

Creating memorable and secure passwords - bmahmood
http://www.economist.com/node/21550763

======
digitalsushi
I am a security layman; whenever I create a password for an account I tend to
just use very long sentences. To log into my laptop, I have to type something
completely unlike "oh man here i am again logging into this stupid thing".

I've always wondered if this is any less secure than some nice mixed meta
characters. "SS7s$@a8" as it were.

I can remember my sentence very easily and type it far more quickly than I can
henpeck the pure random mix.

Also, I am very curious - if the encrypted password ends up being a uniform
length N, is there any value having a passphrase longer than length N, if by
that point the correspondence between the encrypted passphrases might be many-
to-one with their unencrypted counterparts?

I feel there is so much more coffee-talk understanding to cryptography I have
before I could even begin the barest math essentials of understanding it.
Perhaps my naivety is founded by low math self confidence. _shrug_

~~~
AgentConundrum
I am also a layman, but I think the answer to your first question is "it
depends". Specifically, it depends on the length of your mixed meta password
and the length of your passphrase.

I ran the numbers for passwords up to 30 characters long and made a chart in
Excel showing the total possible passwords, one to thirty characters long,
given a variety of character spaces, using the form s^l (character space to
the power of password length). [1] The weakest space I used was lowercase
characters only (26), the most complex was "all keyboard characters" (96). (In
between are various combinations of lowercase, uppercase, numerics, common
punctuation, and all punctuation. It's not entirely relevant to my point
though.)

One interesting point I found was that a purely lowercase password only needs
to be 30 characters long to beat an "everything on the keyboard" password of
22 characters, and is a _lot_ easier to remember.

One serious point to consider is that passphrases aren't the same thing as
"lowercase-only" passwords. If you consider each word as a "character" you
could use a dictionary to brute force it, meaning that rather than brute
forcing the series as ["a", "b", ... "z", "aa", etc.] you could brute force it
as ["an", "as", ... "an account", "an acorn", etc.].

Personally, all of my passwords but one are ridiculous mixed passwords that I
don't even know. The last password is the password to my KeePass database,
which is a longish passphrase (also the phrase I use doesn't make any damn
sense, which is sort of the point). The idea is that long mixed passwords are
hard to remember but are more secure than an identically long phrase, so I
want to use those as much as possible, but because it's essential that I
remember the KeePass password (because forgetting it would lock me out of
_everything_ ), a passphrase works as a memorable but still complex password.

I'm not entirely sure I've done any of my work correctly, so I'll just sit
here and wait for Thomas or Colin to come in and take me to school.

[1] <http://i.imgur.com/4tMEX.png>
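
The s^l arithmetic from the comment above, and its point that a passphrase built from dictionary words is searched as dictionary_size^words rather than 26^letters, worked through in code. This is an added example, not part of the thread or the commenter's spreadsheet; the character-class sizes and the 7776-word dictionary size are assumptions chosen to match the figures mentioned in this thread.

```python
import math

# Character-class sizes, constructed to match the comment's spreadsheet
# (26 lowercase letters up to 96 "everything on the keyboard").
CHAR_SPACES = {
    "lowercase": 26,
    "lower+upper": 52,
    "lower+upper+digits": 62,
    "all keyboard": 96,
}


def keyspace(space: int, length: int) -> int:
    """Number of distinct secrets of exactly `length` symbols from `space` symbols (s^l)."""
    return space ** length


def bits(space: int, length: int) -> float:
    """Entropy in bits of a uniformly random secret: length * log2(space)."""
    return length * math.log2(space)


def min_length_to_beat(space: int, target_space: int, target_length: int) -> int:
    """Smallest l such that space^l strictly exceeds target_space^target_length."""
    target = keyspace(target_space, target_length)
    length = 1
    while keyspace(space, length) <= target:
        length += 1
    return length


def passphrase_keyspace(dictionary_size: int, words: int) -> int:
    """Search space for an attacker who knows the phrase is dictionary words:
    dictionary_size^words, not 26^(total letters)."""
    return dictionary_size ** words


def letters_vs_words(phrase: str, dictionary_size: int):
    """Return (naive letter-level bits, word-level bits) for a lowercase phrase.

    Both numbers are upper bounds that assume each letter / word was chosen
    uniformly at random; a natural-language sentence is weaker than either."""
    letters = sum(c.isalpha() for c in phrase)
    words = len(phrase.split())
    return bits(26, letters), words * math.log2(dictionary_size)


if __name__ == "__main__":
    for name, space in CHAR_SPACES.items():
        print(f"{name:>20}: 22 chars = {bits(space, 22):6.1f} bits")
    print("lowercase length needed to beat 96^22:", min_length_to_beat(26, 96, 22))
    # Sample phrase taken from the thread; 7776 is the Diceware list size.
    naive, informed = letters_vs_words("oh man here i am again logging into this stupid thing", 7776)
    print(f"letter-level bound {naive:.1f} bits, word-level bound {informed:.1f} bits")
```

`min_length_to_beat` uses exact integer arithmetic rather than floating-point logs so the comparison is never off by one at the boundary.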

~~~
janzer
Here is some recent research on the strength of a multi word passphrase.
[http://www.lightbluetouchpaper.org/2012/03/07/some-evidence-...](http://www.lightbluetouchpaper.org/2012/03/07/some-evidence-on-multi-word-passphrases/)

------
wbrinkley
Perhaps the future lies more with the "something you have" form of
authentication than the "something you know", like passwords, that this
article complains about.

For example, Google's two-factor authentication seems very secure, even with a
weak password. To log in, I need to enter the ever-changing six-digit number
off my iPhone as well as my regular password. Similar to this are other
schemes which use any SMS-capable phone: enter your username and password on
the web site, then enter the word the system just texted to you. Some banks use
this to secure the addition of a new electronic bill payee, for example.

If you think about it, password safes, client-side SSL certificates, SSH
private keys, etc., are really all just "things you have."

Computers aren't getting any slower; the gap between what you can remember and
what they can guess is only getting smaller.

------
subleq
I wrote a tool for this, mouseware: <http://www.fusionbox.com/mouseware/>

It generates a memorable password using entropy from your mouse movements to
seed a CSPRNG. It is completely in-browser, no data is ever sent to the
server.

Source available here: <https://github.com/fusionbox/mouseware/>

------
DanBC
Passwords do not need to be memorable. You need one very secure master
passphrase [1] and a good password safe.

[1] Use diceware to generate it. Avoid swapping words out for something easier
to remember (see the article for examples) and, if you need to, write it on a
piece of paper while you learn it, but treat that piece of paper like a high
value item.
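
How a Diceware-style master passphrase is generated and how to size it, as an added example that is not part of the thread. The word list here is a constructed sixteen-word stand-in (a real Diceware list has 7776 entries, one per five-dice roll); the function names are my own.

```python
import math
import secrets

# Constructed stand-in for a Diceware list. A real list has 6^5 = 7776 words;
# sixteen is enough to show the mechanics without pasting the whole list.
SAMPLE_WORDLIST = [
    "acorn", "basalt", "canyon", "drizzle", "ember", "fjord", "gravel", "harbor",
    "ingot", "juniper", "kettle", "lantern", "meadow", "nickel", "orchid", "pebble",
]


def passphrase_bits(wordlist_size: int, words: int) -> float:
    """Entropy of `words` independently and uniformly chosen words."""
    return words * math.log2(wordlist_size)


def words_needed(target_bits: float, wordlist_size: int) -> int:
    """Fewest words from a list of `wordlist_size` to reach `target_bits`."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def diceware_index(rolls) -> int:
    """Map five die rolls (each 1..6) to a 0-based index into a 7776-word list,
    the same way the printed Diceware table keys words '11111'..'66666'."""
    if len(rolls) != 5 or any(r not in range(1, 7) for r in rolls):
        raise ValueError("need exactly five rolls of 1..6")
    index = 0
    for r in rolls:
        index = index * 6 + (r - 1)
    return index


def roll_dice(n: int = 5):
    """Software dice: secrets.randbelow uses the OS CSPRNG, unlike random.randint."""
    return [secrets.randbelow(6) + 1 for _ in range(n)]


def generate_passphrase(wordlist, words: int = 6, sep: str = " ") -> str:
    """Choose each word uniformly with the OS CSPRNG and join them unmodified.

    Duplicates in the list would make the entropy estimate overstate strength,
    so they are rejected up front."""
    if len(set(wordlist)) != len(wordlist):
        raise ValueError("wordlist contains duplicates; entropy estimate would be wrong")
    return sep.join(secrets.choice(wordlist) for _ in range(words))


if __name__ == "__main__":
    rolls = roll_dice()
    print("rolls", rolls, "-> Diceware index", diceware_index(rolls))
    print("6 Diceware words:", round(passphrase_bits(7776, 6), 1), "bits")
    print("words for 128 bits from a 7776-word list:", words_needed(128, 7776))
    print("sample phrase (16-word list, only",
          passphrase_bits(len(SAMPLE_WORDLIST), 5), "bits):",
          generate_passphrase(SAMPLE_WORDLIST, 5))
```

The strength figure depends only on list size and word count, which is why the words are kept exactly as drawn: substituting an "easier" word, as the comment warns, lets the attacker model that substitution and lowers the effective list size.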

------
jamesgriff
<http://xkcd.com/936/>

------
VaibhavZ
Thanks.

