Passwords

I recently had a conversation with a couple of friends about passwords and what makes a good one. I realized during the discussion that there’s still a general impression that is not quite accurate about passwords. It’s not surprising. There are many computer science academic papers written annually about passwords because picking bad passwords is easy. Picking good passwords is hard but can be easy. It helps to understand a bit about entropy and psychology first.

Many of the aforementioned academic papers discuss the psychology of passwords as well as the science. They have to because a key factor of computer passwords is that they are mostly created and input by humans. And humans are very very bad at random.

Human brains are wonderful pattern matching machines. We excel at linking cause and effect. Our brains are so good at it that they often find patterns that don’t exist. This is how conspiracy theories, “bad things come in threes,” thinking 3,5,8,13,21,44 is a better lottery pick than 1,2,3,4,5,6, etc., all happen.

We tend to think that complexity is what makes a good password, but we don’t really understand complexity. We think if it looks more complicated then it must be better, but entropy is a better measurement of difficulty in guessing than complexity.

Entropy is the lack of order or predictability. Simple entropy beats complex predictability every time. For example in my lottery numbers above, 1,2,3,4,5,6 is simple and predictable, but 3,5,8,13,21,44 is also very predictable if you are familiar with Fibonacci numbers. 3,17,25,29,31,35 doesn’t look anymore complicated, but those 6 numbers were randomly selected. There’s no pattern to predict the digits.

That’s the secret to good passwords. Entropy or alternatively, randomness.

G00dP4SSw0rd looks like a more complicated password than GoodPassword, but because number/letter substitutions are so common (back to how predictable humans are) it’s actually no better.

So, how do you pick a good password? The secret is to provide the medium for the password, but use random selection to create the password from the medium. Or use a tool that uses randomness to create passwords. I’ve written lots about Lastpass and KeyPass, which are password databases that also support password generation, so I won’t write about them again. But here are a couple of easy ways to create a good password.

Grab a book off the shelf. Any book. Grab a six-sided die. Roll the die twice. The two rolls are your page number. Say you rolled a two and a five. Open the book to page 25. Roll the die twice again. Those two numbers together are the word. If you rolled a six and one then pick the 61st word on the page. (If the word is just one or two letters, try again.) Do this four times. Now you have four random words from a book page. That’s your password. This is a good, strong password that’s pretty easy to remember and easy to type in. You can also write down all your rolls and be able to look up your password again (assuming you keep the book).

Here’s another way. Use an online word based password generator like egansoft.com/password/ It basically accomplishes something similar to the dice rolling.

Here’s another way. Take a quote such as, “Anyone who hates children and animals can't be all bad.” - W. C. Fields

Now take the first letter from each word: Awhcaacbab. This is a decent password that is easily remembered and typed. Its entropy is decent because, despite the structure of English which makes word prediction in sentences easier, the use of just a single letter makes it much more random. And by the way, you don’t have to use the first letter. This single phrase could be used for several passwords by using the second letter or last letter.

Longer passwords are better, but random passwords are best.

Finally, more important than picking good passwords is not reusing passwords. Never reuse a password.