89 comments

[ 2.7 ms ] story [ 144 ms ] thread
This is sound advice. But I would suggest that you choose words for which you can find some mnemonic to remember them, e.g. by combining them in a nonsensical sentence.
I have usually also used one made up word derived from existing word along with other words, just in case, you know... If someone was to bruteforce 3 word combinations it would make the attack so much weaker.
(comment deleted)
Some time ago I wanted to mass produce new inventions so I generated list of random phrases in form of adjective-adjective-noun and start reading. Most of it was nonsense, occasionally there was something viable, in rare occasion some interesting new idea. Then I stumbled upon this gem:

"Creepy wet uncle"

and I giggled. I kept reading and once in a while there was something funny. After a while I realized that 3 random words can make me laugh, but no 3 random words made me cry.

Before I thought that laughter and crying are equal but opposite emotions, but they are not. Crying is much deeper and requires more emotional attachment. To make someone laugh all you need is 3 random words.

Thanks for sharing this little anecdote:)
So once upon a time the startup I was working for did a promotion at a big gaming conference. We printed a bunch of business cards that had individually unique promo codes people could redeem. I used 3 random words from a dictionary off the internet as the promo codes cuz that seemed more ergonomic than some random characters.

Let's just say the phrases on some of those cards were quite choice. Thankfully everyone had a sense of humor about it and it wasn't a big deal.

> Crying is much deeper and requires more emotional attachment.

I dunno, there's probably a fair number of people who might cry at something like "Unused baby shoes" (obviously cribbing off the apocryphal Hemingway story.)

I did the same but for some activation codes. I used a dictionary of swear words to keep it clean but still got interesting results. Had to make sure the word Jew did not appear as that came up in a phrase that would have not been well received!
I had almost exactly the same situation happen. I had to produce activation codes just before Christmas. I was on my break, chilling at home when I got a text message asking if they could email me the bit of script so I could change it to remove the vowels. I complied and when I got back to the office after Christmas asked why.

Turns out that when you generate over a million random letter sequences some of them are rather fruity words. In fact my original code was being referred to as "the random f*k generator" lol

My solution to this was to pull down some lists of swear words and then forbid every single digraph that appeared on the lists. It eliminated something like 25% of the randomly generated tokens, but the ones that passed this check were pretty reliably un-wordlike.
You don't really need the vowels. I remember a windows license key that started with FCKGW.
Random fact about that word: The scrabble dictionary has a redacted and unredacted version. "jew" is one of the redacted words because scrabble disallows proper nouns, so the remaining usage (as a verb) is offensive.
There are many different types of laughter, but no-one is naming them because it "kills the vibe" or "ruins the moment"
> After a while I realized that 3 random words can make me laugh, but no 3 random words made me cry.

Attributed to Ernest Hemingway though there is some doubt, supposedly written in response to a challenge to write a very short story:

  "For sale: baby shoes, never worn"
My first guess at this would be that the parents bought boy's and girl's shoes, and sold the pair they didn't need. Nothing to cry over.
Or a place that, you know, sells baby shoes.
Personally, I'm partial to:

"For sale: baby shoes, just hatched."

but that's back to laugh.

Maybe in Hemingway’s time shoes were so rare they wouldn’t go unused?
In science we say "Ahah!"

In comedy we say "Hah!"

In art we say "Ah!"

All three are expressions of the experience of making novel connections or seeing things from a new perspective.

Nice! Seems like "Aha!", "Hah!" and "Ahh!" would be more symmetric since they're (almost) all anagrams. More pleasing for both the scientist and the artist ;_)
The original is pleasing in that it's removing the first letter each time.
I've started wondering if people cry when they have no other way to express what they're feeling. It's not limited to just feeling sad for instance. And crying seems to happen more often when people (especially children) are confused by their own emotions.
(One word more) relevant XKCD [1].

Also, a generator for the above [2].

[1] https://xkcd.com/936/ [2] https://www.correcthorsebatterystaple.net/

Do you think it’s bad that I set my password to correcthorsebatterystaple for all my accounts?
Just checked on haveibeenpwned correcthorsebatterystaple has been seen 130 times.

