Better Master Passwords: The geek edition

I’ve always wanted to write a technical followup to an earlier post, Toward Better Master Passwords, but this time going into some of the math behind it. Today’s xkcd comic does that for me:

Indeed, what took me nearly 2000 words to say in non-technical terms, Randall Monroe was able to sum up in a comic. This just shows the power of math, but that’s another issue. So for those of you who want to understand the comic and see how it relates to my earlier post, read on. But first read or re-read my earlier post on strong master passwords.

If, like most sane people, you don’t want to dive into a technical discussion, then stop here and just read the original, non-technical, post that says the same thing as the comic. It’s also where the practical advice is.

The only thing I’ll restate

There is one concept (well, actually two concepts) from the Toward Better Master Passwords post that needs to be restated. It is central to everything that follows:

The strength of a password creation system is not how many letters, digits, and symbols you end up with, but how many ways you could get a different result using the same system.

This embodies two things that we need to take into account when looking at the strength of some components of security. Kerchoff’s Principle, and entropy.

Kerchoff’s Principle

Kerchoff’s Principle states that you should assume that your adversary knows as much about the system you use as you do. In this case it means that if you are following advice about how to generate strong memorable passwords, the people who will be trying to break that password are at least as familiar with that advice as you are.

I can’t over-emphasize the point that we need to look at the system instead of at a single output of the system. Let me illustrate this with a ridiculous example. The passwords F9GndpVkfB44VdvwfUgTxGH7A8t and rE67AjbDCUotaju9H49sMFgYszA each look like extremely strong passwords. Based on their lengths and the use of upper and lower case and digits, any password strength testing system would say that these are extremely strong passwords. But suppose that the system by which these were generated was the following: Flip a coin. If it comes up heads use F9GndpVkfB44VdvwfUgTxGH7A8t, and if it comes up tails use rE67AjbDCUotaju9H49sMFgYszA.

That system produces only two outcomes. And even though the passwords look strong, passwords generated by that system are extremely weak. Of course nobody would recommend a system that only produced two outcomes, but people do recommend systems that produce a far more limited number of outcomes than one might think by inspecting an individual result of the system. This is because humans are far more predictable than we like to believe.

Entropy

What unit do we use to measure the number of different results you can get from a system? The answer to that is “bits of entropy”. The silly system I listed above can get us two different results. We can represent two different outcomes using one binary digit (bit). Passwords from that system have just one bit of entropy.

Now suppose we had a similar system that involved rolling one die. That would lead to six possibilities. Six outcomes can be represented in three bits (with a little room to spare). The actual number of bits is closer to 2.58. (And for those who really want to know where that number came from it is the base-2 logarithm of 6.)

One feature of using bits of entropy as a measure is that each bit represents a doubling of the number of possible outcomes. Something with 10 bits of entropy represents 1024 possibilities, while 11 bits will double that to 2048 possible outcomes. There are many reasons that we use bits instead of the number of possibilities. I won’t go into the mathematical reasons, but one nice result is that it gives us manageable numbers. In cryptography we routinely deal with things that have 128 bits of entropy. 128-bits would represent 340282366920938463463374607431768211456 possible outcomes. It’s hard think about or compare such numbers.

Working through the comic

Now lets look at a few things in the first pane of the comic. Let’s start with the stuff I’ve put into the green pink box. The single small gray square in the bottom of the green pink box shows that the choice between capitalizing or not capitalizing the word adds one bit of entropy. Of course people could add more entropy by possibly capitalizing other letters, but people don’t capitalize randomly. The do so at the beginning, at the end, or sometimes at internal word or syllable boundaries.
If people capitalized randomly that would add a lot of entropy, but capitalizing randomly would make the password impossible to remember.

Now let’s look at the stuff that I’ve put in the blue box. Here 16 bits are awarded to picking an uncommon, but non gibberish word. That would imply that the person picked a word in a truly random fashion from a list of 216 words (65536). I don’t believe that people would be truly random in their choice of base words, so I would assign fewer bits to this choice, but I’m not going to quibble about a few bits here and there.

The red box covers three “tricks”. Adding some punctuation and a numeral to the end of the password. Adding a numeral gives us roughly four bits of additional entropy, and punctuation gives us four. We get one additional bit by not knowing which comes first, the digit or the punctuation.
I didn’t put a box around the common substitutions and misspellings of changing something like Troubadour to Tr0b4dor; three additional bits seems about right.

