
Passwords: Using 3 Random Words Is a Really Bad Idea (2017) - indigodaddy
https://paul.reviews/passwords-why-using-3-random-words-is-a-really-bad-idea/
======
evrydayhustling
I guess this is a good primer for some folks, but there are two really
spurious arguments:

(1) Your working vocabulary of 20k words is irrelevant. If you pick the words
yourself, they aren't random and your random-word-vocabulary (the ones you'd
actually pick) is waaaay less. If you use a randomizer, which you should, just
give it the full dictionary (or say, top 100k for memorability).

(2) Faced with the suggestion of adding more words, they show that 4 is
crackable. But go to 5, and you're solid for 400y. This is so clearly relevant
that excluding it seems suspect. This article should be as simple as "use 5
random words, not 4".

Password managers have their own issues, both with usability and their
tendency to provide centralized targets. And, they still require a secure
passkey themselves -- for which a long random phrase is a perfectly reasonable
approach.

~~~
PaulMoore
Hi evrydayhustling

"If you use a randomizer, which you should"

That's a big IF. People should use a password manager, or create unique random
passwords for every site... but they don't. Of course, if someone other than
you chooses the words, you'd need to include the entire dictionary.

"But go to 5, and you're solid for 400y. This is so clearly relevant that
excluding it seems suspect."

I haven't excluded this; I make reference to DiceWare at the bottom of the
page. This covers both using more words chosen at random, which is the entire
point.

Thanks

~~~
evrydayhustling
Oops - I didn't notice this part was related because I haven't used diceware!
I still think it's weird to put something this fundamental to your argument in
a footnote under one product above, but apologies for implying you if ignored
it entirely.

------
strictnein
No, using 3 random words isn't "a really bad idea". That's complete nonsense.

The only "really bad idea" for passwords is password reuse. A unique 14
character three word password for each site you use will protect you from the
threats you face online.

The fact that someone can relatively quickly crack your password if you used 3
random words is meaningless. That only works if they knew that you did that in
the first place. Capitalize one random letter in all of that, throw a number
between the second or third letter, add dashes, whatever and they're totally
screwed. Game over, you win.

~~~
UncleMeat
Even if they know it doesn't matter. Online password brute force attacks are
extremely rare. If you don't reuse passwords then offline attacks don't really
matter to you.

~~~
gmuslera
This very week you had the Quora users info leak
([https://blog.quora.com/Quora-Security-Update](https://blog.quora.com/Quora-
Security-Update)) where users info, including and their encrypted passwords,
were compromised.

Password reuse, or even following a simple pattern for having different
password for each site (i.e. a seed+site name) is the main problem here. If
one site falls, then it should not be trivial to deduce your password or how
to attack it for other, maybe more important or secure, sites.

~~~
strictnein
So they brute force an account (a not insignificant effort and the attacker
now sees your password of "fuzzykittytoes". What are they going to do with
that information?

Target a bank with it? They can't bruteforce a 14 character password for the
bank over the internet. What trivial method would you use to get into your
bank account, if you didn't reuse that password?

------
scblock
I'm not sure how this made it to the front page. It mashes up several things
about passwords, some of which are dangerous, some of which are smart. It
acknowledges the strength of a system like diceware. Then it concludes 'Don't
use words in passwords. Ever.' while failing to distinguish between passphases
based on words (like diceware generates) and having a password that is
"benisgreat".

~~~
TotempaaltJ
Here's 1Password's article on creating a master password (spoilers: it is
_way_ better): [https://blog.1password.com/toward-better-master-
passwords/](https://blog.1password.com/toward-better-master-passwords/)

~~~
daveFNbuck
> Change a weak Master Password, otherwise leave it be

I wish LastPass would take this advice. They ask me to change my master
password every time I log in because I've had the same one for a long time.

------
gravy
The ONE thing stopping me from using a password manager is fear that I'll lose
the master password. How do I get over this fear?

Another thing is for example Chrome's built in password manager. If I make a
bunch of accounts with these passwords, do I NEED Chrome to ever be able to
log in to these accounts?

~~~
Spooky23
Write it down on paper, put it in an envelope, and leave it in your home,
preferably in a small fire resistant lockbox that you keep other important
documents in.