It seems a lot of people took the xkcd at face value.

When implementing a password strength checker lately I relied mainly on https://github.com/dropbox/zxcvbn (which is great) but added in a check for correct horse battery staple (and variants). Probably not that important in the big scheme of things but I thought it might get a chuckle and/or some respect if anyone happened to activate that code path.
> It seems a lot of people

Or some people stopped caring

Or just people sharing accounts with random strangers.
This.

If a system requires an account/password, and people find ways to bypass or weaken account security, perhaps you shouldn't be using accounts.

In days of yore, "cypherpunk/cypherpunk" or "cypherpunks/cypherpunks" was a common convention. Those are found 140 and 38 times respectively in haveibeenpwned.

Considering many systems went out of their way to prevent / disable such accounts, and the convention fell out of practice, that's notable.

Or just ran with the joke. Likewise I'm sure somewhere out there is a codebase containing

    int random() {
        return 4; // randomly chosen by roll of a fair dice
    }
That would make a somewhat interesting testing strategy.

In a similar vein, React intentionally calls user-implemented functions which are meant to be pure twice in a row (even though that's technically unnecessary), just to ensure the programmer actually makes the function pure (so the application behaves reproducably in the future).

Haha nice, if ever there was a design decision worthy of the title "glorious bastard", this is it.
Except for your HN account, unfortunately.
Years ago I needed to generate default/initial passwords for CRM systems that weren't trivially crackable. I wrote a little script that picked 5 words from a 22e3 dictionary. It's about 70 bit security assuming the adversary knows the dictionary. Not perfect but a whole heck of a lot better than installing stuff with "admin:admin" as is shockingly common.

It still irks me how many places have 1. short password length limits and 2. stupid character class requirements. I use long as heck pass phrases everywhere I can't use a password manager but a shocking number of businesses are still like "max length 12 use 1 capital 1 number 1 symbol" :/

At least in the UK, the Cyber Essentials scheme (increasingly becoming a bare minimum cyber hygeine cert. there, and required for any business that wants to work with HM Gov) has sane password requirements.[0] Enforcing a maximum password length, for one, is an immediate fail.

[0] https://www.ncsc.gov.uk/files/Cyber-Essentials-Requirements-... (page 8)

Most people have a limited vocabulary, in the order of 14 bits. They don't know how to come up with three random words either. That means < 52 bits, probably a lot less. So, these people would need a password generator. Which makes the point moot.

Edit: 3*14 = 42, not 52...

The final section of the article about ‘password diversity’[0] is interesting to me; allow me to think aloud for a little bit.

Whilst I appreciate the recent shift to advising passphrases (and password managers, but that's a different topic) for normal users, the I've noticed that received wisdom tends to be that the words need to be unrelated, i.e. don't use a quote from a book (although I notice that the NCSC's own guidance[1] does not state this).

However, surely this would be an acceptable workaround for those who would struggle to remember (or, as you say, conjure up) an assortment of random, sufficiently-complex words? Password diversity would be enhanced if the text-based authentication ecosystem included traditional passwords, random passphrases AND semantically-meaningful sentences, more so than with only the first two?

Of course, quotations have their own strength problems (i.e., in a language like English any sentence will contain a lot of 1–3-letter words), and perhaps ‘it was the best of times it was the worst of times’ would just become the new ‘123456’, but perhaps the ecosystem-wide strengthening effect could mitigate those?

[0] https://www.ncsc.gov.uk/blog-post/the-logic-behind-three-ran...

[1] https://www.ncsc.gov.uk/collection/top-tips-for-staying-secu...

How many users actually read? I don't trust the surveys on this, at all. But if they've read a book, many a passphrase will be "you're a wizard", or some other YA cliche. In book quotes, there will be extremely little diversity. And nobody is going to type 'it was ...', as long as 'hunter1234' suffices.

