Generate Memorizable Passphrases That Even the NSA Can't Guess

HughPickens.com writes Micah Lee writes at The Intercept that coming up with a good passphrase by just thinking of one is incredibly hard, and if your adversary really is capable of one trillion guesses per second, you'll probably do a bad job of it. It turns out humans are a species of patterns, and they are incapable of doing anything in a truly random fashion. But there is a method for generating passphrases that are both impossible for even the most powerful attackers to guess, yet very possible for humans to memorize. First, grab a copy of the Diceware word list, which contains 7,776 English words — 37 pages for those of you printing at home. You'll notice that next to each word is a five-digit number, with each digit being between 1 and 6. Now grab some six-sided dice (yes, actual real physical dice), and roll them several times, writing down the numbers that you get. You'll need a total of five dice rolls to come up with each word in your passphrase. Using Diceware, you end up with passphrases that look like "cap liz donna demon self", "bang vivo thread duct knob train", and "brig alert rope welsh foss rang orb". If you want a stronger passphrase you can use more words; if a weaker passphrase is ok for your purpose you can use less words. If you choose two words for your passphrase, there are 60,466,176 different potential passphrases. A five-word passphrase would be cracked in just under six months and a six-word passphrase would take 3,505 years, on average, at a trillion guesses a second.

After you've generated your passphrase, the next step is to commit it to memory.You should write your new passphrase down on a piece of paper and carry it with you for as long as you need. Each time you need to type it, try typing it from memory first, but look at the paper if you need to. Assuming you type it a couple times a day, it shouldn't take more than two or three days before you no longer need the paper, at which point you should destroy it. "Simple, random passphrases, in other words, are just as good at protecting the next whistleblowing spy as they are at securing your laptop," concludes Lee. "It's a shame that we live in a world where ordinary citizens need that level of protection, but as long as we do, the Diceware system makes it possible to get CIA-level protection without going through black ops training."

Memorizing site-unique passwords isn't possible

[hatemonger]

Diceware is a great recommendation, but you're missing one key consideration: password reuse is a larger danger to users than is having a weak password. The Apple iCloud hack is one of the few in recent memory where a password-related breach wasn't tied to password reuse. What happens most of the time is that a site is vulnerable to SQL injection gets their users table stolen, and "bad guys" use that information to try accounts on related sites. If the compromised website was using a bad (i.e. fast) password hashing algorithm, then having a good password will protect you a little, but you're playing with fire. Password cracking techniques have been advancing exponentially, as has GPU power. But if this site is using reversible encryption or storing passwords in plaintext (which still happens with alarming frequency) then all your other accounts are at risk from the one breach regardless of how great your password is. Of course, if they're using a good password algorithm like PBKDF2 or bcrypt, even a mediocre password will be relatively safe. But what are the chances that every site you've registered with is using a good password algorithm? Probably zero. How can you check the password storing technique of a site you're about to register with? You can't.

Yeah, you could make an algorithm to modify your password across sites so that you can memorize it yet it'll be different, but as "bad guys" combine information from multiple leaks, any algorithm you come up with will be vulnerable to reverse engineering. Especially if your online identity is valuable. The real solution is to use password management software like KeePass, LastPass, or 1Password. Lock your password program with your good password from Diceware, and use unique, truly random passwords for all the websites you've registered on.

Re:Memorizing site-unique passwords isn't possible

[PetiePooo]

... password reuse is a larger danger to users than is having a weak password.

The best of both worlds: use a six-to-eight word diceware password for your password manager, and generate a long, random password for everything else.

Re:Memorizing site-unique passwords isn't possible

[AikonMGB]

... password reuse is a larger danger to users than is having a weak password.

The best of both worlds: use a six-to-eight word diceware password for your password manager, and generate a long, random password for everything else.

This. I also use a separate diceware password for my primary email. That way if someone does manage to break/steal my password manager database, I still have secure and sole access to my email, which many sites will require for you to re-gain control of your account.

Yes, but....

[djbckr]

What about the sites that restrict the length of the password? The only thing I have to say to them is, "You're doing it wrong".

xkcd...

How's that any different from http://xkcd.com/936/?

Re:How about...

[mattventura]

Why would they go through the trouble of reverse enigneering your password system when there's thousands of other people who just use the same exact password everywhere? Unless someone is trying to specifically target you, it's usually sufficient to simply not be the low-hanging fruit. In case of these large password leaks, what they're probably doing is something like this:
1. Take every username (or email) and password combination
2. Through automated means, check if they are valid on other websites
3. Record the ones that worked and abuse/sell those as well.

Prepare to restore from backup often

[tepples]

someone who physically possesses the token has three guesses of my unlocking passphrase before the token locks itself forever and zeroes out the stored keyfile

If fat-fingering your passphrase thrice will make your data permanently inaccessible, then you better have damn good backups and a damn good data plan with which to restore them when and where you need your data.

Re:Prepare to restore from backup often

[AK+Marc]

Yeah, the kids locked my wife out of her iPhone. She put on a password, not thinking it through. The kids kept trying to get in past all the warnings and such, and not reading anything they were doing. It was only after it stopped letting them try to log in that they gave up. I didn't put a password on my phone because the version of Android I'm using makes 911 a 1-click when you are on the login screen. After having to say "sorry misdial" a few times (can't just hang up when you realize what happened, or the police come looking for you), I removed the password, so that 911 isn't a single click away.

Re:Prepare to restore from backup often

[AchilleTalon]

I'm sorry, but even if the hash seems hard to any human being, the way it was generated doesn't use enough entropy. Using the website fqdn or whatever combination reduces significantly the entropy, coupled with your master password in a predictable way and then generating the hash isn't sufficient at my humble opinion to say this is a secure way to generate a password. In particular, if someone has access to the resulting hash for many different sites. The result must be predictable, hence, the combination of the orignal factors cannot change.

This isn't better than a long passphrase.