Creating and Remembering Strong Passwords
Submitted by David Vaughan Investments, LLC on April 4th, 2017
by AnneMarie Brinton
Information Services Coordinator
April 5, 2017
Recently, the National Institute of Standards and Technology (NIST) lightened their recommendations for creating a complex password. This does not mean that the old recommendations of integrating numbers and special characters into your passwords were frivolous and that your single word passwords were plenty secure as they were. Far from it. A password’s strength really does lie in its length and complexity (mixing uppercase letters, lowercase letters, numbers and special characters).[1] The strength of your password grows exponentially with every additional character of length and type of complexity. NIST simply gave up fighting human behavior.
Requiring users to include numbers and special characters was in spirit a great way to increase the security of passwords, but in practice, the overwhelming majority of users ended up using the same, minimally invasive work-around: they added a “1” and an “!” to the end of the same flimsy password they always used.[1]
Then there are patterns. Patterns are user friendly. Patterns are easy to remember, easy to fall into, and also easy to hack. Using consecutive or repeating characters is one of the most common password formats. Changing from “Password A” to “Password B” and back again every required number of days may follow rules, but it’s really only twice as secure as using the same one all the time. You may use a brand new password every 90 days, but if your last two passwords were “Fall2016” and “Winter2017” we can guess what your current password is. While names can be unique, the idea of using a child’s/grandchild’s/pet’s name for a password is not, and names of family members are often one Google search away.
This is where following the spirit and the letter of the recommendations can seem painful; in addition to longer lengths and multiple complexities, the best practice is to never use names (people, places or companies) nor words that can be found in the dictionary in general.[1]
So, what are you supposed to do? Smash your hand down on the keyboard and never access your account ever again? How do you create a password that is secure, but that you can actually remember? One of my recommendations is, rather than creating a secure password with all kinds of random characters and trying to force that into your memory, start with something you already remember and create a password from that memory that seems random, but has tangible meaning to you. Let’s look at an example.
The name David, as in David Vaughan Investments, always reminds me of my first love, David Larabee. Every June his family would throw a regatta party and I would watch from a distance as he would pick some lucky girl to dance with. It was never the same girl, but always the same song, Isn’t It Romantic. It wasn’t until I returned from culinary school in Paris in the summer of 1954 that he finally picked me. Ok, so it’s not a memory of mine. It’s the first act of the movie Sabrina,[2] but if I use one of my real memories, I’ll lose a perfectly good password. So for this post, I’ll try my best to fill Ms. Hepburn’s shoes.
Now that we have a memory picked out, let’s make a password. David always danced to Isn’t It Romantic, which is perfect because I already know those song lyrics from years of listening to it, dreaming that David was dancing with me. So let’s take the first three lines “Isn’t it romantic / Music in the night / A dream that can be heard”[3] and write down the first letter of each word with a slash after each line. Then we get “Iir/Mitn/Adtcbh.” Then, I was asked to dance in June of 1954, so let’s add a “6” to the front and “’54” to the end.
Put it all together and you get: 6Iir/Mitn/Adtcbh’54
That is a 19 character long password that has a mix of all 4 character types, no names or words, and every piece is something that I already have rattling around in my memory. Is it overkill? Perhaps. I could have stopped after “Music in the night” and been just fine. Having 8-10 characters in a password is plenty good especially if it mixes in all four character types. Adding the third line of the song felt like the natural place to stop to me, and in my experience, I have a lot more success in remembering a password if I follow my natural inclinations.
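The derivation just described, as an added example that is not part of the original post: it builds the acronym from the three song lines, wraps it with the month digit and the year (a straight apostrophe is used in '54 so the result is easy to type), and then runs the checks the post talks about: length, whether all four character types appear, runs of repeated or sequential characters, and a case-insensitive substring match against a small wordlist standing in for a dictionary or a list of names. The sample lines and the wordlist are constructed for this example, and the 8-character minimum is the post's own lower bound.

```python
"""Mnemonic password builder plus basic strength checks (added example, not from the post)."""

# Constructed sample input: the first three lines the post uses.
SAMPLE_LINES = [
    "Isn't it romantic",
    "Music in the night",
    "A dream that can be heard",
]

# Constructed, deliberately tiny wordlist standing in for a real dictionary/name list.
SAMPLE_WORDLIST = {"password", "fall", "winter", "spring", "summer", "david", "sabrina"}


def acronym(lines, separator="/"):
    """First letter of each word on each line; lines joined with `separator`."""
    parts = []
    for line in lines:
        # Skip tokens that do not start with a letter (stray punctuation, numerals).
        words = [w for w in line.split() if w[0].isalpha()]
        parts.append("".join(w[0] for w in words))
    return separator.join(parts)


def build_password(lines, prefix="", suffix="", separator="/"):
    """Wrap the acronym with a memorable prefix/suffix (the post uses a month digit and a year)."""
    return f"{prefix}{acronym(lines, separator)}{suffix}"


def has_run(password, length=3):
    """True if `length` identical characters in a row, or a straight ascending/descending
    sequence of code points (e.g. 'aaa', 'abc', '321'), appears anywhere in the password."""
    for i in range(len(password) - length + 1):
        chunk = password[i:i + length]
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps in ({0}, {1}, {-1}):
            return True
    return False


def contains_word(password, wordlist, min_len=3):
    """Case-insensitive substring check against a dictionary/name list."""
    lowered = password.lower()
    return any(w in lowered for w in wordlist if len(w) >= min_len)


def assess(password, wordlist=SAMPLE_WORDLIST, min_length=8):
    """Report length, how many of the four character classes appear, and the pattern checks."""
    classes = {
        "upper": any(c.isupper() for c in password),
        "lower": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        "special": any(not c.isalnum() for c in password),
    }
    return {
        "length": len(password),
        "class_count": sum(classes.values()),
        "long_enough": len(password) >= min_length,
        "has_run": has_run(password),
        "dictionary_hit": contains_word(password, wordlist),
    }


if __name__ == "__main__":
    pw = build_password(SAMPLE_LINES, prefix="6", suffix="'54")
    print(pw, assess(pw))
    # Weak candidates from the post's own discussion, for comparison.
    for weak in ("Fall2016", "Password1!", "abc123"):
        print(weak, assess(weak))
```

Running the script reproduces the post's 19-character result and reports all four character classes, no runs and no wordlist hit for it, while "Fall2016" and "Password1!" are caught by the wordlist check and "abc123" by the sequence check. A real deployment would swap the toy wordlist for a proper breached-password or dictionary list; the structure of the checks stays the same.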
There are so many factors of cybersecurity that, as a user, we have no control over, but making sure that our passwords are not the weak links in the chain is one of them. Take that piece and own it. Tap into those thousands of little tidbits that swirl through your memory — pieces of songs and poems, lines from historical speeches and documents, adages and quotes, lists of everything from ingredients in your favorite recipe, to the bones of the face, to the starting line-up of the 1985 Chicago Bears — and make them into mighty passwords. Be the person who makes the hackers say, “It’s too strong. It will take too long to crack. Let’s just move on.”
[1] NIST Special Publication 800-63B, Digital Identity Guidelines, Section A.1-3
[2] Sabrina, Paramount Pictures, 1954
[3] Isn't It Romantic, Music by Richard Rodgers, Lyrics by Lorenz Hart, 1932