One of those simple easy ideas someone should have done a long time ago.
posted by stbalbach at 5:45 PM on July 20, 2008

Opera users: this tool won't work in your favorite browser. Can't believe I didn't figure this out earlier because it never made any sense.
posted by Foci for Analysis at 5:53 PM on July 20, 2008

1. Build useful, straight up password creation device on a website.
2. Wait several months, watch traffic increase.
3. Insert AJAX password submission code into Javascript.
posted by TheOnlyCoolTim at 5:54 PM on July 20, 2008 [8 favorites]

Also, the generated passwords aren't very strong despite being 15 chars long.
posted by Foci for Analysis at 5:56 PM on July 20, 2008 [1 favorite]

While this is a strong password, it's hardly memorable.

Best advice I have received is to use a pneumonic expression: "I have 7 sisters and 0 brothers," yields Ih7sa0b, which is also a strong password!

It's just easier to remember an expression rather than a string/sequence of symbols. If you can use special characters, you can create some really fun expressions: "I can eat greater than 1 slice of pizza!" yields Ice>1sop!, but ice and sop are dictionary terms, so be careful! Using proper names boosts your capital (uppercase) content. : )
posted by quanta and qualia at 5:58 PM on July 20, 2008 [14 favorites]

Seems more difficult than it should be. Password managers are much better, remember one difficult password (ala quanta and qualia's suggestion) and then let the password manager handle both the generation and storage of the rest.

I don't remember 98% of my passwords and change them frequently. I just go through the password manager to update them as necessary.
posted by purephase at 6:03 PM on July 20, 2008

One of those simple easy ideas someone should have done a long time ago.

People have. I read a post on Bruce Schneier blog that said you should write down your passwords, and there was a suggestion (from somewhere) that you ought to create a chart that explained your password in a way that only you could read. I actually posted this to metafilter

I don't like the over-use of random case mixing, since it makes the generated password a lot harder to remember, and who wants to always be referencing the card?
posted by delmoi at 6:04 PM on July 20, 2008 [1 favorite]

Best advice I have received is to use a pneumonic expression: "I have 7 sisters and 0 brothers," yields Ih7sa0b, which is also a strong password!

If the system is capable of long, complex passwords, just use the original phrase. If the system isn't, uh, run away.
posted by secret about box at 6:04 PM on July 20, 2008

This tool sounds like a good idea, but it gains you absolutely nothing over just concatenating the passphrase and password together; the set of possible keys generated by one of these charts is at most the same size, and possibly smaller.

If you want as much security as possible, use a real random character generator, not something derived from a passphrase. If ease of memorization is more important, go with a Diceware password, preferably with actual dice.
posted by teraflop at 6:07 PM on July 20, 2008 [1 favorite]

For my work computer, where I have to change passwords often, I choose a favorite album, one I have memorized, and use the beginning of the lyrics of each song to base my password on, then add a number and special character to the end.

For example, if the album is Dark Side of the Moon, the opening couplet:
Breathe breathe in the air
Don't be afraid to care
might become the password BbitaDbatc1*

My next password would be based on Time, the next song with lyrics. This comes in really handy, because it's not uncommon to change your password and forget the new one because the old one is so firmly in your head. This way, if you remember the old one, you know how to figure out the new one.

Once I've used up all the songs from that album, I pick another one.
posted by Fuzzy Skinner at 6:09 PM on July 20, 2008 [3 favorites]

Please remember not to use passwords generated by others on anything you care about. The people behind this get a juicy list of passwords and matching IP addresses. If you need passwords, get an open source password generator and run it locally.
posted by CautionToTheWind at 6:11 PM on July 20, 2008 [1 favorite]

I agree with Mikey-san. Use passphrases, not passwords. They're easy to remember by themselves, and they are quite strong.
posted by me & my monkey at 6:11 PM on July 20, 2008

The method I've been using for years involves drawing shapes with the keys on my keyboard. It can be a pain in the ass occasionally when I sit down at a non-standard layout keyboard but they are very strong passwords...in fact thanks to doing things that way, even I couldn't tell you what most of my passwords are.
posted by JaredSeth at 6:17 PM on July 20, 2008 [2 favorites]

Unless I'm missing something this is a really stupid idea. It not that hard to generate readable secure passwords. You can also use a browser add on to manage passwords for websites. This looks like a straight forward substitution cipher. The fact that it maps a single character to multiple characters actually decreases it's security. If you repeat a character in your seed, then you get a repeated sequence in your password which is a pretty obvious hint that you're using a substitution cipher. Also, if I enter the same chart phrase and password it always gives me the same password. I know almost nothing about cryptography but even from my position of ignorance this doesn't seem smart.
posted by rdr at 6:23 PM on July 20, 2008 [1 favorite]

