Reply to post: Sigh

It's World (Terrible) Password (Advice) Day!

GIRZiM Bronze badge


I've been here before, I'm sure of it.

Caveats and qualifications abound and I'm prepared to accept that the maths is beyond me and it's possible that the xkcd approach is sufficient but my forays into computational linguistics over the three decades of my fascination with A.I. lead me to suspect that there is some realm of mathematics beyond my ken that means that using real words is still a weaker approach than the one I learned from Bruce Schneier (something to do with Stochastics, possibly) - I further figure that if it's good enough for him, it's good enough for the likes of me and I ain't arguing.

So, just to make the point, yet again (sigh): If you're going to use a password, make it long (as explained above) and complex (complexity helps). You can make this memorable as well by following Schneier's instructions as follows:

Take a core phrase that doesn’t vary and is easily remembered—not a song lyric or famous quotation though, nor something from a book, but some phrase you make up yourself.

You then add an extension to it that is unique to each site/service you use.

For example: This is my very own, secret, core passphrase and the unique extension for this site is: my Register forums password

Take the first letter of each word and any punctuation: Timvo,s,cpatueftsi:mRfp

Substitute ‘l337’ style: 71mv0,5,cp47u3f751:mRfp

It’s 23 characters long (which is the single most significant hindrance to cracking it), contains a combination of alphanumerics and ‘special’ characters (punctuation), is unique to you, becomes a simple matter of muscle memory recall in a short time and is less demanding cognitively, because all that actually need be remembered for each site/service is the unique (and short) extension (which the site/service you are using will remind you of), can’t be cracked by a brute force dictionary attack in any language.

There have been a number of attempt to improve over this approach—and from biometrics to password managers, all have failed one way or another to do so in any manner that outweighs their weaknesses - as yet, the single most secure approach there is is still a password and, as yet, the most secure password is the one that exists only in your head.

No, I'm not interested in debating this any further; it was done to death on the above linked thread and, as I've said, I'm prepared to accept that maybe my intuition is ill founded and the xkcd approach is just as secure. It's just that, as a psychologist, I have to say I guarantee you that not only is the cognitive load of trying to remember twenty-three random words considerably greater than that of Schneier's approach but even remembering a story that ties them together is horribly prone to errors in recall and could well result in failures such as the incorrect colour of the batterypoweredhorse'sstable (or was it the batteredwhore'stable?) - moreover, how many stories explaining twenty-three random word sequences are you going to be able to keep in mind before you either have to stop using any more services, start re-using the same password or else get them mixed up and locked out of one or more of them?

So, there you go: Bruce Schneier's approach is good enough for me - it might be for you too.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019