How Safe Is a Memorable Password?
The number one rule of any password is that the weakest link is the human. xkcd often puts out great educational comic strips on the subject. The one I am thinking of, as you have no doubt seen in the generator post, is the legendary “correct horse battery staple”, except that he rigged the game to prove his point. Tr0ub4dor&3 is a bad password because it is essentially “troubadour” in leet. But it is only 11 characters long, which fits most of the sadistic password policies out there. correcthorsebatterystaple is one long password at 25 characters. You cannot use it on any of the websites that have the weird policy in the first place. Traditionalist websites only support up to 16 characters, or 20 if IT decided to go out on a limb for public safety.
Herein lies the bane of the password policies that plague us all. If a password is too long, it is impossible to type manually. If it is too short, it does not provide any meaningful security. The same goes for numbers and special characters: if the allowed set is too broad, it is impossible to manage (for both the user and the service provider); if it is too limited, it does not provide enough possibilities for security. Hence the compromise we frequently see: 16 characters long (some go even lower), uppercase, lowercase, numbers, and some limited choice of special characters. If only a human mind and hands had the capacity to remember and type a completely random 16-character string without mistakes.
What is odd is that the new guidelines for password policies saw a massive change in the 2010s. Not only is it counterintuitive to work against a password manager (i.e. a truly random password), but current character sets and maximum password lengths are too restrictive. A longer password is always better in terms of security. By design or not, I’ve had 1Password-generated passwords refused multiple times in South Korean apps and websites due to incompatible “special characters”.
I must admit, however, that a word-based generator does have fundamental flaws. It is inherently weaker, in entropy per length, than a truly random generator. Doing some research on the subject, most guides I could find said to stick with 4 or more words. After the mandatory number and special-character tax, we would be left with 14 characters (on a 16-character system) for 4 words. Strictly speaking, between the memorable password generator and the type-friendly password generator pt. 3, if you are comfortable memorizing random characters in an instant from a password manager, choose the type-friendly one. Otherwise, it’s time for these “new” websites to update their password policies from a decade ago.
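To put the “entropy per length” point in numbers, here is an added example (my code, not the blog’s own generator) that measures how many bits a 4-word password keeps once it must fit a 16-character cap with the mandatory digit and special character appended, next to a fully random password of the same length. The 32-word list and the symbol set `!@#$` are constructed for the demo.

```python
import math
import secrets
from collections import Counter

# Constructed 32-word sample list (3- and 4-letter words). A real generator
# would use a large published list; entropy grows with log2(list size).
WORDLIST = [
    "cat", "dog", "sun", "map", "key", "box", "red", "ice", "oak", "jam",
    "fox", "hat", "cup", "bed", "car", "pen", "zip", "web", "owl", "fig",
    "tree", "lamp", "ship", "bird", "moon", "door", "rock", "fish", "sand",
    "book", "corn", "frog",
]
DIGITS = "0123456789"
SPECIALS = "!@#$"   # assumed: the few symbols a restrictive policy accepts
PRINTABLE = 94      # printable ASCII without space, for a random generator

def random_bits(length, alphabet=PRINTABLE):
    """Entropy of `length` independent uniform picks from `alphabet` symbols."""
    return length * math.log2(alphabet)

def fitting_combinations(wordlist, words, budget):
    """Count ordered `words`-tuples whose joined length is <= budget,
    by convolving the per-length word counts instead of enumerating."""
    by_len = Counter(len(w) for w in wordlist)
    dist = {0: 1}                       # joined length -> number of tuples
    for _ in range(words):
        nxt = Counter()
        for total, n in dist.items():
            for length, cnt in by_len.items():
                if total + length <= budget:   # prune: lengths never shrink
                    nxt[total + length] += n * cnt
        dist = nxt
    return sum(dist.values())

def passphrase_bits(wordlist, words=4, max_len=16):
    """Entropy of a word password that must fit `max_len` after the digit and
    special-character tax. Rejecting over-long tuples shrinks the space."""
    combos = fitting_combinations(wordlist, words, max_len - 2)
    if combos == 0:
        return 0.0
    return math.log2(combos) + math.log2(len(DIGITS)) + math.log2(len(SPECIALS))

def generate(wordlist=WORDLIST, words=4, max_len=16):
    """Rejection-sample a passphrase that satisfies the length cap."""
    for _ in range(10000):
        body = "".join(secrets.choice(wordlist) for _ in range(words))
        if len(body) <= max_len - 2:
            return body + secrets.choice(DIGITS) + secrets.choice(SPECIALS)
    return None   # no tuple of `words` words fits the cap
```

Against this list, `passphrase_bits(WORDLIST, 4, 16)` comes to about 25 bits while `random_bits(16)` is about 105 bits; for comparison, four words from an uncapped 7776-word list give about 51.7 bits.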
