Improved Mnemonic Password Policy
by Ian Murphy (a.k.a., Backspace) (firstname.lastname@example.org)
This article is in response to Agent ZerO's article, Password Memorization
Mnemonic in the Spring 2008 issue, in which he outlines his method for
generating and remembering complex passwords that would not be easily guessed.
There are a few fundamental flaws in the password generation process. Most
notably, there is a commonality or "crib" within the passwords such that if
anyone of the passwords is compromised, it would compromise all other passwords
generated using this algorithm.
Suffice it to say that most of us enjoy music and/or literature. This will
be the root of our password generation algorithm. The idea is to take a phrase,
poem, or lyric that you already have memorized and leverage that knowledge to
generate a long, pseudo-random string that will be easy enough to remember.
Let's say that in your idle and misguided youth, you actually memorized the
lyrics to "Ice Ice Baby" (remember that this is only being used as an example,
I admit to nothing!). The lyrics go, as the Internet remembers them, as
"Alright stop, collaborate and listen, Ice is back with my brand new
Step 1: Take the first letter of each word and write it out as a single
Now we have a 13 character non-English word. Not too bad, but it still
wouldn't take a bruteforcer too long to crack, as we're only using the 26
characters of the English alphabet. We need to up the password complexity,
Step 2 : Add some special characters and numbers. As far as this goes, I
normally perform a character substitution to the string to get something like
As you can see, I've added a bit of complexity to the password as well as
adding a punctuation mark to the end.
Vectors of Attack
Naturally, this method generates a password that is highly resistant to
brute-forcing (at least without considerable resources). As always, this will
not prevent you from having your passwords stolen, either from the website you
deal with, or because you practice unsafe logon by sending unencrypted
passwords across the Internet.
One of the benefits of this method is that your passwords are as easy to
remember as that song that won't leave your head or that Dear Penthouse letter
you memorized as a teen. Additionally, it is an extensible algorithm in that
you can add password length by using more of the lyric/poem.
The major drawback I see in this is that there is no direct link between
the password and the website or resource you are requesting. If anyone can
suggest a suitable method, please let me know.
I've been using this mnemonic for the last five years and found that it
has worked well to date. I have noticed a few sites that don't want me to use
special characters in my passwords, so I've had to work it around a little bit
by lengthening the source string and limiting myself to alphanumeric passwords.
I have noticed that this is changing over time and that most sites I access now
permit the use of special characters in my passwords.
Many thanks to The_rick and Typoninja for reviewing the article. Shouts to the
old Dievo crew!