COMPLIANCE COUNSELOR

Passwords: Complexity equals easy to forget


James Michael Stewart
03.26.2002






One of the key components of a good security policy is the enforcement of strong passwords. In many cases, a strong password requires the following:

  • six or more characters
  • change every 30 to 60 days
  • restriction of changing a password in less than two-to-seven days (i.e. minimum required age)
  • prevention of re-using six-to-24 previous passwords (i.e. managing password history)
  • use of at least three different character types: upper case, lower case, numerals, keyboard symbols
  • prevention of use of any part of your real name, e-mail address, computer name, phone number, social security number or any other personal ID number, name or phrase.
  • prevention of use of common dictionary words, slang or industry acronyms

Seeing these restrictions often leads one to think that users must select a password so complex that they can't remember it, such as oA16I8aCCp.

But in fact, "oA16I8aCCp" is an easy-to-remember password if you know one simple fact:

As humans, we remember activities, events, people and occurrences. We especially remember things that happen to us or near us that are exciting, dangerous or at least out of the ordinary (what counts as out of the ordinary is subjective to each individual).

Using this fact, I suggest that users think of an event they can easily remember. Once they have that event in mind, they should think of a simple sentence that describes it. In most cases, it will be the sentence they would normally use to tell someone else about the event, such as "Hey Bob, I just saw the weirdest thing during lunch," or "Amanda, I just went hang gliding in the Virgin Islands!" Now, add a date to the sentence: "On July 5, I saw a weird thing during lunch."

Next, take the first letter of every word, and keep any numbers: OJ5Isawtdl

You can elect to drop common words such as "a," "in," or "the." You can also choose to alternate capitalization. When possible, swap a letter (or an entire word) for a number that looks or sounds similar, such as three for e/E, one for i/I/l/L, or even eight for "ate." You could even put a number sign "#" before any number carried over from your initial sentence.

In my first example, oA16I8aCCp is created from the sentence "on April 16, I ate a Chucky Cheese pizza".
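The sentence-to-password conversion just described, together with a checker for the policy bullets listed at the top of this tip, as an added Python example (not code from the article or its author). The stop-word list, the exact substitution table and the 3-character fragment rule for personal data are assumptions made for this example:

```python
import re
import string

# Substitutions the text suggests: 3 for e/E, 1 for i/I/l/L, 8 for "ate" (assumed table)
LETTER_DIGITS = {"e": "3", "i": "1", "l": "1"}
WORD_DIGITS = {"ate": "8"}
STOP_WORDS = {"a", "an", "in", "on", "the", "of", "to"}   # assumed "common words"

def sentence_to_password(sentence, drop_common=False, alternate_caps=False,
                         swap_letters=False, swap_words=True, hash_numbers=False):
    """First letter of every word (case preserved), numbers kept, optional transforms."""
    out = []
    for token in re.findall(r"[A-Za-z']+|\d+", sentence):
        if token.isdigit():                      # keep numbers from the sentence
            out.append(("#" if hash_numbers else "") + token)
            continue
        word = token.lower()
        if drop_common and word in STOP_WORDS:   # optionally drop "a", "in", "the", ...
            continue
        if swap_words and word in WORD_DIGITS:   # whole word -> digit, e.g. "ate" -> 8
            out.append(WORD_DIGITS[word])
            continue
        first = token[0]
        if swap_letters and first.lower() in LETTER_DIGITS:
            first = LETTER_DIGITS[first.lower()]
        out.append(first)
    pw = "".join(out)
    if alternate_caps:                           # Upper, lower, Upper, ... over letters only
        chars, n = [], 0
        for c in pw:
            if c.isalpha():
                c = c.upper() if n % 2 == 0 else c.lower()
                n += 1
            chars.append(c)
        pw = "".join(chars)
    return pw

def meets_policy(pw, personal=(), min_len=6, min_classes=3):
    """Length, three of four character classes, and no 3+ character fragment of the
    user's personal identifiers (name, e-mail, phone, ...) appearing in the password."""
    classes = (any(c.isupper() for c in pw), any(c.islower() for c in pw),
               any(c.isdigit() for c in pw), any(c in string.punctuation for c in pw))
    if len(pw) < min_len or sum(classes) < min_classes:
        return False
    low = pw.lower()
    for item in personal:
        for frag in re.findall(r"[A-Za-z0-9]+", item):
            if len(frag) >= 3 and frag.lower() in low:
                return False
    return True
```

Both sentences from the text reduce to the passwords shown there with the default options; the policy check does not cover dictionary words or password history, which need a word list and a stored history the tip does not provide.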

With this simple method, you can train your users to create complex passwords that meet all complexity requirements without forcing them to go to extreme lengths to remember a random password, or driving them to write it down.

If users still have problems remembering their passwords using this method because they forget their initial sentence, you can suggest that they write down a short phrase that reminds them of the sentence, as long as that phrase does not contain any significant word from the initial sentence. Ideas might include "bright-green eye shadow is strange," "I crashed into an ice-cream cart," or "I love pepperoni and extra cheese."

One final idea on complex passwords: if you have a two- or three-digit number (less than 255) that is either easy to remember or falls out of the sentence-to-password conversion, you can use it to enter a high-order ASCII character instead of plain keyboard digits. Press and hold the ALT key while entering the numerals. If you only have two numerals, enter a zero ("0") first. This places a high-order ASCII character into your password. It still counts as only a single character even though you press four digits to create it. The best part about ALT-generated characters in a password is that most brute-force password-cracking tools do not include these characters in a standard attempt to extract passwords. Instead, they usually default to (or are programmatically limited to) the keyboard-based characters.

About the author
James Michael Stewart is a researcher and writer for Lanwrights, Inc.

