Memorable Passwords

Much has been written on the subject of making memorable yet secure passwords. Here’s another small contribution.

It has been said that passwords are generally more memorable when they are pronounceable. However, for obvious reasons dictionary words do not make good passwords, and so people have focussed on generating single fairly short nonsense words from lists of pronounceable syllables. However, it seems to me that length is only loosely related to memorability, and that real words are probably easier to remember and type than nonsense ones.

It’s also said that good passwords have characters from at least 2 of the sets “A-Z”, “0-9” and “punctuation”. So why not generate passwords containing two words separated by a symbol? If you give them the form [adjective][punctuation/number][noun], such as beheaded!octopus or distressed$asphalt, then they are memorable because of their weirdness, and because you can have a single mental picture to remember – your asphalt with an unhappy face, or your decapitated octopus.

The Parts of Speech Database available from Kevin’s Word List Page has 50,000 adjectives and 100,000 nouns. If you then say there are about 40 numbers/punctuation marks, that makes a possible 200 billion passwords. Quite enough to be going on with, I think. Perhaps not all the adjectives and nouns are usable, because they might be too obscure to be memorable, but you could also use pairs of adverbs and verbs to expand the possibilities.

If anyone wanted to knock up a quick web page which generated passwords from that list, we could see how well it worked in practice…
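A sketch of such a generator, as an added example (not code from this post or from any commenter's site): it builds [adjective][symbol][noun] passwords with a cryptographically secure random source and works out the keyspace from the figures above. The short word lists are constructed samples, and the 42-character separator set is an assumption standing in for "about 40".

```python
import math
import secrets
import string

# Assumption: digits plus ASCII punctuation (42 symbols) stand in for the
# post's "about 40 numbers/punctuation marks".
SEPARATORS = string.digits + string.punctuation

# Constructed sample lists; a real run would load the adjective and noun
# entries of a parts-of-speech word list instead.
ADJECTIVES = ["beheaded", "distressed", "melancholy", "", "Distressed ", "quirky"]
NOUNS = ["octopus", "asphalt", "aardvark", "spatula", "", "octopus"]


def clean(words):
    """Normalise case, then drop empty, non-alphabetic and duplicate entries."""
    seen = {}
    for w in words:
        w = w.strip().lower()
        if w and w.isalpha():
            seen.setdefault(w, None)  # dict keeps first-seen order
    return list(seen)


def keyspace(n_adj, n_sep, n_noun):
    """Return (number of distinct passwords, equivalent entropy in bits)."""
    total = n_adj * n_sep * n_noun
    return total, math.log2(total)


def generate(adjectives, nouns, separators=SEPARATORS, count=10):
    """Return `count` passwords of the form adjective + separator + noun."""
    adjectives, nouns = clean(adjectives), clean(nouns)
    if not adjectives or not nouns or not separators:
        raise ValueError("each component needs at least one usable entry")
    # secrets.choice draws uniformly from the OS CSPRNG, so no separator or
    # word is favoured over another.
    return [
        secrets.choice(adjectives) + secrets.choice(separators) + secrets.choice(nouns)
        for _ in range(count)
    ]


if __name__ == "__main__":
    total, bits = keyspace(50_000, 40, 100_000)
    print(f"post's figures: {total:,} passwords, about {bits:.1f} bits")
    print("\n".join(generate(ADJECTIVES, NOUNS)))
```

The entropy figure only holds if every word in the cleaned lists is actually offered; trimming obscure words shrinks the keyspace accordingly.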

13 thoughts on “Memorable Passwords”

  1. 200 billion = 2*10^11. Compare to a “word” of 6 syllables of consonant-vowel. Say there are 20 consonants, 5 vowels. That gives 100^6 = 10^12 possibilities. So yes, you have about the same information, and a form that is probably more memorable. On the other hand, check out http://www.tothink.com/mnemonic/. They took a similar approach, except carefully chose a select number of words that are “nice” — short, memorable, all quite different from each other, etc. They have 32 bits per 3 words, so to reach 10^12 possibilities would be 4 words.

    BTW: the upper/lower and punctuation recommendations you mention are purely to encourage users to add more possibilities to what their password will be. They have no intrinsic value.

  2. http://happyandlost.co.uk/passwordgen/

    There you go. It’s very slow, because it’s written in a disgusting way. It’s also written in ASP, which isn’t my language of choice but it’s the only thing I could hack and host at short notice. I’ll be refining it and moving it to another URL over the weekend, but this will act as a proof of concept.

  3. Colin:
    Your password generator seems to like the + punctuation separator inordinately much. I got it 7 out of 10 tries, with the others being @ and =. Hmmm… anyway, pretty cool.

  4. Very nice, Colin . . . and once a master password has been created in this manner, one can then visit http://angel.net/~nic/passwd.html and generate unique individual passwords for each site, server, router, &c. by putting a completely obvious name for that resource in the “Site name” field.

  5. The VBScript random generator might not be up to much, plus there are only five symbols to choose from – that won’t help. I’ll revise this tomorrow.

  6. Colin: great job! If the delay is in reading and parsing the file, could you get it to provide ten suggestions per page? Then people can pick the one which appeals to their memory.

    mozeoff: or use PwdHash or PasswordMaker or any of the other similar Firefox addons/web pages.

    glob: seems like there aren’t all that many possibilities for that scheme. And I think numbers are probably harder to remember than words, and there’s no easy way of remembering whether a particular number is letters or digits. Also, the last part is dependent on the first few so you have extra characters for no increase in randomness.

  7. The 2-word idea reminds me of the activation passwords that came on free-trial Compuserve disks years ago. I don’t remember any punctuation (maybe it was always a slash), but it was always two quirky words like “melancholy aardvark” or “spatula dumbfound.”

  8. Gerv: Everything’s wrong with the code – it was done as quickly as possible since I was at work! I didn’t have time to sort out the source file, so it’s reading every line in a 4 meg text file using VBScript’s readline method. Very bad news.

    I’ll be recoding it tomorrow in C#, and will sort out the source files. Once I remove the entries I don’t need, separate nouns and adjectives, and pad out each entry to uniform length it’ll be lightning fast.

  9. Another idea I heard was to memorize an entire phrase and construct a password out of the first letter of every word. eg. “Why Can I Never Remember My Password?” would become “WCINRMP”. And some words in the phrase could be replaced with numbers, like “Like you are one to talk” could become “LYA12T”.

  10. Colin: Great :-) Having played with it, it seems obvious that we need a word list with fewer obscure words in it. How about one of the “12Dicts” packages from the WordList page linked in the original? Do they include parts of speech information?

    Also, again I think it would be good for the page to generate ten or twenty passwords, so you can pick the one that produces the best mental image. Saves on reloading.

    Lastly, I got at least one password where the right-hand word was null – empty.

  11. Yes, it seems a little buggy and having names of chemicals pop up isn’t so useful :)

    I’ll have a play around with it tonight and make these changes.