George V. Reilly

Passphrase Generators

Password Strength

I’ve been using password managers for at least 15 years to keep track of all my passwords. I have separate, distinct, strong passwords for hundreds of sites, and I’ve only memorized the handful that I need to actually type regularly.

I started out with the KeePass desktop app originally, but I switched to the online LastPass app about a decade ago. At work, we use 1Password.

When I register for a site, LastPass generates a random password for me, such as:

tV%5joS$U6^uY5xU
T2oEUY!g70Iv1b&I
8kNHg9*A5GMR9%8D

LastPass securely syncs my passwords between machines and devices. Its browser integration and its Android and iPhone apps mean that I rarely ever have to actually type any of those ugly messes in.

But when I do have to type in such a password, it’s unpleasant in a browser. It doesn’t help that LastPass in some cases displays passwords in a sans-serif font that makes it easy to misrecognize letters such as Il, 0O, 5S, or 8B. It’s far more painful in an Android app, where you have to switch the keyboard in and out of symbol mode. It’s usually even worse in iPhone apps, which rarely offer you an option to see your password in the clear as you’re laboriously typing it, so it’s easy to make a mistake. When I tried to use a remote control to enter my Netflix and Amazon Prime passwords into a new set-top box, I got so annoyed that I brought down a real keyboard and plugged it into the USB port.

Passphrases have nice properties compared to random passwords: they’re human readable, they’re much easier—if longer—to type, and you can actually remember them if you have to. A passphrase of at least five words (chosen by a secure random generator) is computationally infeasible to crack.

The ur-example of random passphrase generators is Diceware from 1995. There are various problems with the Diceware wordlist, which are rectified by more modern lists, such as the EFF Wordlists.

Which would you rather type? The line noise above or one of these passphrases?

confident starfish aftermost elsewhere jasmine
shun baggage chaps reward cuddle
avenue rut pardon skating earlobe
latter blissful snippet jolt corroding
upstage-divinely-ninth-unfilled-skeleton
SkimmingMachinistBlessHesitancyKissableRink

When I want to generate a random passphrase, I tend to use either the Python diceware command-line tool or Glenn Rempe’s JavaScript-based Diceware website. Both use cryptographic random number generators to generate excellent passphrases.

The 1Password Online Generator (in Memorable Password mode) also generates passphrases, as do the desktop and browser versions of 1Password.
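To make the mechanics concrete, here is a small added example (my own illustration, not code from the diceware tool, the Diceware website, or 1Password) that does what the passphrase generators and the Tip below describe: it draws words with Python's CSPRNG-backed secrets module, formats them in the three styles shown above (spaces, hyphens, CamelCase), maps a five-dice Diceware roll to a wordlist index, and computes how many bits of entropy a passphrase carries for a given list size. The SAMPLE_WORDLIST is a constructed 20-word stand-in; the real Diceware and EFF long lists have 7776 words, which is the DICEWARE_LIST_SIZE constant used for the entropy figure.

```python
import math
import secrets

# Constructed sample wordlist for the demo. NOT the real Diceware or EFF list:
# those have 6**5 == 7776 entries, one per five-dice roll from 11111 to 66666.
SAMPLE_WORDLIST = [
    "confident", "starfish", "aftermost", "elsewhere", "jasmine",
    "shun", "baggage", "chaps", "reward", "cuddle",
    "avenue", "rut", "pardon", "skating", "earlobe",
    "latter", "blissful", "snippet", "jolt", "corroding",
]
DICEWARE_LIST_SIZE = 6 ** 5  # 7776 words in a standard Diceware-style list


def entropy_bits(list_size, word_count):
    """Entropy of word_count words drawn uniformly (with replacement) from list_size words."""
    return word_count * math.log2(list_size)


def diceware_index(rolls):
    """Map a five-dice Diceware roll such as '12345' to a 0-based wordlist index.

    Each die is a base-6 digit (1 -> 0 ... 6 -> 5), so '11111' is index 0
    and '66666' is index 7775, the last entry of a 7776-word list.
    """
    if len(rolls) != 5 or any(ch not in "123456" for ch in rolls):
        raise ValueError("expected exactly five dice digits in the range 1-6")
    index = 0
    for ch in rolls:
        index = index * 6 + (int(ch) - 1)
    return index


def format_passphrase(words, style="space"):
    """Join words in one of the styles shown in the post: space, hyphen, or camel."""
    if style == "space":
        return " ".join(words)
    if style == "hyphen":
        return "-".join(words)
    if style == "camel":
        return "".join(word.capitalize() for word in words)
    raise ValueError(f"unknown style {style!r}")


def generate_passphrase(wordlist, word_count=5, style="space"):
    """Pick word_count words using the secrets module (a CSPRNG), never random.random()."""
    if word_count < 1:
        raise ValueError("word_count must be at least 1")
    words = [secrets.choice(wordlist) for _ in range(word_count)]
    return format_passphrase(words, style)


if __name__ == "__main__":
    for style in ("space", "hyphen", "camel"):
        print(generate_passphrase(SAMPLE_WORDLIST, 5, style))
    # Five words from a 7776-word list give about 64.6 bits; the same five words
    # from this tiny 20-word demo list give only about 21.6 bits, which is why
    # the size of the wordlist matters as much as the number of words.
    print(f"5 words from {DICEWARE_LIST_SIZE} words: {entropy_bits(DICEWARE_LIST_SIZE, 5):.1f} bits")
    print(f"5 words from {len(SAMPLE_WORDLIST)} words: {entropy_bits(len(SAMPLE_WORDLIST), 5):.1f} bits")
```

Run it directly to print three passphrases and the two entropy figures. The important design point is the random source: secrets.choice draws from the operating system's CSPRNG, whereas random.choice is a seeded Mersenne Twister whose output can be reconstructed from a few observed values, so it is unsuitable for passwords. The entropy figure depends only on the list size and the word count, not on which words happen to be picked, so a passphrase built from a tiny or predictable list is weak no matter how random the selection was.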

My master password for LastPass is a passphrase, as is my laptop password. I’m also using Authy for 2FA, but that’s a post for another time.

Tip

If you have to supply answers for one of those misbegotten security questions, such as your favorite movie or your first car, do not answer truthfully. Truthful answers increase your risk of identity theft. The answers are often guessable, can frequently be learned easily about you, and may be obtained through a password breach on another site.

Instead, generate a passphrase as the "answer" and store it and the question in the Notes field of your password manager. If you have to supply the answer to a security question over the phone to a customer service rep, you’ll be thankful that you chose something that you can clearly say aloud.

Also Facebook quizzes and memes like "Your porn name is your middle name and the first car you had" are trying to obtain your answers to common security questions. Don’t answer them.
