Creating Secure Passwords with Two Pieces of Paper

November 9, 2016 | Views: 3242

Begin Learning Cyber Security for FREE Now!

FREE REGISTRATIONAlready a Member Login Here

This is a simple method to produce a completely secure password without having to memorize it:

  1. Open Excel.
  2. Copy this formula into cell A1 – T20: “=IF(ROUND(RAND(),0)=0,CHAR(RANDBETWEEN(65, 90)),CHAR(RANDBETWEEN(97, 122)))” (Without the quotes) *This puts either a lower case or upper case letter in the cell, allowing for 26 * 2 = 52 different possible letters per Cell, for all 400 cells.
  3. Print this out and place it in easy to reach locations. This is your public key. Feel free to post it online, or stick it on your laptop.
  4. Open another Tab on this worksheet.
  5. Copy this formula into A1-A20: “=CHAR(RANDBETWEEN(65,84)) & RANDBETWEEN(1, 20)”
  6. Overlay a blank piece of paper on top of your public key.
  7. For each Row/Column combination as per step 5, outline the box with a pencil on your new sheet of paper.
  8. Cut out each of these boxes with scissors.
  9.  Overlay the Paper. You should only see the 20 (or less, if two of the values in the second workbook were the same) values. This will be your password. The second piece of paper is your private key. Keep it secret.
  10. Repeat this for all the keys you need.
  11. For good security, replace private keys every 60 days (or every 30 if you want airtight security)


For my example, I will use a 5 x 5 public key and a 5 length private key

Public Key

X D s D p
z e N G l
m k p T P
z j e u F
W x v I I

Column/Row combination chosen:


Resulting Password: Ispvm

Three great things about this password

1) Once you use the password a couple of times, you’ll memorize the locations on the public key, and the physical private key will become unnecessary. Furthermore replacing your public key will not interfere with this memorization.

2) Absolutely no memorization is needed. With sentence passwords, remembering the phrasing of the sentence can prove difficult, e.g. “Colonel Mustard in the Library with the Candlestick” (CMitLwtC) vs “Colonel Mustard with the Knife in the Observatory” (CMwtKitO)

3) Multiple private keys (passwords) can be created using the same private key, and when the public key changes, it forces you to update all of your private keys, something most people neglect to do


Hope this helps.

Share with Friends
Use Cybytes and
Tip the Author!
Share with Friends
Ready to share your knowledge and expertise?
  1. Creating great passwords is a balancing act of the CIA Triad (Confidentiality, Integrity, Availability) The CIA Triad is the foundation to great security. A good foundation of security is to examine the logical implications of whatever security method you are thinking of implementing. For more, please see my previous article.

    Have a great day



  2. My suggestion is to just create and use the passphrase. Easier to memorize “Colonel Mustard in the Library”, it’s 26 characters long (plus the spaces if you can use them), and it has upper and lowercase. Good luck brute-forcing that or even using a dictionary on it.
    Only exception is when you are forced to the maximum password length of 8 bits. (Which is kinda rare these days imho)
    The semi-random generation is quite useful! Thanks for the script.

    • While “Colonel Mustard in the Library” is a safe password in and of itself, I find there are three problems with this approach. I’m just as guilty of them as anyone.

      1) Password reuse: (if I compremise your password on one site, I should not be able to compremise your password on other sites.) Even if you changed the person and/or the room on different sites, someone with access to one of your passwords and dictionary attack subsequent websites with simular passwords

      2) Password Expiry: in a corperate environment, you need to change your login password every 30 days. However, when it comes to facebook, twitter, linkedin, personal computer login, we tend to not change these until they get hacked.

      3) Password Combination Problem: remembering ten different sentences is hard enough. Remembering which sentence goes with which password is even harder. Who hasnt accedentaly locked themselves out of thier accout because they kept entering thier gmail password into outlook? Just me?

      That being said, thanks for your comment. I appreciate any compliment or constructive criticism. Have a great day! Regards, ProgrammerE

      • Good thinking and great explanation!
        I just want to add one little morsel to your list: UE (user experience).
        For example, remembering ten sentences is hard, but us, humans use simple psychological patterns. Your favorite song is easier to remember, it probably has ten sentences at least (unless it is a non-vocal one like Giaa).
        Can you remember 6 sentences from the lyrics? Good, then you can use them as a buffer to rotate on your corp account. The refrain part from the song “Horse with no name” is an example of that.
        Can you remember more than one song’s lyrics? Sure you can. Better than V9hr3TgX or 98JKGr3X. Or was that last x a lowercase? 🙂
        So, maybe using one song in your production environment and another one on your social accounts is a good way to get around this problem?

        I would love to hear your thoughts on this. Maybe we should start a forum thread if one doesn’t exists already.
        Have a nice and productive day!

  3. Great tip. I just suggest to set excel to not make automatic calculations to preserve the public key after generating the private key, and only print after done the job, avoiding print old values during your tests. We can include numbers into the ranges to get more characters, or even other symbols.

Comment on This

You must be logged in to post a comment.

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Support Cybrary

Donate Here to Get This Month's Donor Badge


We recommend always using caution when following any link

Are you sure you want to continue?