I don't think this is a problem with an easy solution. The low hanging fruit, enforced password rules, has been tried, further strengthening requires alternative solutions, such as 2FA, hardware keys, one-time pads, etc.

Expanding on this, is it possible to quantify the effect on entropy of the words in a passphrase being semantically related rather than randomly-chosen? Without being a cryptographer/statistician, my gut feeling is it would involve Markov chains somehow.
Is 16k really a limited vocabulary? The only reference I found online had that as the amount of vocabulary for the highest levels of language proficiency.
16k is indeed pushing it, certainly w.r.t. generation (they'll recognize around 16k words, but won't be able to use them). And because they're never going to recall truly random words, there'll be 30 bits or less in the final passphrase.

Just in case: correct, horse, staple, battery are far more frequent, and acquired earlier in life, and thus more likely to be part of a passphrase than e.g. rime, bagnio, pungently, cruse.

I find that the brain is just optimized to remember language and language-like constructs. It's not a trick; you've sunk decades into training your brain to do it. Words, phrases, 6/7 digit numbers like phone numbers, etc. Being able to pronounce them out loud or internally is a huge part of it. So it's just easier to remember the same amount of entropy with such a secret compared with other methods.

Diceware is the older brother of this method:

https://en.wikipedia.org/wiki/Diceware

A few years ago I wrote a diceware generator at work and used it to generate my login passwords. But then they changed the complexity requirements and I couldn't use that method any more. I was most disappointed.
Can we finally get WebAuthn everywhere and not have to remember any passwords at all? It's 2021, our civilization is almost at an end and we haven't even managed to solve passwords.
Before I used a password manager, I used three random word phrases, but with the first word lowercase, the second upper case, and the third (chosen to contain at least one of "aeio") with tr/aeio/4310/. This gave phrases that passed requirements like "must contain a mixture of upper and lower case" and "must contain at least one number". It also increased the search space for guessing. In some cases I had to chuck a "!" on the end to meet a "must contain a symbol" requirement.

"crystal lizard rekindle" became "crystal LIZARD r3k1ndl3" etc.

Then there's places that don't allow that long passwords, like PayPal! Max 20 characters.
> In some cases I had to chuck a "!" on the end to meet a "must contain a symbol" requirement.

Put the "!" at the front or in the middle. That way if you accidentally type or paste the password into bash or zsh it won't end up in your history.

That's because "!foo" or "bar!foo" are parsed as requests to substitute the most recent prior command that starts with "foo" in place of "!foo". Assuming you don't have such a command in your history this fails with an error about event not found. No command is generated, and so there is no attempt to run a command, and so nothing goes into history.

"foo!" on the other hand is parsed as an attempt to run the command "foo!". Command attempts do go into history.

>"crystal lizard rekindle" became "crystal LIZARD r3k1ndl3" etc.

But you realize any serious offline cracking is going to get both of those right?

Common word in lowercase - no problem

Common word in uppercase - no problem

Common word with 1337 replacement - no problem.

All you had to do to make this significantly more secure… was add a fourth word and not do the things that humans think are clever and machines don’t really care about.

Although I concede that the stupid requirements that websites have make simple passphrases more difficult than needed.

Three random words are great. But for this to work in real life requires dozens of sets of three random words per person.
Passwords are in tiers, ranging from the "must be stupid easy so my in-laws can use my Netflix" tier to the "Can't be stored in the password manager because it unlocks the password manager" tier.

I use diceware with few words in the low tier. Diceware with more words in the high tier. The password manager autogens the middle tier. Most people only need to really know a couple.

(comment deleted)
Getting a '403 - Access Denied' error, and wayback machine has the page, but since the original is some JS-only thing, WB doesn't show anything.
It’s kinda funny because I remember when password recommendations were “use the initial letters of a simple, but novel phrase” and it turns out the password would have been much stronger if actually using the phrase.
In fairness, some of that was due to maximum password length, a silliness I have yet to see totally disappear, but was much more endemic back then.
an additional "twist" is that you can use words in different language: good luck with a "dictionary" attack if a word is in spanish, one in french and the other one in italian (or what you prefer).
If you limit it to languages you know, you're adding 1 or 2 bits of entropy. If you expand it to languages you don't know, you're adding a couple more bits but making it much harder to remember.

