHanShot1st
We now have a 20-character password for www.fishnetsecurity.com, which is long, complicated, unique and easy to remember!
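The three-step construction above, as an added example that is not part of the original post: the website attribute is derived from the host name (last four characters of the name, reversed, with a short name such as ABC cycled to CBAC as described), the fixed complex component and the memorable phrase are the post's own example values, and a small composition check confirms the result is long and mixes character classes. The helper names (`site_component`, `build_password`, `composition`) are assumptions made for this example.

```python
from itertools import cycle, islice

# The post's example values for the two fixed components.
SECRET = "dr=78i"      # the generated Complex Component (memorized once)
PHRASE = "HanShot1st"  # the Anything You Like component


def site_name(url: str) -> str:
    """Return the name label of a host, e.g. 'fishnetsecurity' for
    www.fishnetsecurity.com (scheme, path, 'www' and TLD stripped)."""
    host = url.split("://", 1)[-1].split("/", 1)[0]
    labels = [label for label in host.split(".") if label]
    if labels and labels[0].lower() == "www":
        labels = labels[1:]
    if len(labels) >= 2:
        labels = labels[:-1]  # drop the top-level domain
    return "".join(labels)


def site_component(url: str, length: int = 4) -> str:
    """Website/Application Attribute: the last `length` characters of the
    name, reversed. A name shorter than `length` is cycled, so ABC gives
    CBA -> CBACBA -> CBAC (the first of the two options in the post)."""
    tail = site_name(url)[-length:][::-1]
    if len(tail) < length:
        tail = "".join(islice(cycle(tail), length))
    return tail


def build_password(url: str, secret: str = SECRET, phrase: str = PHRASE,
                   order: tuple = ("site", "secret", "phrase")) -> str:
    """Concatenate the three components in a fixed order; keep the same
    order for every site so the scheme stays memorable."""
    parts = {"site": site_component(url), "secret": secret, "phrase": phrase}
    return "".join(parts[name] for name in order)


def composition(password: str) -> dict:
    """Length and character-class coverage of the assembled password."""
    return {
        "length": len(password),
        "lower": any(c.islower() for c in password),
        "upper": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(not c.isalnum() for c in password),
    }


if __name__ == "__main__":
    for site in ("www.fishnetsecurity.com", "www.ABC.com"):
        pw = build_password(site)
        print(site, "->", pw, composition(pw))
```

For www.fishnetsecurity.com this yields the post's ytirdr=78iHanShot1st (20 characters, all four classes present). Note what the check does and does not tell you: only the six-character secret is unguessable by design, while the site part is computed from public information and the phrase is personal, so the memorability of the scheme comes from the structure, and the secrecy rests on that one fixed component.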
According to howsecureismypassword.net*, it would take nearly 6 sextillion years for a desktop PC to break this password. That’s 21 zeros! Just be sure to change your password by then.
* Do not use howsecureismypassword.net to test actual passwords. Use a substitute for your password. I haven’t found any way that a password entered there could be compromised. It’s just not a good idea to test live passwords in generators.