How to make your password memorable but strong

In the fairy tale “Ali Baba and the Forty Thieves,” Kasim, the elder brother of Ali Baba, dies in the secret cave. Kasim goes to the cave, taking a donkey with him so that he can carry away as much treasure as possible. He enters the cave with the magic words. However, in his greed and excitement over the treasure, he forgets the words to get out again and ends up trapped. The thieves find him there and kill him.

People think that Kasim died of his greed. But as I see it, this story could have had a happy ending if he had remembered one thing, one thing that we often forget and get frustrated about: “Open Sesame,” when he wanted to leave the cave with the treasure in his hands. No one in real life would forget a passphrase like this, but in many respects we are no better than Kasim.

Kasim forgot the password

What is a weak password?

Password rules are always the first topic in my awareness training for customers. It is the rule that applies to every employee, whatever their level or unit. This time, let me share it with all of you so that more people know about it.

To build an easy-to-remember and adequately secure password, let’s first look at the opposite: weak examples. According to SplashData, the most common passwords are:

123456
123456789
qwerty
password
1234567
12345678
12345
iloveyou
111111
123123

Other common passwords include:

Nothing
Secret
Password1
Admin

If you use one of the above, you should consider changing it right after reading my password rules. Before that, it is better to understand what kind of password is more susceptible to being cracked.

Hackers use password cracking software with a giant password database to try passwords. Everything in the lists above, and all its variants (capitalised, with digits or symbols swapped in for letters, with a year or “123” appended), is already in the hackers’ “password table,” so such passwords are cracked within minutes. The simple rule is not to use them.
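Why the “variants” of a common password are already in the cracker’s table: the following added example (not from the article) implements a handful of mangling rules of the kind password-cracking tools apply to a wordlist, seeds them with the lists above, and checks candidate passwords against the result. The base list, the substitution table and the suffix list are assumptions chosen for illustration; real rule files are far larger. The last function anticipates the next section: it gives the size, in bits, of the space a cracker must search when no wordlist applies, which grows with length much faster than with alphabet.

```python
"""Added example (not from the article): a few mangling rules of the kind
password-cracking tools apply to a wordlist, seeded with the lists above.
The base list, substitution table and suffix list are constructed for
illustration; real rule files are far larger."""

import math
from itertools import product

# Constructed base list: the SplashData top ten plus the other four
# common passwords quoted above, all lower-cased.
BASE_WORDS = [
    "123456", "123456789", "qwerty", "password", "1234567", "12345678",
    "12345", "iloveyou", "111111", "123123", "nothing", "secret",
    "password1", "admin",
]

# One common leet table (assumed); crackers try several.
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$", "t": "7"}

# Typical appended strings (assumed).
SUFFIXES = ["", "1", "12", "123", "!", "1!", "2020", "2021"]


def leet_variants(word):
    """Every combination of applying or not applying each substitution."""
    positions = [i for i, ch in enumerate(word) if ch in LEET]
    variants = set()
    for mask in product((False, True), repeat=len(positions)):
        chars = list(word)
        for apply_it, i in zip(mask, positions):
            if apply_it:
                chars[i] = LEET[chars[i]]
        variants.add("".join(chars))
    return variants


def case_variants(word):
    """lower, Capitalised and UPPER forms."""
    return {word, word.capitalize(), word.upper()}


def mangle(base_words):
    """Case rules, then leet rules, then suffix rules: the 'password table'."""
    table = set()
    for word in base_words:
        for cased in case_variants(word):
            for leeted in leet_variants(cased):
                for suffix in SUFFIXES:
                    table.add(leeted + suffix)
    return table


def is_in_table(password):
    """True if a cracker using these rules would try this password."""
    return password in mangle(BASE_WORDS)


def table_size():
    """Number of candidates the rules produce from the 14 base words."""
    return len(mangle(BASE_WORDS))


def bits_to_brute_force(alphabet_size, length):
    """log2 of the search space when no wordlist applies: length multiplies
    the bits, a bigger alphabet only nudges them."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    for candidate in ["P@ssw0rd1", "Qwerty123", "correct horse battery staple"]:
        print(candidate, "->", "in table" if is_in_table(candidate) else "not in table")
    print("table size:", table_size())
    print("8 chars from 95 symbols: %.1f bits" % bits_to_brute_force(95, 8))
    print("16 lowercase letters:    %.1f bits" % bits_to_brute_force(26, 16))
```

Run it and notice that “P@ssw0rd1” and “Qwerty123” come back as hits from a table of only about a thousand candidates, while sixteen lowercase letters (about 75 bits) outweigh eight characters drawn from all 95 printable ASCII symbols (about 53 bits).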
Passwords that use a single word or only numbers are never as good as those built with the rules below.

Zen password rules

Most websites with a login include a password policy that forces the user to create a password with a certain complexity level, such as special characters, upper and lower case, and a mix of letters and numbers. All these rules are trying to increase the complexity of a password. Therefore, I would suggest you satisfy all of them in every password, so that you are not rejected by the policy and made to re-type a new one every time you create an account.

PLM — Password Length matters

A 2015 study found that “the effect of increasing the length dwarfs the effect of extending the alphabet [adding complexity].” The FBI’s Tech Tuesday advice follows the same recommendation. It points out, “Instead of using a short, complex password that is hard to remember, consider using a longer passphrase,” and this originally comes from NIST Special Publication 800-63B.

Key Point: Longer passwords, even of simple words or constructs, are better than short passwords with special characters.

Open Sesame 2.0

The following is my step-by-step guide on how to generate an “Open Sesame 2.0”.

1# Create a “Seed” for passwords

Computer systems use a seed to generate random numbers. What is a “seed” for you? It is the starting point for creating all your passwords. You can use your company email and apply some transformation, or make one from your name. There is only one requirement for this rule: keep it secret. The seed should be related to you, so that it helps you remember, but at the same time complex enough to prevent guessing. It can be your name or the name of your favorite TV character, e.g., MrRobot.

2# Letters Transformation

If you, like me, are a fan of the TV show Mr. Robot, you have probably noticed this in each episode’s official title.

Mr. Robot (TV Series 2015-2019) - IMDb
www.imdb.com
“eps1.0_hellofriend.mov”
“eps1.1_ones-and-zer0es.mpeg”
“eps1.2_d3bug.mkv”
“eps1.3_da3m0ns.mp4”
“eps1.4_3xpl0its.wmv”
“eps1.5_br4ve-trave1er.asf”

Hackers normally use this kind of letter transformation when communicating in forums, to get past detection or keyword blocking. It is less effective now that AI-based filters are used in those scenarios. Still, it is useful for creating a complex password that is easy to remember but hard to guess. For example:

“0” as o or O, e.g., zero → zer0
“1” as I or l, e.g., traveler → trave1er
“4” as A, e.g., brave → br4ve
“@” as a
“3” as E
“2” as Z

You can use your 0wn tr@nsl4tion, but the rule is t0 k3ep 1t consistent. Using this rule, you can fulfil most complex password policies. Keep in mind that cracking tools apply the same substitutions to their wordlists, so the transformation mainly buys you policy compliance; the length and the secret seed do the real work.

3# Make it rememberable

As computers are part of life, we use different systems and websites, for work or leisure, that require us to log in. It is frustrating to click the “forgot password” button every time you return to a website you seldom use, or simply because you are forgetful. It is also a bad idea to use a SINGLE PASSWORD for all your accounts (if you do, change it now!). Please do not do that.

The second rule that helps you remember is to include the URL in your password. Yes, you read it correctly: I am asking you to consider including the website’s URL in your password.

Some companies require users to change their passwords every 30 days or so. It is still part of some security standards, although NIST SP 800-63B, cited above, no longer recommends forced periodic changes unless there is evidence of compromise. When you do have to change it, the challenge is remembering what you typed. In that case, I suggest adding the date of the change to your new password, e.g., 20201217 for 17 December 2020.

4# Combining 1# to 3# to come up with a great password

So now you know how to transform letters into complex password elements. It is also easy to include in your password the URL or the date of where and when you type it, to help you remember. The rule uses a “seed” and combines it with a variable related to where or when the account belongs.
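Steps 1# to 4# written as code, before the walk-through that follows. This is an added example, not the author’s own tool. It fixes one consistent version of the step 2# table (the first occurrence of each mapped letter is replaced, which reproduces the article’s “MrR0bot” and “N3tf1ix”; the author applies the table by hand and selectively), builds seed@site(+date), checks the result against a typical sign-up policy (assumed: at least 12 characters and three of four character classes), and shows why the seed must stay secret: the site part is derivable from the site name, so anyone who reads one leaked password of this shape is left holding the seed. The seed, sites and date are the article’s own examples.

```python
"""Added example, not the article's own code: steps 1# to 4# as functions.
Assumptions: the transformation replaces the FIRST occurrence of each mapped
letter (the article applies its table by hand and selectively); the policy
(12+ characters, 3 of 4 classes) is a typical sign-up rule, not a standard;
the seed, sites and date are the article's own examples."""

import re
from datetime import date

# Step 2#: the article's table, fixed as one consistent mapping.
LEET = {"a": "@", "A": "4", "e": "3", "E": "3", "l": "1", "I": "1",
        "o": "0", "O": "0", "z": "2", "Z": "2"}


def transform(text):
    """Replace the first occurrence of each mapped letter only."""
    out, done = list(text), set()
    for i, ch in enumerate(out):
        if ch in LEET and ch not in done:
            out[i] = LEET[ch]
            done.add(ch)
    return "".join(out)


def build(seed, site, changed_on=None):
    """Step 4#: transformed seed + '@' + transformed site anchor, plus the
    date of the change as YYYYMMDD when one is given (step 3#)."""
    password = f"{transform(seed)}@{transform(site)}"
    if changed_on is not None:
        password += changed_on.strftime("%Y%m%d")
    return password


# A typical complexity policy (assumed): minimum length plus 3 of 4 classes.
CLASSES = {"lower": r"[a-z]", "upper": r"[A-Z]",
           "digit": r"[0-9]", "special": r"[^A-Za-z0-9]"}


def check_policy(password, min_length=12, required_classes=3):
    """Return (ok, missing_classes) for the assumed policy."""
    present = [name for name, pat in CLASSES.items() if re.search(pat, password)]
    missing = [name for name in CLASSES if name not in present]
    ok = len(password) >= min_length and len(present) >= required_classes
    return ok, missing


def seed_from_leak(leaked_password, site):
    """The attacker's view: given one leaked password and the site it came
    from, strip the guessable '@site' part and what is left is the seed."""
    anchor = "@" + transform(site)
    if anchor in leaked_password:
        return leaked_password[: leaked_password.index(anchor)]
    return None


def predict_for(seed_transformed, other_site):
    """What the attacker tries next on another site with that seed."""
    return f"{seed_transformed}@{transform(other_site)}"


if __name__ == "__main__":
    pw = build("MrRobot", "Netflix")
    print(pw, check_policy(pw))                       # MrR0bot@N3tf1ix (True, [])
    print(build("MrRobot", "Netflix", date(2020, 12, 17)))
    seed = seed_from_leak(pw, "Netflix")
    print(seed, "->", predict_for(seed, "Amazon"))   # MrR0bot -> MrR0bot@4m@20n
```

The policy check is a floor, not a strength measure: it passes “MrR0bot@N3tf1ix” for exactly the reasons the article lists, but the same shape makes seed_from_leak trivial, which is why the seed must never be reused once any account using it is breached.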
Key Point: Seed + URL (+date) = Strong but easy to remember

Consider the following walk-through example. Let’s say Mr. Robot wants to join Netflix. When creating the account, he can first transform his name “MrRobot” into “MrR0bot” (the seed) and “Netflix” into “N3tf1ix” (the variable). As a result, good password options could be:

MrR0bot@N3tf1ix
MRatN3tf1ix
MRatNetfl1x
MrR0bot@Netflix.com

Can you follow it? If he wants to join amazon.com as well, then the possible password combinations could be:

MR@Am4z0n.com
MrR0bot@Amazon.com
MrR0bot@4m@zon.c0m

The key is keeping the seed but changing the remaining part. Remember NOT to tell anyone what remains unchanged. The seed is the ultimate secret; it cannot be written down or told to anyone. Note that the site-dependent part is easy to guess from the site name, so a single leaked password of this shape reveals your seed to whoever reads the breach dump; if any account using it is breached, change the seed everywhere.

5# Test your created password

The test result of password “MrR0bot@4m@zon.c0m” | screenshots by the author

After some practice, you can use this way of thinking anywhere. But before you start changing passwords on different websites, you can test your password strength using the following portal. Test with a password of the same shape rather than the one you will actually use: anything typed into a third-party page is out of your control.

Password Strength Test - My1Login
www.my1login.com

The Weakest Link

Image by Melk Hagelslag from Pixabay

First things first: you should know by now that hackers in real life are not like those in most movies or TV shows (except Mr. Robot). Hackers try not to penetrate a system with complex malware or tools, because that is the most labor-intensive and cost-ineffective approach. Instead, they often get in by compromising the weakest link: people. Therefore, as a security professional at work, one of my most concerning areas is password security.

“Pwned”

One thing that is not the same in the digital world and the physical world is the concept of theft. If your wallet is stolen in the physical world, you know it when you put your hand in your pocket, because it is not there, right?
But in the digital world, what is stolen is still there. Therefore, a good start is to check whether your identity has been stolen, or “pwned.”

Let’s talk about what “pwned” is. According to Merriam-Webster:

Pwn is a lot like own, then, in the sense of 1b, “to have power or mastery over (someone).” (This is, of course, no coincidence. The word likely has its origin in a mistyping of own, what with the p and o being so close to one another on the QWERTY keyboard and all.)

From a security point of view, being pwned means that someone has gained unauthorized access to your account. In most cases, it means something was stolen, whether your credentials or those of someone who has access to yours.

So how do I check if my account is safe? Yes, some good guys try to help. One of them is Troy Hunt, the creator of HIBP.

1# Have I been pwned (https://haveibeenpwned.com/)

Screen capture of HIBP | copyright by the author

Have I Been Pwned (HIBP) is a free, public website that checks whether your email address appears in known data breaches. It is also the site most often recommended to the general public for this purpose.

Final Words

A password is the first line of many security measures. If you use a simple password, then everything that follows becomes useless, no matter how advanced the tools are. While making a complex password is challenging for some people, I hope that by sharing my Zen password rules you get some ideas for generating a good password that is easy to remember. And please feel free to check the status of your current accounts on HIBP.

In summary, here are my Zen password rules:

PLM — Password Length Matters

How to generate a good password?
Create a seed (do not tell anyone)
Letter transformation
Anchoring with a URL or date (Seed + URL + Date)
Generate (practice) and test the strength

Thank you for reading. Happy reading and strengthening your account security.
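A closing addition to the 5# test and HIBP sections above: besides the e-mail lookup, HIBP offers a Pwned Passwords range check that fits step 5# better than a third-party strength meter, because only the first five hex characters of the password’s SHA-1 leave your machine (k-anonymity) and the match is made locally. The code below is an added example, not the article’s or HIBP’s own; the endpoint and response format are HIBP’s documented ones, but the sample response and its counts are constructed so the block runs offline.

```python
"""Added example (not from the article): the client side of the Pwned
Passwords range check that HIBP offers alongside the e-mail lookup.
Only the first five hex characters of the password's SHA-1 are sent; the
server returns every hash suffix with that prefix as "SUFFIX:COUNT" lines,
and the comparison happens locally (k-anonymity). The sample response
below is constructed so the code runs offline; its counts are made up."""

import hashlib
from urllib.request import Request, urlopen

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_hash(password):
    """Upper-case SHA-1 hex split into the 5-char prefix that is sent and
    the 35-char suffix that never leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body):
    """'SUFFIX:COUNT' lines -> {suffix: count}. Padding rows (count 0)
    are kept; they simply never match with a nonzero count."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep:
            counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password, fetch_range):
    """How often the password appears in the HIBP corpus (0 = never seen).
    fetch_range(prefix) returns the server's text for that prefix."""
    prefix, suffix = split_hash(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def fetch_range_online(prefix):
    """The real lookup. Add-Padding asks the server to pad every response
    to a similar size, so response length leaks nothing about the prefix."""
    req = Request(RANGE_URL + prefix,
                  headers={"Add-Padding": "true",
                           "User-Agent": "range-check-example"})
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the server. The real SHA-1 of "password" is
# 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8, so its prefix is 5BAA6 and its
# suffix is the second row; the other rows and every count are invented.
SAMPLE_RANGES = {
    "5BAA6": "\r\n".join([
        "003D68EB55068C33ACE09247EE4C639306B:3",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
        "2E8D1D8E9F5A4C0A9F0D3B6E4C2A1B0F9E7:0",
    ]),
}


def fetch_range_offline(prefix):
    """Offline substitute for fetch_range_online, backed by SAMPLE_RANGES."""
    return SAMPLE_RANGES.get(prefix, "")


if __name__ == "__main__":
    for candidate in ["password", "MrR0bot@N3tf1ix"]:
        prefix, _ = split_hash(candidate)
        print(candidate, "prefix sent:", prefix,
              "seen:", pwned_count(candidate, fetch_range_offline))
    # Swap in fetch_range_online to query the real service.
```

Pass fetch_range_online instead of fetch_range_offline to query the live service; a nonzero count means the password is in a published breach and should not be used anywhere, however well it scores on a strength meter.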