In the wake of Heartbleed there’s a whole lotta password changin’ going on, reawakening the always-lively discussion of what constitutes a strong password. Xkcd has a legendary answer to that as well: Correct horse battery staple. In other words, four randomly chosen words beats g0B!deEG00kk. The information theory explanation is that there is more entropy in those four random words than in a quirky misspelling of “gobbledegook.” Xkcd reminds us that if you can picture a horse asking if that’s a battery staple, those four words are also hugely easier to remember.
Bruce Schneier disagrees, and (as always) he lays out a good case. His password-generation scheme is certainly harder to crack than choosing four shortish random words. However, some scorch spot in my genes makes it hard to use a mnemonic like that. Remembering passwords is key, since a password that’s miserably difficult to remember simply won’t be used. Nonetheless, if you can do it, it’s golden. There are traps, however. Some years ago, when I first had an account that allowed (almost) arbitrarily long passwords, I used a favorite line from Tennyson:
Down along the beach I wandered, cherishing a youth sublime
That was in fact an excellent passphrase for a couple of reasons, one of which was unintentional. (Can you guess? Answer below.) Using Bruce’s method combining the initials of this line and the one that follows gives us:
datbiw,cays-wtftosatlrot
I’ll bet that’s damned hard to crack. However, it took a lot of work to extract that from the text, given that I had to extract it every time I typed it in. I could actually type both lines in full twice in the time it took me to extract the initials once. So as password generators go, it’s not my favorite. Furthermore, I intuit that automating initial-extraction from passphrases findable online (like lines from famous poems) would be trivial.
Once I learned a little more about dictionary-driven password cracking, I stopped using lines memorized out of famous poems. Given the size of modern hard drives, and the boggling number of offline hashes that modern GPUs can calculate per second, having a dictionary of all lines from virtually all famous poems, plays, and novels would be a computational blip. (Text is small.)
That said, the passphrase above is actually stronger than you’d think, because, well…it’s wrong. That’s not how the line goes in Tennyson’s “Locksley Hall.” The correct line is:
Here about the beach I wander’d, nourishing a youth sublime
Assuming I hadn’t spilled the beans here, I might actually have gone back to using it, because, having used it for a couple of years, it got pretty well set in my memory. Alas, consistent misremembrances of this quality are scarce. Poetry can work, however, since structures of rhyme and meter make poems easier to remember. It can work if you write the poems yourself. Your mileage will vary. I’m oddly good at both writing poetry (which doesn’t mean that it’s good poetry) and then remembering it. In fact, bad poetry is lots easier to remember. Just now, this line popped out of nowhere:
“Piffle!” said the Golmodox. “His niffled head is all but rocks.”
This is actually two reasonably strong passwords, or one if you’re paranoid. What makes them strong? Two of the words are made up. Words that don’t actually exist make cracking miserable. Poetry makes phrases easy to memorize. So sit yourself down, my writer friend, read some Lewis Carroll to get your brain revving in the right direction, and write a nonense poem. Read it several times until you can recite it out loud without hesitation, and then encrypt it (strongly). Choose a line from the poem and make it a password. As you need passwords, choose other lines from the poem. When you run out of lines, write a new poem.
Nothing is uncrackable…but when you’re the highest fruit on the tree, you’re not going to get picked any time soon.
The difference between you and Bruce is the practical vs. the theoretical. I gave up on gobbledeygook passwords long ago, choosing chains of ordinary words very similar to the XKCD comic… except I stole that from CompuServe, which used that basic arrangement for its password assignments. Which *they* sent to *you*, on dead tree pulp, in an envelope with a stamp on it.
As far as the amount of processing power available, its usefulness is limited by what you’re trying to do. If you have a system’s password file in your grubby digital mitts, you can run any attack you want against it. But even crude web-based systems only allow you a few failed tried before making you wait, or simply locking your account. Even simple passwords offer a useful level of security if your average time between attempts is in minutes instead of milliseconds.
What frustrates me are the number of sites, some of them large financial firms, that limit password length. One site limits the length of a password to 8 bytes.
My method for passwords is a good password manager. I’ll let it generate a random password, store it with the site information and then I can get to it anytime I want. There are just too many sites and too many passwords for me to remember all of them any longer.
I have one of those little vest-pocket spiral notebooks beside my keyboard containing passwords, network setups, etc.
I figure anything on the hard disk is vulnerable eventually. Even if I get hacked, they won’t get everything easily.
Although I agree with Tony Kyle that a good password manager is the best option for important passwords, which should all be different, there is another set of pseudo random characters that are quite easy for us amateur radio hams to remember. Mix a couple of friends call suffixes with a Q-Code or two and some numbers and punctuation and I think it would survive a dictionary attack fairly well.
One other advantage of using a password manager is that you can paste the password without typing. Helps if there is any keystroke logging.
QSL et 10-4 OM! –30–
Ham radio jargon is a good one. Invented words are another. The late George Ewing was a rich mine for some of mine (you won’t find snoguloid in any dictionary). Dr. Seuss is also a great source for invented but memorable words (Yertle the turtle etc.) Another possibility (since I suspect many readers here are techies) is to pick some bit of a programming language that you know only too well. Like 7a7b3000, eh Jeff? 🙂
I do use the xkcd model for my home Fedora desktop, using some of the items in view from the monitor as the strung-together words, with a couple of vowel-to-digit replacements. 16 characters, which most sites will accept if need be, and *very* unlikely to be guessed unless you were a visitor to my home and could guess the order I’d arranged them in.
> home
…and that brings to mind an even older Far Side panel, where the password was “swordfish.”
And the even older Marx Brothers sketch, where the pass-“word” was a swordfish.