... seeking simple answers to complex problems, and in the process, disrupting the status quo in technology, art and neuroscience.

Friday, December 30, 2011

Forget Passwords! Seed-Map Them Instead

Passwords are a pain.  A pain to create.  A pain to remember.  A pain to use.

Skip the pain.  Focus on the visual.  Instead of creating, remembering and applying passwords, simply seed-map them - let the site define the seed, then use a visual pattern over the keyboard to define your unique algorithm.  This is FAR easier to manage than even a password manager.  Yes, it's a little strange at first, but the payoff is dramatic.  

There's nothing to buy, and the only trick is visual. Here are the details:

Security requirements are becoming more complex just as we need more passwords for new sites, apps and accounts.  Remembering all your passwords is almost impossible.  Here are the requirements for a reasonably secure password:

1. Contain at the very LEAST 8 characters.
2. Contain upper case letters.
3. Contain lower case letters.
4. Contain numbers.
5. Contain special characters.
6. Approach random distribution.
7. Be unique for each application.


8. Be easy to remember.

Unfortunately the first seven requirements make the last almost impossible. Many give up and use pet names, personal information or common words which are easily cracked.

The Visual Trick

Fortunately there's a simple trick I've been using for years, and it's good enough to stop the average hacker. Plus, it costs nothing at all to use. The trick is, don't REMEMBER your passwords - DERIVE them visually. Here's a simple example using a two phase algorithm - seed selection, and keyboard mapping. It will pseudo-randomize any password.

Start with a seed that's in front of you as you log on to the site, for instance "Microsoft". A simple seed would be the first four letters "micr". There. You're halfway done.

Now simply expand this seed onto the keyboard in a visually consistent way. Let's use the two keys above each seed key from this example. "m" becomes "Ju", "i" becomes "8*", "c" becomes "de" and "r" becomes "4$" yielding the password - "Ju8*de4$". No, don't try to memorize this mess, just watch your fingers as they strike the keys.  See the visual pattern?  

That visual pattern is the trick.  That pattern is YOUR secret. This password method meets the all the standard criteria above, yet you don't have to memorize anything except that pattern - just look at the name, and then map it visually using your personal method.

Notice I capitalized the first character and had to shift to get the "*" and "$" because I ran out of room moving up the keyboard.  That's just one method.  It's also one way of including special characters and caps. If you don't want special characters, wrap to the bottom of the keyboard instead.

The beauty is, you don't have to remember characters. All you have to remember is one simple visual pattern. It's best to not even think about what keys you're hitting - just hit the two above your seed character. I honestly have no idea what my passwords are, I just know the pattern that produces them.  It's easy once you define a method. And your method will always yield a visual pattern.  For the above approach:

Gmail would produce "T5juq18*"
Yahoo would produce "6^q1y69("
FaceBook would produce "R4q1de3#"

Again, no memorizing. OK, go ahead and use my example method if you like. It's better than using your dog's name. And you won't need to read any further. But remember you'll have the same passwords as every other person who happens to read this blog post and goes to the same sites you do.

Or... create your OWN visual pattern.  The world is your oyster!

Or even more security, invent your own visual method (algorithm).  Your method, your secret. There are literally millions of ways of doing it. Here are a few hints:


First, the seed - it should be at least four characters which will produce nearly a half a million unique passwords. Two characters will only create 676 unique passwords - not enough. A three character seed is marginal. And I don't suggest using more than a seven character seed because you'll either be creating very long passwords, or have poor distribution in the mapping phase as described below.  

Since the objective here is to leave the mob behind, it might be best if you mix up your seed a bit. How about a backward flip - "iamg" for Gmail. Or better yet, replace the "g" with your dog's middle initial. Or yours. It doesn't matter much as long as it's an easy method to remember. Personalizing with an initial or two will also make your passwords different from most others who visit your sites after reading this blog post. After all, Microsoft or Hotmail will be a common starting point for many. 

How about taking every other letter then step back? Gmail could become "gami". Or ignore the first letter and get "mial". You get the idea, there are a lot of ways of doing this - make yours unique. I've only discussed a couple of aspects of seed generation as examples. It's best to come up with something I haven't even talked about. Just be consistent so your method is easy to use.  And remember.


Now for the keyboard mapping phase. Our first example was OK, but did you notice how "q1" occurred three times in the last three examples? That's because each seed contained the letter "a", which is a common letter (less random). Also these simple examples only have a fair distribution over the key-map. To produce a good pseudo-random number you need a good distribution across the random field. 

The keyboard itself makes for a decent random field, as long as you span it well. For instance, "mmiiccrr" for Microsoft stays close to (and IS) your seed. That's a poor distribution.  In contrast, an expansion of three or four going up will always capture a number, and often a special character. Or if you go down instead, then wrap back up, it's almost as good (but no special characters). Three up will get a number two thirds of the time, and a special character one third of the time. See how you can control how many and what types of characters are likely to end up in your password?  There are obviously lots of ways of getting similarly distributed results. 

Go up for the first seed character, down for the second, capitalize the third and shift the forth to possibly add a special character.  Or expand the first seed character once, the second twice, the third three times, etc. You choose - that's the beauty. No one but you knows your method.

Or ignore the first character, right one and three up. Or one up, two left. Or skip a couple. The objective of distribution is to break up patterns of common letters (a, i, e) by applying different directions to different seed letters. This key-map phase is where you can really express your unique nature. Try diagonals. Or leaps. There is no right or wrong method, just some are better than others. Scramble your seed. Scramble your map. But in a way that's always visual to you.  


One challenge you'll face are sites that require you to change passwords every few months. An easy (if less secure) solution is simply to add a number starting with 1 to the end (or beginning). Increment the number each time you have to change passwords. In a few tries you'll get it, and have plenty of time before you have to use 1 again. Or add the last digit of the year to your seed and shift it after June 30th. Do what works for you.

It's also a good idea to have a backup method for when you encounter other conflicts, such as some sites not allowing special characters, or numbers.  The easy exception is simply wrap before you encounter them visually.  That way if your password doesn't work, try your simpler method B.  

Also, don't use your method for any password you have to share with anyone else.  That would be a powerful hint.  They might guess your trick and put all your other passwords at risk. This is another good reason for a more simple method B or C for shared passwords.  

Finally, don't make your method TOO complex. There's a point of diminishing return. Other capture or social cracking will make a "perfect" method irrelevant anyway. Video cameras are common and getting smaller, so even a perfect password can be stolen. If you're still concerned, add Iris Scan and go multi-factor. But for most, pseudo-random is good enough. And FAR better than your dog's name.

By the way, Seed Mapping is just one approach that happens to give a fairly good result. There are many other methods. Be creative.

Now go change all your passwords so you can burn that cheat-sheet in your desk drawer.

And let me know how Seed Mapping works for you.

Rod Coleman
General Manager
Sierra Computer Group

Whatever you do, don't use any of these:

123456 Named Worst Password


  1. Hi Rod. I've believed the same thing about secure passwords for many years, this comic turned me around :)
    (the math is tested and solid)
    Interesting huh? There's even an easy generator for it now:

  2. Though it has value, Randall's method has substantially over-stated his "entropy". If his xkcd approach becomes popular, numbers and special characters will become less probable, and cracking IS a probability game.

    Using common words also dramatically limits valid combinations making the result far less random and therefore having less "entropy". It's easy to understand that four random words is easier to guess than 25 truly random characters, any of which may have 256 different values.

    But it IS a funny cartoon, and useful idea. Find what works for you. Anything is better than your dog's name.