Never have secure account passwords been more important, yet never have they been harder for humans to remember. Think of all of the times you have had to make a password that had a certain number of special characters, numbers, upper case, lower case, DNA samples, and a map to the One Ring. We’re all creatures of habit; I would bet money you put your upper case letter at the beginning of the dictionary words you used, replaced a couple of letters with typical numbers or special characters (@ for a, 3 for e, etc), and maybe finished it up with some numbers (like a special year) and punctuation. If I figured you out, don’t feel bad. Everybody does this. Recognizing that we have a problem is the first step. Previously, I discussed the benefits of using different passwords on each account, password management software, and taking advantage of two-factor authentication. Now, let’s delve into how to make a secure password that you can remember.
Normally using a dictionary word in a password is a big no-no, but what if you use more than one? If you add enough characters to a password, you’ll add entropy; everything seemingly more chaotic. Stringing multiple dictionary words together turns our password into a passphrase, but the problem is that it’s still predictable. Our goal should be as much entropy as possible, so a good passphrase should only use completely unrelated words chosen at random. We could use lots of different ways to randomly pick those words, but dice are always a solid choice. You can raid pick some up at the toy store, raid your board games, steal from a D&D nerd, or go overkill with some casino dice; regardless you’ll want five of the good old-fashioned six-sided dice. Do not use anything computer-based. Despite what you think, computers do not generate random numbers very well.
- First, roll the five dice and write down the numbers on each of the dice as you see them. It should look something like this:
1 4 3 6 3
- Roll them again for each word you want to generate. Here, I’ll generate a six-word passphrase:
1 4 3 6 3
2 3 3 2 1
5 5 4 6 2
3 4 2 2 1
6 4 4 5 3
2 3 5 1 6
- Next, compare them against a 7776-word list like this classic list first posted to *sci.crypt* by Peter Kwangjun Suk. For extra credit, search the internet for other word lists. Consider one in an alternative language, if you’re comfortable with it.
1 4 3 6 3 - blond
2 3 3 2 1 - doze
5 5 4 6 2 - steele
3 4 2 2 1 - irish
6 4 4 5 3 - write
2 3 5 1 6 - dry
- That’s it! In about five minutes time, we built a 28-character passphrase (blond doze steele irish white dry) that’s fairly random and easy to remember. That’s right, the spaces count. Want more easy entropy? Make every **d** a capital letter. Make every **i** an exclamation point. Roll five dice and put the result between the words like a PIN (blond4 doze2 steele6 irish6 white1 dry). You get the idea.
The beauty of diceware is that it is fast, portable, reliably entropic, and most importantly: memorable.
How Many Words?
That’s the big question. Back in 1995, diceware creator Arnold Reinhold considered five words the minimum length for typical users. While challenging, an organization with a suitable number of number-crunching machines could still crack this today. As of 2014, Reinhold began recommending six word passphrases as the new minimum. It is believed that this will protect against all but the most determined governmental agencies. Seven or more words should be reasonably secure until at least 2030. As always, plan according to your assessed threats and tolerance for risk. Joey Accountant and Bashar Political Dissident have very different needs for securing their Twitter accounts.
Man, That’s Still Too Much Work
Don’t like rolling your own dice and searching word lists? Want to support an enterprising sixth-grader with better password security practices than you? Mani Amini at dicewarepasswords.com will generate one for you and mail the only hard copy right to your address for only $2.00.
You can learn even more at this handsome classic web site.