If your home isn't secure enough for this purpose due to roommates or other
issues, ask a trusted friend, parent or relative to hold onto it and your
other important documents on your behalf. If your situation makes putting it
in someone else's hands a problem, you can split the password or other key
material between multiple locations as well. 1Password makes it easy with the
"rescue kit", and KeepassXC can use a combination of a password and file-based
key for this purpose.

Security conversations on this topic typically go down some rabbit hole about
the government, police etc. Keep it simple and don't crawl into that hole. End
of the day, in the United States, the most reliable and legally secure place
is your home or in some cases an attorney's office.

~~~
philwelch
Not a safety deposit box at the bank?

~~~
Spooky23
Safe deposit boxes are an option but are expensive, inconvenient and often
less secure. A bank clerical error, fubar, or payment issue could result in
loss of the contents at any time. (See:
[https://sacramento.cbslocal.com/2018/07/26/safe-boxes-
stolen...](https://sacramento.cbslocal.com/2018/07/26/safe-boxes-stolen-
drilled) )

When you need your password at 4:30PM, the bank is closed.

Also, it’s an awful place for important documents like a will, as the bank
will require a court order for your family to open it upon your death.

------
guitarbill
i hate this kind of pedantry. it just has to be better than what people
currently use, which is stuff like password1, or 123456. yes, in an ideal
world we would all use password managers, but that hasn't happened yet,
either.

~~~
PaulMoore
I'm sorry, but that's nonsense if you actually think about it.

Existing passwords are broken in a matter of milliseconds, perhaps a few
seconds. Do you honestly believe it's sufficient consolation to an end-user to
know it took 40 seconds instead? The end result is the same... they're
breached.

My point is simple. We already have FAR superior techniques in 2018 and
wasting time advocating questionable techniques is an exercise in futility.
The people who follow the advice are still at considerable risk, the majority
will ignore it and remain almost as vulnerable.

~~~
guitarbill
That's if they're encrypted in the first place. Avoiding re-use is far more
important, as others have said in this thread. And humans are bad at
remembering random combinations of letters and numbers, but ok at remembering
words. If I could get my parents to use a password manager, I would.

But until then, three words is better than re-use, and your pedantry still
isn't helping the people who need it most, i.e. people lacking technical
literacy in the first place.

~~~
PaulMoore
I'm guessing you mean hashed, or am I being pedantic? ;)

Anything is better than re-use, that's not really an argument. If I
recommended using "1", "2", "3" for three different sites, that's technically
better than reusing the same password... but still not safe.

Labelling it as pedantry really ignores the wider point. Having 3 unique
passwords which take 40 seconds to break really isn't a great improvement,
neither is it pedantic to point out that fact.

------
mbreedlove
I feel like the real take-away from this article is that MD5 is broken,
something we've all known for ages.

An application using a memory-hard algorithm like bcrypt would yield the same
results, but without the hassle of retraining all users to use longer
passwords.

~~~
jeremysalwen
Yup, also no mention of salting the passwords.

The 200 billion md5 hashes per second figure they use matches up nicely with
this 8x GTX 1080 system:
[https://gist.github.com/epixoip/a83d38f412b4737e99bbef804a27...](https://gist.github.com/epixoip/a83d38f412b4737e99bbef804a270c40)
which cracks bcrypt (at a weak security factor) two million times slower.