If you stick to one language and add a fourth word, you're adding 10+ bits of entropy (depending on the size of the word list you're choosing randomly from).

Missing is the analysis of the amount of entropy in an unaided "three random words" password.

I'll try: people are lousy at random picking. Their choices are highly likely to come from the most common 1000 words, and very very likely to come from the most common 4000 words. If this is true, it gets you an entropy of 30 to 36 bits.

BUT

Just for curiosity I checked out NIST's current guidance on passwords; they actually allow 6-digit passwords (PINs) [with about 20 bits of entropy], as long as there is server-side rate limiting of authentication attempts [edited to add:] and are uniformly chosen by the server. They recognize that this does not mitigate offline cracking attempts. Since even choosing a random "top 100" word would meet the same entropy bar, perhaps my initial reaction is an over-reaction. [https://pages.nist.gov/800-63-3/sp800-63b.html#appA]

That’s exactly what I worked out a long time ago when looking at password managers and policy for my company.

We had 8char, special, number, rolling 90 days, etc. Awful. I had looked at 3 random words as advice and same conclusion, even at 10,000 most common words, it was beyond trivial for offline cracking.

10,000 most common words ^ 3 and 100,000,000 guesses / sec is a few hours to crack.

That’s the same complexity as 6x random keyboard characters. Not even sort of good. Our last pen test was rife with offline cracking.

I ended by teaching passphrases and recommending at least 4 words or whatever tricks they like and will remember. In four years since, not a single forgotten password request.

> None of this is helped by ... the continued low uptake of password managers to both store and generate passwords

This article contains reasonable advice, but I am not sure that is advice that anyone is interested in. Let me explain.

Most of my tech savvy friends/family use password managers (either digital or paper), two factor authentication, and sometimes hardware authentication devices for important accounts.

In contrast, most of my non-tech savvy friends/family do not care about password entropy or really anything to do with security. If the complexity requirements cause them to forget a memorized password, then they reset using their email.

Edit: Actually people forgetting their passwords because of complexity requirements might be useful, since it forces people not using a password manager to login by clicking a link from their email (which is better than a weak password) In this light, maybe companies should start to enforce even more crazy requirements at least 4 numbers, 4 symbols, 8 characters

I just free-associate the first few words that come to mind when I look at the name of the site. It's remarkably consistent and I can derive passwords for accounts I haven't used in years.
If you can derive them, what are the chances someone else can do so too?
If they come up with the exact same words as me along with the alphanumeric salt they deserve the account.
VAX VMS had this sorted around 1983 with SET PASSWORD /GENERATE. We have gone backwards since then.
The strategy I use for generating 4 to 6 digit passwords (for pin keys) is to imagine drawing a shape over a keypad. For example an N shape would be 7193, a T would be 1328 and so on.

Edit: I'd be interested to see what others do!

Reading between the lines this is a political move.

Users hate IT security. IT security like all professions has become blame shifting not about security and made the problem worse.

Password complexity rules don't matter in practice. This keeps users the most happy and is close enough.

OT:If you are a hacker and care about TLA, passphrases seem the best but you need more than 3 words and you need something random in the mix. This is if they have your encrypted hard disk for instance or wallet.

Knowing a password consists of three random words makes it significantly easier to guess it. Knowing a password contains at least a digit and a special symbol and a upper-case letter does not make the password much easier to guess, and, as others have pointed out, it encourages the use of password managers.
Password complexity tends to more harm than good. Users aren't that creative and nearly every password falls into the pattern (A-Z)\w\d!. If we assume that users pad out to the bare minimum length then mandatory complexity actually reduces entropy because we know more specifically what characters are at the beginning and end.
> it encourages the use of password managers

The issue being that the users who have to remember their passwords are often not the same people who decide whether or not to authorise the use of password managers.

