{"id":24024,"date":"2021-07-30T08:00:09","date_gmt":"2021-07-30T15:00:09","guid":{"rendered":"https:\/\/www.podfeet.com\/blog\/?p=24024"},"modified":"2021-07-21T17:56:31","modified_gmt":"2021-07-22T00:56:31","slug":"passwords-in-your-head","status":"publish","type":"post","link":"https:\/\/www.podfeet.com\/blog\/2021\/07\/passwords-in-your-head\/","title":{"rendered":"Generating Random, Secure, Memorable Passwords in Your Head \u2013\u00a0by Allister Jenks"},"content":{"rendered":"<p><a href=\"http:\/\/1password.com\"><img loading=\"lazy\" decoding=\"async\" class=\"alignleft size-thumbnail wp-image-18131\" src=\"https:\/\/www.podfeet.com\/blog\/wp-content\/uploads\/2019\/04\/1Password-logo-200x200.png\" alt=\"1Password logo\" width=\"200\" height=\"200\" srcset=\"https:\/\/www.podfeet.com\/blog\/wp-content\/uploads\/2019\/04\/1Password-logo-200x200.png 200w, https:\/\/www.podfeet.com\/blog\/wp-content\/uploads\/2019\/04\/1Password-logo.png 256w\" sizes=\"auto, (max-width: 200px) 100vw, 200px\" \/><\/a>In late 2020 AgileBits, the folks behind <a href=\"https:\/\/1password.com\" target=\"_blank\" rel=\"noopener\">1Password<\/a>, published a blog post entitled <a href=\"https:\/\/blog.1password.com\/randomness-or-things-humans-do-poorly\/\" target=\"_blank\" rel=\"noopener\">Randomness (or things humans do poorly)<\/a>. It\u2019s a fascinating article on randomness in computers, but near the beginning is this paragraph.<\/p>\n<blockquote><p>As I\u2019ve alluded to with the title of this post, humans are notoriously terrible at creating randomness.<\/p><\/blockquote>\n<p>You\u2019ll doubtless have heard this concept before. Indeed Allison mentioned it in her recent, and excellent, <a href=\"https:\/\/www.podfeet.com\/blog\/2021\/06\/icloud-keychain-vs-1password\/\">rundown of everything a password manager can do for you<\/a>. 
But\u2026 while we are <em>naturally<\/em>\u00a0poor at randomness, we <em>can<\/em>\u00a0learn!<\/p>\n<p>A lot of years ago I was visiting a company office in another city when the manager, Denis, called me into his office. These were the days of dumb terminals connected to a central, large computer. That large computer was my area of responsibility and he was trying to log in but could not remember his password. The passwords on this system were short \u2013 between six and ten characters \u2013 but did require the use of at least one digit.<\/p>\n<p>It was at this time I developed a simple method of coming up with new passwords I would be able to remember, as we had to change them every 60 days. Think of a topical word, between six and ten characters in length, that has at least one letter \u2018i\u2019 or \u2018o\u2019 in it. Your password would be that word with any \u2018i\u2019s replaced with ones and \u2018o\u2019s replaced with zeroes. An example might be \u201ch0sp1tal\u201d if you\u2019d recently had the misfortune to visit one, or \u201ch0l1day\u201d if you were looking forward to one. I had taught this approach to Denis on a previous visit and had suggested he look around his office for inspiration. I asked him if he had followed my advice last time he changed it and he confirmed he had, so I told him to look around the room and see if he could spot what it was. It was then he told me that the source of his randomness had been a truck driving past his window!<\/p>\n<p>Coming forward to today, ten character passwords are not good enough, but <em>memorable<\/em>\u00a0passwords are still a good idea and can be very secure. I\u2019ve been a long-time user of Bart\u2019s <a href=\"https:\/\/xkpasswd.net\/s\/\" target=\"_blank\" rel=\"noopener\">XKPasswd.net<\/a> web site and even built automated actions so I could generate new passwords right on my Mac with my favourite recipes. 
If you can\u2019t access XKPasswd you can likely use your password manager to generate memorable passwords, and hopefully it\u2019s on your phone which you always have with you. But sometimes you might not have access to a suitable generator, or, like me, you prefer the XKPasswd recipes and your password manager can\u2019t produce them like that. For most use cases, any password will do, but there are some places I know I will log in a lot from different places and I would like it to be super easy for me to remember the password. At times like these, I generate them in my head.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignright size-medium wp-image-24026\" src=\"https:\/\/www.podfeet.com\/blog\/wp-content\/uploads\/2021\/07\/edge2edge-media-uKlneQRwaxY-unsplash-300x200.jpg\" alt=\"Photo of rolling dice by Edge2Edge Media on Unsplash\" width=\"300\" height=\"200\" srcset=\"https:\/\/www.podfeet.com\/blog\/wp-content\/uploads\/2021\/07\/edge2edge-media-uKlneQRwaxY-unsplash-300x200.jpg 300w, https:\/\/www.podfeet.com\/blog\/wp-content\/uploads\/2021\/07\/edge2edge-media-uKlneQRwaxY-unsplash-272x182.jpg 272w, https:\/\/www.podfeet.com\/blog\/wp-content\/uploads\/2021\/07\/edge2edge-media-uKlneQRwaxY-unsplash.jpg 640w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/>Let\u2019s do this as an exercise. I\u2019m going to help you generate a suitably random password that would be difficult for anyone to guess. A quick note here that this process does require that you be sighted, though I imagine folks with vision impairment could come up with a variation that works for them.<\/p>\n<p>Look around the room you are in. It helps a lot if you are an untidy person like me. Look for an interesting word that is printed on some object. When I say interesting, I mean don\u2019t settle on things like \u201cthe\u201d or \u201cthis\u201d. Also, try to avoid words you\u2019d expect to see often like \u201cApple\u201d or any word on your keyboard. 