When we add up all of the bits of entropy that this system uses we get 28-bits. Of course the system can be made more complex and may go up a few bits, but almost certainly at a great cost of memorability.

For those who recall some laws of logarithms, you now can see an additional benefit for using bits as our unit instead of numbers of possible outcomes: We can add the bits contributed by each choice instead of having to multiply the number of possibilities. It is very convenient to say that such-and-such adds X bits of entropy.

Now contrast this with using a sequence of random common words. It is absolutely crucial that the words be chosen in a truly random fashion. Here 11 bits are assigned to each word. That means that the list of common words used has 211 elements. That is, it is from a word list of 2048 words. This gives a more memorable password with 44 bits of entropy.

Cracking time

Depending on what sort of access the bad guys have, they can test from 1000 passwords per second to hundreds of thousands per second. For more information on how we slow this down, see the post on PBKDF2. Only you can decide how much effort someone will put into cracking your master password if they get hold of your data.

Using Diceware alone with five words (you know what I’m talking about because you read the earlier post) you will get 64 bits of entropy. If you add your own private scheme (say it contributes 10 bits) then you will have 74 bits of entropy, which would take about 500 million years to crack at one million guesses per second. Not everyone needs that kind of strength in a master password.

Of course if you do have Three Letter Agencies willing to spend hundreds of millions of dollars specifically on getting at your secrets, then you have problems bigger than what can be managed through software alone. Indeed, let me point you to another favorite xkcd comic.

[Updated: August 11 to correct my colorblindness error and spelling of Randall Munroe's name. — jpg]

47 replies
Newer Comments »
  1. Tommy
    Tommy says:

    Nice article Jeff. IMO it begs the question though: When will a password generator that uses this strategy be added to 1Password? Even though the software is such that you shouldn’t have to have memorizable passwords, it would still be nice.

    • Jeff
      Jeff says:

      Thanks Tommy.

      The post not so much begs to question of when we will put this in the Strong Password Generator, but it begs for the question to be asked in the comments.

      The answer is that it’s something we’ve been talking about, but have come to no firm decision. Thanks for letting us know it would be useful.

      Cheers,

      -j

    • Jeff
      Jeff says:

      Oops.

      I’m now going to grumble at the people I asked to look over this before posting, but we’ve all been unbelievably busy with the Safari 5.1 extension, so I guess I’ll just have to forgive them if they skimmed it.

      As should be obvious by now, I suffer from a form of colorblindness. And that pink still look green to me.

      Cheers,

      -j

    • brenty
      brenty says:

      lol Andy. I have no idea where that came from, but thank you for that! :)

      “It is not the spoon that bends, it is only yourself”.

  2. Chris Darling
    Chris Darling says:

    This issue is definitely a fascinating one. I especially enjoyed that cartoon. A picture is always an immediate way to explain something, be it an outcome, concept or a process. I was wondering however, what you though of Steve Gibson’s assertion (Podcast #303 – password haystacks: http://www.grc.com/sn/sn-303.txt) that though Entropy IS important, that password LENGHT is of far greater importance – that is, entropy is necessary, but within a given password “space” that a brute force attack take much, much, much longer with say a LONG padded password – one that a user could create and pad with a simple methodology? Wanted to hear your opinion. Thanks!

    • Jeff
      Jeff says:

      Hi Chris,

      I have enormous respect for Steve Gibson, but this isn’t the first time I’ve disagreed with him. His argument depends on the assumption that password cracking software is dumb. That is, that after checking a few common passwords it simply tries all possibilities with a of a given length. In other words, he is assuming that password cracking systems assume that passwords are truly random. Under such assumptions length would be the crucial factor.

      But we know that password cracking software isn’t dumb. And it gets smarter every day. Indeed, exactly the kinds of things illustrated in the first pane of the comic are included in modular “rule sets” for popular password crackers. Just as there are rule sets that perform the common substitution or add some numbers at the end, it would be easy to add rule sets that check for passwords based on Steve’s recommendations over at https://www.grc.com/haystack.htm

      Going back to Kerchoff’s principle, consider what would happen if a substantial portion of people started following Steve’s advice. Password crackers would quickly adjust. (Remember that the people actively working on password cracking have access to millions of stolen passwords to study.) Now suppose that a substantial number of people followed a diceware-like approach that I advocated earlier. These systems do no lose strength through the mere fact that attackers know we are using them.

