Tuesday, 3 January 2012

Passwords, memory and xkcd

I have various passwords on various systems, as you do...

For our main internal systems I regularly change my password and have, until recently, used mkpasswd to create a password with letters, digits, symbols and so on. Obviously I don't use this password on any external systems.

I would make a point of manually changing my password on various systems so that I had to type it many times - even so, it would take me a few days to remember it, and so risk shredding the post-it!

Recently I changed to using an XKCD 936 password. This is four random words (adjective/noun/adjective/noun). This is long, but has lots of entropy so is a good password. It is important they are random words and not four words you pick yourself in order for this to be a good password.
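As an added illustration of the paragraph above (my own example code, not from the post), here is a generator that draws adjective/noun/adjective/noun from word lists using Python's `secrets` module, i.e. the OS CSPRNG, together with the entropy arithmetic behind "lots of entropy". The word lists are constructed toy lists and the function names are my own; a real generator would use lists of thousands of words.

```python
import math
import secrets

# Constructed toy word lists for illustration only; a real generator would use
# lists of thousands of words so that each draw contributes ~11 bits.
ADJECTIVES = ["correct", "brave", "purple", "quiet", "rusty", "silent", "tiny", "wooden"]
NOUNS = ["horse", "battery", "staple", "river", "candle", "engine", "garden", "pencil"]


def xkcd936_passphrase(adjectives=ADJECTIVES, nouns=NOUNS, choose=secrets.choice):
    """Return an adjective/noun/adjective/noun passphrase.

    `choose` defaults to secrets.choice, which draws from the OS CSPRNG; the
    parameter exists only so a test can substitute a deterministic chooser.
    """
    pattern = (adjectives, nouns, adjectives, nouns)
    return " ".join(choose(wordlist) for wordlist in pattern)


def passphrase_entropy_bits(adjectives=ADJECTIVES, nouns=NOUNS):
    """Entropy (bits) of a passphrase whose four words are drawn uniformly and
    independently: two picks from the adjective list, two from the noun list.

    This only holds for words the generator chose. Four words a person picks
    themselves are nowhere near uniform, so this figure no longer applies to them.
    """
    return 2 * math.log2(len(adjectives)) + 2 * math.log2(len(nouns))


def random_string_entropy_bits(length, alphabet_size=94):
    """Entropy (bits) of a uniformly random string of the kind mkpasswd produces,
    assuming each of `alphabet_size` printable characters is equally likely."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    print(xkcd936_passphrase())
    print(f"toy lists: {passphrase_entropy_bits():.1f} bits")
    big = [f"w{i}" for i in range(2048)]
    print(f"2048-word lists: {passphrase_entropy_bits(big, big):.1f} bits")
    print(f"8-char mkpasswd-style: {random_string_entropy_bits(8):.1f} bits")
```

With the toy lists a passphrase is worth only 12 bits; with 2048-word lists the same pattern gives 44 bits, the figure in the cartoon, while a fully random 8-character printable-ASCII string is about 52 bits. The passphrase wins on memorability rather than raw entropy, and only while the words are chosen by the generator.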

The first thing I noticed is that I remember it - no need for a post-it note at all. That is to be expected and exactly what Randall was saying in the cartoon. I was able to create a contrived mental image to remember it, just like correct horse battery staple (no, that is not my password).

However, what is interesting is that I still had to think about typing it after days or even weeks: I knew the password but my fingers didn't. I am now just typing it without thinking, at last, but that took a lot longer than with the old shorter passwords. I suspect it is simply a matter of the length. Not really a problem, but an interesting observation.

Another quirk I have noticed. With the old passwords I would immediately forget my old password when I made a new one. This was such an issue I would have to write down my old password just in case I had not updated something and needed to know it later. I cannot recall any of my old passwords from that system. But what is odd is that the new XKCD 936 password is not replacing the old password in my memory. I still remember the last mkpasswd based password and my new XKCD 936 based password at the same time. They obviously use different parts of the memory somehow.

The old passwords appeared to be remembered by the way they were typed, so much so that to say my password (which you never do) I would have to think about typing it and work out what keys I would be pressing.

I will change to another new XKCD 936 password at some point, and I wonder if I will forget the previous one or not. That will be an interesting test.

We will probably be moving to a system of OTPs for many internal systems in future - with keyring code generators. Shame, as I am starting to like the XKCD 936 passwords.

Isn't it funny how the brain works sometimes.


  1. The biggest problem with XKCD 936 passwords is that a lot of systems don't like very long passwords (max of 15, 10 or even 8 [mixed] chars) for the very reason highlighted in the cartoon - long /complicated/ passwords are very hard to remember.

    Maybe we could get systems to have an "XKCD 936" tick box option :)

  2. At work all our laptop drives are encrypted with BeCrypt. When new passwords are generated they seem to be "random" but always follow the following format:
    consonant vowel consonant consonant vowel consonant number

    so you get things like:

    which are almost pronounceable. I find this greatly aids memorizing them (still takes me a week to remember the two which are needed to boot the laptop though!)

  3. I did make a password generator years ago that did a consonant or consonant pair (e.g. th) and then vowel sequence. It made passwords many of which I can still remember!

  4. I found affirmations make awesome passwords. There was one job I had where my password was GetANewJob for about two months. And then I got a new job :->

  5. I still use completely random gibberish (to read) passwords. I do not know what they are, I have a number of them. I know one starts with an l and one starts with an a, and so on, the password on my desktop at home is only used on that system, my g/f wanted to use it and I was (kinda) happy for her to have that password (I can always change it!) but I couldn't tell her what it was, not because I didn't want to but because my fingers know exactly what all of these passwords are, but I have no conscious clue about them. I guess this means I'll never be in danger of telling someone a password, I have around 15 of these passwords used in various places, some in only 1 place, others in a couple, I periodically change these and they take around 2 days for my fingers to remember, I can however still remember the old... Currently I don't have any that start with the same letter/number/etc, it would be interesting to find out if I change a password to start with the same character if I can remember the old one after a week or so...

  6. This is all fine for computers but my luggage is still 12345

  7. Chris, if you have an issue with a system not liking the length of an XKCD 936 password then just use a consistent system (hash it) for them. My example would be use the first 2 letters of each word.
    So "correct horse battery staple" becomes
    cohobast (or use a consistent number or symbol at the start and/or end if they have complexity requirements - 4CoHoBaSt0)

    I've been using a system like this for a while, old songs or quotes provides a fantastic source for me. e.g. "Help, I need somebody" becomes Heineso! or using 1 letter you can use longer ones such as "We all live in a yellow submarine" becomes "Waliays".
    If the song or quote is familiar then it's a short step to associate the song with the site.

    None of my passwords are this by the way. :)

    If you're interested, look up "Method of loci" as another useful memory tool. (One which I don't use as much as I'd like, but it really works well)

  8. I was discussing XKCD 936 passwords with someone today - he made the interesting point that while they are harder to brute force, in a lot of cases the system asking for the password will lock after n wrong attempts anyway, so the actual complexity in terms of brute force doesn't matter so much. Obviously there are exceptions, for example encryption mechanisms where you have the encrypted data, so can hit it as many times as you want etc.

    He then suggested that having a password made up of real words is perhaps easier to shoulder surf - as for a human remembering 4 words seeing them being typed in (even if you only see the first and last letter that's probably enough in most cases) is easy, vs remembering something with symbols etc in.

    I guess it therefore ultimately comes down to what are you protecting against, and what are the lockout parameters of the system you're putting the password in to...

  9. As with all security systems you have to consider complexity and risk in deciding what is appropriate.

  10. I'd be a bit wary of using long passwords made up of several English words, as some systems truncate long passwords.

    Older Unix systems truncated to 8 characters.

    Legacy Windows LM hashes (sometimes still seen e.g. for compatibility with poor single-sign-on systems) truncated passwords to 14 characters, stored as two 7-character chunks (vulnerable to both dictionary and Rainbow-table attacks if the hashes were compromised).

    Even with modern systems, it's not immediately obvious how many characters are significant. So an abbreviated XKCD style password such as 4CoHoBaSt0 might be safest.

    I'm a big fan of passwordless SSH logins using SSH public keys. I just wish there was an easy way to make HTTPS logins work in a similar way.

  11. It is a fair point, but I am only using it on systems where I know they make a salted hash of the whole password.
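Comments 7, 10 and 11 turn on one question: how much of the passphrase's entropy survives when it is abbreviated to the first two letters of each word, or when the system quietly truncates it? The following added example (my own code, not from the post or any commenter; the word lists and function names are constructed for illustration) enumerates every passphrase from tiny lists and counts how many distinct values remain after each transformation.

```python
import itertools
import math

# Constructed toy word lists. They are deliberately tiny so that every one of the
# 8*8*8*8 = 4096 passphrases can be enumerated and the effect of each
# transformation counted exactly; real lists would be thousands of words long.
ADJECTIVES = ["correct", "cold", "brave", "bright", "purple", "plain", "quiet", "quick"]
NOUNS = ["horse", "house", "battery", "basket", "staple", "stone", "river", "rope"]


def all_passphrases(adjectives=ADJECTIVES, nouns=NOUNS):
    """Yield every adjective/noun/adjective/noun tuple the lists can produce."""
    return itertools.product(adjectives, nouns, adjectives, nouns)


def joined(words):
    """The passphrase as typed: words separated by spaces."""
    return " ".join(words)


def abbreviated(words, letters=2):
    """Comment 7's scheme: keep the first `letters` letters of each word, so
    ('correct', 'horse', 'battery', 'staple') -> 'cohobast'.  A fixed prefix or
    suffix added to satisfy complexity rules (e.g. '4...0') is the same for
    every passphrase and therefore adds nothing to the count below."""
    return "".join(w[:letters] for w in words)


def truncated(words, limit):
    """What a system that silently keeps only the first `limit` characters
    actually compares against (comment 10's 8-character Unix case, for example)."""
    return joined(words)[:limit]


def surviving_count(transform, adjectives=ADJECTIVES, nouns=NOUNS):
    """Number of distinct values `transform` yields over all passphrases.

    Two passphrases that collide after the transform are indistinguishable to
    the system, so this is the size of the space a guesser has to cover."""
    return len({transform(words) for words in all_passphrases(adjectives, nouns)})


def surviving_entropy_bits(transform, adjectives=ADJECTIVES, nouns=NOUNS):
    """The same count expressed in bits."""
    return math.log2(surviving_count(transform, adjectives, nouns))


if __name__ == "__main__":
    cases = {
        "full passphrase, whole thing hashed": joined,
        "abbreviated to first 2 letters of each word": abbreviated,
        "truncated to 14 characters": lambda w: truncated(w, 14),
        "truncated to 8 characters (old Unix)": lambda w: truncated(w, 8),
    }
    for label, transform in cases.items():
        print(f"{label}: {surviving_count(transform)} distinct, "
              f"{surviving_entropy_bits(transform):.2f} bits")
```

On these lists the full space is 4096 passphrases (12 bits). The two-letter abbreviation leaves 625 (about 9.3 bits), because words sharing a prefix such as "correct"/"cold" or "horse"/"house" collide. Truncation to 8 characters leaves just 37 (about 5.2 bits), because only the first word and a fragment of the second are ever compared; the third and fourth words contribute nothing at all. That is the concrete reason comment 11's condition, a salted hash of the whole password, matters before adopting this style of password on a given system.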