I don't work in anything requiring that much security, so I've always just used phrases and numbers which mean something to me, but which nobody else would imagine mean anything to me. For an example (one which I don't actually use, obviously), I love Donnie Darko. That's one of many, many movies that I love, though, so that shouldn't be too obvious to anu=yone trying to hack into whatever I'm doing. Still, though, I know that my favorite part of the movie, for some reason, is the bit about "Cellar Door," which has always stuck with me. This can't be discovered by anyone looking into my identity no matter how hard they try. Just change a little bit of this into basic 1337 and you get:

C3ll@rd00r

which is easy for me to remember, but which I'd have no reason to believe anyone would guess.

So I'm honestly asking those who know much more than me, am I being naive here? Is there any reason to think that someone would care enough about hacking my system as to try to game that (hypothetical) password?
posted by Navelgazer at 6:25 PM on July 20, 2008 [1 favorite]

These websites that offer services like this or a 'fun quiz' for apparently nothing in return always make me a bit suspicious.

Also, I think that should be ...mnemonic... not pneumonic. You'll have the health department after you....
posted by Kronos_to_Earth at 6:28 PM on July 20, 2008 [1 favorite]

I just use "demo" for all my passwords.
posted by yhbc at 6:30 PM on July 20, 2008 [3 favorites]

My password generator creates a different password for each site you visit, and uses simple SHA-1 hashing that anyone can duplicate. And it's a single self-contained Web page that you can copy and run on your own workstation - or just use the bookmarklet version.
posted by nicwolff at 6:30 PM on July 20, 2008 [3 favorites]

But is 12345 strong enough for my luggage?
posted by fijiwriter at 6:32 PM on July 20, 2008 [5 favorites]

I like to publicize my passwords for plausible deniability. If everyone knows my mefi password is 'abbarocks', then no one can pin the dumb shit I say on me.
posted by stavrogin at 6:39 PM on July 20, 2008 [1 favorite]

pwdhash is the same idea but runs fully client side with a slick little Firefox plugin
posted by Nelson at 6:40 PM on July 20, 2008 [1 favorite]

I use a reverse polynomial quantum regression algorithm based obscure Polish geometrics.

It's just coincidence that it spells out: MattHaugheyEatsWorms.
posted by RavinDave at 6:46 PM on July 20, 2008

I use what I thought was a great password for every site I register on, but last month I found out my sister and my father use the same one. Fail.
posted by HotPatatta at 6:49 PM on July 20, 2008

I use a unique 64-character alphanumerisymbolic encrypted phrase from my mother's favorite song, then I add my medical license number, which is 12. My passwords are so complex, I can only log on to a website twice before I forget them. This has the pleasant side-effect of curbing my online shopping addiction, and I don't have to deal with emails from irate former patients.
posted by Dr. Spaceman at 7:16 PM on July 20, 2008

BFD I can defeat any password. Just look at the Post-it note under the keyboard.
posted by Gungho at 7:19 PM on July 20, 2008

C3ll@rd00r

That's pretty common to get around rules that say that a password must contain a mix of letters and numbers, or letters, numbers and symbols. It's not especially secure though if the underlying word is in the dictionary, since it's very easy to create a dictionary that has all the alternate versions instead.
posted by smackfu at 7:25 PM on July 20, 2008 [1 favorite]

One thing I hate is when they require you use some special characters, and then block some. So, if you frequently use one special character in your passwords, and you come across some other site that doesn't let you use that character, it can fuck up your shit.

The problem with pass phrases is that you can forget the punctuation and capitalization. I had one issue where I typed in the wrong password more then three times on a credit card site, and I actually had to call up to get my account unlocked. This is a pretty obvious problem if you use more then one password and log on to multiple sites.

So, they try to ask me security questions like "what high school did you go to". Now, obviously I know this (and it wouldn't be hard for an identity thief to look it up, which is why I probably used fake info anyway) but it turns out that the answers to security questions are case sensitive on this site. WTF?

It's completely ridiculous.
posted by delmoi at 7:34 PM on July 20, 2008

I always just use Guest. With my student loans, I pity the fucker who steals my identity.
posted by jimmythefish at 7:42 PM on July 20, 2008 [1 favorite]

I like using a phrase and then typing it one with my hands misplaced on the keyboard (you have to wrap around if you go off the edge obviously). That or use a combination of leet and txt to misspell it.
posted by 445supermag at 8:04 PM on July 20, 2008

What were the first and last names of your favorite high school teacher?

oyster bar

What make was your first car?

meow

What was your mother's maiden name?