      We can, in this case, turn Kerchoff’s Principle into a Kantian question. Does our advice remain good advice if everyone follows it? It’s not that I actually realistically expect the world to start following the kind of advice that I’ve given, but it still seems like it is a useful way to think about the quality of the advice.

      Cheers,

      -j

    • Ross
      Ross says:

      After reading this article and a lot of the other commentary on the XKCD, I wonder if it would actually be more true to say this: length is a better generator of entropy than any other mechanism of obfuscation. That is: the decision of which letters to capitalize or which letters to replace with l33t sp33k give you two or three bits of entropy, but simply slapping one more dictionary word onto the end of your phrase gives you 11 bits, and an all-lowercase truly random alphabetical sequence that is 10 characters long gives you about 50 bits of entropy, while an 8 character one that requires at least one each of upper, lower, number, and punctuation, is more like 42 bits.

      And also, length (in the absense of other constraints) has a markedly lower impact on memorability than the other kinds of obfuscation.

      Does that sound right?

      • Jeff
        Jeff says:

        Hi Ross,

        I think you are on the right track, but length matters of the elements are chosen at random. But if the elements are not chosen at random, then length doesn’t help. (Take another look at my coin flipping example in the article, which resulted in very long passwords.)

        When elements are chosen at random from an “alphabet” then the entropy will be proportional the length. Now what’s a little tricky to keep in mind here, is that for these calculations the length of “correct horse battery staple” is 4. That is we’ve strung together a four elements from an “alphabet” that contains 2048 elements. Because each element is chosen at random from a list of 2048 elements, it contributes 11 bits of entropy. Adding an additional word, would add another 11 bits.

        What makes these memorable is that each element (even though it is drawn from a long list) has meaning. People remember meanings, so by using familiar words, we just have meanings to remember.

        The diceware list that I talked about earlier has more elements (and are short words, but some are obscure) so we get a few more bits of entropy for each. Plus, the diceware scheme provides a really terrific mechanism to pick the words at random.

        But back to meaning and your question, random words are easy to remember than random character substitutions or random capitalizations. Because of this, people don’t actually add capitalization randomly.

        Cheers,

        -j

  3. Scott Jangro
    Scott Jangro says:

    What happens to the entropy when it becomes fairly common practice to use 4 (or 3 or 5) random common words as passwords?

    At that point, the people trying to break passwords aren’t doing it one character at a time, but one word at a time. How long does it take to go through every 4 word combination of the few thousand common words?

    • Jeff
      Jeff says:

      Scott, this is exactly the right question to ask!

      As I just responded to Chris, we need to ask ourselves how good is a system if everyone starts to use it. The system of four common words as illustrated in the comic provide 44 bits of entropy even if an attacker knows exactly what system you used. That is a whole lot better than typical passwords, but I’m not sure that I would consider 44 bits enough for a 1Password master password for those really anticipating a concerted effort at cracking.

      The advice I offer in my earlier post on the matter would give you about 74 bits of entropy, which should be plenty. Please take another look at the section of “Crack time” in my post above.

      Note that estimates crack time for schemes like what I’m suggesting already assume that the attacker knows what system you used. Most crack time testers on various websites, however, make the entirely unrealistic assumption that the password being tested was chosen at random.

      Cheers,

      -j

  4. Daniel
    Daniel says:

    This is a very interesting post. I love mathish stuff like this.

    How many bits do the strong passwords generated by 1Password have? It would depend on the parameters, I suppose, but given a “Random”, 50-character password with numbers, symbols, ambiguous characters, and repeats, that would be … what? 300 or so bits?

    That would take many many millennia to crack one of those babies. It would be quicker to point a gun in my face and ask (which is probably the MO for the TLAs).

    How would one take into account that you can have up to 10 digits in a 1Password-generated password, but you don’t know which characters are the digits?

    • Jeff
      Jeff says:

      Hi Daniel,

      If we set parameters for the strong password generator to zero digits and symbols, allow characters to repeat, and not to avoid ambiguous characters, then we have an alphabet of 52 characters. The number of possible results (we use a cryptographically strong random number generator for doing these) will be 56 to the Nth power, where N is the length. So the number of bits of entropy will be ln(56^N)/ln(2). (Recall that to calculate log base a of x is just ln(x)/ln(a), where “ln” is the natural logarithm.)