Looking around me right now I can see the following things.<\/p>\n<ul>\n<li>A packet of photo prints for \u201cNew Zealand\u2019s Leading Photostores\u201d \u2013 the word <em>leading<\/em>\u00a0is great.<\/li>\n<li>A mug with a cute message \u201cYou are my otter half\u201d \u2013 the word <em>otter<\/em>\u00a0is great.<\/li>\n<li>A membership card for a society that has several good candidates including <em>treasurer.<\/em><\/li>\n<\/ul>\n<p>That last one is one where you can apply an additional technique. If the word is too long or too short, adapt it to another form, such as <em>treasure<\/em>\u00a0in this case. Continuing on\u2026<\/p>\n<ul>\n<li>A package with a label saying \u201caccepted\u201d \u2013 I\u2019d go with <em>accept<\/em>.<\/li>\n<li>A letter from an optometrist has plenty but I\u2019d choose <em>regular.<\/em><\/li>\n<li>A (sadly empty) chocolate box that gives me <em>ginger<\/em>.<\/li>\n<\/ul>\n<p>I could go on. The trick is to look and quickly choose the words to avoid bringing in biases, but also spend enough time to eliminate the obvious and ideally avoid anything permanent or semi-permanent in your environment. Let\u2019s look at the words we gleaned.<\/p>\n<blockquote><p>leading, otter, treasure, accept, regular, ginger<\/p><\/blockquote>\n<p>If you were <em>in my study today<\/em>\u00a0you might have some success at guessing these words, but it\u2019s still a very hard problem to solve. Now let\u2019s take a similar approach to get some numbers. I\u2019m going to make sure I use different objects to further randomise, and again avoid obvious numbers like dates and round numbers.<\/p>\n<ul>\n<li>A kitset box shows 260 pieces<\/li>\n<li>A battery charger has a product code of 185<\/li>\n<li>An invoice number is 1075<\/li>\n<\/ul>\n<p>You get the idea. So now we have six words and three numbers, let\u2019s pick a separator. 
I tend to stick to one of a handful of easy-to-type separators rather than trying to use my environment to randomise, but you could look around for inspiration even for that. I\u2019m going to choose a comma this time and then I will choose three words and two numbers. I will make sure the words don\u2019t \u201cmake sense\u201d together, for example avoiding \u201cginger otter\u201d. I will also avoid gravitating to the shortest words to keep the total length reasonable.<\/p>\n<p>260,leading,ginger,treasure,185<\/p>\n<p>You may notice that I\u2019ve arranged the words in a \u2018sentence-<em>like<\/em>\u2019 order so they are easier to remember, but the sentence is completely nonsensical. So there you have it. A 100% human-generated, random, secure, and memorable password.<\/p>\n<p>However, just because you cleverly devised your password without the aid of technology, don\u2019t think that this is memorable enough to not have to store it in your password manager! If you don\u2019t have access to that at the time you create the password, write it on a piece of paper and put it somewhere safe until you can record it properly, then destroy the paper. Note that you shouldn\u2019t write the name of the site or service on the paper, just in case.<\/p>\n<p>I\u2019ve used this technique probably half a dozen times and usually I will continue my hunt for words until I find some that particularly appeal to me, especially if I know I will use the password often without recourse to a password manager. I can even now imagine random passwords without referencing my environment based on making short, nonsense sentences like <em>squishy-purple-delivery<\/em>, but that requires a LOT more concentration to avoid obviousness.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In late 2020 AgileBits, the folks behind 1Password, published a blog post entitled Randomness (or things humans do poorly). 
It\u2019s a fascinating article on randomness in computers, but near the beginning is this paragraph. As I\u2019ve alluded to with the title of this post, humans are notoriously terrible at creating randomness. You\u2019ll doubtless have heard [&hellip;]<\/p>\n","protected":false},"author":29,"featured_media":24026,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[147],"tags":[4691,134,4690,2105,50],"class_list":["post-24024","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog-posts","tag-human","tag-password","tag-random","tag-secure","tag-security"],"jetpack_featured_media_url":"https:\/\/www.podfeet.com\/blog\/wp-content\/uploads\/2021\/07\/edge2edge-media-uKlneQRwaxY-unsplash.jpg","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/24024","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/users\/29"}],"replies":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/comments?post=24024"}],"version-history":[{"count":4,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/24024\/revisions"}],"predecessor-version":[{"id":24075,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/24024\/revisions\/24075"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media\/24026"}],"wp:attachment":[{"href":"https:\/\/ww
w.podfeet.com\/blog\/wp-json\/wp\/v2\/media?parent=24024"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/categories?post=24024"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/tags?post=24024"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}