3
posted by jfuller at 8:09 PM on July 20, 2008 [4 favorites]

Use passphrases, not passwords. They're easy to remember by themselves, and they are quite strong.

So she can get a sensual seduction.
posted by bwg at 8:22 PM on July 20, 2008

Is there any reason to think that someone would care enough about hacking my system as to try to game that (hypothetical) password?

Unfortunately, yeah. What smackfu was talking about in his comment is a dictionary attack. Given that it's easy and lucrative to add the leet-speak variants of any word to a dictionary, your password doesn't really pass muster.
posted by invitapriore at 8:33 PM on July 20, 2008

Several years ago, I was helping my son with his taxes, and the site we used required a strong password that mixed numbers & letters. It was a brilliant one and we both promised we would remember it. We even created a mnemonic for it. As it turned out, we may as well have created a pneumonic or a moronic, b/c even when the system returned our mnemonic for the password hint, neither one of us couuld remember WTF the clue meant. We were pretty sure it was a good password, though!
posted by beelzbubba at 8:51 PM on July 20, 2008

Foci for Analysis: Opera users: this tool won't work in your favorite browser.

Works OK for me in Opera 9.51.
posted by Western Infidels at 8:58 PM on July 20, 2008

"Bosco" has always worked fine for me.
posted by Knappster at 9:01 PM on July 20, 2008

I like PasswordMaker. It uses one pass phrase and generates unique passwords for each site. There's a FireFox plugin.
posted by muckster at 9:07 PM on July 20, 2008

Best advice I have received is to use a pneumonic expression: "I have 7 sisters and 0 brothers," yields Ih7sa0b, which is also a strong password!

Well, it was.



Jerk.
posted by Alvy Ampersand at 9:07 PM on July 20, 2008 [1 favorite]

neat
posted by vertigo25 at 9:16 PM on July 20, 2008

My personal fave is APG (Automated Password Generator). Also used by many system admins I know. It doesn't look like there is a binary (executable) release for anything but Windows, but it compiles easily. There may be other sources for binaries (eg, for OS X), but I don't know of any offhand. Extrelemy versatile, and you can tweak the parameters to make very memorable/pronounceable passwords.

There's also a good OSX desktop widget called Make-A-Pass.
posted by foonly at 9:18 PM on July 20, 2008

What were the first and last names of your favorite high school teacher?

oyster bar

What make was your first car?

meow

What was your mother's maiden name?

3

I did something like this once. I saved the answers in an encrypted .dmg file. Then my Macbook Pro died and I got a Linux laptop.

Oops.

Luckily, I have no idea which website I used that on, so I guess I'm not likely to visit it again.
posted by dirigibleman at 9:33 PM on July 20, 2008

On occasion I'll feel that I'm being too lazy with my passwords (since I use the same password for everything except for my financial stuff and other important sites) but every time I try to make my passwords more secure it ends up seeming like more trouble than it's worth.
posted by Mr.Encyclopedia at 9:49 PM on July 20, 2008

That's nifty, nicwolff, thanks!
posted by treepour at 9:53 PM on July 20, 2008

I've been using NicWolfs' password generator for it's ease of use... however, another password generator worth mentioning is GenPass.
posted by acro at 9:59 PM on July 20, 2008

I always hate the sites that demand your password contain numbers, mixed cases, and special characters, and then require that your security question be something on public record like your mother's maiden name.
posted by shakespeherian at 10:14 PM on July 20, 2008

There's also GoodPassword.
posted by mrbill at 10:25 PM on July 20, 2008

neustile: They may get a juicy list of IP addresses, but not the passwords. When using the site nothing is transferred back to them-- the computation to generate the hash table and resulting suggested password all happens locally on your machine. The owners of the site have no idea what you typed into either of the boxes.

Anyone with both the knowhow to be able to and the desire to go ahead and check this probably doesn't need to be told how to come up with a strong password. The people who are in the habit of using weak passwords should be told not to rely on an online password generator site, not least as when they next want a password they may just google for another site and there's no guarantee from you or anyone else then that they're being given one the site owners won't know.

Better to just cultivate broad-spectrum paranoia in your peers than tell them "this site is OK to use".
posted by edd at 12:45 AM on July 21, 2008

Passphrases are great, but so I also funny words in another language spelled with numbers. Like 514gr00m (slagroom = whip cream in dutch).
posted by dabitch at 12:49 AM on July 21, 2008

Opera users: this tool won't work in your favorite browser.Works just fine for me with Opera 9.51.