      So for your example, with N = 50, we get: 285 bits, which isn’t far from your guess of 300. I’m not going to do the years to crack calculation on that. I already know that 128 bits already is on the order of 10^30 times the age of the universe.

      Also, the random key that is encrypted by your master password is “only” 128 bits (again, gadzillions of times the age of the universe to crack), so there is no gain in having a master password (or really any password) stronger than that.

      I think some pictures that I took on a recent vacation illustrate that point:

      http://i.agilebits.com/blog/bear-proof.png

      I haven’t had time to sit down and do the math for the symbols and digits business. Knowing that there are exactly N symbols or M digits certainly takes away some entropy, while, as you correctly say, not knowing where they are adds some. I haven’t done the calculation, but my intuition is that it adds more entropy than it takes away. (Think of it like the common substitution trick.)

      Those particular features of the Strong Password Generator are designed for people using web sites that actually say “you must use 3 digits and 1 symbol in your password”. As such websites are, thankfully, becoming less common, we may take a different approach the next time we redesign the Strong Password Generator.

      Cheers,

      -j

  5. Lri
    Lri says:

    A Tr0oub4dor&3-style password would be more secure if the modifications were less predictable. For example three characters could be substituted with random printable ASCII characters (like tr}u?adGr).

    • Uncommon long-ish dictionary words: ~ 16 bits (like in XKCD)
    • Replacement characters: 95^3 (or (95-1)^3) ≈ 20 bits
      • One number, one capital letter and one special character: ~ 102633*3! ≈ 16 bits
    • Combinations of letters to be substituted (from a 9-letter word): comb(9, 3) = (987)/(3*2) ≈ 6 bits

    So about 40 bits, but the methodology could be even more unpredictable. In comparison 26^9 ≈ 42 bits and 95^9 ≈ 59 bits.

    • Lri
      Lri says:

      Whoever’s moderating the comments: the Markdown formatting for italics messed up some of the multiplications… And it should be Tr0ub4dor&3.

      • Jeff
        Jeff says:

        Hi Lri,

        I’m not sure what markdown issues you are talking about. But if you let me know more, I’ll see what I can do.

        The 8-bits of entropy that come from adding the “&3″ at the end are accounted for elsewhere. Where I mentioned “Tr0b4dor” I am only talking about the entropy added by common substations and misspellings. We shouldn’t count the “&3″ suffix twice. But I could have been clearer by referring to it as the transformation from “Troubadour&3″ to “Tr0ub4dor&3″.

        Thanks!

        -j

    • Jeff
      Jeff says:

      You are absolutely correct, Lri, that truly random substitution would make the Tr0oub4dor&3-style passwords much stronger. But it would also make them much harder to remember. Likewise, making some randomly chosen letter uppercase and throwing in the random digit and character added at a random location would add the entropy you describe.

      If you can manage all of this and really do the random parts randomly and then actually remember the password you create through such a system, more power to you. But given the difficultly of generation and memorability, I think you will see why that is not something I would be advising to our users.

      With diceware anyone who can download the list and has some dice can generate memorable, strong passwords.

      Cheers,

      -j

  6. Jeff
    Jeff says:

    Hi, Lri,

    Can you email me (jeff@agilebits.com) a screenshot or more detailed description illustrating the markdown issue?

    The 8-bits of entropy that come from adding the “&3″ at the end are accounted for elsewhere. Where I mentioned “Tr0b4dor” I am only talking about the entropy added by common substations and misspellings. We shouldn’t count the “&3″ suffix twice. But I could have been clearer by referring to it as the transformation from “Troubadour&3″ to “Tr0ub4dor&3″.

    Thanks!

    -j

  7. euresi ergasias
    euresi ergasias says:

    You should had included some entropy for the format a password may has such as the punctuation and number position, where the capitalization will be and the language a user might use different from English

    • Jeff
      Jeff says:

      Hi Euresi,

      There are plenty of other password generating schemes in addition to the one illustrated in the comic, but each would have a similar analysis. There are, of course, word lists available to crackers for a variety of languages.

      If people could actually pick a language at random (out of say the 6000 languages still around, plus a few documented extinct ones, and of course the ever popular Klingon and Elvish) that would add substantial entropy. But I think it is fair to assume that people won’t pick randomly. Someone who knows just a little bit about me use a Hungarian dictionary as well as an English one.

      In the very old days, I used passwords based on languages such as Chichewa, Chamorro, Dyirbal, Miwak, or Yip, but even these weren’t really chosen at “random” it’s just that I had a very good pool of relatively obscure languages to draw from.

