Nothing is private. With that said, let's try to make things just a little less obvious. In this article, we will discuss some suggestions on how to develop your own mental password generator. Let's create stronger passwords on the fly. Most importantly these passwords will be easily recalled with nothing more than your own gray matter. We will conduct a case study and step through the process of creating and remembering strong passwords. The examples are presented only as food for thought and can be used to help you create your own algorithm variant. In short, the goal of this article is to help produce unique and strong passwords in you head which can later be recalled without external help.
The EJOTY Sequence
In order to get started, we will have to remember and memorize the following word "EJOTY". Here's a mnemonic device to help you remember this sequence:
Elton John Owns Two Yachts
In application, this sequence will be used to split the English alphabet into groups of five characters. For example:
|a b c d||E||f g h i||J||k l m n||O||p q r s||T||u v w x||Y||z|
In other words, this sequence will function as a search index to help you remember the numerical position of each letter of the alphabet. In this way, we can convert letters into numbers and numbers into letters.
To illustrate this, let's convert the word "secret" into a number sequence. Mentally, we can calculate this in the following way:
- The letter "s" comes right before the letter "t". Using the "EJOTY" sequence, We know that the letter "t" is the 20th letter in the alphabet. The letter "s" comes right before the letter "t". Therefore the first number is 19.
- The letter "e" is easy, it is the first letter of the "EJOTY" sequence and therefore equals 5
- The letter "c" is also simple. It is at the beginning of the alphabet. Without much thought we can position it as the third letter and therefore equal 3.
- The letter "r" comes before the letter "t". Using the "EJOTY" sequence, we know that the letter "t" is the 20th letter in the alphabet. Therefore the "r" is equal 19.
- We already had the letter "e"... e equals 5
- "t" is simple, it is directly part of the "EJOTY" sequence. Therefore "t" equals 20
We now have the following numbers:
19, 5, 3, 18, 5, 20
Let's put all these numbers together into one string:
Eventually and with enough practice, you will be able to discard the "EJOTY" sequence all together and be able to automatically remember the number which corresponds to the letter you wish to transform
Character Prefixes and Suffixes
In order to differentiate single digit from double digit numbers, let's pad each single digit with a "0". For example:
secret = 190503180520
This padding digit separates single digits from their neighboring numbers. Additionally, this "padding" digit doesn't have to be "0". Let's use something else... how about "$"?
secret = 19$5$318$520
Our seed string "secret" is boring. Let's spice things up and add uppercase letters. For example "seCreT". We can translate this string by adding an additional prefix to our cipher text:
seCreT = 19050031805020
In the previous example, we added an additional "0" to any letter that is uppercase. Who says this prefix has to be a zero? ... Wait, who said this has to be a prefix? Let's change things up and make this prefix a suffix and change it to "&".
seCreT = 190503&180502&
Let's mix it up and use the following characters and positions with the same string "seCreT":
1. Single digit padding character: # 2. Single digit position: suffix 3. Uppercase character: ~ 4. Uppercase position: prefix
seCreT = 195#~3#185#~20
Letters should likewise be translatable into their numeric counterparts. Let's examine the following number:
In order to translate this number into alpha characters, we will split each number into smaller groups of two. The first two numbers are "93". For this number, we need to check if the number is greater than 26, because there are 26 letters in the English alphabet. That means, any number greater than 26 won't have any letters to assign it. Since 93 this greater than 26, we need to split it once more into 9 and 3. The nine equates to the letter "i" and the three's alpha equivalent is "c". Following this pattern we compute the following cipher text: "icdFem". You'll notice that the f is capitalized. This points to the fact that a zero precedes the six in the number. A zero will serve as a place marker for upper case.
What if we have a combination of zeros "00"? A double zero will cancel out the capitalization. For example the number 1200308 will become "lcH". Trailing zeros are ignored e.g. 520400 = "ebD".
