On creating memorable passwords

![XKCD: Random, easy to remember, terrible idea](http://imgs.xkcd.com/comics/password_strength.png)

The XKCD comic above describes a common problem: choosing a secure online password. Numerous methods of password selection have been given to users over the years. None of them are perfect; most are good, but some are less good. Below, I’ve outlined some major problems with passwords and my advice on the best way to choose and remember them. Note that ATM PINs, security questions, and other secure strings should follow these rules as well.

# General Guidelines

1. **Do not** use “password”. It doesn’t matter if you capitalize some of the letters or turn some of them into numbers or symbols. Anyone with any skill will guess it.
2. **Do not** use your birthday, nor the birthday of anyone who means anything to you. Anniversaries and the last four digits of your social security number are out as well. Also, if anyone ever asks for JUST the last four digits of your social, and you’ve never given them your full social, treat it as a PIN and give them a fake number. I’ve had banks and cable companies ask for my full social at sign-up for a credit check, so they get my last 4 when they ask. Everyone else gets a random 4-digit number.
3. Do not use identifying information. Family, friends, and pet names are all out.
4. If a website has a “Security Question” that’s also a password. Don’t put in real information, [because it’s easy to guess](http://www.huffingtonpost.com/2014/09/02/hackers-celebrities_n_5753270.html).

# Who wants my password/pin/etc?

Generally, people who want to access things. They fall into three categories:

1. Online attackers/identity thieves who do not personally know you (Bad).
2. People who know you and want to snoop/steal.
3. People who have physical access to your equipment (Worst).

The bad news is that if someone has your computer, cell phone, etc., then odds are that, given time, they can get whatever they want from it regardless of your password. Apple and Google are getting better at protecting devices, but unfortunately lots of people don’t put locks on their phones. Microsoft has BitLocker, but it’s a Windows Pro feature not everyone has access to (and it probably has [NSA backdoors](https://www.schneier.com/blog/archives/2015/03/can_the_nsa_bre_1.html)).

Luckily, if someone breaks into your house or steals your purse, they are more likely interested in the quick sale than in recovering any data. However, there are [constant](http://www.computerworld.com/s/article/9233701/NASA_breach_update_Stolen_laptop_had_data_on_10_000_users) [stories](http://www.knoxnews.com/news/2012/oct/18/blount-hospital-laptop-stolen-with-27k-patients/) of how [laptops](http://www.knoxnews.com/news/2012/oct/18/blount-hospital-laptop-stolen-with-27k-patients/) and hard drives with business/financial/customer data are [stolen](http://www.faronics.com/2013/hipaa-doles-out-50000-penalty-to-hospice-center-in-wake-of-data-theft/) or lost. Odds are that even if ***your*** equipment is secure, someone else who isn’t has your information, and it will be stolen.

Not *if*, but *when* it’s stolen, it will likely be put into a database and sold to people who make their living off of fraud and identity theft.

# What should my password be?

Ideally, in a perfect, utopian world, your password would be a million-character-long string of letters, numbers, and symbols in varying caps with no repeating patterns. This is impossible to implement. Therefore, your password should meet the following criteria:

1. You should be able to remember it.
2. You should not choose an easy-to-guess password.
3. Your password should be for only one website/account/etc.

# Why is the XKCD comic above wrong?

The method above is a good way of choosing a password, but it fails in two regards: It is both easy to guess and hard to remember. Or rather, hard to remember more than one. If your password is correcthorsebatterystaple, you may very well remember that, but you WILL forget to which website it belongs. If you choose a password like that for your GMail, your bank, your Amazon account, and your PayPal, you will have no identifying information as to WHICH password goes where.

The “bits of entropy” calculation is also completely false/nonsense as we’re talking about things people type with keyboards, not encrypted data represented as text. Additionally, if you choose four (or ten, or one hundred) easy to guess words, any password cracker could be modified to compensate for multiple words.

Given that most websites allow passwords between 7 and 15 characters, here is your algorithm:

1. Pick a word with fewer than 15 letters.
2. Try it.
3. If there is still space, add another word.
4. Try it.
5. Repeat steps 3-4 until there is no more space.
6. Remove the last word and add a new one.
7. Repeat steps 3-6 until there are no more words.
8. Go back to 1.

If you want to see a list of common English words used by password crackers, try [here](http://wordlist.sourceforge.net/).

# So how should I store passwords?

This depends. If you are in a business, you need to check with supervisors/IT about password requirements, how often (if ever) you need to change them, and their policies about storing them.

I personally use [LastPass](https://lastpass.com/). They have plugins for Firefox, Chrome, etc. which can automatically fill in passwords for you.

If you pay $12/year, you can even get the mobile version for Firefox for Android or Safari on iPhone. It’s a case where they priced it perfectly, and if you log into things on your phone a lot, it’s worth the money.

Additionally, I would not trust your browser’s “Remember this password” feature. Most are better than they once were, and many encrypt passwords, but they are still vulnerable to viruses and malware.

You can sign up for an account at [PBworks](http://pbworks.com) to make a personal wiki. There you can privately store personal information. If you are at home, it is very easy. Write them down in a notebook. Do not label the notebook as anything to indicate it’s an obvious collection of your accounts. Keep it near the computer, but again, not obvious.

# So how should I make passwords?

As for choosing a secure password, this is how I do it.

1. Create a random base of 4-8 characters. Go [here](http://www.random.org/strings/?num=10&len=8&digits=on&upperalpha=on&loweralpha=on&unique=on&format=html&rnd=new) to do so. You will memorize this and use it for multiple sites.
2. For a given website, choose a word you will not forget (shopping for Amazon, email for GMail, etc.).
3. Combine them. For example:
   1. I choose jUGBLwJn as my random string.
   2. I am making a password for Amazon, and I choose shopping: jUGBLwJnshopping
   3. I am making a password for GMail, and I choose mail: jUGBLwJnmail
4. Additionally, you could use:
   1. shoppingjUGBLwJn, mailjUGBLwJn
   2. jUGBshoppingLwJn, jUGBmailLwJn
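The following is an added example, not code from the original post. It puts the four steps above into a small Python module: a random base drawn from the operating system’s CSPRNG instead of a web page, the three placements listed (suffix, prefix, split), and the per-class bases described in the note that follows. It also includes the check implied by the “Why is the XKCD comic above wrong?” section: a password-acceptance test that flags a candidate that splits entirely into wordlist entries (the way a word-combining cracker would enumerate it). `WORDLIST` is a constructed stand-in for the linked SourceForge list, and the function names are my own.

```python
import secrets
import string

# Constructed stand-in for a cracker's dictionary; a real check would load
# the full wordlist file linked in the post instead of this handful.
WORDLIST = {"correct", "horse", "battery", "staple", "shopping", "mail",
            "password", "bank", "secure", "random", "word", "list"}

ALPHABET = string.ascii_letters + string.digits


def random_base(length: int = 8) -> str:
    """Random alphanumeric base (the post's jUGBLwJn), from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def compose(base: str, site_word: str, layout: str = "suffix") -> str:
    """Combine the memorized base and the per-site word in one of the
    placements the post lists: base+word, word+base, or word in the middle."""
    if layout == "suffix":
        return base + site_word
    if layout == "prefix":
        return site_word + base
    if layout == "split":
        half = len(base) // 2
        return base[:half] + site_word + base[half:]
    raise ValueError(f"unknown layout {layout!r}")


def tiered_passwords(bases: dict, sites: dict) -> dict:
    """One base per class of site (bank / shopping / throwaway).
    bases: {tier: base}; sites: {site: (tier, site_word)} -> {site: password}."""
    return {site: compose(bases[tier], word) for site, (tier, word) in sites.items()}


def segments_into_words(password: str, wordlist=WORDLIST) -> bool:
    """True if the whole password, case-folded, can be cut into wordlist
    entries with nothing left over. Dynamic programming over prefix lengths,
    so it finds any segmentation, not just greedy ones."""
    p = password.lower()
    if not p:
        return False
    n = len(p)
    reachable = [False] * (n + 1)   # reachable[i]: p[:i] is a word sequence
    reachable[0] = True
    for i in range(1, n + 1):
        for j in range(i):
            if reachable[j] and p[j:i] in wordlist:
                reachable[i] = True
                break
    return reachable[n]


if __name__ == "__main__":
    base = random_base(8)
    for layout in ("suffix", "prefix", "split"):
        print(layout, compose(base, "shopping", layout))
    for candidate in ("correcthorsebatterystaple", compose(base, "shopping")):
        print(candidate, "splits into dictionary words:", segments_into_words(candidate))
```

`segments_into_words` is the kind of test a sign-up form can run before accepting a password; the XKCD passphrase fails it because every piece is in the list, while a base-plus-word password passes because the random base is not.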

In doing this, you make your password thousands of times more secure than most people currently out there because you are choosing secure passwords that are not duplicated across sites. Additionally, you are making passwords that are easy for you to remember, as you only need to memorize one random password. If you write down jUGBLwJn, nobody knows that it’s only part of a password.

# One important note about the above method:

I created classes of passwords based on how important the website was. For my banks, I use one password base, for my shopping another, and a third for websites that I don’t care if I lose my password. In this instance, if a random website gets hacked, and the hackers are clever enough to see that I use a formula password, I only have to worry about changing a few passwords, and they won’t be able to access my bank account.


Cave Men and Ice Powers: Danielle Johnson

On 2012/01/23,

> I’d say it probably depends on the climate, couldn’t they just put whatever they’d want to freeze outside their cave? If the cavemen were in a generally warmer area I’d say they wouldn’t have any ice powers, unless their cave was deep and dark enough to support freezing temperatures.

–Danielle Johnson ([Danz](http://zdanz.com/), [Computer Magic](http://thecomputermagic.com/))

Cave Men and Ice Powers: Ryan Q North

On 2012/01/24,

> You’re not going to like my answer, but I think the answer is YES, in that we all have similar powers, simply by existing on a planet where things get cold sometimes. Put something in the Arctic and it will freeze and get generally colder.
>
> I remain unhelpfully yours,

—[Ryan Q. North](http://about.me/ryanqnorth) ([Dinosaur Comics](http://www.qwantz.com/))

Cave Men and Ice Powers: Michio Kaku

On 2007/08/25:

> No one has the power to make things colder, except by mechanical means. We use
> expanding gases (e.g. in the pipes of a refrigerator or air conditioner) to cool down our food and our homes. But you cannot cool down a room without such a mechanical device.

—[Prof. Michio Kaku](http://mkaku.org/)

Quick Quip: Date Format

I think the hubbub over date formats is stupid. In America, it is thus:

> Month/Day/Year

In the rest of the world:

> Day/Month/Year

It should be greatest significant digit to least:

> Year/Month/Day

Which is how I write the date whenever possible (though I have gotten people confused writing “2012, November 12”).

Grid Cypher

I was recently attempting to solve the cyphers presented by ToTheArk’s newest video ([Surveillance](https://www.youtube.com/watch?v=cFQKzg-yXgo)) when I came up with an idea (I wasn’t the only one).

```
A,B,C,D,E,F,G,H,I
J,K,L,M,N,O,P,Q,R
S,T,U,V,W,X,Y,Z,A
B,C,D,E,F,G,H,I,J
K,L,M,N,O,P,Q,R,S
T,U,V,W,X,Y,Z,A,B
C,D,E,F,G,H,I,J,K
L,M,N,O,P,Q,R,S,T
U,V,W,X,Y,Z,A,B,C
```

That is the 9×9 cypher that formed the basis of my theory. At the time, the message contained only pairs of numbers [0-9]. I went to work brute forcing solutions. When that failed, I tried altering the starting letter of the grid. That failed too. Finally, I tried arbitrarily increasing the size of the grid, at one point getting to 100×100 (but still only using the upper-left most 9×9 as coordinates). These all failed. Ultimately, this didn’t even turn out to be the solution, but when I figured that out I had already written most of the script that I’ve posted below.

```bash
#!/bin/bash
# tta: encode/decode a message as coordinates into a letter grid.
#   tta e X Y [ROOT|!] "message"       encode message as "col,row" pairs
#   tta d X Y [ROOT|!] "c,r c,r ..."   decode pairs (both axis orders are printed)
#   tta g X Y [ROOT]                   print the X-by-Y grid
# ROOT is the letter in the top-left cell (default A); "!" tries every root.
XM=$1   # command
X=$2    # grid width
Y=$3    # grid height
F=$4    # root letter, converted to its ASCII code below
CO=$5   # message (encode) or coordinate pairs (decode)

if [ "x$F" = x ]
then
    F=65
elif [ "x$F" = "x!" ]
then
    F=65
    BRUTE=1
else
    # ASCII code of the root letter (the original piped it through hexdump,
    # which yields a two-byte word rather than the character code)
    F=$(printf '%d' "'${F:0:1}")
fi

#
# Grid: print Y rows of X consecutive letters starting at ASCII code $1,
# wrapping from Z back to A; each row is one line of comma-separated letters.
#
function grid
{
    A=0
    GRID=""
    Q=$1
    while [ "$A" -lt "$Y" ]
    do
        ROW=""
        Z=0
        while [ "$Z" -lt "$X" ]
        do
            if [ "$Q" -gt 90 ]
            then
                Q=65
            fi
            # append the character whose ASCII code is $Q
            ROW=$ROW$(printf "\\$(printf '%03o' "$Q")")
            let "Z++"
            let "Q++"
        done
        # ABC -> A,B,C
        LROW=$(echo "$ROW" | sed 's/\(.\)/\1,/g;s/,$//')
        GRID="$GRID $LROW"
        let "A++"
    done
    for Z in $GRID
    do
        echo "$Z"
    done
}

#
# Decode: each pair is "a,b" (one-based). PHRASE1 reads a as column and b as
# row; PHRASE2 reads them the other way round, since the ordering is unknown.
#
function decode
{
    GRID=($(grid "$2"))
    if [ "x$1" = xv ]
    then
        for ZZ in "${GRID[@]}"
        do
            echo "$ZZ"
        done
    fi
    PHRASE1=""
    PHRASE2=""
    COORD=($CO)
    echo "${#COORD[@]}"          # number of pairs
    for XX in "${COORD[@]}"
    do
        X1=$(( ${XX%%,*} - 1 ))   # first number, zero-based
        Y1=$(( ${XX##*,} - 1 ))   # second number, zero-based
        R1=($(echo "${GRID[$Y1]}" | sed 's/,/ /g'))
        R2=($(echo "${GRID[$X1]}" | sed 's/,/ /g'))
        PHRASE1=$PHRASE1${R1[$X1]}
        PHRASE2=$PHRASE2${R2[$Y1]}
    done
    echo "$PHRASE1"
    echo "$PHRASE2"
}

#
# Encode: for each letter of the message pick a random row that contains it
# and print the letter's "col,row" (one-based) position.
#
function encode
{
    GRID=($(grid "$2"))
    if [ "x$1" = xv ]
    then
        for ZZ in "${GRID[@]}"
        do
            echo "$ZZ"
        done
    fi
    # upper-case the message, keep only letters, one letter per array element
    COORD=($(echo "$CO" | tr '[:lower:]' '[:upper:]' | tr -dc 'A-Z' | sed 's/\(.\)/\1 /g'))
    for XX in "${COORD[@]}"
    do
        # a letter missing from a small grid would otherwise loop forever below
        if ! printf '%s\n' "${GRID[@]}" | grep -q "$XX"
        then
            echo "letter $XX is not in the grid" >&2
            return 1
        fi
        YP=$(( RANDOM % ${#GRID[@]} ))
        while ! echo "${GRID[$YP]}" | grep -q "$XX"
        do
            YP=$(( RANDOM % ${#GRID[@]} ))
        done
        LINE=($(echo "${GRID[$YP]}" | sed 's/,/ /g'))
        XP=0
        for YY in "${LINE[@]}"
        do
            if [ "$YY" = "$XX" ]
            then
                echo -n "$(( XP + 1 )),$(( YP + 1 )) "
                break
            else
                let "XP++"
            fi
        done
    done
    echo
}

#
# Do Encode
#
function doencode
{
    if [ "x$CO" != "x" ]
    then
        if [ "x$BRUTE" = x ]
        then
            encode v "$F"
        else
            while [ "$F" -le 90 ]   # every root A..Z (the original stopped at Y)
            do
                encode a "$F"
                let "F++"
            done
        fi
    else
        echo "tta e X Y BASE msg"
    fi
}

#
# Do Decode
#
function dodecode
{
    if [ "x$CO" != "x" ]
    then
        if [ "x$BRUTE" = x ]
        then
            decode v "$F"
        else
            while [ "$F" -le 90 ]
            do
                decode a "$F"
                let "F++"
            done
        fi
    fi
}

#
# Grid
#
function dogrid
{
    GRID=($(grid "$2"))
    if [ "x$1" = xv ]
    then
        for ZZ in "${GRID[@]}"
        do
            echo "$ZZ"
        done
    fi
}

#
# Help
#
function help
{
    echo "tta command x y root message"
}

#
# Command Menu Parse
#
if [ "x$XM" = xe ]
then
    doencode
elif [ "x$XM" = xd ]
then
    dodecode
elif [ "x$XM" = xg ]
then
    dogrid v "$F"
else
    help
    exit
fi
```

Things I don’t like about OSX

I recently started a new job, and my desktop at my workstation is a Mac, running OSX 10.6. This is the first time I’ve spent more than an hour on a Mac since 2nd grade, when I played with an Apple II. The process has been a constant string of Google searches (I had to look up how to take a screenshot too, because it’s 100% different from every other OS as well).

[![One page of about 50.](http://michaellubert.com/blog/wp-content/uploads/2013/01/Screen-shot-2013-01-14-at-2.29.32-PM-300×241.png)](http://michaellubert.com/blog/?attachment_id=32)
One page of about 50.

In my searches, I’ve found that, generally, anybody who A) can code for OSX and B) has used ANY other operating system has created apps for OSX to mimic features that Apple saw fit to ignore/break the convention of/spit on. Also, these developers charge, because what are you going to do, install Linux? On your Mac? Anyway, I came across the following article, which echoed my sentiments exactly: [A Small Matter of Programming: The trouble with OS X window management](http://blog.wuwon.id.au/2012/06/trouble-with-os-x-window-manager.html).

I’ve decided I should also compile a list of conventions that I have come to expect from years of working with Windows 95/98/XP/7, GNOME, KDE, Unity, and Black/FluxBox shells which OSX breaks.

1. The green plus sign is inconsistent. Sometimes it maximizes, other times it moves a window to the left side of the screen, and the app then can’t be resized.
2. The inconsistency between apps and the OS. Where in Windows and Linux I would use Ctrl, OSX inexplicably uses Cmd. Ctrl-C, Ctrl-V, Ctrl-X, Ctrl-A all become Cmd-Whatever.
   1. This breaks focus when working in screen, as it’s Ctrl-A Ctrl-[0-9] to pick a window, then Cmd-C to copy text, then back to Ctrl to switch windows, then back to Cmd to paste, and then back to Ctrl for Ctrl-C. It’s needless movement, and the Ctrl combos aren’t even USED by anything.
   2. Also, in Firefox, it’s Ctrl-Tab to change windows, but Cmd-W to close and Cmd-T for a new tab. I also can’t fathom why Cmd-D, which anywhere else would be Ctrl-D, adds a bookmark instead of going to the title bar.
3. Home and End keys do not behave like in other operating systems (I had to download [KeyRemap4Macbook](http://pqrs.org/macosx/keyremap4macbook/)).
4. Programs continue to run until you quit them. This can cause confusion, as closing the last window doesn’t quit. I’ve found that if I open a large PDF in Finder, then close the PDF, Finder can hold on to the memory and cause a noticeable slowdown.
5. Cmd-Tab and the Dock only show one icon per window, and offer no way of knowing what is on which desktop, or even whether a program has more than one window open.
6. Yes, I know Cmd-~ can switch between windows of the same application, but this is 2 steps (switch to the app, covering whatever you WERE working on, then cycle through open windows) to fix a problem that should require one (alt-tab to the correct window).
7. Finally, I hate the menu bar at the top. Menus belong ON apps, in my opinion. Unity does this too, and it’s annoying to have a small app open and then have to go up to the top of the screen to use the menu.

I know a lot of this is probably grandfathered in, or somebody has some sort of design reason for it, but computers aren’t in a vacuum anymore. Everyone copies everyone else. In my last job, I worked on a Linux laptop to remote into Windows servers, then went home to a Linux media center and a Windows gaming computer, and had no problems. After 2 days with OSX, I was having trouble getting around my Ubuntu 12.10 laptop because my brain is starting to overwrite the key combinations of programs I’ve used for years. I wish OSX would allow you to [change](http://www.howtogeek.com/howto/ubuntu/assign-custom-shortcut-keys-on-ubuntu-linux/) how these things [behave](http://www.autohotkey.com/). As is, I’d have to buy a $14 piece of software for a work machine. Good luck getting that charge approved.

I had decided a few years ago that when I purchased a new laptop, I’d buy a mac. I appreciate their quality control (although in recent years this may be faltering due to their single-piece designs), and I wanted a laptop that would last another 5 years. I’m glad I didn’t buy one this Christmas, because it would have been a nightmare, and my Acer ultrabook running Ubuntu is just as slick, for 1/3 the price.