Strong Passwords: Motor Memory Passphrase

June 3, 2014
Motor Memory is in the palm of your hand

From your various wallet passphrases to online login accounts, the need for strong passphrases, today, is imperative and this article will show you how to easily create passwords of above-average strength. Not only will you be able to generate stronger passwords on the fly, but the unprecedented techniques, such as the Motor Memory Passphrase, proposed in this article will simplify your task of creating memorable passphrases that are suitably unique, yet simple. As simple as tapping your fingers on a desk.

If you’ve read Part One: Strong Passwords – a New Approach, just jump ahead to the diagram “Academically Endorsed Passphrase Schemes That Fail” below. Re-acquaint yourself with the schemes and then proceed to the major section “Motor Memory.”


[dropcap size=small]P[/dropcap]art One of this series looked at the characteristics of both strong and weak passwords, as well as considering various passphrase creations schemes. The conclusion reached in Part One was that strong passphrases are typically longer than 8 characters in length and are comprised of combinations of upper- and lowercase characters, numbers and symbols.

According to the variation of characters being used in a passphrase, the following diagram represents the theoretical time it will take a well-armed attacker to remotely crack passphrases of increasing length and complexity.

Time to Crack pseudo-science

Passphrase strength starts improving significantly where an eight character length passphrase includes numbers and symbols. Add one extra symbol character and the 9 character passphrase will, with current technology, take 44,000 years to crack! Arguably and theoretically, of course, but let’s proceed on that assumption.

Passphrase Schemes

Whether consciously or unintentionally, we all utilize some type of formula for creating passphrases. We are creatures of habit. Most people’s formula, or scheme, is a word + a number + a symbol. Additionally, most of us tend to include the name of the service we’re logging into in the word component and some constant number in the numeric component of our password. Hence, once an attacker has seen one password generated by our cunning scheme, they can easily deduce the rest. They can guess, but why do that when they can hand the task to a dedicated botnet of hundreds or thousands of computers whose only aim is to deduce passwords at a million attempts per second! That is, after all, a similar functionality to the Bitcoin mining network – to repeatedly attempt to solve a difficult random character sequence (hash). Amazingly, a block hash is solved every 10 minutes…

Two ideas have now been introduced, but they’re actually just flip sides of the same concept. A password scheme is an easy method for creating a multitude of non-similar passwords, yet a single password contains the formula of the scheme and is, therefore, a template of every other password created by that scheme. A weak password scheme is, therefore, not much more secure than simply reusing the same password for every login.

Research conducted by the School of Computer Science at Carnegie Mellon University compared 15 popular password creation schemes and rated each according to its security and ease-of-use. The three most secure schemes are summarized in the following table. Security and Usability ratings are the writer’s own and are much lower than the rating given by Carnegie Mellon’s researchers:

Looking at these ‘secure’ passphrase creation schemes, the most user-friendly schemes (Person-Action-Object and Base Picture) require that users create a series of words associated with a picture or scenario and then use these as their passphrase. The phrase “Gollum finds his Precious” – though simple – is 25 characters long and, according to our “time-to-crack” infographic above, should take several centuries to crack. However, the fact that the passphrase is composed of dictionary words is a critical flaw.

These methods are considered ‘secure’ by the School of Computer Science at Carnegie Mellon University, yet they fail to provide rules for including numbers and symbols. The ‘most secure’ scheme, namely Random Characters, requires users to create passwords consisting of 8 or more random alphanumerics and symbols per login, and to (somehow) commit these to memory. Memorizing a new phrase of 8 random characters for each of our scores of logins is clearly not feasible.

The dilemma we face is multi-layered and circular. Using longer passphrases means they’re harder to crack. Yet, with increased length comes increased difficulty to memorize. So, we use familiar constructs such as language units (words and phrases) to ease memorization and recall. Frustrating this achievement is the caveat that passphrases consisting of dictionary words only, will (eventually) be discovered by a determined adversary. The other “horn of the bull” is that, although a long series of random characters makes for a stronger passphrase, it is too difficult to commit to memory to be useful. Damned if you do and damned if you don’t…

This kind of discussion and thinking about ill-intentioned counter-measures to our preemptive measures can easily lead to a strong and non-userfriendly headache. We don’t want that, so stop reading for a moment – get some coffee – and come back to learn about a simple, elegant solution.

Motor Generated Strings and Motor Memory

A new passphrase generation method is hereby proposed, namely the “Motor Generated String”. A motor generated string is a series of characters generated solely by repetition of a finger pattern. For example, the action of tapping one’s fingers (from little finger through index finger) on a desk: performing this action on a keyboard has the effect of rapidly typing a string of characters. We often use this technique when hastily entering arbitrary text into a textbox, such as “asdfasdfasdf” or “123123”. This repetitive technique has vast untapped potential for passphrase creation.

For example, holding down the right Shift key and rolling three fingers across keys 1, 2 and 3 a few times yields “!@#!@#!@#“. Quickly and easily, but this is just to illustrate the technique – we want more variation than that.

Combine the previous step with a different finger placement on the right hand side of the keyboard: !@# !@# !@# \][; \][; \][;

Hold the left Shift key and shift the right hand pattern across the top of the keyboard: +_)O(*&Y^%$E#@!~

Hit CapsLock, angle both hands and shift outwards after each action (alternate hands if you wish and end with Space): JNFVKMDCL,SX;.AZ’/ = 19 characters – simple and repeatable.

Such motor generated strings are easy to remember and cheaply generate a lot of characters that meet our fundamental criterion of including uppercase letters, numbers and symbols. Motor series are also easy to repeat anywhere on the keyboard. If we choose key patterns that fall easily under our fingers, producing multi-character strings is almost effortless and eventually, with practice, becomes automatic. There is no need to remember a series of awkward symbols since the string can be reproduced with a simple motor action.

A skill we take for granted, namely Motor Memory, comes into effect and allows us to reproduce the same character strings without any mental effort. We don’t have to remember the characters, we only need to recall the underlying pattern and our motor memory does the rest.

After experimenting with this technique for some time, it became apparent to the author that there is an inherent weakness. The weakness does not invalidate the method but does preclude it from being a standalone passphrase generation scheme. It has yet to be confirmed via popular use and controlled testing whether or not the combination of human hand anatomy and keyboard layout will produce sufficient pattern variation to make the MotoMem a secure scheme in its own right. The author doesn’t know and believes that until this has been established or refuted a secure middle way must be pursued. The “middle way” is by means of combining MotoMem with at least one other secure scheme.

Simple Combination Passphrase Scheme

Let’s increase your current scheme’s strength, by combining an existing password with a MotoMem series.

We use two components and a rule-set to create a simple scheme:

a) a rudimentary MotoMem series: !@#!@#!@#
b) an existing insecure password: pass7

1) start with the MotoMem
2) type the password
3) finish with two repetitions of the MotoMem

Passphrase = !@#!@#!@#pass7!@#!@#!@#!@#!@#!@#
Length: 32 chars
Unique chars: 7
Theoretical Time-to-Crack: at least 44,000 years

With little effort and simple components, we’ve constructed a much stronger passphrase. The fact that it seems too good to be true is probably because it is: the repetition of a single symbol string provides bulk but lacks variation. This brings us to an important consideration, touched upon earlier, namely the eventuality where a passphrase is intercepted and we’ll look at steps to mitigate this calamity next week.

Last modified (UTC): June 5, 2014 06:07

Venzen Khaosan @venzen

Market analyst and Open source developer with a keen interest in blockchain technology, consensus mechanisms and the decentralizing effect. He has found a solution to the PKI mechanism. Email me to discuss.