Also on Lobste.rs
This is a transcript of the question with the same title that I posted on Lobste.rs.
I republish it here mainly for archival (and discovery) purposes, but also to highlight any interesting ideas that emerged from that discussion thread.
If you have a different take than what was discussed (especially a non-mainstream one) email me as described in the contact section below.
This topic also relates to my latest open-source tool: z-tokens.
Yesterday I asked how many bits of entropy are "safe enough" for offline storage, and I mentioned "memorable passwords". Although I said I would like to steer the discussion away from that, replies started touching on that subject.
So here, in this question, I would like to focus on exactly that subject: what password patterns, passphrase generation schemes, word lists, memorization techniques, etc. does one find easy to memorize?
I would like to hear what others are actually using and what works for them.
- Diceware word list -- using ordinary dice instead of a good random number generator;
- EFF's word list -- an alternative word list to the original DiceWare method;
- mnemonicode wordlist -- another alternative word list (the original was lost to internet bit rot);
- BIP0039 wordlist -- mainly for long-term storage of seeds, thus perhaps not tailored for memorization;
- S/KEY word list -- used for one-time-passwords, but it does have a standard word list;
- PGP (PGPphone) word list -- used for verbally checking fingerprints; again perhaps not very memorable;
- Proquint -- mainly used for binary encoding, although if you encode random bits you get passwords; it looks quite pronounceable;
- Koremutake -- focused on pronounceable passwords;
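The schemes above reduce to two mechanics: pick N words uniformly from a list of size S (giving N * log2(S) bits), or encode random bits into pronounceable syllables. The following is an added example, not code from the discussion or from z-tokens, showing both: per-word entropy and the word count needed for a target, the Diceware mapping of five d6 rolls onto a 7776-entry list, CSPRNG-backed word selection, and a Proquint encoder/decoder (16 bits per five-letter word, from the "bdfghjklmnprstvz" consonant and "aiou" vowel alphabets). The tiny word list is constructed for illustration; the entropy figures for Diceware (7776 words) and BIP0039 (2048 words) are the real list sizes. The "lusab-babad" and "gutih-tugad" strings used below are the published Proquint test vectors for 127.0.0.1 and 63.84.220.193.

```python
import math
import secrets

# --- entropy arithmetic for word-list passphrases -------------------------

def bits_per_word(list_size):
    """Entropy of one uniformly chosen word from a list of list_size entries."""
    return math.log2(list_size)

def words_needed(list_size, target_bits):
    """Smallest word count reaching target_bits from a list of list_size."""
    return math.ceil(target_bits / math.log2(list_size))

def effective_bits(wordlist, n_words):
    """Entropy of n_words picks, counting only distinct words.
    A list with duplicates overstates its entropy if you use len(wordlist)."""
    return n_words * math.log2(len(set(wordlist)))

# --- Diceware: five d6 rolls select one entry of a 6^5 = 7776 word list ---

def diceware_index(rolls):
    """Map five dice values (each 1..6) to a 0-based list index, first die
    most significant, as in the Diceware lookup key '11111'..'66666'."""
    if len(rolls) != 5 or any(r not in range(1, 7) for r in rolls):
        raise ValueError("need exactly five dice values in 1..6")
    idx = 0
    for r in rolls:
        idx = idx * 6 + (r - 1)
    return idx

def generate_passphrase(wordlist, n_words):
    """Pick n_words with the OS CSPRNG (secrets), never the 'random' module,
    whose Mersenne Twister output is predictable from a few observations."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))

# --- Proquint: 16 bits -> consonant-vowel-consonant-vowel-consonant -------

CONSONANTS = "bdfghjklmnprstvz"   # 16 symbols = 4 bits each
VOWELS = "aiou"                   # 4 symbols  = 2 bits each

def proquint_encode(data: bytes) -> str:
    """Encode bytes as dash-separated five-letter words, 16 bits per word."""
    if len(data) % 2:
        raise ValueError("proquint encodes 16-bit units; pad to an even length")
    words = []
    for i in range(0, len(data), 2):
        n = (data[i] << 8) | data[i + 1]
        words.append(
            CONSONANTS[(n >> 12) & 0xF]
            + VOWELS[(n >> 10) & 0x3]
            + CONSONANTS[(n >> 6) & 0xF]
            + VOWELS[(n >> 4) & 0x3]
            + CONSONANTS[n & 0xF]
        )
    return "-".join(words)

def proquint_decode(text: str) -> bytes:
    """Inverse of proquint_encode; rejects malformed words."""
    out = bytearray()
    for w in text.split("-"):
        if len(w) != 5:
            raise ValueError("each proquint word has exactly five letters: %r" % w)
        n = (
            (CONSONANTS.index(w[0]) << 12)
            | (VOWELS.index(w[1]) << 10)
            | (CONSONANTS.index(w[2]) << 6)
            | (VOWELS.index(w[3]) << 4)
            | CONSONANTS.index(w[4])
        )
        out += n.to_bytes(2, "big")
    return bytes(out)

def proquint_password(n_bits=64):
    """A pronounceable password carrying exactly n_bits of CSPRNG entropy."""
    if n_bits % 16:
        raise ValueError("n_bits must be a multiple of 16")
    return proquint_encode(secrets.token_bytes(n_bits // 8))

# Constructed, far too small word list; only here so the block runs offline.
SAMPLE_WORDS = ["anchor", "basil", "comet", "dune", "ember", "fjord", "glyph", "harbor"]

if __name__ == "__main__":
    print("Diceware bits/word: %.2f" % bits_per_word(7776))
    print("BIP0039 bits/word:  %.2f" % bits_per_word(2048))
    print("words for 128 bits (7776-list):", words_needed(7776, 128))
    print("roll 2-3-1-6-4 ->", diceware_index((2, 3, 1, 6, 4)))
    print("sample passphrase:", generate_passphrase(SAMPLE_WORDS, 4))
    print("proquint 64-bit:  ", proquint_password(64))
```

The sample passphrase from an 8-word list carries only 12 bits and is there to exercise the code; with a real 7776-word list the same four-word call yields about 51.7 bits, and ten words are needed to pass 128 bits.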
There were more answers, but the following are the ones I considered the most interesting or insightful.
[See this Lobste.rs comment thread started by
I just use high-entropy passwords (random characters). It works fine for me. The procedure I use to memorize it, and to be sure that I have actually memorized it and will be able to recall it under a variety of conditions, has far more effect than what kind of password it is.
My own memorization techniques would be unlikely to work for others because they're based on my observations about how my brain stores things.
The question does ask what works for me, so I'll give some detail anyway. In particular, for me the phonetic representation and the written representation go together and I need to make sure both are correct in my mental recitals, and that both have all the information about the other. So for example I silently say "capital Z" to myself while reading a password I intend to memorize, not just "z" with a sense of emphasis, because the latter risks being unable to remember whether the emphasis meant it was capitalized, or where it went in the string... that sense-of-emphasis isn't itself phonetic so it gets misplaced in my memory.
Passwords based on word lists would be dramatically harder for me because there's too much risk I'd apply thought-tools meant for other contexts, contexts where precision isn't as important.
I have a bunch of other little observations about my memory, but I've looked into the research and have every reason to expect they're mostly specific to me, so I'll stop there. My advice to others would be to study how YOUR memory works, and keep track of what helps and what doesn't. When you find yourself making an error, ask what caused it and what could have prevented it.
[See this Lobste.rs comment thread started by github.com/nishanths.]
[I would definitely not suggest following this approach. See my reply in the comment thread for the reasons.]
For a short, memorizable password to be typed frequently: possibly the correct-horse-battery-staple scheme in https://xkcd.com/936. Personally, however, I don't recommend or use this scheme for memorization. My passwords are in a password manager; the master password for the password manager is the only one I memorize --- and even it can be salvaged using other methods besides solely memory.
For a longer, not-often-typed passphrase that does not have to be wholly memorized: a sentence from a book. You would then only have to remember the book's name and a keyword/chapter number [*], using which you can later retrieve the sentence from a copy of the book (you will know when you come across the exact sentence as you browse the chapter). If the passphrase is particularly important, you may want to write the book's name and chapter number in a notebook, or make a habit of recalling the detail every morning when you wake up.
It's also worth differentiating between memorizable and memorable, as I see it: the first scheme in my comment makes a memorizable password; the second scheme makes a memorable password. I think memorizing is an ultimately unreliable exercise. Having something be memorable isn't.
[*] ideally the book is a non-translated work, otherwise you may have to remember the translator;