An Approach to Creating Strong Memorable Passwords

There is an eternal quest for strong yet memorable passwords, yet we are usually only told what we shouldn't do.

Don't use names.

Don't use dates.

Don't use something in any dictionary in any language.

Don't use a short password.

Don't reuse a password.

Don't write it down.

It's no small wonder that most people disdain passwords, technical and "civilian" alike. This breeds bending the rules as much as possible, and that includes the "don'ts" listed above.

Passwords don't have to be such a difficult "key" to hold onto. There are a number of methods online for making strong passwords memorable.

There are three critical requirements for a strong password: length, the size of the character pool, and diversity of characters.

Length is clear enough. But how long? The Wikipedia page on "Password strength" provides some insight. The answer is tied to the universe of characters the password draws from: quality and quantity go hand-in-hand.

Consider using "All ASCII printable characters", meaning all the characters available on your particular locale's keyboard. Create a large pool of possibilities for each character in your password by including upper- and lower-case letters and symbols. Notably, numbers (0-9) on their own have little significance for password strength.

"Diversity" of characters refers to avoiding common combinations. This means regular words should be avoided. Use an array of the regular characters available. In US English, the letters e, t, a, i, o, n are the most commonly used, while letters like f and z are not.

What then, is a decent method for a strong password?

Scrolling down the same Wikipedia page, there is a chart entitled "Lengths L of truly randomly generated passwords required to achieve a desired password entropy H for symbol sets containing N symbols." Quite a mouthful, yet it provides a useful guide.

In the column entitled "All ASCII printable characters", password lengths (5, 7, 10, etc.) line up with rows of bits. A password using numbers, upper- and lower-case letters and symbols needs only 15 or 20 characters to reach 96 or 128 bits of entropy, which is a fancy word for randomness.

A password of 15 or 20 characters might seem exhausting and easily forgotten. With a little creativity, and decent touch-typing skills, it is a surmountable feat.

To put the chart into perspective, a password composed only of Arabic numerals 0-9 requires about 39 digits to reach 128 bits of strength. That password only has to be 22 characters long if composed of both upper- and lower-case letters plus numbers. Throw in some symbols and 128 bits is attainable with a password only 20 characters long.

Consider creating a phrase of horribly misspelled words. Are you a native US English speaker? Speak the phrase in a stereotypical Boston accent, or any other accent. The worse the accent, the easier this task becomes.

wae kun eya pahk mah kahr

Not a brilliant password in itself. But it's certainly better than "where can I park my car".

That ugly phrase becomes the base of a strong password. It is already 25 characters long and exceeds the 96-bit criterion of strength, even though we are only using lower-case letters.

Adding entropy to this password with a selection of different characters, such as upper-case letters, numbers and symbols, should be easy enough. Pick a standard list of symbols, such as \ @ % ^, and place one between each word. Capitalize the letters that are exaggerated in speech, or capitalize the whole phrase and do the reverse, lower-casing the letters you want to emphasize.
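The chart arithmetic above and the 25-character phrase can be checked with the formula behind that Wikipedia table, H = L * log2(N). The following is an added example, not code from the original post: it reproduces the 39 / 22 / 20 / 15 lengths, scores the accent phrase under the "every character drawn at random" model the table assumes, and contrasts that with a word-based model, since an attacker who guesses whole words rather than characters sees far fewer bits. The vocabulary size used in the test is a constructed assumption.

```python
import math
import string

# Pool sizes from the "Password strength" table the post refers to.
POOLS = {
    "digits": 10,
    "lowercase": 26,
    "alphanumeric": 62,
    "all ASCII printable": 95,
}


def required_length(pool_size: int, target_bits: float) -> int:
    """Shortest L with L * log2(N) >= target_bits for a truly random password."""
    return math.ceil(target_bits / math.log2(pool_size))


def pool_size_of(password: str) -> int:
    """Pool implied by the character classes actually present in the password."""
    classes = [
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation, 32),  # the 32 printable ASCII symbols
        (" ", 1),
    ]
    return sum(n for chars, n in classes if any(c in chars for c in password))


def random_model_bits(password: str) -> float:
    """Entropy if each character were drawn uniformly from pool_size_of(password).

    This is the model the table assumes and is an upper bound: a phrase made of
    (even misspelled) words is far more predictable than a random string.
    """
    return len(password) * math.log2(pool_size_of(password))


def phrase_model_bits(word_count: int, vocabulary_size: int) -> float:
    """Entropy if an attacker guesses whole words from a vocabulary of the given size.

    vocabulary_size is whatever an attacker's word list holds; the value used in
    any demonstration is a constructed assumption, not a measured figure.
    """
    return word_count * math.log2(vocabulary_size)
```

The gap between the two models is the caveat: the accent trick helps only as far as the distorted words stay out of an attacker's word list.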

How does this password remain memorable? Can you remember the phrase "where can I park my car" in an exaggerated Boston accent?