They've been mentioned a few times already, but aren't those "secret questions" the biggest hole in any log-in system? First you have to pick a password that no one should be able to guess, with both upper and lower case characters as well as numbers and non-alphanumeric characters. And then you have to fill in something which goes completely against the no-guessing/easy to find out rules (mother's maiden name, etc). WTF?
posted by bjrn at 1:55 AM on July 21, 2008

Vanity license plates! As easy to remember as a passphrase but much less typing.
posted by twoleftfeet at 3:03 AM on July 21, 2008

I always hate the sites that demand your password contain numbers, mixed cases, and special characters, and then require that your security question be something on public record like your mother's maiden name.

So, you say your mother's maiden name is "marilynmonroe" - just make it something you can remember. Who's going to check?
posted by SteveInMaine at 3:52 AM on July 21, 2008

I knew an admin who used 445supermag's method, and he always liked to brag that his passwords were so secure that not even HE knew them. Heh.
posted by Ian A.T. at 4:35 AM on July 21, 2008

> Who's going to check?

Righto. All they want is some string of characters. Go wild.
posted by jfuller at 4:39 AM on July 21, 2008

So, you say your mother's maiden name is "marilynmonroe" - just make it something you can remember. Who's going to check?

Quite. Ludicrously insecure to have some ID question that's externally checkable biography. While less checkable, "What was your first pet's name?" is another that isn't much better: if it's required, I usually answer make up something like "Bastardfeathers the Demonic Parrot God".
posted by raygirvan at 5:57 AM on July 21, 2008

So insecure passwords are bad -- gotcha. Anyone here actually have an account hacked because of an insecure password?
posted by garlic at 7:01 AM on July 21, 2008

Still rambling about the poster's link, even if the website makers do not get to see the passwords this generates, they get an IP list of people who have used a weak algorithm to generate passwords they may consider secure. There is little difference between knowing your password and having a list of 1 million passwords with yours in it.
posted by CautionToTheWind at 7:40 AM on July 21, 2008

So insecure passwords are bad -- gotcha. Anyone here actually have an account hacked because of an insecure password?

In high school I hacked a school fileserver due to ridiculously insecure password - if I remember right it was '7721', but definitely a four digit number. I used this to leave notes making fun of people in their networked storage.

This was nowhere near as bad as the time when an administrator needing computer help gave me a login/password that I'm pretty sure would have allowed me to change grades.
posted by TheOnlyCoolTim at 7:42 AM on July 21, 2008

Right... The auto-spell checker gave me lung inflammation rather than an easy way to remember things. : )

Ta-scgmlirtaewtrt.
posted by quanta and qualia at 8:58 AM on July 21, 2008

For a while I had a strong password system based around the fact that it wasn't a word or phrase at all, it was just something that was fun to type.

Something like 'WPeo39dka;' just because it has a nice left hand/ right hand syncopation to it. It stopped working when I had to briefly use a different keyboard layout and it really screwed me up because I wasn't remembering the actual password, just the pattern that I typed.
posted by quin at 9:36 AM on July 21, 2008

So insecure passwords are bad -- gotcha. Anyone here actually have an account hacked because of an insecure password?

I once guessed a friend's email password in three tries. It was his kid's nickname. I had some fun with it. Might be that insecure, personal passwords lend themselves more to acquaintance-related shenanigans than anything else.
posted by jimmythefish at 9:58 AM on July 21, 2008

Use passphrases, not passwords. They're easy to remember by themselves, and they are quite strong.

My user name is strictly a way to annoy people who use phrase-based passwords.
posted by 1f2frfbf at 11:54 AM on July 21, 2008

Yes my ebay account was hacked when I was using a rather primitive early internet password.
posted by Gungho at 6:25 PM on July 21, 2008

I knew an admin who used 445supermag's method, and he always liked to brag that his passwords were so secure that not even HE knew them. Heh.
posted by Ian A.T. at 4:35 AM on July 21

I have to admit that I don't know some of my passwords, just how to type them. Once, many years ago my email account at a university got cut off because I was over the size limit. The student manning the IT desk when I called asked my password so he could manually delete a huge file that someone sent me. I had no clue and had to go to a keyboard and see what keys my fingers were hitting when I typed the password.
posted by 445supermag at 9:09 PM on July 21, 2008

dd if=/dev/urandom bs=9 count=1 | mimencode
posted by flabdablet at 10:10 PM on July 21, 2008

C3ll@rd00r

The most beautiful password.
posted by rokusan at 3:29 AM on July 22, 2008

very interesting, yet at the same time too much effort for the number of passwords I use.
posted by meowN at 1:07 PM on July 22, 2008

If you're a nobody, like, say, me, Enigma-level password security probably doesn't need to be your top priority. But... but... if you happen to be the lead singer of a world famous rock band, DON'T MAKE IT YOUR FUCKING MIDDLE NAME.
posted by dgaicun at 3:03 PM on July 22, 2008