Authentication is the process of proving to someone else that you are who you say you are. On the internet, the most common authentication mechanism is the password: a shared secret between the user and the service. A user who needs to prove his identity to a service, for example to an email provider in order to read his email, is first challenged to enter this shared secret. If the entered password matches what the service has on record (a well-designed service stores a salted hash of the password rather than the password itself), the user is authenticated and granted whatever access the service allows him. This is the basic mechanism that almost all internet services use to authenticate their users: email, social networking, banks and a myriad of other services rely on passwords.
But remembering long strings of letters, digits and symbols is hard for people, and passwords are no exception. So we take shortcuts: we choose passwords that are easy to remember. Unfortunately, passwords that are easy to remember are usually also easy for an adversary to guess or crack. Once cracked, the password is no longer a secret shared between the user and the service alone. The hacker is in on the secret too!
Fig. 1: An example of the password process for authentication
But short of writing down long, bizarre sequences of characters on pieces of paper (which carries its own risk of the paper being lost or found), is there a way for users to choose strong passwords that they can remember without writing them down? I think there is. Here are some ideas:
- Use phrases instead of single words. A single word is easy for a hacker to look up in a dictionary, and on a computer such a look-up is fast: every word in a large word list can be tried in seconds. Phrases of several words are far harder to enumerate. In general, longer passwords are more difficult to crack, and phrases are a way to build long passwords that stay memorable.
- Try not to use common phrases, though. Well-known quotations, song lyrics and proverbs appear in cracking word lists too. The more likely a phrase is unique to you, the less likely someone else will guess it.
- One continuous source of unique phrases is babies as they grow and learn to talk. Each baby comes up with unique turns of phrase or word mix-ups, which are not just cute. They are unique and not something a hacker is likely to guess. Use some of them.
- Another source of somewhat unique phrases is literature from world languages. Many of us are multilingual and know poetry and prose written in other languages. A particular phrase or couplet from a piece that is very memorable to you (maybe from some special moment in your life) can be fairly unique to you.
- I am sure you will find other sources of unique phrases in your life that are known only to you and maybe a few others close to you, and that a hacker is very unlikely to know or guess.
- Once you have figured out such a phrase, you can make life a little more challenging for the attacker. Instead of using the phrase as-is, substitute some letters in the words of the phrase with similar-looking digits or special characters. Here is the substitution idea with a particularly well-known phrase (so please do not use it!): instead of "A quick brown fox jumps" as the password, why not choose "4 qu!ck br0wn f0x jump5"? It is not hard to remember to replace 'A' with '4', and likewise 'i' with '!'. You get the idea. Keep in mind, though, that these particular substitutions (4 for A, ! for i, 0 for o, 5 for s) are well known, and password-cracking tools apply them automatically as rules, so they add only a little extra work for an attacker who already has the base phrase. The length and uniqueness of the phrase carries the strength; the substitutions are a small bonus, not a replacement for it.
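To make that trade-off concrete, here is an added example (it is not from the original post) that counts how many guesses a rule-based cracker needs to recover the substituted phrase once it knows the base phrase, and compares the size of the guess space for a single dictionary word, a multi-word phrase, and the bonus the substitutions add. The substitution table, the 100,000-word dictionary size and the phrases are assumptions chosen for illustration; real crackers ship much larger rule sets.

```python
import itertools
import math

# Substitutions a rule-based cracker tries by default. This table is an
# assumption for the example; real rule sets are larger.
LEET = {"a": "4", "e": "3", "i": "!", "o": "0", "s": "5", "t": "7", "l": "1"}


def leet_variants(phrase, table=LEET):
    """Return every spelling a rule-based cracker derives from `phrase` by
    applying the substitutions in `table`, one letter class at a time.

    Each substitutable letter is either replaced everywhere (upper and lower
    case) or left alone, so a phrase containing n such letters yields 2**n
    variants. The unmodified phrase is the first variant.
    """
    present = [c for c in table if c in phrase.lower()]
    variants = []
    for r in range(len(present) + 1):
        for subset in itertools.combinations(present, r):
            out = phrase
            for c in subset:
                out = out.replace(c, table[c]).replace(c.upper(), table[c])
            variants.append(out)
    return variants


def guesses_to_find(target, base_phrase, table=LEET):
    """Number of guesses a cracker that already knows `base_phrase` needs
    before it hits `target`, or None if no rule in `table` produces it."""
    for n, candidate in enumerate(leet_variants(base_phrase, table), start=1):
        if candidate == target:
            return n
    return None


def phrase_bits(num_words, vocab_size):
    """Guess-space size, in bits, of a password made of `num_words` words each
    drawn independently from a vocabulary of `vocab_size` words."""
    return num_words * math.log2(vocab_size)


def leet_bits(phrase, table=LEET):
    """Extra bits the substitution step adds against a rule-based cracker:
    log2 of the number of variants it has to try."""
    return math.log2(len(leet_variants(phrase, table)))


if __name__ == "__main__":
    base = "A quick brown fox jumps"        # the post's example phrase
    substituted = "4 qu!ck br0wn f0x jump5"  # the post's substituted form
    vocab = 100_000                          # assumed dictionary size

    print(f"single dictionary word : {phrase_bits(1, vocab):5.1f} bits")
    print(f"five-word phrase       : {phrase_bits(5, vocab):5.1f} bits")
    print(f"substitution bonus     : {leet_bits(base):5.1f} bits")
    print(f"cracker with the base phrase finds the substituted form "
          f"after {guesses_to_find(substituted, base)} guesses")
```

The numbers make the point: five words from a 100,000-word vocabulary are worth roughly 83 bits, a single word about 17, while the four substitutable letters in the example phrase add only 4 bits, because a cracker that holds the base phrase needs at most 16 guesses to reach "4 qu!ck br0wn f0x jump5". A phrase that is not in any list at all is what actually keeps the attacker out.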
So these are some ideas for making a password strong while keeping it memorable to you alone. Use a different phrase for each service, too: a breach at one service would otherwise hand the hacker your password for all the others. Keeping your passwords strong will not guarantee your safety on the internet. There are other ways that hackers breach services to get unauthorized access to data, and most of the defenses against those attacks have to be implemented by the service providers, not by end users. Keeping our passwords strong is one thing we can do ourselves. So let's do that to keep ourselves secure!