      So while there are different password generating schemes, the trick is really getting randomness into them (while keeping them memorable). People can be very clever in what they do, but their cleverness is rarely random.

      Cheers,

      -j

  8. Alan
    Alan says:

    Loved the article. Making tough passwords has been something I’ve tried for a long time (being IT based and a geek to boot). Am interested in what you would classify a master password I created once. Details below (though not the password of course =0)

    It’s a 15 character alpha/numeric/symbolic password, with one numeric counter somewhere within to iterate through when the password needs changing. Letters are randomly capitalised. It is basically three random groups of five characters that I trained myself to touch type in quick succession, relying on the fact that muscle memory is often stronger than mental memory. I believe it is quite secure as I can type it, but not write it down if asked to. It also doesn’t require me to recall the word or password, just the numeric counter.

    It is also reliant on a specific layout of keyboard (as a number of the characters are in different places in other keyboard layouts.)

    As you note above, this is the geek edition and my post will doubtless confirm me as one, but I am interested in what you would consider this to be. =0)

    • Jeff
      Jeff says:

      Hi Alan,

      As I said in my earlier article, we are working toward better master passwords, and your scheme is certainly better than what the vast majority of people do. One thing to keep in mind though, is that if you have a counter in the password and an “old” one gets discovered in some place, then your current one is largely predictable from the compromised one. This is why we here at AgileBits advocate non-memorable, strong, and unique passwords which are stored in our password management system. If one gets compromised the others will be safe. Regular readers will know that they can’t really shut me up on the topic of password reuse.

      in this discussion I’ve been focusing on a master password, which should not be changed once a good one is selected. Again, this is discussed a bit more in the earlier blog post.

      I don’t mean to doubt your word, but if your capitalization pattern really is random, then you’ve done what few people can do when picking which letters to capitalize. Also, something like that will make the harder to remember and type.

      Again, your scheme is better than the majority of actual password schemes that most people use (e.g., “123456”), so I don’t think that you have anything to worry about. But again it doesn’t really pass the test of “what if everyone followed that scheme and password crackers adapted to it.”

      Cheers,

      -j

      .

  9. Ralph Schaefer
    Ralph Schaefer says:

    Very good! My only concern is that, while I have my own system that generates ‘strong’ passwords, I am limited by that fact that most of the systems I use only allow 8 characters for the password. In fact, my last employer, in an attempt to encourage good passwords, had such strict rules that it actually made it easy for me to guess my colleagues passwords in only 3 or 4 tries. The first character had to be a capital letter, one of only three symbols could be used: @, #, or $; at least one number and no repeating characters. Even after I explained how this actually weakened the passwords, they refused to believe me or change the policy.

    • Jeff
      Jeff says:

      Ouch!

      You’ve described an extreme example of what happens when people put together policies without actually understanding the reasons behind certain security advice.

      Cheers,

      -j

  10. Parrotlover77
    Parrotlover77 says:

    The comic assumes that the service being attacked does not have an account lockout/throttling policy. You can set up a very relaxed policy and change the outcome by orders of magnitude. For example, what if you limited it to one authentication attempt per account per second? No human will ever go over that limit, but that means that the password cracking example goes from 3 days to 3000 days. Just like that.

    Developers need to consider lockout policies and authentication limits more often. Microsoft already does this. Ever type a bad password into Windows? It pauses for upwards of five seconds. That’s not authenticatoin protocol latency. That’s a deliberate hard-coded tarpit time for a bad password attempt.

    All that said, I absolutely agree that longer passwords made from words/phrases are better than character substitution passwords. I do a combination of both, personally. Because, why not? I just don’t go overboard on the character substitution. For example, capitalize horse, and add a 3 at the end. Now it passes old complexity systems and adds orders of magnitude of security to an already secure password.

    • Jeff
      Jeff says:

      You are absolutely right about lock-out policies. Four digit codes (10 bits of entropy) work reasonably well for automated teller machines precisely because after a few failures access gets locked.

      But let me provide some context for this post. I am really focusing on the choice of master password for 1Password, our password management product. Here we are looking at protecting highly valuable data in the event that someone captures a user’s 1Password database, either through the theft of a computer or a breach of a cloud syncing service.

