Keyboard Vector Passwords

It's commonly accepted that the use of random strings including special characters makes for a pretty strong computer password. There is a nearly infinite variety of algorithms you can use to generate these passwords, most involving a step of obfuscation like 1337 speak or remembering a mnemonic. One weakness inherent in these passwords is that the obfuscation technique or mnemonic can be difficult to remember, and so the resulting password is often written down (ironically, because it appears to be gibberish, it calls more attention to itself as a potential password). On systems requiring frequent password changes, even the best password creation techniques can come up dry after six or seven cycles. Below, I present a method for the easy creation of passwords that can be remembered as vectors. For those users of secure systems who have good spatial skills but poor language skills, this technique can be a lifesaver.

Take a look at your keyboard. Unless you've got a really bizarre one, the keys are in five or six major rows, and because of their slight horizontal offsets, the columns are slanted. For example, after those dark gray keys on the left, you could call the keys 1, Q, A, and Z a column. You could also call 7, Y, G, and V a column. On their own, these columns each look like gibberish, and when you combine them, you get 1qaz7ygv, a pretty nice password. Need it to be stronger? Hold down SHIFT while you type the first column. Now you've got !QAZ7ygv, which almost certainly doesn't appear in any dictionaries.

There are two strengths to this system that set it apart from other password generation methods. First, if the user is not in front of a keyboard, the user will be hard-pressed to write down the password. Because the user will never see it written in plaintext, the user may not even recognize his password if asked to choose it from a list! This is a minor strength, mostly for systems where a user might be placed under duress. The other benefit of this system is that it allows for a password to be "rotated" when it expires. After ninety days, the user simply holds down SHIFT for the other half of the password, and the above password becomes 1qaz&YGV. Ninety days later, switch the first and last columns, and get &YGV1qaz. Ninety days later, travel up the keyboard, and get ZAQ!vgy7. Ninety days later, shift every character to the right: @WSX8uhb. The user has only to remember which two characters are the basis of the password, whether by name ("one-shift-seven") or by visual position.

This method comes with one large weakness. If the limited version I propose above becomes widespread, it could conceivably be cracked by adding the 38 four-character "vectors" from a standard QWERTY keyboard to a dictionary file as "words". If one assumes that a user is using only this method to create passwords, and holding down SHIFT in only whole-vector increments, then the search space is trivially small (5776 possible passwords) and can be cracked easily.
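
The small search space described above can be turned into a password-policy check that rejects these passwords at creation time. This is an added example, not part of the original article; it assumes a US QWERTY layout and that the 38 vectors are the 19 four-key columns (both slants), each typed downward or upward, a reading that reproduces the article's figures of 38 and 5776.

```python
from itertools import product

# US QWERTY rows (assumed layout): unshifted keys and their SHIFT equivalents.
ROWS = ["1234567890-=", "qwertyuiop[]", "asdfghjkl;'", "zxcvbnm,./"]
SHIFTED = ["!@#$%^&*()_+", "QWERTYUIOP{}", 'ASDFGHJKL:"', "ZXCVBNM<>?"]
SHIFT = {u: s for row, srow in zip(ROWS, SHIFTED) for u, s in zip(row, srow)}
UNSHIFT = {s: u for u, s in SHIFT.items()}

def columns():
    """Four-key columns read top to bottom, in both slant directions."""
    cols = []
    for step in (0, -1):  # 0 gives the 1-q-a-z slant, -1 the 7-y-g-v slant
        for start in range(len(ROWS[0])):
            idx = [start + step * r for r in range(4)]
            if all(0 <= i < len(ROWS[r]) for r, i in enumerate(idx)):
                cols.append("".join(ROWS[r][i] for r, i in enumerate(idx)))
    return cols

# Each column typed downward or upward: 19 columns x 2 directions = 38 vectors.
VECTORS = {v for c in columns() for v in (c, c[::-1])}

def is_vector_password(pw):
    """True if pw is two four-key vectors with SHIFT held per whole vector."""
    if len(pw) != 8:
        return False
    for half in (pw[:4], pw[4:]):
        if all(ch in UNSHIFT for ch in half):  # whole vector typed with SHIFT
            half = "".join(UNSHIFT[ch] for ch in half)
        if half not in VECTORS:
            return False
    return True

def deny_list():
    """Every password in the limited scheme, for a password-policy deny-list."""
    halves = VECTORS | {"".join(SHIFT[ch] for ch in v) for v in VECTORS}
    return {a + b for a, b in product(halves, repeat=2)}

# The article's example passwords and rotations, checked against the policy.
ARTICLE_PASSWORDS = ["1qaz7ygv", "!QAZ7ygv", "1qaz&YGV", "&YGV1qaz",
                     "ZAQ!vgy7", "@WSX8uhb"]

if __name__ == "__main__":
    print(len(VECTORS), "vectors,", len(deny_list()), "passwords")
    for pw in ARTICLE_PASSWORDS:
        print(pw, "rejected" if is_vector_password(pw) else "accepted")
```

Every password the article derives by rotation falls inside this set, so a policy check of this kind rejects all of them.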

Luckily, key vectors don't need to be straight lines of four characters. Variations that reduce the weakness of my four-character vectors include chess moves (particularly the knight's tour) or other non-random walks around the keyboard. A chess buff like gitm might decide to encode the first four moves of The Immortal Game, The Ruy Lopez, or The French Defense into this method, placing his rook (a1) at "Z" and his opponent's (a8) at "1". Further, to add special characters and mixed caps, he might hold down SHIFT to signify picking up a piece. An opening pawn move (e4 ... e6) would then be "F4" (white's fourth pawn moves forward two squares) followed by "Rv" (black's pawn in the same file moves forward one). To rotate such a password, the player could simply play the next sequence of moves every ninety days. Because good chess players have excellent spatial memories, it is not impossible that some of them already use a similar technique.

Using the vector method above creates memorable passwords that appear random and are unconnected to the language. By adding vectors other than the trivially simple ones, pseudo-random passwords can be created that defy dictionary attacks and forestall brute force attacks. Further, the ease with which vector passwords can be rotated can help increase user compliance for password policies requiring frequent changes.