Somehow in all the posts I’ve written about 2FA and other security concerns, I have not really spent much time talking about passwords themselves, except to say that I believe in password managers and use LastPass 1Password.
The question of what makes a strong password is always a tricky one, as infosec professionals tend to divide themselves between those that subscribe to XKCD’s policy that raw password length is more important than composition, and those that keep insisting that dictionary attacks are the only thing worth protecting against, with some gradation between these two positions. I would say that in this case, the correct answer is somewhere in between.
There are indeed too many ways for a simple password to become just too easy. A password that is required to contain only numbers (effectively, a PIN) is bad not only because of the small number of possible combinations, but also because humans will tend towards something they can memorize easily… a date. Or, if they are mathematicians, physicists, chemists, or spent enough time in one of those disciplines, they’ll end up using one of the important constants.
Similarly, if only letters are allowed, lots of people will go for names, or nouns, or in general what we call “dictionary words” (which is confusing for a Scrabble player, because proper names are not considered part of the dictionary there). And once you ask for both letters and numbers, you just end up with leetspeak, which is pretty much a simple translation layer on top of the dictionary, which may extend the entropy a little bit, but not really in a significant way.
Effectively, the password composition rules, probably designed to stop people from using dictionary passwords, just slightly increased the size of the dictionary, but not really the safety of those passwords. Which is why almost everybody was very happy when NIST dropped the composition rules in their recommendations.
And as the Naked Security article points out, the recommendation focused a lot on the length of passwords. Because a longer password is a stronger password, if it’s not in the dictionary. And an easy way for it not to be in the dictionary is following XKCD’s approach and using a set of words, instead of a password. This is unfortunately not as scalable as we would like, as too many websites refuse strong passwords.
So what you need is to maximise the entropy extracted from your memorable passphrase so that it fits within the rules of the various websites. One tool for this is SuperGenPass, which I used to use myself. It applies a derivation function on top of the passphrase and the website domain to generate a new variable-length password. It sounds cooler than it is, because unless you also keep a mapping between equivalent domains, and you keep in mind which website still has composition rules that require symbols and which don’t, and the length of the passwords for each, you have now augmented your memorable passphrase with a constellation of parameters that are nearly impossible to remember. Including how many times the password was compromised.
On the other hand, SuperGenPass is still a better option than what Manuel Blum (of CAPTCHA fame) tried to suggest to people during the last ENIGMA conference. Blum’s suggested method is, supposedly, a way to mentally apply a formula that collapses a “master password” and the name of a given site into a string of letters and numbers that can be used as a password. Most of the people in the know at the conference have been openly disagreeing with this option being even remotely friendly to users, not just for the requirement of being able to perform complex mental arithmetic (which I’m not fond of myself either, to be clear) but also because it does not solve any of the actual issues with memorizing passwords.
In particular, Blum’s method ends up generating passwords that are relatively short, bringing them within the reach of non-dictionary bruteforce attacks. They also do not solve the memory problem, because in addition to the master password and the formula, you would have to know the length of the password expected by each site. And in addition to that you need to have a “generation” number to use when the password gets invalidated (and the site refuses to let you keep or re-use the old password). It effectively only solves one issue: the fact that once your password is leaked, it’s very hard (if at all possible) to figure out the master password and thus compromise another website.
I’ll also add that I find Blum’s theatricals annoying. In the talk he goes on to say that when he’s asked for the password of a website like REI, he can say he does not remember whether he had an account with that website, but if he did, he can tell what the password is. This obviously can’t be true, given the limitations I listed above: you’d have to know the length of the password, and you would have to know the “generation” of it, if you have ever burnt through any because of compromised passwords.
Okay, so SuperGenPass and Blum’s methods are both useless. I have already said that my personal preference is to use LastPass (but you can use whichever password manager you want), and have it generate random passwords that are long enough, so that they can’t be bruteforced. You don’t have to remember a 40-character password for each website, you just need a strong, long, memorable password for your manager, and from there, you can just have the new password stored in encrypted form. No derivation function, no need to remember how many times you changed the password for a given site: in case of compromise, just go and generate a new 40-character password.
But all of this just pushes the problem around, as the password manager, your system and some high-value accounts now need strong, long, memorable passwords, or even better passphrases. Your password manager, because that’s what protects every other password you have. Your system, because you log in to it so many times a day (don’t you?) that you need something you can remember rather than something you can store. And valuable accounts, because some of them are too important to store in a single point of failure such as a password manager (my personal Google account password is not stored in LastPass — which is why I can actually trust it to unlock access to my LastPass account when I’m in countries I have not visited before).
This brings me to my personal suggestions on how to make such a memorable password in the first place. I don’t think you can do so with mental algorithms, or with a long word association game like Randall Munroe thinks — I never can remember the order of the four words in his example. I can tell you that’s the case because one of the throwaway accounts I shared with people used that as password, and I always had to look up xkcd for it. Oh and by the way, don’t ever use that string for a password for Internet-accessible services, because it’s high-up in the dictionaries of common passwords, together with love, sex, secret and god.
Instead, I like the option that my high school computer science teacher provided us with. Take a memorable quote, and mangle it, in a memorable way. His example, in Italian, would be to take the first line of a famous poem by Giacomo Leopardi (La donzelletta vien dalla campagna), replace one word with a nonsense one, and another with an alternative, but similar-sounding word (La donzellotta vien dalla montagna — replacing “countryside” with “mountain”). This works well for a number of uses, and I have indeed been using it in various forms for many years, when long passphrases are needed.
You can extend this not only to poetry, but to quotes from movies or lines from songs. Even an unmodified phrase, such as the title of a book, can be much stronger than your average password, particularly if the book is not extremely famous and its title long. Even if there was a dictionary of book titles to go through, there are significantly more combinations of those that can be used than just single words. The best thing, though, is to just mutate the title, quote or line in such a way that it’s not obvious. This also prevents an unexpected information leakage if you start whistling the song to yourself as you log in to the system.
For instance, if you take Monty Python’s famous song, you can take the line
Always look at the bright side of life
This by itself, if looking at mindless bruteforce, is a fairly strong passphrase. Indeed a random online calculator of password “search space” (that at first sight appears to not spew nonsense, so I thought it made sense linking to it) reports the search space as 2.10×10^73 combinations. I actually think they are lowballing it, as they assume that you only need to search the space of the characters you’re composing from, but adding a digit to the passphrase does not extend its strength.
It’s the fact that you can use digits, that increases the number of combinations that brute forcing needs to go through. There is a caveat that if you don’t use numbers, your password will fall into a simpler search space, but that requires the attacker to either settle for a smaller search space to begin with, or target you and know you’re not using numbers. And in that case, shoulder-surfing is still probably easier.
As the website I linked shows, though, this number does not actually represent a password strength by itself. In addition to the fact that these are all normal English words, this is a phrase that can be found not only as a song title, or as a song line, but also as a common phrase in use. If an attacker is bruteforcing strong passphrases, a list of commonly used phrases would be the first part of a dictionary attack to use.
So what if you mutate some of the words?
Sometimes look at the dark side of death
This phrase is actually longer than the other, and the search space is reported as 1.52×10^77. But it truly is not that much more complicated than the other if the attacker is focusing on strong passwords. Indeed, you’re just replacing some of the words with either their antonyms, or with similar adverbs. Replacing “Always” with “Never”, “Sometimes”, “Often”, and so on means that the brute forcing just needs to go and mutate some of the words separately with a list. It’s the passphrase equivalent of replacing ‘l’ with ‘1’ and ‘t’ with ‘7’. If “password” is the first dictionary word tried, “p4s5w0rd” is not far down the list either.
Always look at the bright grail of Brian
This phrase has the same search space, but here you’re not replacing words with antonyms; rather, you’re mashing up a famous Monty Python song with the title of the movie it came in and another effectively unrelated movie. You can still sing it to yourself in your head to the same tune, while at the same time it makes it nearly impossible for a mutating algorithm to think of doing it.
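The gap between the two ways of counting can be made concrete. This is an added example, not code from the original post or from the linked calculator: it assumes the calculator counts every string up to the passphrase’s length over the character classes in use (26 lowercase, 26 uppercase, 10 digits, 33 symbols including space), and it compares that figure with the handful of candidates a per-word swap of a known phrase produces. The known phrase and swap lists are constructed sample data.

```python
import math
import string

# Assumed character classes for the blind brute-force model.
CLASSES = [
    set(string.ascii_lowercase),
    set(string.ascii_uppercase),
    set(string.digits),
    set(string.punctuation + " "),   # 32 punctuation marks + space = 33
]

def brute_force_space(passphrase):
    """Count every string of length 1..n over the classes the passphrase uses."""
    alphabet = sum(len(cls) for cls in CLASSES
                   if any(ch in cls for ch in passphrase))
    return sum(alphabet ** k for k in range(1, len(passphrase) + 1))

# Constructed sample data: one well-known phrase and short per-word swap
# lists (antonyms, similar adverbs) of the kind described above.
KNOWN_PHRASE = "Always look at the bright side of life"
SWAPS = {
    "Always": ["Never", "Sometimes", "Often"],
    "bright": ["dark"],
    "life": ["death"],
}

def swap_variants(base, swaps):
    """How many phrases exist if each word may be swapped independently."""
    return math.prod(1 + len(swaps.get(word, [])) for word in base.split())

def reachable(candidate, base, swaps):
    """True if candidate is the base phrase with words taken only from the swap lists."""
    b, c = base.split(), candidate.split()
    return len(b) == len(c) and all(
        x == y or y in swaps.get(x, []) for x, y in zip(b, c))

if __name__ == "__main__":
    for phrase in (KNOWN_PHRASE,
                   "Sometimes look at the dark side of death",
                   "Always look at the bright grail of Brian"):
        print(f"{phrase!r}: brute force {brute_force_space(phrase):.2e}, "
              f"word-swap of known phrase: {reachable(phrase, KNOWN_PHRASE, SWAPS)}")
    print("variants per known phrase:", swap_variants(KNOWN_PHRASE, SWAPS))
```

The antonym version shows a larger brute-force figure than the original line, yet it is one of only 16 variants of a phrase an attacker would already have on a list; the mash-up has the same brute-force figure and is not among them.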
See, here is the trick for safe, strong, and memorable passwords: creativity. Because computers don’t have creativity and so they can’t figure out your passphrase that easily.
It gets even better if the passphrase is in a different language than the site it’s for. Even better, if the passphrase itself is actually composed in one language, but typed in another, with a 1:1 substitution of words that do not build a sensible phrase:
Sempre guarda a il splendente graal di Brian
The hard part with these two suggestions is that if you go too over the top with the substitutions, you end up not memorizing your passphrase, and that makes things… complicated. But that’s really up to you to be careful with, and there’s no hard and fast rule to help you in that context.