Passwords: the secret assortment of characters which open the portal to your online data. As kids, we're told stories about magical bridges guarded by horrible trolls that only let you pass when you tell them the secret codeword. As adults, we still have guardian trolls. But instead of asking us riddles, they ask us to create an 8 letter word, with at least 1 capital letter, a number, and sometimes a non-letter character as well. Passing over the password bridge into our personal data is a fair bit of work.
While passwords are highly intuitive, there is a password problem - humans are very poor at creating passwords which are unpredictable and most importantly, secure.
While we can point the fingers at developers, I'm sorry to say that one of the greatest weakness of passwords are us (yes, you too): the users that create them. So how do we create passwords which are complex enough to dupe hackers, and memorable enough for our busy minds? The answer lies in one of humanity's strengths: storytelling.
Common misconceptions on 'weak' passwords
To understand what a strong password looks like, let us first explore what constitutes a weak password.
The classic password advice appears on a lot of websites. The requirements are usually:
- More than eight characters
- At least one capital letter
- One number
- One symbol
All of these rules are created help us think of strong passwords. Sounds reasonable right? Well, using all of those rules I could use the password: Password123$. This password fulfils all the criteria except the silent golden rule of passwords: the password should be unpredictable.
This is just one of the thousands of passwords that's easy enough for us to remember, and which hackers also know. Here's something scary: hackers don't randomly generate passwords to try and hack into systems. Instead, they have massive lists of commonly used passwords, which they can use like a dictionary to hack into all your personal stuff.
There's a list of 10,000 passwords commonly used by hackers, that you can view here. It's worth a look - even just to laugh at some of the more unsavoury ones. 10,000 is a lot to get through. So, here's a little taster of the list. It ranges from the super simple:
- 1234
- abc123
- asdfg
To some fun password related phrases:
- letmein
- password
- opensesame
To just some classic commonly used words:
- baseball
- fishing
- winter
Hackers then use an algorithm to change the capitalisation of letters, add numbers to passwords and even switch letters to numbers (e.g. a password of 'password' becomes 'p4s5w0rd' ). Meaning that even if you thought you were being super tricky by using "f1shIng" instead of just "fishing", their super slick algorithm will probably figure out your capitalisation and number-isation quickly enough, anyway.
No shame to those who have or are currently using a password similar to this, we have only a limited capacity to remember complicated passwords. Any by now you must be feeling like this password thing is a lot trickier than it seems. Because, if we can't use common words, and randomly generated characters are too hard for us to remember, what can we do to create memorable, but secure passwords?
The story of a strong password
Once upon a time there lived a weak, un-secure password who became big and strong with a little help from their friend called storytelling.
Humans have a particular knack for storytelling which we can use to our advantage to create unpredictable, creative and, dare I say it, even fun passwords! Humans are natural story tellers and if we can associate seemingly unrelated symbols or words into a story we are much more likely to remember our password. This also adds a new level of unpredictability and increased length to our passwords without much extra mental effort.
There are a number of techniques for creating these 'story telling' passwords:
- PAO (person action object)
- Letters in a sentence
- Diceware passwords
For a little more info on the psychology of memorable passwords, secjuice has a good article which you can read here.
PAO: Person Action Object Passwords
PAO passwords are created from a sentence that combines a person an action and an object, usually describing some type of interaction between the person and the object. For example, one study on people's ability to remember PAO passwords used 'DarthVaderBribing1Roach'.
These phrases are very visual and the unlikely combinations make them extremely memorable passwords. Notice the password is also long (8+ characters), includes capital letters, a number and is also unpredictable. A hacker's nightmare but a user's dream come true.
Letters in a Sentence
Letters in a Sentence is a similar technique but involves taking the first letter of each word in a sentence. If I had asked you to memorise the password Aalurfwayaf, I'm sure you'd just laugh at me. It's too complicated and the letters too random. But if I said that those letters represent the first letter of each word in the first two lines of the Australian anthem it becomes a lot more memorable!
The sentence should be something easy to remember and can consist of a line from a song lyric or quote, e.g. in Advance Australia Fair - 'Australians all let us rejoice for we are young and free' becomes - Aalurfwayaf. Add some symbols and different capitalisation to letters andddd congratulations, you've just memorised a long and unpredictable password!
Diceware
Diceware is a random word generator that you can then create an interesting story to remember it by. I recommend using this site: https://www.rempe.us/diceware/#eff. I got cilantro-bagel-contact as my password which is very appealing seeing how much I love food and bagels are no exception.
Password Managers
Password managers are also a great way to manage a large number of unique passwords without having to memorise them. Although it's not as successful between different devices, it can be helpful in the workplace where there are a number of passwords employees need to know. At Yarno, we use 1Password and I personally appreciate the autofill feature and the extra layer of security to our system.
Now that we've discussed the various password generating technique, the creative power is in your hands. The question is, what is your password story?
