Continuing with the security-related posts for this month, today I’ll show you how to create strong passwords that are easy to remember. I’ve been using this technique for years now, and the passwords I use are my “best” passwords to date. I’ve written before about how it’s counterproductive to ask your employees to change their passwords regularly.
Measuring the Strength (Entropy) of Passwords
Password strength is not a subjective quantity. It’s measured in bits of entropy.
Specifically, if we select our characters from the English alphabet and common symbols, we get around 72 unique symbols, including punctuation, the ampersand (&), the hash (#), and so on.
The number of bits required to represent 72 symbols is simply:
log2(72) = 6.17 bits
So let’s say you have a password like this: AoE^Xo$L88qM
The total entropy (the number of bits required to represent the password) is:
6.17 x 12 = 74 bits of entropy.
This is assuming a purely random distribution of letters and characters. I generated the above password by using a random password generator, so there are no “patterns” in it. When normal people think of so-called “random” passwords, they typically tend to place certain letters together. This reduces the password entropy considerably.
Truly Random Passwords are Not Easy to Remember
Consider the password I just used: AoE^Xo$L88qM. You’re not going to remember that! The challenge is to create high entropy passwords that are not a meaningless jumble of characters.
It’s critical here to remember that you should never generate the password out of your own head. I’ve mentioned it before, but human beings are simply not good at randomly generating strings. Even if you try, a computer can tell the difference between a human-generated “random” string and a truly random one a high percentage of the time.
Using Diceware – A Powerful Technique
We see from this formula:
Password strength = log2(A) x B bits
A = Number of symbols to choose from
B = Number of characters in the password
that there are two ways to increase the password entropy: increase A, or increase B. Most people choose to increase B. That’s why many sites have minimum password lengths.
Alternatively, we can choose to increase “A” instead. We have a limited number of symbols, but we can work around this by creating a list of words that act as symbols. This is the standard list that’s used to create diceware passwords.
Roll a Die 5 Times for Each Word
In this list, each word is chosen by rolling a die 5 times. Write down the sequence (42664, for example) and find the corresponding word on the list. For the above sequence of dice rolls, the word is “mph”, as shown here:
These days, based on current computing capability, you need at least 6 words to form a strong password. Repeating the process 5 more times, I get:
Putting it together, our password is:
mph wife pureness neglector basis dumpling
That’s weird! But with a creative imagination, you can think of some scenario involving your wife’s pureness, like a dumpling, or whatever! And once you think of it often enough, its very ridiculousness makes it easy to remember.
There’s even an xkcd strip referencing this principle!
Calculating the Entropy of the Above Password
For this, I’m going to assume that our attacker has the word list! Assuming the attackers know that we chose the above password from the publicly available list, the entropy of the phrase becomes:
Password strength = log2(7776) x 6 = 77.55 bits
Each word on the list is a “symbol” or “character” that we choose from. And there are six words, so our password has only 6 characters! But as you can see, this is 3 bits higher than the initial random password generated at the beginning of the article. And a lot more memorable!
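As an added example (not the post’s own code), here is the whole procedure in Python, from the five dice rolls per word to the entropy figures above: it parses a list in the standard diceware layout, rolls the dice with the `secrets` module standing in for physical dice (an assumption of this example), and evaluates the post’s formula for each of the three passwords discussed. The word-list excerpt and the placeholder full list are constructed for the example.

```python
import math
import secrets
from itertools import product

# Constructed excerpt in the standard diceware list layout: "<5 dice digits><tab><word>".
# The real list has 6**5 = 7776 entries; 42664 -> mph is the entry the post walks through.
SAMPLE_LIST = "11111\ta\n11112\ta&p\n42664\tmph\n66666\t@\n"

def parse_wordlist(text):
    """Map each 5-digit dice key (digits 1-6 only) to its word; reject malformed keys."""
    table = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, word = line.split(maxsplit=1)
        if len(key) != 5 or any(c not in "123456" for c in key):
            raise ValueError(f"bad dice key: {key!r}")
        table[key] = word
    return table

def roll_key(rolls=5):
    """Five rolls of a fair die. secrets (a CSPRNG) stands in for physical dice here, an
    assumption of this example; never use random.random() for this."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(rolls))

def passphrase(table, words=6):
    """Draw `words` keys and look each one up; the table must hold all 7776 keys."""
    return " ".join(table[roll_key()] for _ in range(words))

def entropy_bits(alphabet_size, length):
    """The post's formula, log2(A) x B. It holds only when every symbol is drawn
    uniformly and independently, which is why the dice (not your head) must choose."""
    return math.log2(alphabet_size) * length

def synthetic_full_list():
    """Placeholder stand-in for the full 7776-entry list, constructed for this example."""
    return {"".join(k): "w" + "".join(k) for k in product("123456", repeat=5)}

if __name__ == "__main__":
    print(parse_wordlist(SAMPLE_LIST)["42664"])   # mph
    print(round(entropy_bits(72, 12), 2))          # 74.04  random 12-char password
    print(round(entropy_bits(7776, 6), 2))         # 77.55  six diceware words
    print(round(entropy_bits(26, 42), 1))          # 197.4  attacker unaware of diceware
    print(passphrase(synthetic_full_list()))
```

Swap `synthetic_full_list()` for `parse_wordlist(open("diceware.wordlist.asc").read())` on the real list to get usable passphrases.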
Attacker Doesn’t Know We Used Diceware
In reality, there’s no way for our attacker to know that we used diceware to generate our password. So they’ll think we’ve just randomly selected characters. In which case, the entropy becomes a lot higher. Specifically:
Password strength = log2(26) x 42 = 197.4 bits
That is an insanely high entropy. Something that a supercomputer would take trillions of years to crack. Even if it optimized its algorithm to detect common words, the strength wouldn’t go down by that much. The strength of this password is far, far higher than anything you could randomly imagine.
But Be Sure to Roll the Dice!
Don’t think you can get away with just picking six words from the list yourself. You cannot choose randomly, so forget about it. Generating high entropy requires work, a fact closely related to the second law of thermodynamics. So roll the dice, and enjoy your high security password that’s easy to remember!
I’m a NameHero team member, and an expert on WordPress and web hosting. I’ve been in this industry since 2008. I’ve also developed apps on Android and have written extensive tutorials on managing Linux servers. You can contact me on my website WP-Tweaks.com!