Entropy: the randomness and unpredictability of data
The consensus among security experts today is that strong passwords rely on high entropy and length, the more random and longer a password is, the harder it will be to crack. I’ve just been reading about a lass who has setup her own website (dicewarepasswords.com) selling strong passwords for $2.00 a pop. Mira Modi, an 11-year old sixth grader from New York, creates her passwords using the ‘Diceware’ method which she then sends to customers on a piece of paper in a sealed envelope via snail mail. Ms. Modi is obviously a very bright young lady as well as a budding entrepreneur.
Diceware is a well known established system for creating strong passwords utilizing common 6-sided dice and a special Diceware word list. To create a password you simply roll the dice until you have a five number sequence, then match that sequence to the corresponding word in the Diceware word list. Repeat this process according to the number of words required – 6 words is the recommended minimum.
The rolling of the dice ensures both randomness and unpredictability resulting in a high degree of entropy, while an adjustable word count takes care of length requirements. According to Micah Lee, technologist for The Intercept, who has written extensively about the Diceware method, a 6-word passphrase created this way would take 3,505 years to crack at a trillion guesses per second.
While I concede that 6-word passphrases created via the Diceware method are certainly very strong, I remain unconvinced they would be all that easy to remember, especially for an old geezer like me where anything past 18 seconds ago is a fading memory. Here are several examples; cap liz donna demon self bang, vivo thread duct knob train orb, and brig alert rope welsh foss rang, none of which appear to be all that memorable to me. Although, I guess they would certainly be easier to remember than something like As#$thJ&*9(lM?Oq.
In fairness, Mr. Lee does not actually say the passphrases are easy to remember, rather that they are “very possible to memorize”:
Diceware a method for generating passphrases that are both impossible for even the most powerful attackers to guess, yet very possible for humans to memorize.
- Check out Micah Lee’s in-depth and very interesting article here: Passphrases That You Can Memorize — But That Even the NSA Can’t Guess
Bottom Line
Considering strong passwords play a critical role in today’s online security, the Diceware method is certainly worthy of consideration.
I’ll close by asking you to participate in a sort of poll – the question is this: Given that you follow Micah Lee’s advice on how to memorize passphrases, which is as follows:
I recommend that you write your new passphrase down on a piece of paper and carry it with you for as long as you need. Each time you need to type it, try typing it from memory first, but look at the paper if you need to. Assuming you type it a couple times a day, it shouldn’t take more than two or three days before you no longer need the paper, at which point you should destroy it.
Do you believe you would eventually be able to easily remember a Diceware created 6-word passphrase… yes or no?
Maybe I should sell a boxful of my method of creating passwords.
Take an old keyboard and pluck off all the letters,numbers and symbol keys, put them aside, pluck off all the other keys and create 26 lower case letters and numbers on paper, cut to suit a ‘key’ size and tape in place on the un-needed keys, black out the numbers on the symbol keys with el-cheapo black nail polish from the ‘Bin’ in the chemist shop.
That’s it.
Find or make a cardboard box with a lid from a cereal or other cardboard box to hold all the keys, a good percent larger than the whole amount of keys.
Cut a hole in the lid to allow one only key to fall out when tipped.
Put all the ‘keys’ in the box, fix in place with ‘sticky tape’ or other method.
When a new password is required, shake the box, tip out the number of keys required, use the keys for a new password.
A new password required, ‘it’s in the box’, who needs an online password generator!
A free tip for DCT…….:-)
In all honesty Jonno, a software password generator sounds a lot simpler. 🙂
Besides; the object here is to create a strong yet easily remembered password.
When you have elderly clients with the same mindset as I have, they don’t have a hope of knowing how to use a password generator, let alone remember passwords, they even forget where they left the book containing all their passwords.
The boxes of keyboard buttons were given to them as a ‘bingo style’ method of creating passwords…..it is amazing that many think that password generators are hackers, same as they don’t realize when they take their bank-books to the bank, all is transferred via Internet…..:-)
I like the idea of a phrase that can be easily remembered, perhaps related to a time and place or event, or combination of such; then use the first letter (or digit) of each word (number) to form the password. I made up a phrase that includes the names of myself and my wife, the date of when we got married and where we went for a honeymoon, of course just including the first letter/digit of each word/number to make the password. With this I have a 19 digit password that I can remember. Caps & symbols can be used to mix it up too, i.e. “&” for “and”, large case for a name, etc. Other than that, I use Roboform for many of my logins. 🙂
Some people insist on doing things the hard way. Here’s a simple password generator technique anyone can try.
Choose a phrase. Any phrase. But, for the sake of simplicity, try to keep the phrase below twenty words. For the sake of complexity, try to keep it above ten words. For my example I will use the ukelele tuning phrase, “my dog has fleas, so does my cat.” I know… that’s only eight words. But, I don’t have all day for this.
Now, to create a unique and seemingly random string of characters, write down the last letter of the first word and the first two letters of the next word. That gives us “ydo”.
Working in sets of two words at a time, move on to the next two words in the phrase and do the same thing… write down the last letter and first two letters of those two words. That gives us “sfl” which, together, gives you “ydosfl”.
Next set of two words… last letter and first two… gives us “ydosflodo”. Looking pretty good, but, we’re not done yet.
Next,and last, two words in our phrase… again, the last letter of the first word and the first two letters of the second word… gives us “yca”. All together, we now have a strong 12 letter password: ydosflodoyca
I just made all that up on the fly. I tested this on https://telepathwords.research.microsoft.com/ … a site that tries to guess the next character of your password as you type it. It only guessed two of twelve characters, which makes it a strong password.
Now, all I have to do is make one or two letters upper-case, add a number and a special character to make it look something like
+ydOsflodoYca55\
I added a + because it *adds* to my password. I chose the first and last vowel to make UPPERCASE. I added the year of my birth to make the password numerical. But, I could easily have used the number of spots on my dog’s back for my number. And, finally, I added a back-slash to signify the end of my password, which adds an additional character to add to the complexity of the password, but not greatly complicate the formula.
I’ve never actually used this method before. I just made it up. What I just did was to create a rather simple formula for creating strong passwords. When I test this password on the various password rating sites, it gets “very strong” ratings on all of them.
If I thought about it, I could incorporate something in the website’s domain name where I’m using the password to make the password completely unique to that account, and use the exact same formula on other sites and accounts, but have a slightly different password for each.
No one can remember twenty different passwords. But, anyone can remember one formula, which includes a keystroke pattern.
The formula I actually use allows me to create a unique 13 character password that is alpha-numeric and includes upper and lower case keys, using only 4 different keys on the keyboard for each particular account. I have dozens of different passwords. I don’t need to remember any of them. All I have to remember is my formula and my keystroke pattern. And I will put my 13 character password up against any randomized 13 character password. 🙂