How to create drunk proof passwords

by Brijesh Chauhan on September 23, 2009 · 50 comments

We all know how to create a good password. There are zillions of article on tips of creating strong password. We know it is necessary to choose long password which includes numbers and special characters and its better not to choose a word from dictionary as password. Also, if you are like me, you have hundreds of online account on different websites and its best practice to choose a different password for each account. This will ensure you if someone got (read: hacked) your password for one account, your other accounts will still be safe.

But there is a case when someone can trick you to ‘social-hack’ your password. It is very easy to spit out your password when you are drunk. Someone can just ask you for your password and you can just say it to them. How do you prevent such a situation?

Here I will discuss a method to make your password drunk-proof. This method will not only ensure that no one can take password from you when you are drunk, but it will also obey all the advanced rules of creating a strong, brute-force-proof password. This simple method will also create a different password for each of your accounts. And the biggest advantage of all – you don’t have to remember a single password nor you have to use any other tools like password manager. Yes, that’s right, you don’t have to remember a single password nor you have to use any other tools. And that is the main funda here, no one on the earth knows your password, not even you.

So here is how to create one. We will take example of creating a password for www.yahoo.com

1) Get the string: So we are creating a password for the site www.yahoo.com. We will truncate ‘www’ and ‘com’. So our string will be ‘yahoo’.

2) Get the formula: Now all you need to do is create a formula for your password. A simple formula for example would be the “+1″ formula. So for ‘yahoo’ it will be,

y + 1 = z

a + 1 = b

h + 1 = i

o + 1 = p

o + 1 = p

So your password for ‘yahoo’ using the formula ‘+1′ is ‘zbipp’.

But ‘+1′ formula is not enough, you need more complex formula. An example of more complex formula would be “Reverse – 1 interleaved with Date of Birth”.

yahoo reverse = oohay

oohay - 1 = nngzx

nngzx interleaved by Date of Birth = n19n84g15z06x

So it will give you “n19n84g15z06x”. You can make it more complex by replacing numbers with their respective special character, which will result in “n!(n*$g!%z)^x”. You can modify your formula anyway you like. Instead of +1 you can have incrementing pattern or any other pattern. Instead of Date of Birth, you can have your car VIN number or your driver’s license number or anything.

Now you can use the same formula for all other accounts. For www.gmail.com, simply replace the string from ‘yahoo’ to ‘gmail’ and you have completely random password for gmail without remembering it.

The randomness and complexity of your password is only limited by your imagination of creating the formula. Once you create your formula, you will have totally random password for all of your accounts.

That’s it. Just remember your formula and it will create a random password for every account that you have. And no one in the universe knows your password, not even you. And that is why the password is drunk proof. Try to speak “n!(n*$g!%z)^x” after you are drunk and see it for yourself.

It will be time consuming to enter password by this method initially for a week, but once you master the trick, you are invincible.

Tagged as: brute force, drunk proof, hack proof, hacking, How to create drunk proof passwords, password, password manager, secure, security

Amit

Very useful post. I will change all my passwords this way now.
Pingback: Tweets that mention How to create drunk proof passwords | Brijux.com -- Topsy.com
Waaco

In the second example. In stead of Yahoo you used Yayoo. So that fucks up everything. This would not work.

Brijesh

My bad Waaco, it was a typo, it is corrected now. Thanks for pointing that out.

http://didyoucheckmyblog.wordpress.com/ Jimy

Enjoyed reading this post. However this trick is not my cup of tea as I never enjoy LOGICAL password. The last time I tried something like this I had to change my password the very next day as I could not recall the MATH;)

Good job… keep it up !
Brijesh

Yea Jimy, initially this can be hard to remember, but once you master the trick, you are invincible. And you should be good at MATH or you are not doing fair to your company name – Mathworks
http://blogs.ibibo.com/phentermine/buy-phentermine Roberto

cool blog
cryptoguy

this may be an easy way to remember your password for amny different sites, but it it is very insecure. the cipher described could be very easy to guess.
GMNightmare

Cryptoguy, you are not a security expert. In fact, your words, complete inane and incompetent.

The cipher described is practically the best password you can make, especially with the special character additions. It is not very easy to guess, you are such a liar, especially when somebody else makes their own. No, back up your statement. Why do you think it’s so easy to guess?

Here, I have a password for, let’s say yahoo just like the example. Quick, guess my formula.
DEAk0n

I’m going to have to back GMNightmare on this one. Although, on paper this method seems insecure. In reality it is not. The interleaving of data, and conversion into non-alphanumeric characters raises the password security exponentially. A quick test on my own computer, using the latest John the Ripper, failed every time to crack a password generated in this manor.

