Nerdy passwords, secure and memorable

WARNING: Do not simply use the formula of a common chemical without obfuscating it in some way. It could be dictionary-cracked very easily if you do. A serious recommendation is to use a strong password generator rather than this technique, and to store the passwords in a digital safe that is itself locked with a strong password.

Coming up with a secure password that cannot be brute-forced or dictionary-attacked but that is easy to remember is quite a challenge. So, here’s the nerdiest approach yet.

Think of a compound, any compound, but preferably one with which you are familiar. If you’re in science, then you could pick a compound associated with your research thesis or perhaps the medication you needed to get through the viva.

Now, work out, or look up, its chemical formula. BUT DO NOT STOP THERE… Next, think of a simple algorithm to obfuscate the formula (reverse it and chop off each end, perhaps, or, if it is a long formula, extract all the numbers and put them at one end instead of after each element symbol; you get the idea). Of course, if you pick a compound that happens to share the first couple of letters with the name of the site to which you are logging in, that should make it easier to remember too.

If you suffer from hayfever you might be using Flixonase when you log in to Flickr, for example. Formula: C25H31F3O5S; the password could be CHFOS253135 or 5O3F13H52. No brute-force attack is going to figure those out in a hurry. Specialists in secondary messenger chemistry with a MySpace account could choose myo-inositol (C6H12O6 -> CHO6126), while nutritional chemists could hide their Facebook behind Factor II (vitamin B12), C63H89CoN14O14P -> CHCONOP63891414.

Of course, you will have to think of your own examples, but with CAS and ChemSpider registering tens of millions of structures, that should not be too hard to do.

Of course, being a chemist you also know about InChI and SMILES strings, which could provide you with an even more sophisticated password. The InChI string for aspirin, for instance, is InChI=1/C9H8O4/c1-6(10)13-8-5-3-2-4-7(8)9(11)12/h2-5H,1H3,(H,11,12)/f/h11H. Your obfuscating algorithm could be to remove all the zeros and reverse the string. The SMILES string is not quite so long, O=C(Oc1ccccc1C(=O)O)C, but what about choosing that and appending the same string reversed to the end of the original?
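The four transforms the post describes (counts moved to the end, reverse-and-trim, drop zeros and reverse, append the mirror image), implemented as an added example that is not the post's own code, with the post's formulas and the aspirin InChI and SMILES strings as inputs. The formula parser keeps two-letter element symbols intact, so cobalt comes out as "Co" (CHCoNOP...) rather than the all-caps rendering in the post; bracketed or hydrate formulas are rejected rather than guessed at.

```python
import re

# One element symbol (capital letter, optional lowercase letter) followed by an
# optional count, e.g. "C63H89CoN14O14P" -> [("C","63"), ("H","89"), ("Co",""), ...]
FORMULA_TOKEN = re.compile(r"([A-Z][a-z]?)(\d*)")

# Inputs taken from the post (aspirin InChI and SMILES as printed there).
ASPIRIN_INCHI = "InChI=1/C9H8O4/c1-6(10)13-8-5-3-2-4-7(8)9(11)12/h2-5H,1H3,(H,11,12)/f/h11H"
ASPIRIN_SMILES = "O=C(Oc1ccccc1C(=O)O)C"


def tokenize_formula(formula):
    """Split a plain molecular formula into (symbol, count) pairs."""
    tokens = FORMULA_TOKEN.findall(formula)
    # The pairs must reassemble to the input; otherwise it used syntax this
    # deliberately simple parser does not handle (brackets, hydrate dots, charges).
    if "".join(sym + num for sym, num in tokens) != formula:
        raise ValueError(f"unsupported formula syntax: {formula!r}")
    return tokens


def symbols_then_counts(formula):
    """Move every count to the end, in order: 'C25H31F3O5S' -> 'CHFOS253135'."""
    tokens = tokenize_formula(formula)
    return "".join(sym for sym, _ in tokens) + "".join(num for _, num in tokens)


def reverse_and_trim(text, trim=1):
    """Reverse, then chop `trim` characters off each end: 'C25H31F3O5S' -> '5O3F13H52'."""
    reversed_text = text[::-1]
    return reversed_text[trim:len(reversed_text) - trim]


def drop_zeros_and_reverse(text):
    """The post's InChI transform: delete every '0', then reverse the string."""
    return text.replace("0", "")[::-1]


def mirror(text):
    """The post's SMILES transform: append the string reversed to itself."""
    return text + text[::-1]


if __name__ == "__main__":
    # Each transform is deterministic and public, so (as the post's warning says)
    # the only secret is which compound and which transform were chosen.
    for formula in ("C25H31F3O5S", "C6H12O6", "C63H89CoN14O14P"):
        print(formula, "->", symbols_then_counts(formula), "/", reverse_and_trim(formula))
    print(drop_zeros_and_reverse(ASPIRIN_INCHI))
    print(mirror(ASPIRIN_SMILES))
```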

It could all get very convoluted and seemingly random very quickly. But isn’t that the aim of a good password? According to the password strength tester, the untouched SMILES string for aspirin already rates as “best”, but apply an algorithm and it will be even better.

The neat part is that you pick a compound you will remember, you can look up its formula any time, and you know the obfuscating algorithm. So you have a memorable password that is essentially a pseudo-random alphanumeric string.

Originally posted Jun 18, 2007 @14:00