passwords

[watervole]

 My business bank have asked me to set up a new password.  It must be all numbers and ten digits long and I quote "it must be memorable"

Right...

Apart from pi, and your mobile number, both of which are bloody obvious to any hacker, how many 'memorable' ten digit numbers do you know?

I can do memorable letter sequences, but my brain isn't oriented to remember numbers.

Comments

[lexin]

I suppose the numbers in your National Insurance number would be too easy to find out? There are 6 of them, but you could use all six then repeat four.

[kalypso]

Could you edit down your parents' birthdates and run one after the other? Of course this depends on having two double-digits and two single-digits among the dates and months, but it would work with my parents!

[damerell]

Two BR locomotive numbers back to back. :-)

[kerravonsen]

It must be all numbers and ten digits long and I quote "it must be memorable"

Oh good heavens, how ridiculous and stupid!

I can do memorable letter sequences, but my brain isn't oriented to remember numbers.

Me, I would fall back on l33tsp33k, and substitute numbers for the letters that they look the most similar to.

1 = i or l
2 = R or "to"
3 = E
4 = A or "for"
5 = S
6 = b
7 - I can't remember what this stands for, maybe Z
8 = "ate"
9 = g
0 = o

How many words can you make with that combination of letters?

[watervole]

Of course, it doesn't have to be a one to one mapping. I may have finally found a use for the phrase non-isomorphic...

Consider
0 - OUC
1 - IJL
2 - ZR
3 - EM
4 - AH
5 - S
6 - d
7 - FKT (I cross my sevens)
8 - B
9 - Pg

[feng_shui_house]

I'd do as kerravonsen says, use numbers to make words. In addition to her suggestions, you could use 7 as an L and 8 as a capital B.

I'm sure you can come up with a ten letter phrase out of the available letters.

[altariel.livejournal.com]

My childhood home phone number would work. But that's really tricky.

[watervole.livejournal.com]

But a risk in that there are some people who would know the number (though not random hackers).

[altariel.livejournal.com]

That's going to be a risk with any series of numbers that you choose for having some significance, so I guess you have to decide what you want to trade off. Putting the STD to the end might help. Other options include a series of random numbers that you either write down (obviously risky) or attempt to memorize (beyond my humble capabilities). Or else make use of the "forgot your password?" function each time you log in, and get them to send you something new each time.

[artw.livejournal.com]

Your mother's date of birth, followed by the number of aunts and uncles you have.
Or a memorable word coded A=1, B=2 etc.

[sam-t.livejournal.com]

Preferably not a dictionary word, but that would work.

Baffles me why they'd ask for a number. Why would you choose a 10-choices-per-character unmemorable password over a 36-or-more-choices-per-character memorable one?

[izhilzha.livejournal.com]

Or a memorable word with numbers substituted for letters in your own cipher (offset or backwards or whatever you can remember). Less easy to discover, but easy to recall.

[watervole.livejournal.com]

The problem with that one is that you need to write the mnemonic down somewhere (in order to remember which bank account you've used it for out of all the 20 odd passwords you have memorised already). If anyone finds the mnemonic, then they could work out the password. (Though I have to say that the mnemonic for the password I ended up with is no better - I regard it as one of my least secure passwords)

[sam-t.livejournal.com]

Maybe consider a password safe?

[luckykaa.livejournal.com]

10 digits isn't hugely secure. 6 randomly chosen digits and mixed case letters would be more secure.

[watervole.livejournal.com]

But that also hits the 'write it down' problem. Though it is a bit better as long as I can have mostly letters.

When allowed a mixture of my own choosing, I can do better. I can find mnemonics - did that recently for funding circle - I have a password that is a mixture, but I think would be very difficult for anyone else to guess, but is still memorable for me.

[luckykaa.livejournal.com]

Sorry. I need to explain my meaining a bit more clearly. It was a comment on password strength.

6 characters will be rejected by most password systems as insecure. This will take 6 times as many guesses for a computer as a 10 digit number. At 1000 guesses a second, this will be guessed in a few months. Of course the banks systems will detect this sort of attack, and block it, but they shouldn't really rely on this.

This xkcd strip illustrates the problem: http://xkcd.com/936/ (http://xkcd.com/936/)

[inamac.livejournal.com]

There is nothing secure about a ten digit number - because everyone is going to write it down somewhere, or it'll be a birthdate + something obvious. Both basic tests for hackers.

This is especially true about older customers, who would be particularly vulnerable to fraudsters getting access to their bank details (and we all know how sympathetic banks are to victims of those crimes).

Have you pointed this out to the bank?

(And I can't remember most of my four-digit PIN numbers, let alone my mobile number. One of the many reasons I don't do online banking.)

[makyo.livejournal.com]

One approach is to choose a memorable ten-word phrase (or the first ten words of a longer passage) and turn it into a ten-digit number by counting the letters in each word. So, for example, "the first thing we do, let's kill all the lawyers" (from Henry VI part II) becomes 3552244337. I think this should be reasonably secure (certainly more so than using a phone number or pi) unless I've missed something obvious.

[watervole.livejournal.com]

I've actually adopted this trick for the 5 numeral password they want in addition to the 10 digit one, but the problem with doing this for a long number is the risk of a counting error while doing the conversion. Especially for 2 digit letters.

[murphys-lawyer.livejournal.com]

All numbers?

ALL NUMBERS?!!1 ELEVENTY!1!

I wouldn't waste a bullet on the moron who thought in this day and age that a ten digit number was an acceptable password for a financial system. I have a five-foot stick I keep next to my desk with "Mr. Clue" written on it, and it's long overdue for an outing.

At the very least, I would drop heavy hints that they set the system up to fail and blame the customers when their accounts were emptied, on the grounds that "you obviously shared your PIN" or "you chose something too obvious".

In all seriousness, look at other business banks, and hope to Great Turing's Ghost their security is put together by someone with half a clue.

[rockwell-666.livejournal.com]

What pillock came up with *that* brilliant idea?!

Making it all numbers reduces the complexity massively, requiring it to be exactly ten digits is even more stupid because it lets hackers know precisely how many characters are in it so they don't even have to try 8, 9 or 11 digit versions!

You should send the bank a copy of this XKCD strip: http://xkcd.com/936/

[dumain.com (from livejournal.com)]

Memorise a trivial hashing algorithm and apply it to the bank account number plus a memorable secret to derive the PIN. Thats what I do with my bank/credit card PINs. The hashing algorithm is obviously not strong but by the time anyone has enough samples to figure out what it is they will already have all my pins. Might seem a little over the top but I find memorising an algorithm easier than an arbitrary digit string.

[inamac.livejournal.com]

Memorable 10 digit number:

0123456789

(I'd be willing to bet a lot of people use that.)

[espresso-addict.livejournal.com]

I can't remember numbers at all. Suggest writing it down and putting the note into something locked at home. We also store passwords in a spreadsheet protected with a decent encryption program on a hard-drive that's also encrypted, but that's harder to organise.

[eledonecirrhosa.livejournal.com]

Could you have a string of shorter memorable numbers, and leave yourself a clue in words somewhere?

Like this: year we bought the cat - my height in cm - favourite BBC channel - number of cherry trees in garden.

[watervole.livejournal.com]

I quite like that suggestion.

[linda-joyce.livejournal.com]

Do you know your grand parents birthdays a combination of these numbers might work, eg month and day from one set, year in full from the the other. eg year from granny A, month and day from grandpa X . Though even that only gives you 8 digits add the day from grandpa A. It could be done with parents birthdays but that would be a bit obvious too.