Brijesh

Thanks @GMNightmare and @DEAkOn, is you guys said, it seems insecure on paper, but its not. It is possibly one of the best secure password that you can remember.

john

Yes, but it would be so much more appealing to talk about your algorithm at the bar than your actual password…

Brijesh

@john
Well, thats a good point. Its so much appealing that people write blogs on that

http://www.temlynwriting.com Mike P

Very cool method for creating complex passwords that are easy to recall. I’ve been working on my formula and you’re right… It’s a pain to get my brain to work this way, but it’s getting easier. Now I need to find an account that doesn’t matter if I mess up the password.
Fill

Nice. Better than using the same password for all sites, but not an obvious formula either.

Heh, I had to help a friend out with his website and he gave me his password, and it was something like hosting.com4bob (with hosting.com being the domain of the site, and Bob being his name). He essentially gave me the passwords for all his accounts, doh!
http://www.nurta.net nurta

For those that don’t know the basics of password analysing:

There are two types of passwords, those that are easy to remember such as “john29″ and those that rely on obscurity such as “52jEn$” the first is less secure as it falls for a dictionary attack (trying words from the dictionary with numbers randomly around it). The rest relies on a bruteforce attack (randomly trying every possible password) as one can best guess it through random chance. A brute force attack can get any password even one generated in this way in the same amount of time as an equally strong (strong being a function of length and the size of the character pool). Technically using this would be weaker if and only if someone knows you use this algorithm or a closely related one. Because if they knew that they can generate (for a n length domain) n characters of your password in 26 tries, rather than (assuming case sensitive alphanumeric) 62^n tries. And if you just your birthday they know there’s at least 4 digits and if they know your birthday it lowers it significantly. Then it’s a matter of putting random characters in random spots. While it still is very large, it’s smaller than if it’s fully random.

But really the benefit is it’s easier to remember than a fully unique password for every website and since a strong majority of pw attacks will be focused on 1 or 2 sites which means making a program just to crack this algorithm isn’t worth it, meaning they’d jsut use brute force which makes it just as secure. Then you also have the benefits mentioned above.

Basically it is less secure if you make a cracker based on this algorithm and you know they follow this algorithm, but obscurity means it’s just as secure in terms of cracking. AKA less on paper, just as in practice
SayBlade

Or, the perfect solution? Don’t get drunk!
Pingback: uberVU - social comments
http://devongarde.com/ devongarde

An interesting scheme, beyond doubt worth exploring. The one weakness I see, a minor one, is sites that change their name. It was MSN, then hotmail, now it’s live. Ok, so we’d all probably remember that example, but more obscure sites, visited occasionally?

Nope, I still think the best and most secure solution is to have one password for everything, and to have it tattooed on your forehead. No one would ever believe you’d be so stupid as to tattoo your one password on your forehead for everyone to see, so you’d get away with it.
Brijesh

@ Mike P
Let me know if you found such account.

@ nurta
I didnt quite get how they can crack this in 26 tries? Wouldn’t it be (password-length)^(26letters+10numbers+NumOfSpecialCharacters)

@ SayBlade
Thats the best solution possible.

@ devongarde
I like your forehead-tattooed-password method. I should give it a try
http://www.temlynwriting.com Mike P

I ended up using my formula on a forum that I frequent. I did make sure my email address was up to date before I set it though.
http://www.temlynwriting.com Mike P

Well I found the biggest distractor to using this method. I went to login to the site that I’m using this method with my smart phone and found I was going to have major issues since the keyboard layout is different and I couldn’t remember what character goes with each number.
anonymous

Mmmm really nice tip actually, I discovered your post via StumbleUpon.
I’m thinking of taking it to the next geek level and create a C program with my algorithm. That way all i have to do is encode and decode the site string using the program, and I can make the algorithm as complicated as I want.

Thanks for the tip
http://www.nurta.net nurta

@Brijesh
The 26 is only for part of it, the site name part, since it is done through a “letter shift” there’s only 26 (counting no shift) different shifts possible as there’s only 26 letters. That would then be multiplied by the other parts (the birthdate, and random characters) and raised to a power corresponding to the rearrangements possible (y24a02ho43o vs y2a4h0o02o43)

@anonymous
If you do that you’d have to password protect your program and encrypt or delete your source code or anyone could find out your password with it
http://www.dandart.co.uk Dan Dart

What if the website’s name is ridiculousbooksinanutshellforever.com hahaa
http://www.moneyinblog.com linus

sometimes i put the whole sentence togerther, its easy to remeber but hard to break!
http://www.oohahhmusic.com Mike J

Great, so now instead of me accidently telling someone my password or having them guess it, they can just stand behind me and watch me type it slowly because I have to figure out the complicated string as I go EVERY TIME.