So, that same system would crack a 3 word password at this weak bcrypt setting
in about 3 years, and a 4 word password in 50 thousand years.

~~~
PaulMoore
Salts make no difference here. They do not harden passwords, but make an
otherwise deterministic process random to ensure no two inputs result in the
same output.

Of course, using a slower hash algorith will increase the time required to
break it... but we know the majority of sites don't adequately protect
passwords.

There are 331 breaches on HIBP. 108 used MD5, 43 used SHAx... meaning half of
all firms used algorithms which we can break quickly & easily.

------
dominicr
I think this misses who the intended audience of this simple password advice
is. Hint: it's not us.

Normal people's passwords are terrible! It's the site name, their name,
"password123" or a single word with a number on the end.

A lot of advice about passwords is aimed at getting normal people to make easy
steps to make their passwords better, not perfectly uncrackable.

Complex passwords don't work for lay users and most of them aren't going to
switch to password managers. So getting people to make small steps, like not
reusing the same password and making it more than one word and a number, does
make a big difference to users' security.

------
danShumway
Outside of the Twitter-verse, who actually advocates to use a 3 word
passphrase? Use 5 or 6 words and the problems listed here vanish. Also, use
diceware or an equivalent generator.

If you're writing out a string of letters and characters, that's not going to
be random either. The only way to generate a random password is to use a
device that gives you random numbers. If you're relying on your working
vocabulary and picking passphrases out of thin air, then your 12 character
letters, numbers, and symbols isn't going to very good either, because you're
not good at choosing things randomly and picking letters out of thin air won't
be any better than words.

This entire article could be rewritten as one sentence: "Use a program or a
dictionary/dice to generate your >4 word passphrase."

~~~
jarfil
It doesn't even have to be truly random, just "random enough". If you were to
use a passphrase like "Use 5 or 6 words and the problems listed here vanish",
that wouldn't be random per se, but for an attacker it might as well be.

------
scandox
The simple answer here is to use non-word words. A sample might be:

eggscellent frantillion scrofulon

Ok. I'm skewing to the letter 'L' \- but they don't have to know that.

~~~
ritchiea
You can also, add irregular punctuation & capitalization, throw in some
numbers within words, include words from other languages that you know or look
up. Or use near words of other languages.

I have always thought of "3 random words" as a starting point for randomizing
a password not literal advice to follow.

~~~
SketchySeaBeast
I wonder about that - given that a dictionary attack relies on known values
(and can substitute out "l"'s for "1" and "!") - what happens if you write
something like "Ger!bils"? Is the dictionary attack totally nullified, or is
that possibly accounted for? That would seem to open up the potential space a
ton.

~~~
romdev
Depends on the attacker, but it's probably accounted for at least partially.
In some passwords where I don't care much about security I'll use this
technique and some personal, site-specific mnemonic - if their logo reminded
me of a gerbil, I might start with the name of a pet gerbil I once had and
obfuscate it with character replacement or keyboard proximity replacement
(same characters, one row up or down). These passwords are always unique to
the site, which doesn't get any financial info.

When I need a secure password that's easy to remember I'll obfuscate the
initials of a memorable passphrase from a joke, poem, song or book. My
password manager is offline (remember the LastPass hack?) so I need to read
from it once and type it in.

Update: I remembered this old article that describes some of the techniques
that have been used to crack passwords, including 133t-character replacement:
[https://arstechnica.com/information-
technology/2013/05/how-c...](https://arstechnica.com/information-
technology/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/)

------
mcphage
This depends on the cracker knowing that you only use words in your password.
If they don't know that, then they're back to cracking it based on length. Or
at least, attempting all of the words _first_ , then brute force.

~~~
hyperpape
If you have _n_ schemes that you’re targeting, that’s only a slowdown by a
factor of _n_ , because you share effort between the two schemes.

A cracker can try all the word combinations below a certain depth, then try
all the passwords below a certain depth. Then increase the search space a bit
for each, as long as they want.

~~~
mcphage
That's fine if your only other scheme is "exact matching words". But once you
break from that, even a little bit, the number of different possible schemes
balloons quickly. For instance, 3 words + a symbol at the end. A cracker can
try all the words, sure. But they're probably not going to try every different
"all the words plus a little twist" schemes.

~~~
hyperpape
Most of those schemes fall into the category of:

sym,word,sym,word,sym,word,sym

Where sym is 0-1 symbols or numbers, and comma indicates concatenation.

If you use 5+symbols you’re probably creating enough entropy, but you’re
veering into hard to type, might as well just use gibberish territory.

~~~
mcphage
They are, but like—how many of these schemas is a cracker going to try between
"test just words" and "brute force". There's a ton of possibilities, and I
really don't think they'll bother enumerating them all. That's the point—the
cracker doesn't know what schema you're going to use. Sure, maybe they'll test
word lists. But not all of:

* word sym

* sym word

* word word sym

* word sym word

* sym word word

* word word word sym

* word word sym word

* word sym word word

* sym word word word

And then what about 2 symbols? Or separating words with spaces, or dashes, or
underscores, or nothing? How many schemas are we up to by now? At what point
is there no value to trying all of these, and just running the brute force
lookup?

