Is it hard to compose easy to remember yet complex passwords?

We’ve all been in situations where we forgot our password, wrote it down, used a certain pattern, or even used the word “password” or some other common word just to make it easier to remember.

Composing a complex password that is fairly hard to break by known techniques such as guessing, brute force, dictionary attacks or other forms of attack is pretty hard, especially when it also has to follow the rules of a security policy: alphanumeric characters in a certain combination, a minimum length, no re-use of previous passwords, a reset expiry date, and so on. Every organization, website or other system with password authentication has such a set of rules, ranging from simple basic ones to much more complex and strict ones.

We need to keep in mind that increased security can come at the cost of good user experience and functionality.

With too many accounts to handle on different websites (blogs, social media, e-mail, etc.) and on various devices, several problems arise and show how our memory can fail us. So we end up using weak, re-used passwords, making us easy prey for attackers.

Update: “THROUGH 20 YEARS OF EFFORT, WE’VE SUCCESSFULLY TRAINED EVERYONE TO USE PASSWORDS THAT ARE HARD FOR HUMANS TO REMEMBER, BUT EASY FOR COMPUTERS TO GUESS.” [1]

As part of my reading I remember The Usability of Passwords post by Baekdal, which suggests that a password such as “this is fun” can be more secure than “$TiF12aSP#”, with the added benefit that it is easy to remember. The idea is simple: choose a set of common or uncommon words, arranged in a way that makes sense to you and is easily remembered, such as “word sec cool blog”. This is only an example and I believe it is still weak, so to add a bit more complexity we can replace the spaces with symbols, capitalize some letters and add a number, leaving us with something like “worD&Sec-cOOl-12Blog”. Keep in mind that the strength of such a phrase comes mainly from its length and from how many words an attacker has to guess, not from the substituted symbols: cracking tools routinely try dictionary words with common capitalization patterns and symbol or digit substitutions, so the phrase gains the most when its words are uncommon or chosen at random rather than from a sentence that is easy to predict.

Password Strength

Still thinking about the idea, it makes sense to me, yet these words can still be found in dictionaries; could that be a problem? Then the light bulb went on in my mind: since I am from Lebanon my native language is Arabic, and when chatting on the Internet we write Arabic words using English letters, where some sounds that have no Latin equivalent are written with digits. So what if we used that as a form of password generation? For example, my password could be “Kelmet-Sirr-2awiyeh”, meaning “a strong password” in English. It is easy to remember and rates as very strong on the following password strength meters. One caveat: a strength meter only scores against the patterns it knows (length, character classes, common English words), so its rating says nothing about an attacker who targets Arabic speakers with a wordlist of transliterated words; against that attacker the digits standing in for Arabic sounds are part of the word, and what remains is the number of words in the phrase and the size of the list they were drawn from.

The same concept can be applied to any other language that is written with English letters as a chat language.
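To make the difference between the two views concrete, here is an added example written for this post; it is not code from the original page, from Baekdal or from any strength meter. It scores the two phrases above under two attacker models: the character-class brute force that a typical meter assumes, and a wordlist attack by someone who knows the phrase is built from words. The wordlist sizes (an assumed 2,000 common English words and an assumed 50,000 transliterated Arabic words), the number of spelling variants per word, the separator count and the guess rate of 10^10 per second are all assumptions chosen for illustration, as is the tiny word list used at the end. The last function generates a phrase from randomly chosen words, which is the variant of this technique whose strength does not depend on what the attacker knows about you.

```python
"""Compare what a strength meter sees with what a wordlist attacker sees.

Added example for this post, not code from the original page. The two
phrases are the post's own; every wordlist size, variant count and guess
rate below is an assumption chosen for illustration.
"""
import math
import secrets
import string

# Assumed offline cracking rate against a fast, unsalted hash (guesses/s).
GUESS_RATE = 1e10


def charset_bits(password: str) -> float:
    """Entropy under a naive brute-force model: every position may hold any
    character of any class present in the password. This is roughly what a
    simple strength meter rewards (length and mixed classes); it knows
    nothing about words, so it overestimates phrases built from words."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    if any(c.isspace() for c in password):
        size += 1
    return 0.0 if size == 0 else len(password) * math.log2(size)


def wordlist_bits(n_words: int, dict_size: int,
                  variants_per_word: int = 1, separators: int = 1) -> float:
    """Entropy once the attacker knows the phrase is `n_words` words from a
    wordlist of `dict_size` entries, each tried in `variants_per_word`
    spellings (capitalisation patterns, digits for letters, ...), joined by
    one of `separators` separator characters. Only choices the attacker
    cannot predict count; symbols added by a fixed rule add nothing."""
    per_word = math.log2(dict_size) + math.log2(variants_per_word)
    return n_words * per_word + (n_words - 1) * math.log2(separators)


def years_to_crack(bits: float, rate: float = GUESS_RATE) -> float:
    """Expected time to hit the password: half the keyspace at `rate` guesses/s."""
    return (2.0 ** bits / 2) / rate / (365 * 24 * 3600)


def report(phrase: str, n_words: int, dict_size: int,
           variants_per_word: int = 8, separators: int = 10) -> dict:
    """Both estimates for one phrase, in bits and in years at GUESS_RATE."""
    naive = charset_bits(phrase)
    informed = wordlist_bits(n_words, dict_size, variants_per_word, separators)
    return {
        "phrase": phrase,
        "charset_bits": round(naive, 1),
        "wordlist_bits": round(informed, 1),
        "charset_years": years_to_crack(naive),
        "wordlist_years": years_to_crack(informed),
    }


def generate_passphrase(wordlist, n_words: int = 4, sep: str = "-") -> str:
    """Diceware-style phrase. Because the words come from the OS CSPRNG rather
    than from a sentence the user made up, its entropy is exactly
    n_words * log2(len(wordlist)) even if the attacker has the wordlist."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


if __name__ == "__main__":
    # Assumptions: the four English words come from a 2,000-word list of common
    # words; the three transliterated Arabic words from a 50,000-word list.
    for r in (report("worD&Sec-cOOl-12Blog", n_words=4, dict_size=2_000),
              report("Kelmet-Sirr-2awiyeh", n_words=3, dict_size=50_000)):
        print(f"{r['phrase']:22} meter sees {r['charset_bits']:6.1f} bits "
              f"({r['charset_years']:.2e} years), wordlist attacker sees "
              f"{r['wordlist_bits']:5.1f} bits ({r['wordlist_years']:.2e} years)")
    # A constructed 16-word list stands in for a real Diceware list (7,776 words).
    toy_list = ("kelmet sirr 2awiyeh blog word sec cool fun this is "
                "mountain coffee river lantern copper velvet").split()
    print("random phrase:", generate_passphrase(toy_list, 5),
          f"-> {wordlist_bits(5, len(toy_list)):.1f} bits")
```

Run it with python3 and compare the two columns: the meter figure rewards the symbols and capitals (about 131 and 125 bits for the two phrases), while the wordlist figure only counts the choices an attacker cannot predict (about 66 and 62 bits under the assumed list sizes). Whether a chat-language phrase holds up therefore comes down to whether an attacker bothers to build that wordlist; the safest way to use the idea is to pick the words at random from a list large enough that the wordlist figure alone is comfortable.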

What do you think of this technique and concept? Can it be considered a strong method for generating complex passwords?

Image courtesy of xkcd

8 responses to “Is it hard to compose easy to remember yet complex passwords?”

  1. I have one very complex password that I practiced to remember, and with that I can access my local password software on my MacBook and iPhone (called DataVault), which I use to create the most complex passwords possible (depending on how many symbols are allowed for particular accounts). Thus, I just have to remember 1 password and still everything should be kind of secure.

    • Hi Sebastian, no doubt that your technique and the use of a password manager can be considered secure, with complex generated passwords of which only one has to be remembered. Yet in some cases, for some users, such an approach could cause access difficulties from various places and machines, since for example in your case the password manager is on your personal MacBook.
      Is it hard for you to access your accounts when you don’t have access to your MacBook? And is portability an option in DataVault?

      • That’s not a problem at all. There is also a DataVault iOS app that I use, for example if I have to log in using my iPhone directly, or if I need access on another machine I use my iPhone to look the password up. Sync works over Wifi, and since I only sync between MacBook and iPhone over my pretty secure home wifi, it should be quite safe. Furthermore I use this password manager to save all kinds of data, e.g., Social Security number, Driver’s Licence ID etc. Thus, the data is always available (as long as I don’t forget to take my iPhone with me ;))

  2. Pingback: 5 Important Steps For Better Computer Security | Salim's Blog·

  3. Salim, the idea discussed here sounds pretty good, particularly when languages other than English are involved.

    However, many languages also have dictionaries, and with the power of cloud computing, are passwords or anything else really safe or unbreakable?

    • Hello Orho, Thank you for your comment.
      You made a very valid point and I agree with it: with increasing computing power, especially cloud computing, cracking passwords and encryption is becoming easier, posing exponential threats to our security. And that is not to mention the existence of Rainbow Tables, which are precomputed hash values to be compared in a brute force attack against stolen password hash tables.
      In the end, what we can do is enhance our security and put more obstacles in the way of attackers. What do you think?

  4. Pingback: Administer Passwords With KeePass | Salim's Blog·

  5. Pingback: Stop Turning into a Phishing Victim | Salim's Blog·