Here’s a solution, don’t get drunk when there are a bunch of dicks who want to steal your password around. Problem solved.
Alex

Very cool. I’ll definitely play with it, but I like how important everyone makes themselves sound. If I was trying to access some secure information/database, or trying to steal someone’s identity/CC info/ etc. I would logically assume that it would be smarter to use a dictionary cipher on someone with a John69 password, as the type of person who spends the time to come up with algorithms for their PW, probably keeps their Credit card information/SSN/etc, fairy secure. I think I’ll stick with John69. One last note, from experience, more than 80% of the time, I don’t need someone’s password to get into their account. So just because you have a super l337 algorithm password, it doesn’t mean that the site you are using it on is entirely secure.
Willard Benway

Geez, simple character rotation. How easy to hack.
Mick

Don’t understand some of the jargon your using but found it informitive anyway. I’m going to give it a try. Thanks

Brijesh

@Mick,

What jargon in particular ?

Mick

I understand the article fine and can follow exactly what your saying its the comments afterwads some of which just go over my head but ive started trying out your system using random words to practice with and im impressed how easy it is. I’m working up to more complex versions like you sugested and hopefuly i’ll try it on some of my passwords soon.
Cheers
Brijesh

@Mick,

Glade that you liked it.
Brijesh

@Dan Dart,

if your website’s name is too long, you can have some rule, lets say taking first 6 letters of that website, simple.
http://www.thebornloser.net J.M. Bagadonuts

After reading your post and giving it some thought, it sounds like a pretty good system. The only drawback that came to mind is that if the bad guys were intent on breaching your system, once they’ve figured out one of your passwords, they would have the answer to ALL of your passwords. That aside, I still like your idea and doubt that anything I have hidden behind a password is important enough for anyone to pursue.

Thanks for sharing a good post. Merry Christmas, Happy New Year and best wishes to you!

http://www.thebornloser.net
HomelessJoe123

this is a great idea. another easy way would be to move over a key or two on the keyboard instead of having to think of the next letter. Using my formula for TestSite.com i get D01yd2#rY8& and it took me 10-15 seconds to make it.
Brijesh

@J.M. Bagadonuts
I think even if someone gets to know your password generated by this method, they wont be able to figure out your formula. So your other sites will still be safe.

And also, its really hard to remember random characters and symbols anyway.
Brijesh

@HomelessJoe123
Your idea is great too. In fact very easy to implement. Have to try it out.
h8r

There is nothing random about a password generated this way. It may appear random to someone without knowledge of the algorithm used to obfuscate a very simple mnemonic. But there as absolutely nothing “random” about this method of password generation. Other than that, good article. I use similar concepts to make my password easy for me to remember yet complicated enough that they are not easy for the average idiot to guess at.
Brijesh

@h8r
Thanks for you view.
Tony Cheetham

I use a random phronetic abbreviation method, that generates totally random passwords of large complexity, that can be easily remembered without maths. Can’t remember where I learnt it, but it wasn’t my initial idea..

Take a random phrase, the number of words roughly being the number of characters you want, being sure to include some numerical references, and words such as “plus” or “at”. Then convert the first character into your password. It takes a bit of practice to get something complex enough, but now I use a minimum of a 12 character random password. Example;

Microsoft has 51 monkeys working at Richmond = Mh51w@R
Bob plus his two friend didn’t see a single star at night = B+h2fdsa1s@n

If you’re into books you can pick up some awesome passwords from your favourite passages, and there super easy to remember.
Tony Cheetham

Actually, Bob plus his two friend didn’t see a single star at night = B+h2fdsa1*@n
Brijesh

@Tony
Now I know your passwords, whats your bank account number?

Thanks for sharing your method, its easy to remember compared to what I wrote.
http://albug.com Toronto Photographer

good to know
thanks
http://www.weblabs.be spedax

Nice post, very usefull
http://www.studentbrands.co.za Student Brands

Good to know, Thanks I hope to be back soon. Thanks again
Ajay

This is not useful method on financial sites where you have to change password periodically.

Brijesh

You are wrong. You can use this method on financial sites as well. Use the same formula on your new password and it will give you totally random alpha-numerical using the same formula.