      The kinds of passwords that people need differ on based on the circumstances. I don’t read too much into the 1000 guesses per second figure from the comic. If the encrypted passwords of a system get captured, then we can get 100s of thousands of guesses per second if something like PBKDF2, bcrypt, or scrypt aren’t used.

      So while I was primarily addressing users of 1Password about the selection of their master password, the points made here apply to other high value passwords, subject to off-line attacks, that an individual must remember. But you are, indeed, correct about the need for well thought out lockout and throttling policies.

      Cheers,

      -j

  11. George Flanagin
    George Flanagin says:

    I agree with most of what is said here. The weak links in any password creation system involving the user’s wetware are [1] the decrease in entropy caused by the limited number of things the user can think of at any one time, and [2] the degree to which the user imprints his view of the world on the password, and makes it much more vulnerable to social engineering.

    I posted a (hopefully) helpful follow up.

    • Jeff
      Jeff says:

      Hi George,

      I love well commented code! We, of course, recommend the Strong Password Generator built within 1Password. But I note that your utility has the ability to take pick a word from a list, which our generator currently lacks.

      One caution I would make to anyone who wants to use your program to help generate important, strong passwords is that your randomization mechanism is not up to cryptographic standards. I understand that it wasn’t aimed to be, but I just wanted to flag that for those reading this discussion. Using random() and seeding it with time(0) is fine in code demonstrating other concepts, but it’s a no-no in actual security products.

      Of course I completely agree that the easiest way to get someone’s password is to ask them for it (social engineering).

      Again, thanks.

      -j

  12. Sander
    Sander says:

    This is interesting stuff. I recall a class during my college years about calculating information density which was also done in bits. The context was data compression but the principles are the same. Always nice when things from yesteryear (somewhere in the 80s) bubble back to the surface.

    I like the way you point out that ‘hard’ passwords don’t have to be gibberish and may even be easy to remember. The thing is that it’s still hard to remember more than just a few of those easy to remember passwords. I mean are you going to memorize different passwords for gmail, amazon, etrade and your bank plus 10 more? Not likely. So you end up using a password manager of some sort. At that time you could decide to forgo word based passwords and go completely random. Secure your password manager with an easy to remember but hard to guess password like what you’re describing above.

    Anyway, you all recognize this of course. Passwords security is more complex than most ‘normal’ people realize. Pick a secure password and re-use it all over the place and you’re at the mercy of -their- security to keep all your accounts safe. I admit that despite having a pretty long CS and IT background I still learn new security tricks regularly. This article being one of them. What I try to do is put the pieces together and update my security ‘protocols’ (sounds 24 like but what other word to use?) as needed. In fact I think my keepass passwords could be more secure so I’ll do that right away.

    One of the things that worries me a bit is how passwords are stored on various sites I visit. I don’t care too much about some kid getting access to a car forum under my name. I do care about him seeing what password and email address I used and learning perhaps how I construct my passwords. This is another reason why substituting @ for ‘a’ doesn’t add as many bits of complexity as it seems. You’ll most likely always apply the same transform so once they learn what that is you’ve lost 1 or more bits per character right there. Another argument for random passwords for every account you have. Not necessarily very long ones but completely unrelated.

    Thanks for posting.

    • Sander
      Sander says:

      Oh, I see now that you -sell- a password manager :) Clearly you understand the value of those then. If anything it shows the value of your article because you didn’t sneak in advise to buy your product :)

    • Jeff
      Jeff says:

      Hi Sander,

      As you’ve since noticed, we are in the business of fighting password reuse though our password management system, 1Password. The idea is to have strong and unique passwords everywhere which you don’t have to remember. Because humans don’t have to remember them, they can truly be random. Your password management system remembers them for you.

      With the Strong Password Generator within 1Password (and I’m sure that many competing products have similar tools) and its integration with the web browser, it’s not just that I don’t have to remember these passwords, but I’ve never even seen most of mine.

      We’ve posted about the problem of password reuse here a great deal. Indeed, I think some of our regular readers would wish that I’d shut up about it. We have a post on password resue also sparked by an xkcd comic, as well as some more recent posts on the topic and tips for identifying and updating such passwords.

      So yes. Three cheers for random, unique passwords that no human needs to remember!

      Thanks!

