How do I create a secure password?
Attached is an article that explains a simple method for creating secure and easy to remember passwords. Read the article and if you have any additional problems contact the help desk people in Math building room 319.
More Secure Mnemonic-Passwords: User-Friendly Passwords for Real Humans
by Stephan Vladimir Bugaj
No matter how many expensive security measures you have on your network, if you have users with passwords, then those passwords are the most vulnerable part of your network. There are various complex or expensive solutions (such as one-time passwords) that are applicable in some situations, but the fact remains that many people will use vanilla password systems on their machines, and that they will use "dog" as their password if given the opportunity.
It's simple to enforce minimum password lengths, character requirements, and password aging, but these are not quite enough. You either wind up with passwords like "2dogdog" or, if you follow most expert recommendations, you get something like "v3%-/Bl+bQ}", which nobody will ever remember. What happens with "v3%-/Bl+bQ}" is obvious: users write their password down on a Post-it and stick it to their monitor.
There is a lot of discussion about how to strike a balance between the security of random passwords and the security of passwords that are simple enough to be memorized. Simple passwords are too easily cracked, so random passwords are generally preferred (though not necessarily generally used). I suggest that administrators encourage what some people (like myself) already do when creating passwords: employ mnemonic devices to make the pseudorandom passwords that I call More Secure Mnemonic Passwords.
MSMPs are passwords derived from simple passwords that the person will easily remember, but with mnemonic substitutions applied to give the password a more random quality. These passwords are easily constructed and easier to remember than random passwords. Because they follow an obvious pattern, they are more easily cracked than random passwords (an attacker who guesses the base word need only enumerate the substitution variants), but imperfections abound in any security system. Here are a few examples of constructing MSMPs:
batman » b@man » b@mAn » b@m4n
cheese » ch33s3 » ch33s3!!
chillywilly » chillywilly » ch!llyw!lly
In constructing MSMPs, you can use both phonetic and typographic substitutions. The "@" in b@man sounds like "at," whereas the "4" in b@m4n looks like a capital "A." It is possible to make a formalized set of these substitutions for use in an organization, but this will make it more difficult for individual users to create MSMPs that are meaningful to them.
MSMPs can also be constructed using mental associations and logical (or illogical) conclusions drawn from the original password idea. The original concept can be a word or a phrase. Formal rules can be made for substitutions, but both security and memorability improve if you simply encourage users to follow their own mnemonic instincts. Here are a few more complex MSMPs that undergo both mnemonic character substitution and associative morphing:
Dr. Seuss » the cat in the hat » thec@intheh@ » lc@=>lh@
I live for UNIX » !1!ve4unl* » @"#&%-cOreDump!
i voted for Pat Robertson » ivOted4P@RObertsOn » !me=666!
fnord » fnOrd » ?23skidOO?
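The article concedes that substitutions follow an obvious pattern; the following added example (not from the article, and not the author's method) puts a number on that. It is a toy rule-based matcher of the kind password crackers use, with a substitution table that is an assumption modelled on the examples above (b@man, ch33s3, ch!lly, $tr4wb3rry) rather than the author's formal list. It recovers b@m4n, ch33s3!! and ch!llyw!lly from their base words, shows that the substitutions on "batman" add only about 11 bits over guessing the plain word, and shows that $tr4wb3rry survives only while "strawberry" is absent from the attacker's word list, which is exactly what the association step is for.

```python
import math

# Multi-letter phonetic substitutions: "@" sounds like "at" (b@man).
# Assumed table, modelled on the article's examples.
PHONETIC = {"at": ["@"], "for": ["4"], "to": ["2"]}

# Single-letter typographic stand-ins; upper/lower case is added automatically.
# Assumed table, modelled on the article's examples.
LETTER = {
    "a": ["@", "4"],
    "e": ["3"],
    "i": ["!", "1"],
    "o": ["0"],
    "s": ["$", "5"],
    "t": ["7"],
    "l": ["1"],
}

# Suffixes seen in the examples (ch33s3!!); a short, constructed list.
SUFFIXES = ["", "!", "!!", "1", "123"]


def options(ch):
    """Every way one character of the base word may be written."""
    if ch.isalpha():
        return [ch.lower(), ch.upper()] + LETTER.get(ch.lower(), [])
    return [ch]


def variant_count(word):
    """Number of distinct spellings of `word` under PHONETIC and LETTER."""
    if not word:
        return 1
    total = 0
    for sound, reps in PHONETIC.items():
        if word.startswith(sound):
            total += len(reps) * variant_count(word[len(sound):])
    total += len(options(word[0])) * variant_count(word[1:])
    return total


def extra_bits(word):
    """Bits the substitution and suffix rules add over guessing `word` itself."""
    return math.log2(variant_count(word) * len(SUFFIXES))


def _spells(candidate, word):
    """True if `candidate` is `word` with each letter or sound substituted."""
    if not word:
        return candidate == ""
    for sound, reps in PHONETIC.items():
        if word.startswith(sound):
            for rep in reps:
                if candidate.startswith(rep) and _spells(candidate[len(rep):], word[len(sound):]):
                    return True
    for rep in options(word[0]):
        if candidate.startswith(rep) and _spells(candidate[len(rep):], word[1:]):
            return True
    return False


def is_mnemonic_of(candidate, word):
    """True if the rules above turn the base `word` into `candidate`."""
    for suffix in SUFFIXES:
        if candidate.endswith(suffix):
            body = candidate[: len(candidate) - len(suffix)]
            if _spells(body, word):
                return True
    return False


def crack(candidate, wordlist):
    """Return the first base word `candidate` derives from, or None."""
    for word in wordlist:
        if is_mnemonic_of(candidate, word):
            return word
    return None


# Constructed word list: what an attacker who knows the user might try.
WORDLIST = ["duke", "batman", "cheese", "chillywilly", "strawberry"]

if __name__ == "__main__":
    for pw in ["b@m4n", "ch33s3!!", "ch!llyw!lly", "$tr4wb3rry"]:
        print(pw, "<-", crack(pw, WORDLIST))
    print("extra bits over 'batman':", round(extra_bits("batman"), 1))
```

Real crackers ship rule sets that apply exactly these substitutions to every word in a list, so the base word, not the spelling, is what the attacker has to guess; the matcher only makes that cost visible.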
Passwords are susceptible to several kinds of attacks, and in many of them the attacker's level of knowledge about your users is a major factor. Knowledge of the user is a big advantage for an attacker: knowing the name of someone's pet is almost as good as knowing where he or she keeps the Post-its with the passwords on them.
With MSMPs there is a lot more work involved in guessing passwords from background knowledge of the user's life. It may be a trivial effort to find out that someone has a dog named Duke, but it would take a lot more effort to follow this line of reasoning:
i have a dog that is named duke
i got the dog from the ASPCA while living in New York
my uncle Al lives in New York
uncle Al liked the Mets, especially Darryl Strawberry
therefore my password is $tr4wb3rry
Whether or not this is a ridiculous line of reasoning, the general idea is to encourage users to make deeper associations when creating their passwords and then to make mnemonic character replacements when spelling out the resulting word.
This scheme should give your users' passwords better protection against both manual and automated attempts to break them. They are not as secure against automated attacks as truly random passwords, but in a system where truly random passwords are viable, user sophistication will be at a level where even more complex precautions may be viable too. However, if you have unsophisticated or numerous users, this scheme should help mitigate what I like to call "the ridiculous password problem."
There is no single solution for all your password problems. Indeed, in our organization we have people who can't remember any passwords at all, and even those who can are still susceptible to social engineering. Nothing is a substitute for a comprehensive security plan and a good understanding between administrators and users, but I hope this system can help you develop both. Besides, it's a fun way to make new passwords.
(This is a reprint of an article from ;login: magazine, Vol. 21, No. 3, copyright 1996.)
