

There are three kinds of passwords in the world. The idiotic ones such as "secret" or "password", the cryptographically secure such as "2DM@NTeSr)9aGsCf", and the ones that you might stand a chance of remembering.


Category 1 - the simple

If your password is in the first category, then please unplug your computer from the network and never go online again.

While "password" is an eight character password, which in theory would have a search space of around 26^8 (or about 217 billion possibilities), we can discount all of those: one of the first things any hacker would try, before attempting to brute-force the password by generating random patterns, is a simple dictionary attack. This means walking through a list of words and trying them one by one. And how long would it take to guess "password"? Well, as it is the second most widely used password (after "123456"), you can work out how weak it would be as a password.
If I was trying to break into an on-line site just by entering random passwords and I only had five guesses before the account was locked, I would try:

  • 123456
  • password
  • secret
  • qwerty
  • a1b2c3
And as you can see, I'd be in on my second guess.


Category 2 - the 'secure' passwords

There is no shortage of password generator sites around. One offered me 2DM@NTeSr)9aGsCf, and Chrome on Android will suggest equally gibberish passwords.
Now, these are cryptographically secure in the sense that nothing in them would show up in any dictionary, and to hit that exact combination of characters during a brute force would mean scanning upper and lower case letters, numbers, and symbols, for a 16 character password. According to the GRC password tester, this password would give us a search space (how many possibilities would have to be scanned to find this password) of 44,480,886,725,444,405,624,219,204,517,120 combinations. To break into this, even if you could manage a hundred trillion guesses per second, would take a little under one and a half hundred million centuries. It's written weird like that because he's American. For the rest of us that's 14,100,000,000 years (or "about fourteen billion", much simpler!). Given that our dinky little star is due to turn into a red giant in about five billion years (it's too small to either go supernova or turn into a black hole), I don't think it's a timescale worthy of attention.
Of course, future advances in quantum computing could maybe bring this sort of attack down to the realms of mere years, but really that's a ridiculous amount of effort to break into eBay to see if you bought a Chinese sex doll, when it would be much cheaper, quicker, and more effective to hire somebody to place the barrel of a gun to the side of your daughter's head and say "your password, now".
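To show where figures like these come from, here is a small Python script. It is an added example, not code from the blog or from GRC: it counts every string of length one up to the password's length over the alphabet of character classes the password uses (that sum reproduces both the "about 217 billion" for eight lowercase letters and the 44,480,886,725,444,405,624,219,204,517,120 above), divides by a guess rate to get a worst-case time, and short-circuits to zero for anything on a blocklist, which is the dictionary attack point made in Category 1. The class sizes, the tiny blocklist and the 365.25-day year are assumptions of the example.

```python
# Added example (not from the original post): reproduce the kind of figures
# quoted above.  The search-space count is the number of candidate strings of
# length 1..max_len over an alphabet of the given size; a brute-force attacker
# who finds nothing in the dictionary pass has to try up to that many.

# Character classes as a simple password tester counts them (assumed):
# 26 lower, 26 upper, 10 digits, 33 printable ASCII symbols including space.
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 33

# Constructed blocklist standing in for the "top of the list" the post talks
# about; a real deployment would use a large breached-password corpus.
COMMON_PASSWORDS = {"123456", "password", "secret", "qwerty", "a1b2c3"}

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def alphabet_size(password: str) -> int:
    """Size of the union of the character classes the password draws from."""
    size = 0
    if any(c.islower() for c in password):
        size += LOWER
    if any(c.isupper() for c in password):
        size += UPPER
    if any(c.isdigit() for c in password):
        size += DIGITS
    if any(not c.isalnum() for c in password):
        size += SYMBOLS
    return size


def search_space(alphabet: int, max_len: int) -> int:
    """Count of all strings of length 1..max_len: sum of alphabet**n."""
    return sum(alphabet ** n for n in range(1, max_len + 1))


def years_to_exhaust(password: str, guesses_per_second: float = 1e14) -> float:
    """Worst-case years to walk the whole search space at the given rate.
    A password on the blocklist falls to the dictionary pass, so it gets 0."""
    if password.lower() in COMMON_PASSWORDS:
        return 0.0
    space = search_space(alphabet_size(password), len(password))
    return space / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    for pw in ("password", "passwor", "2DM@NTeSr)9aGsCf"):
        print(f"{pw!r}: alphabet {alphabet_size(pw)}, "
              f"{years_to_exhaust(pw):.3g} years at 1e14 guesses/s")
```

Running it gives roughly 1.41e10 years for the generated password, which is the "fourteen billion" above; the blocklist check is the reason a tester can report zero seconds for "password" regardless of what the arithmetic says.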

You will notice in the section title that I wrote 'secure' in quotes. You see, the problem with these sorts of passwords is that they are gibberish. Which means that while an average person could, perhaps, memorise one such password, if you have twenty passwords for twenty sites, it's game over. And, honestly, a password like that for a flippin' forum? Why?

This means that you would be obliged to rely upon external sources, whether it be a password manager tool or a set of PostIt notes, which means the password is no longer a secret exclusively between you and the site. This is where the security breaks down.

A little anecdote. Many years ago mom used to visit her bank in the UK for various things and she would talk to an adviser. A friendly woman, brought up in banking in the days when people used to handle actual money and decisions would be made according to the manager's "gut feeling" rather than machines running algorithms that assume by default that you are lying.
I think the bank was running NT, because she used to have to press Ctrl-Alt-Delete to log in, which I found amusing given what that combination is for on home and small office PCs. And, much to her chagrin, the policy was a monthly rotation of passwords. So what did she do upon failing to log in? She remembered that it was the first day of a new month, so she flipped her keyboard over and read the password off a label stuck to the underside (previous passwords having been crossed out). It looked like the password was a short but random selection of upper and lower case letters. It looked automatically generated.

While you can argue that she shouldn't have done that, was a bad employee, and so on... the truth is that we just aren't that great at remembering arbitrary bollocks. If she had been given the chance to pick a good password for herself, then she probably would have been okay, but to be forced to have to accept a random bunch of rubbish every single month? I'm sorry, but I'd probably be writing it on a sticky label too.


Category 3 - something you can remember

Now for my suggestion of how to make a password you can remember. We shall assume that all passwords will need mixed case letters, numbers, and symbols.
It helps to follow this assumption, and these rules, even when the site does not require it, in order to be consistent.

In the first three categories below, pick one option.

  • Case
    The first part of the password is case. There are several ways in which you can handle this...
    • Camel Case
    • Only the first letter
    • oNly the second letter
    • oNLY THe CoNSoNaNTS
    • First and last letterS
  • Numbers
    A common way of handling numbers is to perform a substitution. For example 'i' becomes a '1', 'e' becomes a '3', 'h' becomes a '4', and so on.
    • Substitute all appropriate letters.
    • Substitute only the first of each letter.
    • Substitute all, but intentionally omit one (like never translate 'i')
  • Symbols
    Likewise, one could make 'a' become '@', 's' become '$', and so on.
    • Substitute all appropriate letters.
    • Substitute only the first of each letter.
    • Substitute all, but intentionally omit one (like never translate 'i')
  • Other options
    • Separate words using an underscore or dash.
    • Replace the second of double letters, with something like 'X' (so "lXama" instead of "llama").
    • Tack on "12ab34cd" as is necessary to pad the password to sixteen characters.

Now, you don't need to do or try to remember all of these options. Just pick one from each of the first three sections, then add in whichever other options you like, and stick to that.
Then you won't have to try to remember whether it was "Tr0u4dor&3" or whatever, because you'll have a pattern of which substitutions you make. You'll know where you put the capital letter, what the vowels become, and so on.

Now that you have a method, simply pick two or three words describing what each site means to you (either the site, what it does, or your opinions on the owner(s)).
Some examples:

  • Amazon - "giant tat bazaar"
  • Google - "data fetishists"
  • HeyRick - "frenchie twat"

Okay, I'm not French, but it's less typing than "that twat in France". ☺

Now, simply apply your chosen substitutions. Here I am using camel case, changing all symbols, but only the first of each digit, the second of double letters become 'X', and padding to sixteen characters.

  • Amazon - G1@ntX@tB@z@Xr12
  • Google - D@t@F3t1$hi$t$12
  • HeyRick - Fr3nc41eTw@t12ab

All of these passwords show up in GRC's test as being just as good as 2DM@NTeSr)9aGsCf, with the difference that these passwords now have some sort of meaning to you. Which, as long as you are consistent with how you change the words into passwords, will be memorable. You don't need to remember where symbols and digits are, you only need to remember two or three words, and the rules that you use to make those words a password.
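The point of fixing the rules is that the transformation becomes mechanical, so here it is written out as a Python function. This is an added example, not code from the blog: it encodes one reading of the choices listed above (camel case, every 'a' and 's' swapped for a symbol, only the first 'i', 'e', 'h' and 'o' swapped for a digit, the second of a doubled letter becoming 'X', then padding from "12ab34cd" to sixteen characters) and reproduces the three passwords listed. The exact letter-to-symbol and letter-to-digit tables, and the decision to treat doubled letters case-insensitively across a word boundary (so the "tT" in GiantTat counts), are assumptions needed to match the examples; note that the same digit rule turns the 'h' of "fetishists" into a '4'.

```python
# Added example (not the post's own code): one concrete set of choices from the
# menu above, written as a function so the same rules are applied every time.
# Choices encoded here (assumptions about how to read the post's rules):
#   case     - camel case (capitalise the first letter of each word)
#   symbols  - substitute every 'a' -> '@' and 's' -> '$'
#   numbers  - substitute only the FIRST 'i', 'e', 'h' and 'o' (1, 3, 4, 0)
#   doubles  - the second of two identical adjacent letters becomes 'X'
#   padding  - append characters from "12ab34cd" up to sixteen characters

SYMBOL_MAP = {"a": "@", "s": "$"}
DIGIT_MAP = {"i": "1", "e": "3", "h": "4", "o": "0"}
PAD = "12ab34cd"
TARGET_LENGTH = 16


def camel_case(phrase: str) -> str:
    """'giant tat bazaar' -> 'GiantTatBazaar'."""
    return "".join(word[:1].upper() + word[1:] for word in phrase.split())


def mark_doubles(text: str) -> str:
    """Replace the second of two adjacent identical letters with 'X'.
    The comparison ignores case and is made against the original neighbour,
    so 'llama' -> 'lXama' and a run of three letters becomes 'aXX'."""
    out = []
    for i, ch in enumerate(text):
        if i > 0 and ch.lower() == text[i - 1].lower():
            out.append("X")
        else:
            out.append(ch)
    return "".join(out)


def substitute(text: str, mapping: dict, first_only: bool) -> str:
    """Apply a letter -> replacement table, case-insensitively.  With
    first_only=True only the first occurrence of each letter is changed."""
    seen = set()
    out = []
    for ch in text:
        key = ch.lower()
        if key in mapping and not (first_only and key in seen):
            out.append(mapping[key])
            seen.add(key)
        else:
            out.append(ch)
    return "".join(out)


def make_password(phrase: str, x_doubles: bool = True) -> str:
    """Turn a short memorable phrase into a password by the fixed rules.
    Doubles are handled before substitution so that a substituted pair
    (e.g. '@@') is still recognised as a double.  Padding is never more
    than the eight characters of PAD; the post does not say what to do
    beyond that, so longer phrases are left as they come out."""
    text = camel_case(phrase)
    if x_doubles:
        text = mark_doubles(text)
    text = substitute(text, SYMBOL_MAP, first_only=False)
    text = substitute(text, DIGIT_MAP, first_only=True)
    return text + PAD[: max(0, TARGET_LENGTH - len(text))]


if __name__ == "__main__":
    for phrase in ("giant tat bazaar", "data fetishists", "frenchie twat"):
        print(f"{phrase:20} -> {make_password(phrase)}")
    print("without the X rule  ->", make_password("giant tat bazaar", x_doubles=False))
```

The `x_doubles` switch exists so the two variants compared further down (with and without the 'X' treatment of "GiantTatBazaar") can be produced from the same words; everything else about the scheme lives in the two tables at the top, which is where you would put your own choices.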

But let's not rely upon just one site, especially one that simply runs an algorithm rather than looking at attributes of the password itself.
Let's try another. Google found me another tester, which said:

  • 2DM@NTeSr)9aGsCf - 2 trillion years
  • G1@ntX@tB@z@Xr12 - 331 million years
  • D@t@F3t1$4i$t$12 - 163 million years
  • Fr3nc41eTw@t12ab - 9 billion years

That's a much better test. Clearly my suggestions aren't as completely random as actual random, but they're better for being able to remember them. And the worst is 163,000,000 years so it's still in the realms of sufficiently complicated to pass muster.

Something of note is that while my rules might seem a little weird (especially the 'X' thing), they're designed to increase randomness. In "GiantTatBazaar" there are two adjacent 't's and two adjacent 'a's. We know G1@ntX@tB@z@Xr12 gets us a score of 331 million years. How about without the Xs? G1@ntT@tB@z@@r12 gets a mere 31 centuries. Which isn't bad, it still gets awarded "Very strong", but simply breaking up the doubled characters makes it orders of magnitude more complicated.

Of amusing note is that "passwor" gets rated as taking 0.14 seconds to crack, whereas "password" gets a big zero seconds. Why? Because it's right at the top of the list of possible passwords to try first.

Now, your entropy and randomness should differ as I hope you won't use the same words I have. ☺ You should also avoid using things that are obvious. So don't try to make a password out of "SearchEngine" for Google. It's too obvious. Try to pick words that have a more personal meaning to you, but also have a good selection of replaceable letters. For instance, if I chose "Y0u$tup1dTw@t12a" for signing in to the service formerly known as Twitter, this only rates as "Strong" with a hack time of merely a single month. Which is unlikely to outlive the service, you'd need about eight more months, but still...



Your comments:


Gavin Wraith, 21st October 2023, 17:03
Twenty years ago my neighbour, John R, a historian, came round and showed me two pages of coded text, taken from the diaries of Lady Gwendoline Cecil, daughter of Lord Salisbury, for Friday 9-th March 1888. Some of the words had been replaced by numbers. The historian Andrew Roberts had said of this text "Any clue as to which code was being employed has sadly not survived. Despite the best efforts of the Foreign Office Librarian, of the decrypters, GCHQ, and many kind readers of The Times' literary pages, including Bletchley Park alumni, it has proved impossible to decipher it, owing to its shortness ... ". The numbers were 5 or 6 digits long. My guess was that the first 3 digits were a page number, the 4-th was the number of words to be taken from the start of a line, and that the remaining digits were a line-number. It only remained to discover the book in Hatfield House used for the encoding. In fact somebody in GCHQ had already come to this conclusion. I wrote an article in Foundation Risc User 13 about this, as I had written some small Lua programs to analyze the numbers on a RiscPC. 
jgh, 22nd October 2023, 04:44
"Just pick one from each of the first three sections, then stick to that." 
The problem with that is you stick to a scheme you can remember, then some **$££^%^% website refuses to let you use that scheme, so you change your scheme, which means you then can't get into the other websites 'cos you've now been forced to move to a different scheme and can't remember that the *(*^&T$%(&%U you were using previously for the other website. 
And the one thing that REALLY gets on my mammaries is case sensitivity. I CANNOT REMEMBER THE *****ING CASE I USED, I JUST KNOW IT'S "FRED BLOGGS" SO *&^%*&^%*&% WELL LET ME USE WHATEVER "FRED BLOGGS" I HAPPEN TO TYPE. 
Second only to "Password or user name incorrect". Well, which TF is it? The password or the user name? So I keep attempting different passwords until I get locked out BECAUSE YOU NEVER TOLD ME I WAS ACTUALLY ENTERING THE WRONG *^%$&^$%^$*&^ USERNAME!!!!! 
Rant over. Kettle on. 
Rick, 22nd October 2023, 06:35
That's why I find it useful to use the scheme even in places that don't require it - it allows me to pick a fairly strict scheme (mixed casing, numbers, symbols) even when not enforced by the site. 
Case is important, because if you accept a password regardless of case, you've just made it so much easier to hack. The idea is to keep bad people out, so all this symbol and number nonsense is in order to extend the number of tests necessary to arrive at a valid password. 
The idea of saying "Invalid username or password" is designed to prevent information leakage. Essentially it is not telling you anything you didn't already know, namely that combination doesn't work. However if it said invalid password, then it would be telling you that the username given *is* valid. 
This is also why a lot of sites that have password resets also say things like "if that was a known email address then we have just sent it a password reset message". You'll get the exact same response whether you use the correct address, or not. Because then there is no information leakage. Sites that say "sorry, that email address is unknown" are bad because should the message change, it's just told you what address is recognised. 
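The "Invalid username or password" and "if that address is known" behaviour described in the reply above, as an added example in Python that is not part of the comment thread or the blog. The user table, the email addresses, the message strings and the PBKDF2 parameters are all constructed for illustration. The one extra detail worth seeing in code is that an unknown username is still put through a full password hash against a dummy record: if the unknown case returned early, the response time would leak what the message is careful not to say.

```python
# Added example (not from the comment or the blog): a login check and a
# password-reset request written so that neither the message nor the amount
# of work done reveals whether the username or address exists.
import hashlib
import hmac
import os


def derive_key(password: str, salt: bytes) -> bytes:
    """Slow password hash; iteration count is an assumption for the example."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user table: username -> (salt, derived key).
_ALICE_SALT = os.urandom(16)
USERS = {"alice": (_ALICE_SALT, derive_key("correct horse", _ALICE_SALT))}

# Dummy record for unknown usernames.  Its key was derived with a different
# salt from the one stored, so it can never verify, but checking it costs the
# same as checking a real record.
_DUMMY = (os.urandom(16), derive_key("placeholder", os.urandom(16)))

LOGIN_FAILED = "Invalid username or password"
RESET_SENT = "If that address is known to us, a reset message has been sent"


def login(username: str, password: str) -> tuple:
    """Return (ok, message).  The failure message is identical whether the
    username is unknown or the password is wrong, and the hash is computed
    either way."""
    salt, expected = USERS.get(username, _DUMMY)
    matches = hmac.compare_digest(derive_key(password, salt), expected)
    if matches and username in USERS:
        return True, "OK"
    return False, LOGIN_FAILED


def request_reset(email: str, known_addresses: set, outbox: list) -> str:
    """Queue a reset mail only for known addresses, but answer the same way
    regardless, so the response cannot be used to test which addresses exist."""
    if email in known_addresses:
        outbox.append(email)  # a real system sends the message here
    return RESET_SENT


if __name__ == "__main__":
    print(login("alice", "correct horse"))
    print(login("alice", "wrong"))
    print(login("nobody", "correct horse"))
    sent = []
    print(request_reset("alice@example.com", {"alice@example.com"}, sent))
    print(request_reset("nobody@example.com", {"alice@example.com"}, sent))
    print("mails queued:", sent)
```

The two failure cases in `login` are deliberately indistinguishable from outside: same string, same hash computation. Which addresses actually received mail is visible only in the outbox, never in the response.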
David Pilling, 22nd October 2023, 15:02
People in the future are laughing, like the space aliens in the Smash advert 
"...and then they replaced characters" 
"Arf arf arf" 
Passwords were things in children's games. Anyone coming new to the internet thinks, stop messing about, I'm not playing games. No but really you're supposed to have 200 passwords composed of odd symbols in no particular order. 
Everyone gets a mantra at play school. 
"Don't be stupid Jocasta you can't have forgotten your mantra, its ROT3, Tarquin is Camel case" 
Meanwhile the guys cracking the codes. Do we think they go for the low hanging fruit, or does Lord Evil instruct them. 
"Smeg, Alpha Centauri may explode but you will crack Rick's password and his blog will belong to me" 
"har har har" 

© 2023 Rick Murray