Re: Password Cracking

From: Fireglyph (
Date: 01/25/03

From: Fireglyph <>
Date: 25 Jan 2003 21:59:40 GMT

Mark H. Wood <mwood@mhw.ULib.IUPUI.Edu> wrote:
> Fireglyph <> wrote:
> [snip]
>> the randomness involved in the generation process. A password like
>> "#A!+Opz/" is as good as "TzPMjkL" if both were generated truly
>> randomly, but "Orange" is definitely a weak password.
> Good as far is it goes, but please remember that "#A!+Opz/" is a weak
> password for an entirely different reason: nobody will even *try* to
> learn such a monster by heart.

I agree with you.

But people don't remember such "monsters", because they don't know how.

According to my own theory, the problem we're facing here is that
what makes a password strong (a high entropy) is exactly the reason
why our brain isn't able to remember it. Our brain is so very capable
and efficient because it is good in compressing the input it gets.
Strings with a high entropy almost aren't compressable.

The field of cognitive psychology tells us that we're remembering
especially those words well which have a personal meaning for us and
can be associated with emotions, sounds and/or images. Some
memorization techniques make use of that knowledge by associating
numbers with images, for example, or by associating single characters
with words which have meaning for us.

Let us assume that we have a password consisting of eight characters
which were generated by a truly randomly process:


Once we got the password, we look up each character in a table which
associates it with a word. Of course, we could also use a dictionary
to look up words with the first character equal to the one we're
searching for. That might give us the following words:


Taking the words, we create a small story which could be as crazy
as the following:

"A bunny born in the USA was hand-cuffed by the police, because it had
stolen some jewels. But it found the key, took a taxi to the zoo and
returned to the mafia."

For most people, it is much easier to remember words than single
characters. People with a good visual memory will easily imagine this
story and think of a little bunny clad in stars and stripes, whose
paws are cuffed by a frightening officer, biting him to get the
shining key and freeing himself. Then bunny is jumping into a taxi,
gives some bucks to the surprised driver who is driving to the zoo,
where godfather is eagerly awaiting the jewels and our little
criminal. People with an auditive memory could stress all sorts of
sounds, like the bunny singing the anthem of the USA, the clicking
of the cuffs, the shouting of the officer and the screeching tyres
of the taxi.

Special characters can also be replaced. For example, "#" could
be associated with a fence, "$" with dollars, " " with a spaceship,
"*" with a star, etc.

What we're doing here is reversing a rule for producing passwords.
The rule says that we could take a sentence easy to remember and
generate a password by assembling it from the first characters of
the words. By reversing the rule, we can ensure that the characters are
generated really randomly (and not taken, for example, from a very
famous book), but nevertheless are easy to remember.

Of course, that's paranoid. As long as the words are randomly chosen
and connected to a sentence or a little story, the original
rule should work as well.

I hope you can see that it isn't too difficult to remember even
complicated and long passwords as long as one knows how our brain
stores information and how human memory works.

Even more important, I believe that the process of inventing crazy
or emotional stories is fun and therefore very motivating for people.
Remembering "a monster by heart" suddenly becomes inventing a horror
story with monsters eating hearts. Nice, isn't it? ;-)

I'm administering a network together with two co-admins. When I needed
two passwords for the firewall, I generated both according to the rule
proposed above. Both look very cryptic. Recently one of my co-admins
needed access to the firewall and I told him the passwords. I made a
test. He wrote down the first password, because he couldn't make
any sense of it. Together with the second password, I also told him
the sentence from which it was generated. He didn't write it down,
but I heard him repeating the sentence three times and suddenly
he said "okay".

It works and it works the better, the more crazy, funny, emotional
and extreme the story is.

Try it yourself.

And search for books written by Tony Buzan.

(Since most memorization techniques still aren't public knowlegde
or teached to us in school, I think that in the future we'll use
biometrics and smart cards to authenticate ourselves to computer
systems, but as long as those aren't available everywhere, we can
use rules like the one proposed above.)