~~~
hyperpape
Most of those are covered by what I wrote. I said they’re ranges of 0-1
symbols.

~~~
mcphage
Right, but my point is that since the cracker doesn't know which you're going
to use, they'll need to stick to broad schemas that will take a long time. It
doesn't matter if you only use 1 symbol, if the cracker needs to try every
combination of up to 5 symbols. And even a broad schema like you suggest—which
would take a long time to complete—will have holes that would be easy to
squeak through, which means even those broad schemas have minimal value.

Ultimately, even a schema like "sym? word sym? word sym? word sym? word sym?"
is useless. They'll have to use brute force, and that means the difficulty of
cracking your password is back to being based on the length.

------
billfruit
I really do hate that many websites/services put a max length on passwords
that is really short like 16.I remember even outlook.com restricting it to 16
chars,really bad for people who would use long sentence like passwords.

------
atoponce
Niceware ships 65,536 unique words. 3 words chosen randomly is 1 "password" of
281,474,976,710,656 possibilities.

[https://diracdeltas.github.io/niceware](https://diracdeltas.github.io/niceware)

If that password was hashed with a single pass of vanilla MD5, the Jeremi
Gonsey's cluster of 8 Nvidia GTX 1080i GPUs [2] would be running at
307,200,000,000 hashes per second.

[https://gist.github.com/epixoip/ace60d09981be09544fdd3500505...](https://gist.github.com/epixoip/ace60d09981be09544fdd35005051505)

In order to exhaust half of the keyspace, so odds would be in the favor of the
password cracker finding the original hash, they would need to search only
140,737,488,355,328 hashes.

At 307.2 gigahashes per second, this would take approximately 458 seconds, or
just under 8 hours using the Niceware list.

However, jumping to 4 random words grows that time by a factor of 65,536,
which means reaching 50% exhaustion would take approximately 1 full year.
Moving to 5 randomly generated Niceware words, and it's impractical to attempt
cracking the MD5 hash.

Cherry-picking 3 words is a little dishonest for the discussion surrounding
password security. The right "best answer" for password generation is to use a
password manager, no argument there. And I don't know of any password
generators that generate passphrases by default, Niceware, Diceware, or
otherwise.

But if a user wants a passphrase instead, I don't know of a security expert
who would recommend 3 words.

------
scotchio
Quickly just sharing:

I must have read online for 2 solid years about how much better/safer and
secure Password Managers are before I finally switched to one.

After switching though, the CONVENIENCE of a password manager is the most
undersold part of it.

Nothing seems to be perfect solution with security, but if you're reading this
and haven't switched to a password manager for whatever reason, security
benefits aside I would highly recommend finally doing it.

~~~
SketchySeaBeast
> CONVENIENCE of a password manager

Absolutely. The only issue I have is when I'm logging into something I log
into every day, but other than that it's great to log into the manager and go
"ah, here's the password I set up a decade ago".

------
akatechis
What I don't understand is the math. Author makes the claim that using 3 words
changes the combinatorics from 62^12 (62 characters, in 12 positions) to
20,000^3 (20k words, in 3 positions) but a hashing algorithm doesn't work with
words, it works with characters, so if the words are 4 characters each, you've
still got 12 characters to fill. Since an attacker doesn't know that you've
not used symbols or numbers, they can't reduce the problem space to 26^12.
Right?

Have I missed something in the article that would make the connection?

