The Secret to Remembering Passwords? Ask a Magician

This content has been archived. It may no longer be accurate or relevant.

From magician Teller, of Penn & Teller, in The Wall Street Journal:

Imagine we’re at a cafe. I hand you a pencil and a pad of paper. I ask you to write your laptop’s password on the pad, rip off the sheet, fold it up and keep it safe in your pocket while I go place our orders for caffeine-laced milkshakes.

Later, I ask you to hand me your laptop. I turn it on, look dreamily into the distance, slowly type in your password and comment admiringly on your late-night browsing choices.

“That,” I say with a smile, “is why security experts tell you never to write down your password.”

I don’t need to be a computer geek or have the budget of the NSA to accomplish this prank. The method is more than a century old and was devised by crooks—specifically, spirit mediums trying to get the dope on their clients. The medium would prepare a notepad by rubbing the back of the top sheet lightly with spermaceti wax (it was a tough time for whales). Then the medium would hand a pencil to the client and ask her/him to write down a secret question for a departed loved one and keep the question secure. Later, the rat-bastard would “channel” a message from the dead, such as, “Your dear wife says, ‘Don’t worry about our children. They will thrive without your help. Sell the house and invest in Dr. Slade’s diamond mines.’ ”

When the client wrote on the first sheet, the pressure left an invisible copy in wax (today, we use soap) on the second sheet. The medium took back the pad, left the room to “get a glass of water” (or, in my case, to fetch the frosty frappés) and secretly dusted the wax impression with powdered lead (I use something less lethal). The dusty particles stuck to the residue and revealed the writing.

. . . .

The overarching principle of magic is that magicians are willing to go to more trouble to pull off a trick than any spectator would think the trick is worth. We cripple our hands with years of practice just to make a dime disappear.

I could apply this too-much-trouble principle to my passwords by simply memorizing them all. That’s not as impossible as it sounds. Memory training is one of magic’s strongest methods. If I can glance at a hand of cards or the serial number of a dollar bill and commit that info to memory in the blink of an eye, I have quite a potent tool.

. . . .

Memory is sometimes even presented as a trick on its own. The legendary New York magician Harry Lorayne greets his audience members—often numbering in the hundreds—as they arrive, then finishes his show by calling every single person in the theater by name. He’s written half a dozen books on mnemonics (e.g., “The Memory Book,” “Ageless Memory”), and I recommend them.

The general principle of this kind of rapid memorization is to translate neutral information into vivid images, then to recall the images and translate those images back into the information. To accomplish this with numbers, for example, we generally employ a system of letter substitution. The one I use begins:

1=l (a letter with one stroke)

2=n (a letter with two strokes)

3=m (a letter with three strokes)

The reasoning changes from 4 onward:

4=r (because R is the final sound of the word “four”)

5=f or v (“five”)

And so forth.

When presented with a string of numerals, I translate them to consonants, then add vowels to create a juicy image. For example, the number 1342 (lmrn) becomes “lamrain,” and I picture a downpour of plump little sheep. Later, I recall the image and the two words, discard the vowels, and translate the consonants “lmrn” back to “1342.” I use this system all the time for credit-card security codes.

. . . .

But, you know, I frequent lots of websites, and if I get enough of these nutty images in my head, I start to get confused. Let’s say I need to fill in my American Express card number. In the middle of my card is the famous emblem of a helmeted Roman gladiator. If I picture that head covered with buzzing insects swimming in fruit topping, will I remember whether they are “lanky bumblebees in orange sauce” (129636160242800) or “dazed mosquitoes in cherry reduction” (707309702844782)?

Link to the rest at The Wall Street Journal (Link may expire)
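The digit-to-consonant scheme in the excerpt is a small codec: digits become consonants, vowels are added as filler to form an image, and decoding strips the filler and maps the consonants back. The following is an added example, not code from the article or from Teller; it implements only the five mappings the page gives (1=l, 2=n, 3=m, 4=r, 5=f or v) and refuses to encode any other digit rather than guess a table the page does not state. Treating 'y' as filler alongside the vowels is an assumption.

```python
# Added example (not from the article): encoder/decoder for the
# digit-to-consonant mnemonic described in the excerpt. Only the five digit
# mappings given on the page are included; 0 and 6-9 are deliberately
# absent, so the encoder raises rather than invent a mapping.

DIGIT_TO_CONSONANTS = {
    "1": "l",   # one stroke
    "2": "n",   # two strokes
    "3": "m",   # three strokes
    "4": "r",   # final sound of "four"
    "5": "fv",  # "f or v": either letter reads back as 5
}

# Inverse table: every listed consonant maps back to its digit.
CONSONANT_TO_DIGIT = {c: d for d, cs in DIGIT_TO_CONSONANTS.items() for c in cs}

# Assumption: vowels (and 'y') are filler with no digit value, matching
# "add vowels to create a juicy image ... discard the vowels".
FILLER = set("aeiouy")


def digits_to_consonants(digits: str) -> str:
    """Map each digit to the first consonant of its table entry ('1342' -> 'lmrn')."""
    out = []
    for d in digits:
        if d not in DIGIT_TO_CONSONANTS:
            raise ValueError(f"digit {d!r} is not in the table quoted from the article")
        out.append(DIGIT_TO_CONSONANTS[d][0])
    return "".join(out)


def words_to_digits(text: str) -> str:
    """Recover the digit string from an image phrase ('lamrain' -> '1342')."""
    digits = []
    for ch in text.lower():
        if ch in FILLER or not ch.isalpha():
            continue  # vowels, spaces and punctuation carry no digit
        if ch not in CONSONANT_TO_DIGIT:
            raise ValueError(f"consonant {ch!r} has no digit value in the table")
        digits.append(CONSONANT_TO_DIGIT[ch])
    return "".join(digits)


def can_encode(digits: str) -> bool:
    """True when every digit has a mapping in the (partial) table."""
    return all(d in DIGIT_TO_CONSONANTS for d in digits)


def roundtrip_ok(digits: str) -> bool:
    """Encode, decode, and check that the original digits come back."""
    return can_encode(digits) and words_to_digits(digits_to_consonants(digits)) == digits


if __name__ == "__main__":
    print(digits_to_consonants("1342"))   # lmrn
    print(words_to_digits("lamrain"))     # 1342
```

Run it as a script to see the article's own worked case, "lamrain" decoding to 1342. The decoder is deliberately strict: a consonant outside the quoted table (such as the "b" in "bumblebees") raises instead of silently dropping a digit, which is the failure mode you would want to notice when the image, not the number, is what you remember.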

One lovely idea in the OP is to create a false password to mislead anyone who has physical access to your computer. You write a huge long password on a brightly-colored Post-it note and stick the note to your computer, monitor, etc. This is a phony password that opens nothing.

Anyone who wants to get access to your computer, or to any password-protected parts of it, will almost certainly spend a long time attempting to use the phony Post-it note password.

As the OP ultimately recommends, a password manager like LastPass or 1Password is a better solution for creating and using complex passwords across a significant number of websites. Then you can remember one humongous password to open the password manager and not worry about the rest.

The password managers can also generate random passwords that are as long as you like (or as long as your online bank access likes). If you’re required to change a password on a regular basis, a password manager can create a new complex password, replace the old one and permit you to go on your merry way.

6 thoughts on “The Secret to Remembering Passwords? Ask a Magician”

  1. Phrases work pretty well for long passwords.

    All you need is a system for substituting numbers and symbols to have plenty of passwords that are easy to remember, in varying levels of security.

    No need to use hackable software.

    • You play the odds. Hackers are improving at cracking passwords because they are building more powerful machines to crack them with. Five years ago, they were stroking in at over 300 billion guesses per second. Lord only knows how fast they are now. Couple that with AI-driven guess-optimization algorithms, and the chances that a human can contrive a password that isn’t on the list of 50 billion best guesses that can be practically cracked are pretty low. My guess is that the xkcd method is now risky unless the password is very long, but I don’t know how long “very long” is this year.

      I use a password manager because it has a better chance than I do of coming up with something that is not among the first 50 billion easy ones.

      As I understand it, the famous hack into LastPass in 2015 did not release any user passwords. It made LastPass vaults temporarily more vulnerable which the LastPass people quickly patched up and then warned their subscribers to change their master password just in case. Stuff like that will always happen.

      You choose between the password manager’s bungling and your own bungling. I know myself, I reviewed the password manager I chose for myself, and decided the manager was more likely to keep my passwords safe. YMMV 🙂

      In any case, I favor multi-factor authentication (MFA, 2FA) over a single password. MFA is becoming widely available. As an aside, I am still waiting on physical measurement devices like finger-print readers, retina scanners, facial recognition, etc. They still seem to be easy hacks, although they are probably useful in MFA schemes.
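The comment above gives two numbers, a guess rate of 300 billion per second and a best-guess list of 50 billion entries, and asks how long "very long" is. The following is an added example, not from the commenter or the article, that turns those two figures into the arithmetic a defender would actually do: bits of entropy for a uniformly random secret, time to exhaust the keyspace at the quoted rate, whether the keyspace even fits inside the quoted guess list, and how many words from a given list are needed to reach a target. The 2048-word, 7776-word and 94-character alphabets in the demo are constructed comparison points, not figures from the page.

```python
# Added example (not from the comment or the article): guess-budget
# arithmetic behind the "300 billion guesses per second" and "50 billion
# best guesses" figures quoted above. Every secret here is assumed to be
# chosen uniformly at random; a human-chosen phrase has far less entropy than
# these formulas credit it with, which is exactly what a best-guess list exploits.
import math

GUESSES_PER_SECOND = 300e9   # rate quoted in the comment
BEST_GUESS_LIST = 50e9       # size of the attacker's precomputed list, from the comment
SECONDS_PER_YEAR = 365 * 24 * 3600


def entropy_bits(choices_per_symbol: int, symbols: int) -> float:
    """Entropy of `symbols` independent uniform picks from `choices_per_symbol` options."""
    return symbols * math.log2(choices_per_symbol)


def seconds_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate in a keyspace of 2**bits at `rate` guesses/s."""
    return 2.0 ** bits / rate


def within_guess_list(bits: float, list_size: float = BEST_GUESS_LIST) -> bool:
    """True if the entire keyspace fits inside the attacker's best-guess list."""
    return 2.0 ** bits <= list_size


def bits_for_duration(seconds: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Entropy needed so that exhausting the keyspace takes at least `seconds` at `rate`."""
    return math.log2(rate * seconds)


def words_needed(wordlist_size: int, target_bits: float) -> int:
    """Smallest passphrase length (words from a list of `wordlist_size`) reaching `target_bits`."""
    return math.ceil(target_bits / math.log2(wordlist_size))


if __name__ == "__main__":
    # Constructed comparison: xkcd-style 4 words from a 2048-word list, a 6-word
    # passphrase from a 7776-word list, and a 16-character manager-generated
    # string drawn from the 94 printable ASCII characters.
    for label, choices, n in [("4 words / 2048-word list", 2048, 4),
                              ("6 words / 7776-word list", 7776, 6),
                              ("16 random printable chars", 94, 16)]:
        b = entropy_bits(choices, n)
        years = seconds_to_exhaust(b) / SECONDS_PER_YEAR
        print(f"{label}: {b:5.1f} bits, exhausted in {years:.2e} years,"
              f" inside 50-billion list: {within_guess_list(b)}")
    century = bits_for_duration(100 * SECONDS_PER_YEAR)
    print(f"bits for a century of guessing at the quoted rate: {century:.1f}; "
          f"words from a 7776-word list: {words_needed(7776, century)}")
```

At the quoted rate a uniformly random 4-word phrase from a 2048-word list (44 bits) is exhausted in about a minute, while a century of guessing needs roughly 70 bits, which a 7776-word list reaches at six words and a manager-generated 16-character string clears by a wide margin. The important caveat is in the comments: the formulas only hold when the words or characters were picked at random, which is the property a password manager supplies and a remembered phrase generally does not.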

  2. I learned a slightly different numbers-to-consonants system (my 5 is an “L”) in high school and used that, combined with another system, to memorize a 40-digit number for a year to win a bet. (Ironically, I’ve completely forgotten what, if anything, the bet was for.)

    More than 30 years later, I use it every morning to recall the combination for the lock on the storage room where I keep my bike.

    Useful stuff.

  3. I’ve found using non-English languages also works. Pick a phrase, then scramble away. But 1. I have a very good memory for things like that and 2. I have a little book of passwords that I keep at a third location (not my office or my classroom) that I use to jog my memory.

  4. “The general principle of this kind of rapid memorization is to translate neutral information into vivid images, then to recall the images and translate those images back into the information.” This was the idea at the heart of the famous XKCD https://www.xkcd.com/936/ comic on password generation.

    You can reverse Lorayne’s numeric conversion method to generate passwords that are easy to remember but will still satisfy the “mixture of letters, numbers, and punctuation” rules on many sites. Start with a memorable phrase that you associate with the website. Reverse Lorayne’s method to generate numbers from some of the letters in the phrase, and hold the shift key down on some of those numbers to get punctuation characters.

    I use this approach with sites that I visit too often to be bothered firing up a password manager.
