The xkcd comic criticizing the state of passwords made sense to me. Why are we subject to password requirements that point us toward hard-to-remember and less secure passwords? Why don't we optimize for memorability and security?

xkcd: Password Strength


Requiring a mix of punctuation, capital letters, and lowercase letters has become the standard way for administrators to "increase security." In actuality, this encourages people toward two bad practices: choosing passwords that are hard to remember and reusing one complicated password across multiple sites. A person is likely to come up with one password that meets most of these rules and use that same password at many sites. The problem with this approach is that the places we enter passwords are not always entirely secure. Alternatively, these places may simply be incompetent. There are far too many sites that store passwords in plain text, which is unacceptable from a security standpoint. If a site has the ability to email you your own password, they are doing something wrong. If a person with nefarious intentions is able to determine your password, perhaps as a result of sloppy or non-existent security at another website, you don't want that to be your one true password. This is why you should never reuse passwords. Use one unique password for each site that requires one.

To implement the solution proposed by xkcd, you have to be able to use long passwords. For reasons that are certainly not technical, many sites insist on an absurdly short maximum password length. Modern computing systems could easily handle passwords that are hundreds of characters long, so why would a system mandate that the maximum password length is 20, 12, or even 8 as I have seen recently? Sites that do not allow spaces or special characters in a password raise the exact same question. There seems to be a correlation between sites with short maximum password lengths and sites that are trying to be more secure. I have seen the problem on banks, loan management, and accountant's web sites. If the password hash wasn't stored securely and a bad guy set up a cloud computer to guess passwords, they could guess at the rate of more than 2 billion per second. That means it would get through every combination of 8 letters and numbers in less than half an hour.


Keeping a unique password for every different site sounds overwhelming, but there are a few techniques that make it entirely possible. The first is to use a password safe for all of your passwords. This works a lot like a little black notebook full of all of your passwords, but it is much more secure and has the advantage of being digital. There are several options here, but I like using KeePass. This program is open source and available on any computer, smart phone, or tablet where you might need it. It creates an encrypted file that secures all of your passwords behind a master password. KeePass can also generate purely random passwords for those sites that insist on only a few characters. The master password is the only one you have to commit to memory. I put this file in my Dropbox folder, which gives me the most up-to-date copy across all of my machines and a solid backup of this important file.

Everywhere possible, especially your KeePass master password, use four random words, as the xkcd comic suggests. Not coincidentally, I have written a small Python script that will generate these passphrases for you. This is a really simple program you can run from the command line that generates 5 random passphrases made up of four random words each. Here is the meat of the code:

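```python
import random

# word_list, number_phrases, number_words_in_phrase, integer_min and
# integer_max are defined earlier in the script.
for _ in range(number_phrases):
    for _ in range(number_words_in_phrase):
        # SystemRandom is a cryptographically secure way
        # to generate random numbers.
        print(word_list[random.SystemRandom().randint(
            integer_min, integer_max)], end=" ")
    print()
```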

For each word, the program generates a random number in a cryptographically sound way. When using random numbers for passwords or cryptography, you want something that is truly random, and not simply based on an algorithm that is made to look random. If the random number comes from an algorithm, it may be possible to deduce the number if the bad guy knows the algorithm. SystemRandom in Python gets its numbers instead from a module built into your computer's processor which is designed to provide a truly random source. This number is used as the index into a list of the 10,000 most common English words. The hardest part of this little project was coming up with that list of common English words, but that's a story for another blog post. The result is that you get a word chosen at random from this list of the 10,000 most common English words. Four of these words make up each passphrase. Here are the output passphrases from one run (Don't worry, you shouldn't see any of these passphrases repeat unless you run my program once a second for 63 million years):

sultan mad viewpoint trading

rusty fashion try trunk

winning theorem pipes alabama

harper yours romance disadvantage

legitimacy particles fright deficits
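
The selection step described above, as an added example that is not the author's script: it draws words with Python's `secrets` module, which like `random.SystemRandom` reads from `os.urandom`, and compares the article's two keyspaces at the quoted rate of 2 billion guesses per second. `SAMPLE_WORDS` and all function names are assumptions made for illustration; the 10,000-word list itself is not reproduced here.

```python
import math
import secrets

# Constructed sample list (note the duplicates and stray whitespace);
# the script described in the article uses 10,000 common English words.
SAMPLE_WORDS = ["sultan", "mad", "viewpoint", "trading", "rusty", "fashion",
                "try", "trunk", "Rusty", "pipes ", "theorem", "pipes"]
GUESSES_PER_SECOND = 2e9  # offline guessing rate quoted in the article


def clean_word_list(words):
    """Normalise and de-duplicate, keeping order. Repeated entries bias the
    draw and make the real keyspace smaller than len(words) suggests."""
    cleaned = (w.strip().lower() for w in words)
    return list(dict.fromkeys(w for w in cleaned if w))


def make_passphrase(words, count=4):
    """Pick `count` words uniformly and independently with the OS CSPRNG."""
    return " ".join(secrets.choice(words) for _ in range(count))


def entropy_bits(list_size, count):
    """Bits of entropy for `count` uniform draws from `list_size` words."""
    return count * math.log2(list_size)


def seconds_to_exhaust(keyspace, rate=GUESSES_PER_SECOND):
    """Worst-case time for an offline guesser to try every candidate."""
    return keyspace / rate


def words_needed(list_size, target_bits):
    """Smallest number of words whose entropy reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(list_size))


if __name__ == "__main__":
    words = clean_word_list(SAMPLE_WORDS)
    print(make_passphrase(words))
    print(f"4 of 10,000 words: {entropy_bits(10_000, 4):.1f} bits, "
          f"{seconds_to_exhaust(10_000 ** 4) / 86_400:.0f} days to exhaust")
    print(f"8 of [a-z0-9]:     {8 * math.log2(36):.1f} bits, "
          f"{seconds_to_exhaust(36 ** 8) / 60:.1f} minutes to exhaust")
    print("words for 64 bits:", words_needed(10_000, 64))
```

The exhaustion times assume the attacker holds a fast, unsalted hash; a deliberately slow password hash on the server lowers the guessing rate and stretches both figures by the same factor.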

Just as the comic suggests, I have found that your mind begins making up funny little stories and pictures to go with the random sequence of words. I wouldn't expect to be able to remember all the passphrases for the multitude of sites I frequent, but because of the stories and pictures, I find that I am able to recall the passphrases more often than expected. For those that I can't recall, I simply look them up in my KeePass file.

I am interested in ways to improve and simplify security in computing, and I will undoubtedly be blogging about this topic in the future. Using unique passphrases for each place you need a password and storing them in a KeePass file is a great way to accomplish both of these goals. Try out my script for generating your next passphrase or follow me on Twitter and get in touch.

You can discuss this on Hacker News.

If you liked this article, you might also like the Dropbox Tech Blog post on how they created their new password strength meter.

Written by B. J. Potter on 2013-04-09.
Tags: Programming Python Passwords Security