OK, the article convinced me, especially the end. My next password will be 'mitigationpasswordvulnerabilities'.
I reset my passwords regularly, so this example doesn't provide access to anything of mine, except my old all in one router's wifi that's been sitting in a box in my basement for years.

Hun$@ngF0rM3g-K@rp3_W19m This was a base password I used for about two or three years, altering the W19m ending to be a familiar measurement value for me, like walking 19 meters. It's actually lyrics from a song "Hun sang for meg", from Norwegian band Karpe Diem (song name is "Byduer i dur"). It falls into the problem of replacing letters with alike symbols, but that provides the complexity requirement, while also having enough length to be secure even without doing letter replacements.

My worst passwords are often for the things I should really keep most secure because they have the dumbest restrictions that cripple complexity.

8-16 characters long .. okay, there goes ALL the normal password bases I use, most my passwords are 24-58 characters long.

Only - _ ! . for special characters .. what the actual f**? Why? WHY? This is for my online medical account, WHY!?!?

8 characters of printable ASCII can give you 52.6 bits of security, which is reasonable for many purposes, as explained in more detail in https://news.ycombinator.com/item?id=28103073. Things like TzPb(5>1, #Dalx{NQ, or *^uRup@b. The correct-horse-battery-staple approach gives you more memorable versions of these passwords like "and operation sexual players comfortable", "and tape fleet bell mould", or "AUK HOOD LEAN JOT KID".
This is mostly good, but you should use four to seven random words, not three.

http://canonical.org/~kragen/sw/netbook-misc-devel/bitwords.... has several different ways of generating strings of random words from strong randomness, as well as other forms of random passwords. It uses the frequencies from the British National Corpus http://canonical.org/~kragen/sw/wordlist. The word lists I've found most effective have 2048 or 4096 words, thus 11-12 bits of entropy per word; much larger lists of words include a lot of strange words that are much harder to memorize. So, person acid hidden, cases truck merge, KNIT SOOT CEIL, worn profession products, claw gerry teeth, or TIDY ANY HUG, but not fitzwilliam preside maxine, relieve scottish seminar, or tunis orange formerly, which use a 32768-entry wordlist.

However, three 12-bit words is only 36 bits of entropy. If an unsalted password hash database containing 2000 users' passwords gets stolen, every 34 million hash operations will yield one of those passwords. If a salted password hash gets stolen, every 34 billion hash operations will yield one, but the attacker can choose which one.

To non-computer people this probably sounds like a lot, but john on one core of this quad-core laptop can try 8500 md5crypt passwords per second or 480 bcrypt passwords per second with 32 iterations. So one password cracked per 34 million hash operations, assuming md5crypt, is one user account cracked every 17 minutes, and one password cracked per 34 billion hash operations is an average of 12 days to crack your target password.

Unless the attacker has more than a US$300 used laptop to attack with, that is. If they're using a 19" rack full of equipment, possibly equpiment that doesn't actually belong to them, they could quite easily have 256 times as much hashpower, so they can crack your password in 65 minutes. Or 19 hours if you were using bcrypt or something better like scrypt, configured for that level of resistance.

By contrast, if you use four random 12-bit words, they'll need 130 years with my laptop to crack your account if it's using md5crypt, 6 months if they're using a rack full of equipment, or 9 years if they're using the rack full of equipment but the passwords were hashed with 32-round bcrypt.

With a 72-bit-entropy password like "thank reason massive derived reasonably go", "pick sat adams orcs arabs being", or "ALL JURY SAUL BILK ADD RULE CUB", you should be reasonably safe even with a poorly chosen password hashing algorithm and a more seriously funded attacker.

If the password hash database is not stolen, and the attacker is limited to an online attack, three words might be reasonable, but four words is safer.

A key point that people often miss here is that you really need to use real randomness to generate the passwords. Don't use "random" passwords from your mind, because, as any mentalist knows, those are enormously less random than you think they are. Use actual physical dice, as with Diceware, or /dev/urandom.