What Makes a Good Password?
Passwords are difficult for humans to remember and trivial for computers to break. The XKCD comic Password Strength describes it perfectly. That’s it. That is the blog post.
Well, maybe not…
The main thing to understand is that complexity is not enough: length matters too. For example, “1w&y.S6u” is eight characters long (the minimum length in the NIST guidelines) and has special characters, upper and lower case letters, and numbers. It scored 92% on The Password Meter. However, according to How secure is my password?, it can be broken in two days. Therefore, it is a bad password. And there is no chance anyone can remember it!
Four random common words, such as “correct horse battery staple”, score 40% and would take 15 octillion years to crack by brute force. Is this better? Probably. However, this format has its issues, as described in the paper Correct horse battery staple: Exploring the usability of system-assigned passphrases. Are you really going to use the same password (or passphrase) for all the sites and systems you use? How many do you need to remember? Therefore, that’s not of much use either.
So, what’s a strong password?
A long random string of upper and lower case letters and symbols, more than 13 characters long (at the time of writing; check the current guidance). I use pwgen, which generates things like “Ahy~an0vooCaireique!zeeTaod5thob9se5a”. Of course, no one is ever going to remember something like this, much less a few dozen of them, one password per site.
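As an added worked example (not code from the original post), here is the “length beats complexity” argument run over the three strings quoted above. The character-class sizes, the 2048-word dictionary (the XKCD assumption) and the 10^10 guesses per second rate are my assumptions, not figures from the post or from the meters it cites.

```python
import math
import string

# Character classes an attacker is assumed to search once they know one member
# of the class appears. Sizes follow a standard US keyboard (assumption):
# 26 lower, 26 upper, 10 digits, 32 punctuation marks plus the space.
CLASSES = (
    set(string.ascii_lowercase),
    set(string.ascii_uppercase),
    set(string.digits),
    set(string.punctuation + " "),
)


def alphabet_size(secret: str) -> int:
    """Size of the union of every character class that appears in secret."""
    return sum(len(cls) for cls in CLASSES if any(c in cls for c in secret))


def brute_force_bits(secret: str) -> float:
    """Bits of entropy when the attacker must try every string of this length
    over the inferred alphabet (what online 'crack time' meters model)."""
    return len(secret) * math.log2(alphabet_size(secret))


def wordlist_bits(words: int, wordlist_size: int) -> float:
    """Bits of entropy when the attacker knows the passphrase is `words`
    random entries drawn from a list of `wordlist_size` words."""
    return words * math.log2(wordlist_size)


def years_to_crack(bits: float, guesses_per_second: float = 1e10) -> float:
    """Expected years to hit the secret after searching half the space.
    The guess rate is an assumption (an offline attack on a fast hash)."""
    return 2 ** (bits - 1) / guesses_per_second / (365.25 * 24 * 3600)


def report(secret: str, label: str) -> None:
    bits = brute_force_bits(secret)
    print(f"{label:<11} {len(secret):>2} chars  {bits:6.1f} bits  "
          f"{years_to_crack(bits):.2e} years")


if __name__ == "__main__":
    report("1w&y.S6u", "complex")                                 # ~52.6 bits
    report("correct horse battery staple", "passphrase")          # ~164.7 bits
    report("Ahy~an0vooCaireique!zeeTaod5thob9se5a", "pwgen")      # ~243.1 bits
    # If the attacker knows it is four words from a 2048-word list, the
    # passphrase is bounded by the dictionary, not by character brute force.
    print(f"passphrase, dictionary model: {wordlist_bits(4, 2048):.1f} bits, "
          f"{years_to_crack(wordlist_bits(4, 2048)):.2e} years")
```

The last line is the caveat behind “Is this better? Probably”: against an attacker who guesses whole dictionary words, four common words carry less entropy than the eight random characters, which is why the post moves on to long random strings kept in a manager.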
This is where password managers come into the picture. I use The Standard Unix Password Manager, which is really secure but not user-friendly. How do you look for a good one in the sea of offerings? First and foremost, it is about who controls the encryption key. If it is them, it is not secure. If it is you, it could be secure. There will be another blog post about this; please look out for it.
You still need a master passphrase (not a password) to unlock it. So, how do you choose it? A sentence from a poem, a story, or a song lyric can do wonders. Just add some punctuation and a symbol. You should be able to remember it, and it will be difficult for computers to guess. For example, “I see a red door and I want to paint it black” can be modified to read “I C a #f00 door, and I want to paint it #000”.
However, remember that the strength of your password or passphrase does not matter if it is leaked in a data breach, a keystroke logger records it, or you fall for a phishing email.
Or you could go passwordless… 😱
- Part 1, what is a strong password?
- Part 2, how to choose a password manager?
- Part 3, how to keep MFA backup tokens, is upcoming