Selecting a strong password that’s easy to remember and hard to break

I use Clipperz as my online password manager, and it comes with an easy option to generate strong, secure passwords. I generate one for each site and forget about memorizing it, since that’s what a password manager’s job is. But there are some passwords I don’t put there, such as my bank’s and my laptop’s. I’ve come up with a simple and effective way to come up with a password that is both strong and easy to remember.

Here’s how it works: pick a song that’s currently ear-wormed its way into your head. For this example, I’m picking Queen’s Bohemian Rhapsody. Pick a few lines from the song, such as these:

Is this the real life?
Is this just fantasy?

Now take the first letter of each word in those lines: 


Since most websites insist on a mix of special characters and numbers, let’s add a comma after the first line, and a question mark at the end, just like in the song:


Now to get numbers, convert a few characters to l33t speak. I usually map A to 4, E to 3, I to 1, and O to 0.  Let’s also capitalize the ‘F’ in ‘fantasy‘ to add some strength to the password. That gives us:


And we’re done! You can make the password as long as you need it to be by adding subsequent lines, and strengthen it further with different combinations of easy-to-remember special characters in the right places. But the general principle remains the same. I tested that password out on and it said this:

It would take a desktop PC about 7 thousand years to crack your password

I usually hum the song along as I type the password, so it ties into muscle memory pretty soon. I don’t usually run out of good songs, so for the 2-3 passwords that I have to remember, this method works pretty well.

Clipperz Password manager

A few weeks back I posted a list of services I used heavily, and my password manager, LastPass was the most worrying in the list.. both because of how accustomed to it I was, and due to it’s proprietary nature. It is with some relief that I can now remove that from my list of concerns. Say hello to Clipperz.

Clipperz may be like LastPass superficially: both are zero-knowledge online password managers where the encryption happens on the client side and only encrypted data is stored and sync’d on the server. The similarities end there.

Clipperz is committed to Free software, and their code is open source and available to any one who wants to self host. Passwords are stored in ‘cards’, and auto login is provided by setting up ‘Direct Logins’ for each card. Since the scrambled password is easy to copy and paste from the card itself, I don’t use the Direct Logins feature much.

An offline version allows you to download the entire database in a self contained html file, which is useful for backups and rare offline moments.

Clipperz is now accepting registrations through Bitcoin only, in an effort to further anonymize the service. I signed up when they were still a free service, and have still not started experimenting with Bitcoin. The developers — a couple of friendly guys in Italy — were nice enough to help me with it.

All in all, it is a pleasure to see such a useful, well built tool from such nice, principled folks.

Finally went ahead with installing TrueCrypt..

..and it was embarrassingly easy. I was worried that it wouldn’t support my /home, which is a ReiserFS filesystem. I needn’t have worried: you can create Truecrypt volumes even on individual files, not just on separate partitions. Here’s how I went around doing it (on a stock Slackware 12 box, as usual):

Download and install DeviceMapper and TrueCrypt, in that order.

Touch a file called tc.txt anywhere. Mine is in /mnt. And then:
truecrypt -c /mnt/tc.txt
Follow the simple steps that appear, the defaults are pretty okay.
Then jump to the Gentoo wiki’s nice page on TrueCrypt to make an ext2 filesystem of your newly created volume.

Mount the volume to a folder using truecrypt /mnt/tc.txt /mnt/encAnd unmount using truecrypt -d

Add aliases for convenience (again, see the Gentoo wiki) to the normal user, and add that user to the sudoers list, so that a root login isn’t needed each time the TrueCrypt volume needs to e mounted.

And in less than an hour of fiddling around, I have this neat 500 MB volume, alas with nothing really secretive that I can store in it. Fun, atleast.