Slashdot Mirror


Generate Memorizable Passphrases That Even the NSA Can't Guess

HughPickens.com writes Micah Lee writes at The Intercept that coming up with a good passphrase by just thinking of one is incredibly hard, and if your adversary really is capable of one trillion guesses per second, you'll probably do a bad job of it. It turns out humans are a species of patterns, and they are incapable of doing anything in a truly random fashion. But there is a method for generating passphrases that are both impossible for even the most powerful attackers to guess, yet very possible for humans to memorize. First, grab a copy of the Diceware word list, which contains 7,776 English words — 37 pages for those of you printing at home. You'll notice that next to each word is a five-digit number, with each digit being between 1 and 6. Now grab some six-sided dice (yes, actual real physical dice), and roll them several times, writing down the numbers that you get. You'll need a total of five dice rolls to come up with each word in your passphrase. Using Diceware, you end up with passphrases that look like "cap liz donna demon self", "bang vivo thread duct knob train", and "brig alert rope welsh foss rang orb". If you want a stronger passphrase you can use more words; if a weaker passphrase is ok for your purpose you can use less words. If you choose two words for your passphrase, there are 60,466,176 different potential passphrases. A five-word passphrase would be cracked in just under six months and a six-word passphrase would take 3,505 years, on average, at a trillion guesses a second.

After you've generated your passphrase, the next step is to commit it to memory. You should write your new passphrase down on a piece of paper and carry it with you for as long as you need. Each time you need to type it, try typing it from memory first, but look at the paper if you need to. Assuming you type it a couple times a day, it shouldn't take more than two or three days before you no longer need the paper, at which point you should destroy it. "Simple, random passphrases, in other words, are just as good at protecting the next whistleblowing spy as they are at securing your laptop," concludes Lee. "It's a shame that we live in a world where ordinary citizens need that level of protection, but as long as we do, the Diceware system makes it possible to get CIA-level protection without going through black ops training."
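The dice-to-word lookup and the guessing-time figures quoted in the summary above, as an added Python example that is not part of the original story or of the Diceware project. The sample list uses constructed keys, and every function name here is illustrative.

```python
import secrets

DICE_PER_WORD = 5
LIST_SIZE = 6 ** DICE_PER_WORD      # 7,776 keys, 11111 through 66666
RATE = 10 ** 12                     # the article's one trillion guesses per second

# Constructed sample. The words are from the article's first example passphrase;
# the keys are made up here and are NOT the real list's numbering.
SAMPLE_LIST = """
14523 cap
36142 liz
22516 donna
21345 demon
53261 self
"""


def parse_wordlist(text):
    """Parse 'key word' lines into a dict; lines of any other shape are skipped."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2 or len(parts[0]) != DICE_PER_WORD \
                or set(parts[0]) - set("123456"):
            continue
        key, word = parts
        if key in table:
            raise ValueError(f"duplicate key {key}")
        table[key] = word
    return table


def words_from_rolls(rolls, table):
    """Turn dice rolls (ints 1-6, five per word, in the order rolled) into a passphrase."""
    if not rolls or len(rolls) % DICE_PER_WORD:
        raise ValueError("need exactly five rolls per word")
    if any(r not in range(1, 7) for r in rolls):
        raise ValueError("each roll must be 1-6")
    keys = ("".join(map(str, rolls[i:i + DICE_PER_WORD]))
            for i in range(0, len(rolls), DICE_PER_WORD))
    return " ".join(table[k] for k in keys)   # KeyError if the list is incomplete


def software_rolls(n_words):
    """Stand-in for physical dice: unbiased rolls drawn from the OS CSPRNG."""
    return [secrets.randbelow(6) + 1 for _ in range(n_words * DICE_PER_WORD)]


def keyspace(n_words):
    """Number of equally likely passphrases of n_words words."""
    return LIST_SIZE ** n_words


def average_crack_seconds(n_words, rate=RATE):
    """On average a guesser succeeds after trying half of the keyspace."""
    return keyspace(n_words) // (2 * rate)


def equivalent_random_length(n_words, alphabet_size):
    """Shortest uniformly random string with at least the same keyspace."""
    length = 0
    while alphabet_size ** length < keyspace(n_words):
        length += 1
    return length


if __name__ == "__main__":
    table = parse_wordlist(SAMPLE_LIST)
    rolls = [1, 4, 5, 2, 3,  3, 6, 1, 4, 2,  2, 2, 5, 1, 6,
             2, 1, 3, 4, 5,  5, 3, 2, 6, 1]      # as written down from real dice
    print(words_from_rolls(rolls, table))
    for n in (5, 6, 7):
        days = average_crack_seconds(n) / 86400
        print(f"{n} words: {keyspace(n):.3e} phrases, ~{days:,.0f} days on average, "
              f"same keyspace as {equivalent_random_length(n, 72)} random chars of 72")
```

The arithmetic holds only when every word is chosen uniformly at random, which is what the dice (or `secrets.randbelow`) guarantee and a hand-picked phrase does not.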


  1. Memorizing site-unique passwords isn't possible by hatemonger · · Score: 5, Insightful

    Diceware is a great recommendation, but you're missing one key consideration: password reuse is a larger danger to users than is having a weak password. The Apple iCloud hack is one of the few in recent memory where a password-related breach wasn't tied to password reuse. What happens most of the time is that a site that is vulnerable to SQL injection gets their users table stolen, and "bad guys" use that information to try accounts on related sites. If the compromised website was using a bad (i.e. fast) password hashing algorithm, then having a good password will protect you a little, but you're playing with fire. Password cracking techniques have been advancing exponentially, as has GPU power. But if this site is using reversible encryption or storing passwords in plaintext (which still happens with alarming frequency) then all your other accounts are at risk from the one breach regardless of how great your password is. Of course, if they're using a good password algorithm like PBKDF2 or bcrypt, even a mediocre password will be relatively safe. But what are the chances that every site you've registered with is using a good password algorithm? Probably zero. How can you check the password storing technique of a site you're about to register with? You can't.

    Yeah, you could make an algorithm to modify your password across sites so that you can memorize it yet it'll be different, but as "bad guys" combine information from multiple leaks, any algorithm you come up with will be vulnerable to reverse engineering. Especially if your online identity is valuable. The real solution is to use password management software like KeePass, LastPass, or 1Password. Lock your password program with your good password from Diceware, and use unique, truly random passwords for all the websites you've registered on.

    1. Re:Memorizing site-unique passwords isn't possible by mlts · · Score: 5, Informative

      I prefer 2FA when possible. Even a very tough password means nothing if by some means, it gets sniffed by some keylogger, or the password database on a cloud provider gets brute-forced.

      For storage where one is using a passphrase for encryption, as opposed to authentication, I like using cryptographic tokens. TrueCrypt used to work with a PKCS#11 library so I could store a keyfile on a set of Aladdin/SafeNet eTokens. This not just made the key immune to brute force guessing... someone who physically possesses the token has three guesses of my unlocking passphrase before the token locks itself forever and zeroes out the stored keyfile. This also works with Symantec's PGP version, except that generates a public/private keypair, the private keypair always remaining on the token, while the public part is used for the file/drive encryption.

      If 2FA isn't possible, then as above, some mechanism to help with password reuse is very wise. This is useful just in case some website decides to store passwords in plain text, so a person's secure "correct horse battery staple" is now compromised and added to every blackhat's brute forcing library.

    2. Re:Memorizing site-unique passwords isn't possible by PetiePooo · · Score: 5, Insightful

      ... password reuse is a larger danger to users than is having a weak password.

      The best of both worlds: use a six-to-eight word diceware password for your password manager, and generate a long, random password for everything else.

    3. Re:Memorizing site-unique passwords isn't possible by hatemonger · · Score: 2

      Treating numerous accounts as "low security" and reusing your passwords across them is still dangerous, in my opinion, but it's up to you whether the effort of storing those extra passwords in your password management program is worth the added security. Information gleaned from multiple "low security" accounts could potentially be combined to get access to your high security accounts. And once you get password management software set up, I've found it's much easier than remembering and typing, even for the accounts I don't care about. Autofill is glorious, and I really love never having to play the game of "have I already registered for this site?"

    4. Re:Memorizing site-unique passwords isn't possible by AikonMGB · · Score: 3, Insightful

      ... password reuse is a larger danger to users than is having a weak password.

      The best of both worlds: use a six-to-eight word diceware password for your password manager, and generate a long, random password for everything else.

      This. I also use a separate diceware password for my primary email. That way if someone does manage to break/steal my password manager database, I still have secure and sole access to my email, which many sites will require for you to re-gain control of your account.

    5. Re:Memorizing site-unique passwords isn't possible by TWX · · Score: 3, Informative

      I stopped using Groklaw back in the day because they started requiring excessively complex passwords. They seemed to feel that their forums were rather important, when in fact the only really important part was what people could read, not what they would post.

      I'm sure that most of us would be upset if our accounts on various forums or bulletin board systems were compromised, but it wouldn't be life-altering for the vast majority of us. Social Media that's designed to avoid anonymity like Facebook would be worse but still ultimately doesn't affect one's bottom-line, but things like banks and e-mail services where everyone's stuff ultimately consolidates are much more important.

      I wish that we could trust central ID systems, where we could create an account on a forum site with a unique user ID and then link that user ID to a central authentication database so that our central credentials give us access via that unique user ID, but I just don't trust the authentication databases. I'm already leery enough of Active Directory that I don't use work passwords anywhere else to begin with, but companies providing such a service don't necessarily know what they're doing, and they're probably too willing to hand over information for what sites people would need authentication to as well.

      --
      Do not look into laser with remaining eye.
    6. Re:Memorizing site-unique passwords isn't possible by Kjella · · Score: 2

      The real solution is to use password management software like KeePass, LastPass, or 1Password. Lock your password program with your good password from Diceware, and use unique, truly random passwords for all the websites you've registered on.

      At the cost of travelling around with the keys to the kingdom. Imagine you're on vacation and you want to pop into an internet cafe and log into /. because abstinence. Except it has a keylogger/trojan that'll steal your key file and your master password. Now you've compromised your email, online bank, ebay, paypal, steam and all the other passwords that might really matter. Personally I tend to keep three:

      1) My mail, because it gets all the password resets.
      2) My bank, but it's using two-factor anyway.
      3) My "assorted junk" password where I might lose my forum account or whatever that doesn't *really* matter.

      I really try not to use the first two on an untrusted device unless I really have to, because afterwards I need to change it. In fact if I know I will need to use it I'll change it on a trusted device up front and restore it later, good memorized passwords are a pain to relearn.

      --
      Live today, because you never know what tomorrow brings
    7. Re:Memorizing site-unique passwords isn't possible by hatemonger · · Score: 3, Funny

      No, when you're traveling you use the mobile app to access your password database, read it off your phone, and then you type it into the infected computer. No need to be stupid about it.

    8. Re:Memorizing site-unique passwords isn't possible by Anonymous Coward · · Score: 2, Funny

      Now I know where Pink Floyd got early song titles from.

    9. Re:Memorizing site-unique passwords isn't possible by Fwipp · · Score: 2

      I wish that we could trust central ID systems, where we could create an account on a forum site with a unique user ID and then link that user ID to a central authentication database so that our central credentials give us access via that unique user ID, but I just don't trust the authentication databases. I'm already leery enough of Active Directory that I don't use work passwords anywhere else to begin with, but companies providing such a service don't necessarily know what they're doing, and they're probably too willing to hand over information for what sites people would need authentication to as well.

      You mean OAuth?

    10. Re:Memorizing site-unique passwords isn't possible by ghmh · · Score: 5, Funny

      "correct horse battery staple"

      That's amazing! I've got the same combination on my luggage!

    11. Re:Memorizing site-unique passwords isn't possible by reboot246 · · Score: 2

      That would be nice, but my bank won't let me use passwords that long. They won't even let me use punctuation or special characters - only upper and lowercase letters, and numbers. Some security, huh?

    12. Re:Memorizing site-unique passwords isn't possible by darkmeridian · · Score: 3, Interesting

      Your personal email is the most important account you have for the reason you set forth: you can use it to reset passwords to all of your other accounts! That's why I use Google Mail along with the FIDO U2F dongle. This makes my email really secure.

      --
      A NYC lawyer blogs. http://www.chuangblog.com/
    13. Re:Memorizing site-unique passwords isn't possible by Rei · · Score: 2

      Yeah, the suggested method for generating passwords generates needlessly long passwords. The total entropy is good, but the entropy per character is pretty poor. You get much better entropy per character with abbreviation passwords, where you have a sentence or group of random words and you use the first letter from each, or second, or last, or alternating, or whatever suits you. It's still not as much entropy per character as a random pattern, but it's much better than writing out full words - and pops into your head just as fast (because it is, in essence, the same).

      --
      "99 dead duelists of Dios on the wall. 99 dead duelists of Dios! Take one's ring, pass it around..."
    14. Re:Memorizing site-unique passwords isn't possible by TeknoHog · · Score: 3, Funny

      "luggage"

      Wow! That's the combination to the staple holding the energy source to my battery-powered equine robot -- the right one, not the wrong one.

      --
      Escher was the first MC and Giger invented the HR department.
    15. Re:Memorizing site-unique passwords isn't possible by arth1 · · Score: 3, Interesting

      Use a password manager and you:
      - Cannot access your accounts without the password manager. Like when you've had everything stolen at an airport and need to transfer some money.
      - Lose access to all your passwords in one fell swoop when you lose your password manager, or move to a system where that (by then) old piece of software won't run.
      - Lose all your passwords in one fell swoop to any blackhat who manages to brute force or key log your password manager.

      Password managers defeat much of the security of having passwords.

    16. Re:Memorizing site-unique passwords isn't possible by dbIII · · Score: 2

      I stopped using Groklaw back in the day because they started requiring excessively complex passwords.

      People were being paid to disrupt Groklaw and even stalk and shame the founder. It's not paranoia when serious cash is being splashed to deface your website and a fucking insane horror writer (who pretends murdering ghosts are real) is parked across from your house watching your front door.
      It's a special case.

    17. Re:Memorizing site-unique passwords isn't possible by pspahn · · Score: 3, Interesting

      This is pretty much what I do. I personally don't like all the generic words, and instead use variations of a similar pattern. I have several main patterns that I can determine which one to use based on a rule I know that takes the site's name into account. This is my base password.

      Then I take the site's name and apply another rule to it. This becomes my salt.

      Together they become a very complex password that is unique for each site and yet very easy for me to remember. An example (of course not close to what I use, but you get the idea) for Slashdot would be:

      Slashdot.org - TLD is org so we use Gro.dotSlash as the hash + 19 (slashdot begins w/S, the 19th letter) + someone I love's DOB 9-18-80, so the full password is Gro.dotSlash1991880?

      --
      Someone flopped a steamer in the gene pool.
    18. Re:Memorizing site-unique passwords isn't possible by NotInHere · · Score: 2

      The U2F project is one of the really good things google did. I hope it becomes successful. I hate mobile phone "2 factor" authentication because you give them basically your identity, it's hard to work with (entering weird numbers?!), and relies on 3rd parties (telcos, security of the mobile network).

  2. Yes, but.... by djbckr · · Score: 4, Insightful

    What about the sites that restrict the length of the password? The only thing I have to say to them is, "You're doing it wrong".

    1. Re:Yes, but.... by khasim · · Score: 3, Interesting

      Let's be a bit more specific about that.

      If they're restricting the length to something like 8 or 12 or 16 instead of 128 or 256 then they are PROBABLY not hashing the passwords.

      Which means that your password is PROBABLY being stored in plain text (or possibly encrypted). NEITHER of which are acceptable methods today.

  3. Still not allowed by many places. by timrod · · Score: 5, Informative

    Many websites, especially those designed to be more secure (banking, education, employment) still require passwords in a certain form (usually requiring some combination of caps, numbers, and special characters) and don't allow passwords like these.

  4. xkcd... by Anonymous Coward · · Score: 2, Insightful

    How's that any different from http://xkcd.com/936/?

    1. Re:xkcd... by idontgno · · Score: 2

      Well, the obvious difference is you can't use "correct horse battery staple", because the NSA knows about that one. Their CIA colleagues probably managed to extract it using the $5 wrench decryption algorithm.

      --
      Welcome to the Panopticon. Used to be a prison, now it's your home.
    2. Re:xkcd... by duranaki · · Score: 3, Interesting

      Well, they read the comic, but then thought, "Damn, thinking of random words is hard! If only we could make a 37 page document and use dice to pick words!" And then someone else shouted, "Genius! I own shares in Yahtzee! This will totally increase sales!"

    3. Re:xkcd... by Your.Master · · Score: 2

      It's difficult to quantify "hard to remember-ness" but I strongly suspect that if you could normalize for difficulty remembering a password, adding more words is more efficient than mutating existing ones for a looooong time.

      It's not that hard to memorize Shakespeare's "To be or not to be" soliloquy character-for-character even though it uses terms and turns of phrase that are no longer current or even grammatical. I had to do that in grade 11, I thought it was dumb, but I remember it to this day, complete with the punctuation used in my copy (I know different copies can punctuate a little differently, but we had to get the punctuation nonetheless).

      If I took every word and made a single-character mutation (insertion, deletion, or replacement), and raced you against somebody memorizing the text straight up (assuming neither of you are really familiar with the speech), I bet by the time they had it solid you wouldn't have even a quarter of it.

  5. Wait? by ArhcAngel · · Score: 2

    I thought we were just supposed to use

    CorrectHorseBatteryStaple

    --
    "A person is smart. People are dumb, panicky dangerous animals and you know it." - K
    1. Re:Wait? by zugmeister · · Score: 2

      I thought we were just supposed to use
      CorrectHorseBatteryStaple

      Nah, hunter 2 works much better.

    2. Re:Wait? by 91degrees · · Score: 2

      The list doesn't contain "Correct", "Battery" or "Staple". I declare it useless!

  6. Re:Wait a sec by hatemonger · · Score: 3, Informative

    Exactly the opposite: "Encryption works" was one of the key points made by Edward Snowden. The NSA found it much easier to just bypass encryption. There are some instances where we suspect the NSA has had a hand weakening or backdooring some algorithms (like recommending odd seed values for elliptic curve cryptography) but nothing definitive.

  7. Re:Wait a sec by ArcadeMan · · Score: 4, Funny

    ROT13 is pretty safe, especially if it's used twice.

  8. 6 sided dice? by 31eq · · Score: 5, Informative

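    makepassphrase()
    {
        # Requires GNU sort (-R and --random-source are GNU extensions)
        # Drop possessive forms, shuffle with /dev/urandom, keep N words (default 5)
        grep -vF "'s" /usr/share/dict/words |
            sort -R --random-source=/dev/urandom | head -n "${1:-5}" |
            while read -r word
            do
                printf "%s " "$word"
            done
        echo
    }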

  9. change your username by jd142 · · Score: 4, Interesting

    I forget where I first read it, but this sounds like a good workaround. Pick a nice secure-as-you-want password. But each website gets a different username. It sounds like most attacks are of the kind "joe_bob uses P4$$word on amazon, let's see if joe_bob uses P4$$word on this banking site too." They don't seem to be looking to see if joe_bob_amazon is the same account as joe_bob_wellsfargo. Or you could be joe_a_bob and joe_wf_bob.

    Even better is if you have some control over your email accounts. They are probably smart enough to see joe.bob@gmail is j.o.e.bob@gmail (although that does let you filter incoming mail a little easier). But if you have control over the domain you can have a catch-all address and be me_amazon@myplace.com and me_wellsfargo@myplace.com.

  10. Assuming fair dice by hawguy · · Score: 3, Funny

    This procedure assumes fair, unbiased dice. For years, the NSA has required precise machining of dice to generate predictable rolls. Once someone cracks the code, Casinos will lose billions.

    What, other than precision machining, would explain why plastic dice with a materials cost of pennies cost over $2/each?

  11. Re:And anyway... by praxis · · Score: 2

    First you claim that they use malware to send my plaintext passwords to themselves. Then you claim they have been caught red-handed doing the first claim...by compromising networking equipment which never sees my plaintext passwords.

    I understand your point, but your claims are rather incongruous.

  12. Obligatory XKCD by Irate+Engineer · · Score: 2

    https://xkcd.com/538/

    If they can't afford enough computer to crack your passphrase, they can still afford a $5 wrench

    --

    Left MS Windows for Linux Mint and never looked back!

    Vote for Bernie in 2016!

  13. Re:stupidly weak by Fwipp · · Score: 2

    No.

    There are 10 digits, there are (in this list) 7.7k dictionary words.

    If you tell a hacker "my password is 5 digits" - they have 10^5 keys to test, or 100000.
    If you tell them "my password is 5 words" they have 7700^5 keys to test, or 2.7 * 10^19 - which is more than twice as hard to crack as a 19-digit password, which again is 10 trillion times as hard as your 5 digit password.

    It's just math, people. You don't have to rely on hand-rules like "dictionary words are bad."

  14. Re:How about... by mattventura · · Score: 3, Insightful

    Why would they go through the trouble of reverse engineering your password system when there's thousands of other people who just use the same exact password everywhere? Unless someone is trying to specifically target you, it's usually sufficient to simply not be the low-hanging fruit. In case of these large password leaks, what they're probably doing is something like this:
    1. Take every username (or email) and password combination
    2. Through automated means, check if they are valid on other websites
    3. Record the ones that worked and abuse/sell those as well.

  15. Re:How about... by hatemonger · · Score: 2

    Yes, "don't outrun the bear; outrun your companion" is a fair strategy in computer security. But if you're made of particularly juicy and delicious man-meats (which would be analogous to having your name be Brian Krebs or Jennifer Lawrence or being a Google employee or having a three letter twitter handle), some bears might decide that it's worth a little extra effort to run you down instead. It's a personal decision as to how much effort you're willing to put into protecting your online identity.

  16. Re:stupidly weak by Xrikcus · · Score: 2

    Your first word is 7 digits your second is 3, so clearly one is stronger than the other. "nom" is not in the diceware set, which helps a little, but it isn't so uncommon to be in a search dictionary. The numbers are in the diceware set.

    You're comparing 7700^3 against 7700^7. Your more secure password isn't any better than chickensandwichwafflesworkcraigcrossafrica, probably a lot less good because chicken, delicious and nom clearly correlate heavily and nomnomnom is almost one word really. 7700^7 is 1604852326685300000000000000 according to my calculator. If I assume 72 characters (52 letters, 10 numbers, 10 special characters) then I need a 15 character random password to beat it in terms of search space. Maybe this: }&X$0ueUo~ravx&.

    Further, if you put numbers between your letters you are turning a search space of 7700 into 7710 or whatever. If you replace l with 1 and so on, you are surely turning 7700 into 7700*(number of replacement options and combinations thereof). So mathematically, I would think that replacing e with 3, a with @ would actually be a stronger encoding than what you suggest.

  17. Prepare to restore from backup often by tepples · · Score: 4, Insightful

    someone who physically possesses the token has three guesses of my unlocking passphrase before the token locks itself forever and zeroes out the stored keyfile

    If fat-fingering your passphrase thrice will make your data permanently inaccessible, then you better have damn good backups and a damn good data plan with which to restore them when and where you need your data.

    1. Re:Prepare to restore from backup often by mlts · · Score: 3, Interesting

      I have a third option: An admin passphrase that is a lot longer than my user passphrase, but had more retry attempts. That way, if the short passphrase gets typoed, I can still unlock the device with the admin one.

      You are right about backups... that is why I have three of the USB tokens, just in case.

    2. Re:Prepare to restore from backup often by AK+Marc · · Score: 3, Insightful

      Yeah, the kids locked my wife out of her iPhone. She put on a password, not thinking it through. The kids kept trying to get in past all the warnings and such, and not reading anything they were doing. It was only after it stopped letting them try to log in that they gave up. I didn't put a password on my phone because the version of Android I'm using makes 911 a 1-click when you are on the login screen. After having to say "sorry misdial" a few times (can't just hang up when you realize what happened, or the police come looking for you), I removed the password, so that 911 isn't a single click away.

    3. Re:Prepare to restore from backup often by rtb61 · · Score: 2

      I have an even simpler option. Use a pass phrase that you can easily remember. Now before you use that pass phrase, pass it through an encryption program that will encrypt it in the same manner every time. Then use that encrypted content as the actual password. Now that encryption is done locally on the fly and it never passes across the internet nor is it stored anywhere, except locally. By the addition of one step it becomes very complex whilst still in reality being easy to remember. When you want to access the password, simply type in your easy to remember phrase, access the encrypted password and preferably cut and paste it in. You could use a separate encrypted password for every site all actually based upon your one preferred password, each encrypted password being different based upon including the site name into the encryption algorithm. You could build all of this into the browser, so you only need a local master password to access many different sites with many different passwords. This could be a core function of web browsers, rather than an add on. So 'easytoremeberpassword' becomes '23d5n039tn310(ME))()@JFjfjfs@#%NFI@' now good luck with that. It works better because password checking programs could double the processing time between each failed password attempt (it doesn't take many attempts to slow the process way down) and if they have the password, when text recognition programs try to figure out that it is the password and not just another failed encrypted pass, simply fail to recognise when they have the password.

      --
      Chaos - everything, everywhere, everywhen
    4. Re:Prepare to restore from backup often by AchilleTalon · · Score: 3, Insightful

      I'm sorry, but even if the hash seems hard to any human being, the way it was generated doesn't use enough entropy. Using the website fqdn or whatever combination reduces significantly the entropy, coupled with your master password in a predictable way and then generating the hash isn't sufficient in my humble opinion to say this is a secure way to generate a password. In particular, if someone has access to the resulting hash for many different sites. The result must be predictable, hence, the combination of the original factors cannot change.

      This isn't better than a long passphrase.

      --
      Achille Talon
      Hop!
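
The per-site derivation debated in the last two comments, as an added Python example that is not part of either post: PBKDF2-HMAC-SHA256 stands in for the unspecified "encryption program", and the iteration count, output length and function names are assumptions. `effective_bits` puts a number on the objection raised in the reply, for a master passphrase made of uniformly chosen Diceware words.

```python
import base64
import hashlib
import math
import unicodedata

ITERATIONS = 200_000     # assumption: raise until one derivation takes ~0.1-1 s
OUTPUT_BYTES = 15        # 15 bytes encode to exactly 20 base64 chars, no padding


def normalize_site(site):
    """Canonical site name so 'Slashdot.org' and 'slashdot.org.' agree."""
    site = site.strip().lower().rstrip(".")
    if not site:
        raise ValueError("site name is empty")
    return site


def derive_site_password(master, site):
    """Same master + same site always yields the same 20-character password."""
    # NFKC so the passphrase hashes identically whatever keyboard typed it.
    secret = unicodedata.normalize("NFKC", master).encode("utf-8")
    salt = normalize_site(site).encode("utf-8")   # public, only separates sites
    raw = hashlib.pbkdf2_hmac("sha256", secret, salt, ITERATIONS,
                              dklen=OUTPUT_BYTES)
    return base64.urlsafe_b64encode(raw).decode("ascii")


def effective_bits(master_words, output_chars=20):
    """Guessing cost is capped by the weaker of master passphrase and output.

    The site name is public and the function is deterministic, so a leaked
    derived password lets an attacker test master guesses offline.
    """
    master_bits = master_words * math.log2(7776)
    output_bits = output_chars * 6                # 6 bits per base64 character
    return min(master_bits, output_bits)


if __name__ == "__main__":
    master = "cap liz donna demon self"   # the article's published example; never reuse
    for site in ("Slashdot.org", "example.com"):
        print(site, derive_site_password(master, site))
    print(f"6-word master: {effective_bits(6):.1f} bits, however random the output looks")
```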