Conlangs as passwords

Keeping our information secure is a high priority these days. We hear a lot about “two-factor authentication”, which usually boils down to “give us your mobile number so we can sell it”, but the first line of defense for most accounts remains the humble password.

The problem, as eloquently stated by XKCD #936, is that we’ve trained ourselves to create passwords that are all but impossible to remember. And the arcane rules required by some services—banks are the worst offenders—can actually serve to make passwords less secure than they otherwise could be. There are two reasons for that. One, the rules of what’s an “acceptable” password restrict the options available to us. An eight-character password where one of those characters must be a capital letter, one must be a number, and a third must be a “special” character (but not those that might interfere with the site’s code, like the semicolon) really only gives you five characters of leeway.

The obvious solution is to make passwords even longer, but that brings into play the second problem. A password like eX24!mpR is hard to remember, and that’s only eight characters. Extend that to twelve (Ty93M@tsD14k) or sixteen (AsN3P45.tVK23hU!) and you’ve created a monster. Yes, muscle memory can help here, but the easiest way to “remember” a password like that is to write it down, which defeats the whole purpose.

The XKCD comic linked above outlines a way to solve this mess. By taking a few common English words and smashing them together, we can create passwords that are easy to remember yet hard to crack by brute force. It’s ingenious, and a few sites already claim to be “XKCD-936 compliant”.

But I had a different idea. I’ve made my own languages, and I’m still making them. What if, I thought, I could use those for passwords? So I tried it, and it works. In the last year or so, I’ve created a few of these “conlang passwords”. And here’s how I did it, and how you can use the same method.

Rather than a few unrelated words, a conlang password is a translation of a simple phrase. Usually, I try to use something closely related to the function of the site. For example, my account on GOG.com is the phrase “good old games”—the site’s original name—translated into one of my older (and unpublished) conlangs. Similarly, my start page/feed reader has a passphrase that means “first page”. My password on Voat translates as “free speech”. All very easy to guess, except for the fact that you don’t know the language. Only I do, so only I can do the necessary translation.

Going this way gives you a couple of extra benefits. Case is up to you, so you could use a phrase in title case for those sites which require a capital letter. Or you can use a language like Klingon, with capital letters already in the orthography. Special characters work about the same way; add them if you need to, but in a more natural way than the line-noise style we’re used to. And since our password is a full phrase, it’s likely going to be near the upper end of the length range, making brute-forcing an impossible task. If it’s allowed, you can even add proper spacing between words, further lengthening the password and frustrating hackers. Also, if the site requires a “security question” (a misnomer if I’ve ever heard one), and it lets you use a custom one, then you never have to worry about forgetting the password, as long as you remember the language.

There are, of course, downsides to this method. Numbers are…difficult; the best option I’ve found for places that make you put one in is a kind of checksum. At the end of the password, simply put the number of letters you used. As an example, let’s say we want to use our example conlang Isian to make a password at Amazon.com. (By the way, that’s a bad idea, as information on Isian is open to all, even if no one’s really looking.) In my opinion, a good phrase to describe Amazon is “they sell everything”. In Isian, that translates to is dule lichacal. Thus, our password could be something like IsDuleLichacal. Fourteen characters, three of them capital letters. And we can take on a 14 at the end to up the strength a little more, or satisfy overly strict systems. As long as you’re consistent, memorization is less of a problem. And you don’t need to write down the password itself; just the key phrase is enough.

Now, not every language works for this. For very good reasons, passwords using Unicode characters are not recommended, even in those rare cases where they’re supported. The ideal conlang for password use is something more like Isian: no diacritics, no funky letters like ə, just basic ASCII. Letters, numbers, and a few symbols—in other words, the same set of characters that passwords can use.

The best conlangs are probably the most English-like in style. Somewhat isolating, but not too much. Relatively short words. A reasonably uncomplicated grammar, so you don’t have to sort through all the rules. Oh, and you’ll definitely need a sizable vocabulary to cover all the concepts you might want to use in your passwords. Just a grammar sketch and the Swadesh List won’t cut it.

Not everybody will want to go through the effort needed for this scheme. But, if you’ve got an extra little conlang around, one you’re not using for anything else, you might want to give it a shot. It can hardly be less secure than the sticky note on your monitor, right?

Leave a Reply

Your email address will not be published. Required fields are marked *