EDIT: Yes, hashing works with bytes, so technically, it can be even stronger
if we include charsets from other scripts in the problem space.

~~~
eric_bullington
Exactly. The attacker would have to _try_ a word-based attack to benefit from
the ~7 hour time-to-crack.

So I disagree with the article's advice: "Don't use words in passwords. Ever."
Yes, you should use caution when using words in a password, but even if you
use a password manager, a 5- or 6-word diceware password is ideal. Even better
if you stick on a 4-digit numeric "salt" to your diceware passwords.

But yes, I do agree that a 3-word password is too short (~33 bits of
entropy[1]). It should be at least 5 words (~55 bits). And you really need at
least 6 words (~66 bits, obviously) for a master password.

1\. Using EFF's user-friendly, ~1200 word list for diceware.

------
jsgo
Novice in the area, so grain of salt (and if you can correct me where I'm
wrong, that'd be great. All for learning):

1) I don't think the base changes nor the exponent deviates from the character
approach (in reference to the 20,000, 40,000, and 171,000 base stated). If
we're in a system that allows all uppercase letters, all lower case letters,
all special characters, and all numbers, then the base is the sum of those:
regardless if my password is purplepenguinparade because you don't know that
I've artificially set parameters for my password within the existing
parameters. It could be argued you could try all permutations of lowercase
characters first (base 26) but then how do you know to go to 26^19 before
adding more to the base?

1a) if the hashed passwords give away tells as to what the decoded password is
like (in this case 3 words lowercase), that'd seem like a concern about the
encryption moreso than the password.

2) The 20,000 and 40,000 part seems like a meaningless piece of trivia. What
if one of the words I want to use doesn't fall in your 20,000-40,000 word
store? You're never going to crack my password. Better go the full 171,000 or
whatever it was and hope I don't slip an extra character of the numeric,
special character, upper/lower case variety.

\-------------

While I do personally use a password manager, it isn't perfect for me either
(requires loading 1Password 2x on Windows 10 for me because the first attempt
does nothing, but loads on second try). I do hope more OS creators do like
Apple did to better tie in with password managers and that may help alleviate
some of it). So I don't see my parents or grandparents, for example, using
one.

That said, for the rank and file folks that are taking their security advice
from the government and police departments, I think pushing for various words
in sequence is much better advice than "8 characters in length because it
takes longer to guess than 6 characters" or whatever it is that people
predominantly operate under and usually ties back to something about
themselves that someone with some familiarity about them could guess (if I
recall, this is what happened to Sarah Palin when she was hacked shortly after
being McCain's VP nominee).

~~~
sidedishes
To your first point, I think it's about priors about password choices. To take
an extreme example, even if a site allows up to 32 alphanumeric characters, we
don't just say passwords on this site are uniformly secure under metric
(26+26+10)^32 because theoretically a brute-force approach would have to go
through up that many permutations. (Such a number is an upper bound on your
password security.)

In particular, short passwords with up to 8 characters are weaker because they
form a small and common subset of passwords that people often draw from, and
attackers exploit that by trying short passwords first.

Passwords that are 3 dictionary words, with possibly some small perturbations
like punctuation inserts or replacements (which helps but only expands the
space so much), also form a relatively small subset of passwords that people
increasingly draw upon, and attackers aware of this will tailor their brute-
force search accordingly.

~~~
jsgo
I might be misunderstanding your first paragraph, but I'm not saying that the
exponent is constant, just the base.

What I was saying is if the rules of the site allow for all lower, all upper,
special characters, and numerals, the sum of that is your base. If your
password is purplepenguinparade, the expectation is you've cracked it by the
time you've completed combined_base^1 through combined_base^19. They could
artificially limit it (most people use lowercase characters and this site
allows just lowercase characters, so let's try 26^n), but they'd run the risk
of never cracking it because characters could've been added that deviate from
their parameters.

~~~
sidedishes
Oops, that was my misunderstanding in the first paragraph :)

Maybe a clearer example w.r.t. the base^exponent value would be another highly
structured class of long passwords, instead of short passwords. For example,
those that are just a 2-character sequence repeated 20 times (e.g. abab...ab).
You can still say that it'll take maybe up to 26^40 tries for an attacker to
guess this, but that number should be more obviously too charitable, since
less entropic classes of passwords are more likely to be guessed first.

More generally, this kind of counting analysis depends on your choice of
attacker, and it's plausible for attackers to be more sophisticated than just
trying all the strings in lexicographical order. A more concrete but still
practical attack sketch adapted to the frequency of password schemes today
could be: guess dictionary word combinations first, starting with common/short
words/phrase lengths, then repeat with small perturbations, then more
perturbations, and so on until you search all the remaining strings.