      -j

  13. Ross
    Ross says:

    WookieS.WildlY.WavinG.WombatS
    Do something like that. At least one word that doesn’t exist in many dictionaries, pattern-based capitalization, and words delimited by a random character. The sentence makes at least some sense, which should make it fairly easy to remember…

    Granted social engineering is a far greater threat than password crackers (yum) these days…

    • Jeff
      Jeff says:

      Hi Ross,

      That does look fun. There are a number of schemes that have their merits, but keep in mind that an with an English sentence (after you get past the first few letters) adds about 1.3 bits of entropy for each additional character of English text Using fake word and adding unusual capitalization (though far from random) certainly helps. So will the fact that your passphrase really isn’t a sample of ordinary English text to begin with, but still these aren’t as strong as people may think they are.

      You are also correct that the easiest way to discover someone’s password is to ask them for it. Well that and sit around a coffee shop with free WiFi. But I was focusing on helping people come up with good master passwords for 1Password, master passwords that will withstand a concerted off line attack if someone’s 1Password data does get stolen.

      Cheers,

      -j

  14. Don Lucas
    Don Lucas says:

    Hi Jeff -

    The easiest to remember passwords that I ever used were automatically generated by a DEC VAX 11/750 minicomputer circa 1985-1988. Whenever the VMS operating system wanted you to change your password, it asked how many characters you wanted in your password, then started displaying password suggestions of approximately that length generated similarly to how you suggest, but it did not use words found in a dictionary. Instead, it simply concatenated “made up” syllables of 2-4 characters that met the simple requirement that they be pronouncable, as determined by some undocumented algorithm. It would display, say, 5 possible choices at a time and wait for you to type in the one that you selected (or type in a modified password).

    As much as I liked this method, I always worried about 2 things: 1) how good was its pseudo random number generator (i.e., did it offer the same list of possible passwords to everyone? Did it remember which random numbers it had already used so that it didn’t repeat any of the made up passwords for anyone else?) and 2) if someone knew or could figure out which pseudo random number generated the last password, could it be programmed to start with that number over again and thus reproduce the same list?

    At any rate, I have always wondered whatever happened to that program as it produced passwords that were very easy to remember while still being mostly just random letters. Since you appear to be very involved with this technology, are you aware of this program or know whatever happended to it? It appears to have dropped off the face of the earth!

    Thanks for writing an interesting article!

    • Jeff
      Jeff says:

      Hi Don,

      Randomly generated pronounceable passwords are one approach, and it’s a method that certainly has its place. Indeed, we include this within our own Strong Password Generator built into 1Password.

      But because the number of possible syllables that are drawn from are fewer than the number of words in a language, you would have to make your password many syllables long to get the kind of strength we get from picking words at random.

      You are absolutely correct that the quality of the random number generator behind these generation schemes is crucial. We’ve had a great discussion thread in our forums on where our random numbers come from. I’m not familiar with details of the particular tool you mentioned, but really it was only in the mid 90s that we started seeing common utilities use cryptographically appropriate random number generation schemes. So I would guess that it had a poor psuedo-random number generator.

      Of course there is always this alternative from http://xkcd.com/221/

      I think I’ve used the tool that you refer to, but I’m an old Unix guy, and figured that the only VMS I needed was how to shut it down so that I could install BSD Unix on the VAX. (I now need to duck, so that Marty, our old VMS guy doesn’t clobber me.)

      Cheers,

      -j

  15. Tim Windsor
    Tim Windsor says:

    Quick question:

    1Password can accept spaces in its master password. Given that, is the passphrase more or less secure with the spaces?

    In other words, is a very-long compound word (correcthorsebatterystaple) more or less secure (as it will not be in a dictionary list) than “correct horse battery staple” (which contains four common discrete words)?

    • Jeff
      Jeff says:

      Hi Tim,

      As you will learn, even a quick question doesn’t have a simple answer. In cases like this having or not having the spaces makes little difference with respect to password crackers. But I think that adding the spaces makes them easier to type and remember.

      There is one circumstance, which probably doesn’t apply to many of our users, where adding spaces can be a weakness. This is because when typing a password (or anything else) hitting the space bar makes a distinctive sound. Thus someone who was making the effort (and had practiced in this sort of thing) could learn after a few repetition where there are spaces in your master password if they could listen to you type it in. Knowing where the spaces are means that someone could then figure out the length of each word, and so reduce the search space dramatically. So if you share an work space with an evil colleague who might try to crack your master password then maybe you would do better without the spaces. Otherwise, leave them in.

      That kind of threat isn’t something that most people have to deal with. I personally use spaces in my master password.

      Cheers,

      -j

Newer Comments »

Comments are closed.