Can We Make Passwords Easier to Remember Yet Harder to Guess?

If you use a number of websites, applications or corporate systems, it's a fair bet you have to use a password to get into them.

It's also a fair bet that you reuse the same password on many systems and that it's fairly easy to remember. And also easy to guess.

Of course, many people go that extra mile and put strange characters in their passwords, using a '$' for an 'S' and replacing 'E' in their name with a '3'. Unfortunately, hackers are wise to these techniques, and they don't deter those who really want to get at your accounts.

And if your password is difficult to remember, there's a likelihood you've made a note of it somewhere. On a Post-It note stuck to your monitor anyone?

Happens all the time, you're not alone!

Many methods have been proposed to make passwords go away; here are a couple, along with their obvious downfalls.

Biometric scanners

These work on the principle that much of what makes us human is that we have unique characteristics. Although there have been experiments with eye-scanners, face recognition and others, the most popular one at the moment is the fingerprint scanner.

You'll have noticed that many mobile phones now come with them as standard, and they seem to be an ideal solution to securing access to your devices, but there's a huge drawback, one which I discovered recently.

Having secured my phone with a fingerprint, I was doing some DIY in the house, and I got a small cut on my finger, the one I used to unlock the phone. This meant the fingerprint was no longer recognised, and I couldn't unlock the phone using it.

Of course, there's a backup: a PIN to let you in should the biometric system fail. But that falls back to the old problem again - I have to remember it.

Fingerprint scanners are available for some computers, but they suffer the same problem. You have to have a backup in case your finger is unrecognisable, they're not much use in industrial environments, and they're pretty easy to bypass.

Swipe cards

These work well - if you remember your card.

Many companies use them as a way to access their premises, offices and their computer systems. They also suffer from damage, though it's not quite as bad as an unrecognisable fingerprint. At least in these cases, you can get in touch with your IT department to get a new one.

Patterns

These work well on phones but haven't really made their way to desktop computers yet, although I have seen them used in some enterprise applications.

They consist of a grid of dots, and you set a pattern on those dots to give you access. When you want to log on, you draw the pattern, and you're in.

There are a couple of problems with these, though, the most obvious being that they can be fairly easy to defeat.

As we're all sweaty humans, if we're using a touchscreen, we are going to be leaving a pattern of grease (yeah, I know, when you think about it, it's gross) on the screen. I discovered this when my son gained access to my phone one day.

On a laptop, you'll probably be using the mouse to make the pattern, so it's not quite such a big problem, but they've not caught on.

So what's the solution?

Well, there may be a very simple solution to all of these problems, and it's been staring us in the face all these years - the passphrase.

A passphrase is simply a long password, but it's a sentence, a proper one that you'll find very easy to remember, but which is extremely difficult to guess. Some security experts say they're impossible to guess, even when they just use standard characters.

However, we're creatures of habit, and there's a good chance that given the chance, we'll think of a passphrase that others have already thought of, and therefore can still be guessed. For example, how many Led Zep fans will choose "There's a lady who's sure all that glitters is gold" as their banking passphrase given the chance?

Luckily, there's a way of doing it that means you can remember it easily, and it's impossible for others to guess, and it's called Diceware.

This method uses five dice rolls to generate a five-digit number, which corresponds to a word in a published English word list. Repeat that for each word (at least four words to be secure) and you have your passphrase.
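As an added example (not code from this post or from the Diceware page linked below), here is the method in Python: five rolls of a cryptographically secure die become a lookup key, the key indexes a 7776-entry list (the real list is at the link below; a tiny constructed stand-in is used here), and the phrase's strength is counted in bits per word rather than judged by how strange the words look.

```python
import math
import secrets

# Diceware rolls five six-sided dice per word, so the word list has 6**5 = 7776 entries
DICE_PER_WORD = 5
SIDES = 6
LIST_SIZE = SIDES ** DICE_PER_WORD


def secure_die(sides=SIDES):
    """One die roll (1..sides) from the OS CSPRNG, never from random.random()."""
    return secrets.randbelow(sides) + 1


# Constructed stand-in for the real list, which maps every key "11111".."66666"
# to a word; only the keys used in the demonstration are filled in here.
SAMPLE_WORDLIST = {
    "11111": "a", "23456": "tent", "31612": "pluck",
    "44444": "vellum", "52315": "blow", "66666": "zip",
}


def roll_key(die=secure_die):
    """Roll the dice five times and join the digits into a lookup key, e.g. '31612'."""
    return "".join(str(die()) for _ in range(DICE_PER_WORD))


def key_to_index(key):
    """Convert a key of five digits 1-6 into a 0-based index (a base-6 number)."""
    if len(key) != DICE_PER_WORD or any(c not in "123456" for c in key):
        raise ValueError(f"not a Diceware key: {key!r}")
    index = 0
    for c in key:
        index = index * SIDES + (int(c) - 1)
    return index


def passphrase(wordlist, n_words=5, die=secure_die):
    """Build a passphrase of n_words list entries; fewer than four is refused."""
    if n_words < 4:
        raise ValueError("use at least four words")
    return " ".join(wordlist[roll_key(die)] for _ in range(n_words))


def entropy_bits(n_words, list_size=LIST_SIZE):
    """Strength of a uniformly chosen phrase: it depends only on the number of
    words and the list size, not on how odd or long the words look."""
    return n_words * math.log2(list_size)


def scripted_die(rolls):
    """Return a die that replays a fixed roll sequence (for tests and worked examples)."""
    it = iter(rolls)
    return lambda: next(it)
```

With a 7776-word list each word adds roughly 12.9 bits, so the four-word minimum gives about 51.7 bits and a six-word phrase about 77.5 bits, whatever the words happen to be.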

For example:

  • arnold tent pluck vellum blow
  • weave foggy will leak grater mush
  • bauble spew whelm up brave yodel

Look ridiculous, don't they? But try to remember them. After you've recited them to yourself a couple of times, I bet you'll be able to type them out quickly without thinking.

This works because of the way human memory stores things; it's the same trick the memory masters use in stage shows.

Essentially, the more absurd and strange something is, the further it is from the norm, the easier it is for us to remember.

You can find out more about Diceware here: world.std.com/~reinhold/diceware.html

And maybe you can change some of your existing passwords and see how you get on?