Then, the number of tries for such an attacker to find a 3-word passphrase
with a few changes would be much closer to (some small constant) * (#
dictionary words)^3 than (# characters)^(string length). Of course, you can
still say that such an attacker would take at most (# characters)^(string
length) tries to get it, but such an upper bound isn't as useful when the
password is much more structured and easy to guess with a slightly more
sophisticated attacker.

(Yet another way to put it: one shouldn't expect a password that's 'slightly
out of reach' to be significantly more secure than a password that follows a
scheme exactly - a more sophisticated attacker would test neighbouring
passwords as it brute-forces the combinations in the scheme)

------
jlmcgraw
I wrote a perl script a while back to create random passphrases based on a
random mnemonic word

It seems like a good idea to me but I’m not knowledgeable enough about
cryptography to know if that’s really true and would be very interested to
hear from anyone who does know

[https://github.com/jlmcgraw/mnemonic_passphrase](https://github.com/jlmcgraw/mnemonic_passphrase)

------
josefresco
This was posted here a few years back, and it's still a tool I use:
[https://blogs.dropbox.com/tech/2012/04/zxcvbn-realistic-
pass...](https://blogs.dropbox.com/tech/2012/04/zxcvbn-realistic-password-
strength-estimation/)

Anyone else still using this?

------
raverbashing
Yes, if you use 3 common words it's not a good idea.

But most people don't, and the attacker doesn't know that.

It's useless to use a strong password if it's going to be stored in plaintext
on some service.

------
hyperpape
While I use strong passwords (better safe than sorry), how important is it
really to worry about this kind of offline attack if you don't reuse
passwords?

------
norswap
I believe it comes from a good place, but this post is bad.

Why?

Because it doesn't apply the same comparison standard to character-based
passwords than to word-based passwords.

Sure, we only use a few common dictionary words. But by the same token, our
character-based passwords aren't random strings either: they are variation
based on random words.

This is the basis of the xkcd advice to use 4 random words:
[https://xkcd.com/936/](https://xkcd.com/936/)

Notice Randall gives each word 11 bits of entropy, meaning he considers each
word is chosen at random amongst a pool of ~2000 words. Yet that base is still
much bigger than ~64 for characters.

If you take 3 common words, you get ~8 billion possibilities. 4 common words:
17,000 billion. That's much more than than ~400 billion for a perfectly random
(again: that's not the case in practice) password of 12 characters. And four
words is easy to remember, 12 random characters is HARD.

If anything bad can be said about the xkcd comic, it's that it doesn't hammer
the point that it has to be FOUR words. As three is much less secure (but
still probably more secure than the 12 characters password people are likely
to use in practice).

~~~
drbawb
This post also fails to take into account people's exposure to fiction. My
vocabulary may be limited, but many of my passphrases use nouns/concepts/slang
that are drawn from video games, novels, movies, etc. Some of these works
(authored by family, friends, and myself) aren't even published. I reckon the
chance of these "words" being included in some cracker's dictionary is quite
close to zero.

Also as you point out their analysis of the entropy of random words is quite
uncharitable. It fails to account for any sort of punctuation, capitalization,
etc. Is my password "correct horse battery staple" or "correct Horse, battery
staple!" or "CORRECT HORSE! Battery staple.", etc. There is a lot of entropy
inherent in crafting a phrase.

~~~
norswap
The point being that even so it's already better while simultaneously being
easier to remember (because indeed, what did I capitalize again?).

------
dawhizkid
what if you use a non-dictionary word as one of the three words?

------
mcstafford
Here's a sample from my 4x dictionary-based generator. Let me know how quickly
you can re-create it via brute force.

Pocahontas-ballot-balustrade-blackouts

[https://www.xkcd.com/936/](https://www.xkcd.com/936/)

------
nix0n
According to XKCD[0] you need a fourth random word.

[0][https://xkcd.com/936/](https://xkcd.com/936/)

~~~
josefresco
Also this, which references the same comic:
[https://github.com/dropbox/zxcvbn](https://github.com/dropbox/zxcvbn)

