Wednesday, June 8, 2011

Constructing strong and memorable passwords

The recent Sony PlayStation Network (PSN) hack has revealed that weak passwords are still all the rage with classics such as "password", "123456" and bizarrely "Seinfeld" (considering PSN was launched in 2006, well after the final show in 1998) making up the top passwords selected for access to the PSN.

It's an age-old problem of computer security that no matter how secure the system, users will always be the weakest link - and that weakness is often expressed in password choice. Most users will excuse weak passwords or the re-use of passwords by arguing that "it's impossible to remember", which is true if you expect them to remember a random collection of numbers and letters. The best way to construct a strong password is by the use of memes - and if you make your memes fun then people will use them to construct their own passwords.

An article in the Fairfax press suggests choosing a nursery rhyme (or other memorable phrase), taking the first letters of each word and substituting some for numbers and symbols will form the basis of a strong password which you can then customise for each service by adding a letter, such as 'F' for Facebook. Although this is a good method it still doesn't pass the memorable test because the nursery rhyme or whatever is not associated with the service. Also adding the letters to designate which service makes the password guessable if one is compromised (a fact the article acknowledges).

A method that I have suggested to people which tends to be effective is to choose a song that they can associate with the service and follow the method suggested in the article. This makes the password memorable and creates vastly different passwords for each service. A few examples that came out of this exercise were a favourite ABBA song for a NAB internet banking password (NAB sounds like ABBA apparently), Please, Mr Postman by the Beatles for a mail service and Taking it Easy by the Eagles for eBay (Taking it eBay, possibly?!). Regardless of the memes used (or their taste in music), each of these elements was memorable to the person making the password. From there it is a simple matter of constructing it along the lines outlined in the article (although I also suggest a consistent substitution scheme, for example the first substitution is always a symbol).

So for example, if you chose U2's "I still haven't found what I'm looking for" for your Google services:
IsHfwILF goes to 1sHfw1LF and if your service allows symbols: !sHfw1LF, which isn't a bad password even though the attempt at irony in the song selection is terrible.
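As an added illustration (this is example code written for this page, not from the original post), the following Python script carries out the method described above: take the first letter of each word of the phrase, then apply a consistent substitution scheme in which the first substitution is always a symbol and later ones are digits, falling back to digits only when the service forbids symbols. The substitution table beyond the post's I -> 1 / I -> ! pairing, and the rule that only the letters the user chose to capitalise in the acronym are substituted, are assumptions of this example.

```python
import re
import string

# Substitution scheme (an assumption of this example, extending the post's
# I -> ! / I -> 1): the symbol form is used for the first substitution,
# the digit form for every later one. Letters without a symbol form
# always take the digit form.
SYMBOL_FORM = {"I": "!", "S": "$", "A": "@"}
DIGIT_FORM = {"I": "1", "S": "5", "A": "4", "O": "0", "E": "3"}


def acronym(phrase: str) -> str:
    """First letter of each word, keeping the case the user wrote it in.

    Contractions such as "haven't" and "I'm" count as a single word.
    """
    words = re.findall(r"[A-Za-z]+(?:'[A-Za-z]+)?", phrase)
    return "".join(word[0] for word in words)


def substitute(acro: str, allow_symbols: bool = True) -> str:
    """Apply the substitution scheme to an acronym.

    Only upper-case letters are substituted (an assumption: the capitals are
    the letters the user chose to emphasise, so 's' in 'IsHfwILF' is left
    alone while both 'I's are replaced). The first substitution uses the
    symbol form when the service allows symbols; the rest use digits.
    """
    out = []
    symbol_used = False
    for ch in acro:
        if ch.isupper() and ch in DIGIT_FORM:
            if allow_symbols and not symbol_used and ch in SYMBOL_FORM:
                out.append(SYMBOL_FORM[ch])
                symbol_used = True
            else:
                out.append(DIGIT_FORM[ch])
        else:
            out.append(ch)
    return "".join(out)


def mnemonic_password(phrase: str, allow_symbols: bool = True) -> str:
    """Full pipeline: memorable phrase -> acronym -> substituted password."""
    return substitute(acronym(phrase), allow_symbols)


def character_classes(password: str) -> int:
    """Count how many of the four classes (lower, upper, digit, symbol) appear.

    Many services require three or four classes; this is the quick check a
    user would run before trusting the result.
    """
    checks = (
        str.islower,
        str.isupper,
        str.isdigit,
        lambda c: c in string.punctuation,
    )
    return sum(any(check(c) for c in password) for check in checks)


if __name__ == "__main__":
    # The post's own worked example, written as a constructed input.
    phrase = "I still haven't found what I'm looking for"
    chosen = "IsHfwILF"  # the post's hand-capitalised acronym
    print("auto acronym :", acronym(phrase))
    print("with symbols :", substitute(chosen, allow_symbols=True))
    print("digits only  :", substitute(chosen, allow_symbols=False))
    print("classes      :", character_classes(substitute(chosen)))
```

Running the script on the U2 example reproduces the post's two results, `!sHfw1LF` when the service accepts symbols and `1sHfw1LF` when it does not; the automatic acronym keeps the phrase's own capitalisation, so the user still decides which letters to capitalise before substitution.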