Over at firstlook.org, The Intercept has an article on creating passphrases (not passwords) that are strong and memorizable. The trick lies in the number of elements (that is, how many words are used in the passphrase) and randomness. Indeed, the principle is not different from how encryption works to secure data. For example, AlertBoot’s managed laptop encryption relies on AES-256 encryption to secure a laptop’s sensitive data.
Creating a Passphrase that Can’t be Easily Cracked
First, get yourself a die, that six-sided cube with dots or numbers that’s used at a craps table. You only need one (hence die and not dice). Then grab a copy of the Diceware word list. Each word is preceded by a 5-digit number.
Roll your die five times to get a word. Do this for a total of seven words (so, 35 rolls). Then, chain these words together for a super-duper secure passphrase.
Why is this so secure that “not even the NSA can crack it”? Again, the answer lies in the number of elements and randomness.
The Diceware word list contains 7,776 words. If you only used one word as the password, there’s a 1 in 7,776 chance that it can be guessed at random. With a fast enough computer, one can go through the entire list of words in a matter of seconds (this act of going through the entire set of possibilities is known as “brute forcing”).
When two words are used, the set of possibilities increases to over 60 million (7,776 x 7,776 – also known as 7,7762). This offers better security but computers can go through trillions of these per second, so it’s not actually secure enough.
It turns out that 7,7767 (that raised 7 is where the seven words come into play) is a huge number. Even at a brute force rate of a trillion tries per second, it would take 27 million years to exhaust the list of words. If someone were to get lucky and manage to find the passphrase within the early stages (say, the 10% mark), that still represents 2.7 million years. The 1% mark? 270,000 years.
Cool. So what’s the deal with the die? Can’t you just pick any seven words?
Nope. Because when you pick random words, they’re usually not random. They tend to be words you know. And words you know are probably those that most people know and use. This tends to limit the set of words (for example, you probably wouldn’t select “zootropic” from the top of your head). Furthermore, chances are you’ll arrange them in a linguistically logical way so you can memorize the passphrase more easily. Again, the effect is to limit the passphrase set.
Of course, using the Diceware method above doesn’t provide failsafe randomness. For example, you roll five numbers and look up the word…and it’s a word you don’t like / can’t memorize / never seen before / is against your religion / whatever and roll again, finding a word that is more suitable for your awesome passphrase.
Such an act also artificially limits the set of words. People in the business of hacking passwords don’t rely on brute force methods. Rather, they try to get into your head, have a stab at what you may have decided to choose as a password or passphrase. That’s why names of family members, dates of birth of loved ones, your personal heroes, the name of your first pet, etc. are generally considered to be valuable clues, as these and other personal information is generally used as a basis for a password.
Only true randomness protects you from yourself. Which, incidentally, is the basis of modern encryption.
Related Articles and Sites: