Improved Mnemonic Password Policy
by Ian Murphy (a.k.a., Backspace) (back_space@hackermail.com)

     This article is in response to Agent ZerO's article, Password Memorization
Mnemonic in the Spring 2008 issue, in which he outlines his method for 
generating and remembering complex passwords that would not be easily guessed. 
There are a few fundamental flaws in the password generation process.  Most
notably, there is a commonality or "crib" within the passwords such that if 
any one of the passwords is compromised, it would compromise all other passwords
generated using this algorithm.

Password Generation

     Suffice it to say that most of us enjoy music and/or literature.  This will
be the root of our password generation algorithm.  The idea is to take a phrase,
poem, or lyric that you already have memorized and leverage that knowledge to 
generate a long, pseudo-random string that will be easy enough to remember.  
Let's say that in your idle and misguided youth, you actually memorized the 
lyrics to "Ice Ice Baby" (remember that this is only being used as an example,
I admit to nothing!).  The lyrics go, as the Internet remembers them, as 
follows:

	"Alright stop, collaborate and listen, Ice is back with my brand new 
	invention"

     Step 1: Take the first letter of each word and write it out as a single 
string:

	AscalIibwmbni

     Now we have a 13-character non-English word.  Not too bad, but it still 
wouldn't take a brute-forcer too long to crack, as we're only using the 26 
letters of the English alphabet.  We need to increase the password complexity 
somewhat.

     Step 2: Add some special characters and numbers.  As far as this goes, I
normally perform a character substitution on the string to get something like 
this:

	Asc@l11bwmbn1!

     As you can see, I've added a bit of complexity to the password as well as
adding a punctuation mark to the end.
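     The two steps above, carried through in code.  This is an added example and
not part of the original article: the substitution table is an assumption chosen
so that the output matches the article's "Asc@l11bwmbn1!", the extra line of
lyric used to lengthen the password is a constructed continuation, and the
keyspace figures are upper bounds (an attacker who only knows the character set
and the length), since first letters of English words are far from uniformly
distributed.  The last function measures the "crib" mentioned in the
introduction: two passwords built from the same lyric share a long prefix.

```python
import math
import string

# Constructed sample input: the lyric the article uses as its example.
LYRIC = ("Alright stop, collaborate and listen, "
         "Ice is back with my brand new invention")

# Hypothetical substitution table (an assumption, not fixed by the article);
# chosen so the result matches the article's own example output.
SUBSTITUTIONS = {"a": "@", "i": "1", "I": "1"}


def initials(phrase):
    """Step 1: first letter of every word, punctuation ignored."""
    letters = []
    for word in phrase.split():
        word = word.strip(string.punctuation)
        if word:
            letters.append(word[0])
    return "".join(letters)


def substitute(text, table):
    """Step 2a: character-for-character substitution."""
    return "".join(table.get(ch, ch) for ch in text)


def mnemonic_password(phrase, table=SUBSTITUTIONS, suffix="!"):
    """Steps 1 and 2 together: initials, substitutions, trailing punctuation."""
    return substitute(initials(phrase), table) + suffix


def charset_size(password):
    """Size of the union of standard character classes the password draws from."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    return size


def keyspace_bits(password):
    """Upper bound, in bits, on the search an attacker faces knowing only
    the character set and the length (real passphrase initials are not
    uniformly distributed, so the true figure is lower)."""
    return len(password) * math.log2(charset_size(password))


def common_prefix(a, b):
    """Length of the shared prefix: the 'crib' leaked when two passwords
    are built from the same lyric (for example, one lengthened by using
    more of the song)."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


if __name__ == "__main__":
    short = mnemonic_password(LYRIC)
    # Lengthening the source string by using more of the lyric (constructed
    # continuation of the same song, used only as sample input).
    longer = mnemonic_password(LYRIC + " Something grabs a hold of me tightly")
    print(initials(LYRIC), short, longer, sep="\n")
    print(f"{keyspace_bits(initials(LYRIC)):.1f} bits -> {keyspace_bits(short):.1f} bits")
    print("shared prefix length:", common_prefix(short, longer))
```

Running it prints the 13-letter string, the substituted 14-character password,
and the lengthened variant; note that the lengthened password repeats the first
13 characters of the short one verbatim, which is exactly the commonality the
introduction warns about.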

Vectors of Attack

     Naturally, this method generates a password that is highly resistant to 
brute-forcing (at least without considerable resources).  As always, this will 
not prevent you from having your passwords stolen, either from the website you 
deal with, or because you practice unsafe logon by sending unencrypted 
passwords across the Internet.

The Benefits

     One of the benefits of this method is that your passwords are as easy to 
remember as that song that won't leave your head or that Dear Penthouse letter 
you memorized as a teen.  Additionally, it is an extensible algorithm in that 
you can add password length by using more of the lyric/poem.

The Drawbacks

     The major drawback I see in this is that there is no direct link between 
the password and the website or resource you are requesting.  If anyone can 
suggest a suitable method, please let me know.

Conclusion

     I've been using this mnemonic for the last five years and found that it 
has worked well to date.  I have noticed a few sites that don't want me to use
special characters in my passwords, so I've had to work it around a little bit 
by lengthening the source string and limiting myself to alphanumeric passwords.
I have noticed that this is changing over time and that most sites I access now
permit the use of special characters in my passwords.

Many thanks to The_rick and Typoninja for reviewing the article.  Shouts to the
old Dievo crew!