Putting it Together
Now that we have a basic algorithm to obfuscate a simple text string. Let's practice:
Let's use the following characters and positions with the same string "seCreT":
1. Single digit padding character: 0 2. Single digit position: prefix 3. Uppercase character: 0 4. Uppercase position: prefix
PasswRd0123 = 016011919230184Aw 012PASS020a = Ab016001019019B01
Let's try a different rule set:
1. Single digit padding character: ? 2. Single digit position: prefix 3. Uppercase character: ( 4. Uppercase position: suffix
cRaZy_PaSs = ?318(?126(27_16(?119(19
As show above, you can define your own rule set and salt your passwords as you like. So now we can change plain text to cipher text in our heads. Let's discuss a strategies on how we can create passwords in the real world.
Precompiling your Password
In this section I will explain strategies on how to generate passwords using domain specific data. Let's apply our new password generating skills to something practical.
Domain Based Salt
For this example, we will create a fictitious email address and generate our password using our algorithm at the following domain:
Domain: example.com Username: nuxnik
Let's first examine the domain name of our desired carrier "example.com". In creating our password, we'll take the first and last letters of the domain name and capitalize them: "EE". We can now combine them with our user name:
The combinations and the position of each letter is only presented here as food for thought. The possibilities here are endless as far as choosing combinations. Think about it and create your own combinations.
"EnuxnikE" as our precompiled password. The lower case letters represent my user name and the upper case letters represent the two characters from the domain name. Now we put our finger tips to our forehead and calculate a new password.
1. Single digit padding character: % 2. Single digit position: suffix 3. Uppercase character: * 4. Uppercase position: prefix
EnuxnikE = *5%142124149%11*5%
Time Based Salt
What if we want to change our password weekly, monthly or yearly? Well, there are plenty of ways to salt our password and spice it up. We can use the current week, month or year and add that to our precompiled password.
For example, let's say I want to change my password every month. Let's say the current month is April (fourth month). Let's add the month number it to our precompiled password and update our rule set:
1. Single digit padding character: % 2. Single digit position: suffix 3. Uppercase character: * 4. Uppercase position: prefix 5. Current month number padded with zero for single digits 6. Current month is placed in string depending on the actualy number of the month
Enux04nikE = *5%142124D149%11*5%
Here some other ideas for spicing things up.
- User your birthday in combination with certain letters of the domain name.
- Try compiling the password twice. This one doesn't work well for head calculations... Although it's not impossible - see book recommendations. For example:
foo06bar = 006015015F002001018 = fAeAe106baAH
- Keep a static "precompiled" string you use with all your accounts and salt it with any variables you like.
- Use hexadecimal, octal or binary characters in place of decimal numbers
hex: seCreTz = 013 005 103 012 005 114 01A octal: seCreTz = 023 005 103 012 005 124 032 binary: seCreTz = 010011 000101 100011 010010 000101 110100 011010
NOTE: for the binary example, the starting 0 and 1 character denotes letter case... now that's long!
- Add the number of characters in the phrase to the translated results:
seCreT = (019+6)+(005+6)+(003+6)+(118+6)+(005+6)+(120+6) = 025011009124011126
I assume that it is common to select the same user name when creating accounts. This should be avoided, as this practice reduces the work of a would-be attacker. Your user name can be easily obtained by knowing something about you i.e. another account, your email address, or a name you have used with a social networking site. Unless you are very particular about your standard user name, try using using a unique username for each account. This, in combination with your password algorithm can create more unique passwords.
This article is more or less a brain dump of an idea I have had for many years and I wanted to put it into writing. As I stated, I am not a cryptologist and am making no claims of strong password security. This is only presented as is. Decide for yourself if you want to use it. Trusting all your accounts with one extrememly simple algorithm such as this one, is probably a bad idea. In fact, it is probably better that you don't even know your passwords! Generate them in a password manager... All the same you'll need a master password to open it. One thing is for sure, implementing any of these methods is better than using the same password for every account you have.
Here are two simple algorithms which can be done in your head:
- Caesar cipher - If you already have mastered the the EJOTY sequence or have memorized the number positions of each letter of the alphabet, the Caesar Cipher is a simple algorithm to implement.
- Vigenère cipher - This is an extension of the Caesar cipher which can yield more secure results than the Caesar cipher.
Here is a list of excellent books that outline techniques for improving your memory and cognitive ability. From personal experience, after reading these books and implementing the techniques, I noticed marked improvements. Check them out: