Generating Passwords

[Image: "Hacking Password", used under Creative Commons license from https://www.cafecredit.com/]

Your password is a vital piece of defence in the digital age. Or, more likely, passwords, since you probably have several. And choosing a strong password for every login you have is therefore very important.

The Problem

But often password generators give you a long and hard-to-type (not to mention impossible to remember!) string of characters. And the conventional advice of picking a word and then swapping out random characters for similar-looking numbers or symbols isn’t much better.

And then you’re told you’re meant to change your passwords regularly, so just as you’ve gotten one string of gobbledegook down it’s no longer valid!

To make it worse, these passwords aren’t actually that strong against a dedicated attempt to crack them. Thankfully, there is an easier and simpler system you can use to get passwords that are fairly easy to remember and easy to type, yet strong.

The System:

Pick four random words which are 5-7 letters long. From a book, from this blog post, from your favourite quote of QF&P, it really doesn’t matter!

Make any two of them ALL CAPS.

Choose a random symbol from the following: -, +, :, or /, and put it between each pair of words.

Pick four random digits, and put two at each end.

Pick a random symbol from the following: !, ?, @, or &, and put it at both ends.

You’re done! That’s your password. To demonstrate, I’ll make one right now.

An Example

My favourite Advices and Queries is 17. So, if I pick four random words, I might end up with “discern”, “listen”, “untrue”, and “hurtful”.

I’ll make the first and third words all caps. So, now I have “DISCERN listen UNTRUE hurtful”.

From the separators listed above, I’ll go with +. Now I have “DISCERN+listen+UNTRUE+hurtful”.

This is a quote from A&Q 17, which in my copy of QF&P is on page 19, so I’ll use 17 and 19 (these aren’t quite random numbers, but the combination is obscure enough that a mindless bot trying to guess your password is never going to think of it. Just don’t use something like your birthday or address). Now we have “17DISCERN+listen+UNTRUE+hurtful19”.

Finally, from the padding symbols listed above, I’ll go with !. That means my finished password is

!17DISCERN+listen+UNTRUE+hurtful19!

Sure, that’s a weird sentence, but it’s much easier to remember than something like “wK5Jj3$6”, and far, far stronger.

Have A Personal System

Here’s another tip – you can use the same caps pattern, separator and padding symbol for all your passwords. Just make sure you use different words and numbers for each one. Since everyone will (hopefully) pick a different combination, anyone who’s trying to crack your password won’t know what you went with.

So, having generated that password, it would then be even easier to make my next one. Let’s say I ended up with something like

!38INVOLVE+resist+DESIRE+seeming22!

See how, since I now have a system, I only have to remember which numbers and words are in my password? I know that the first and third words are the ones in caps, that the words are separated by +, and that the password is padded with !.

So, the only thing I have to remember is “involve resist desire seeming, from Advices and Queries 38, on page 22.” To make it even better, if I then wrote the above down and someone else found it – it wouldn’t tell them my password! They don’t know my system for padding out the password, only the unique parts of this one.

And because my system is consistent across my passwords, and is simple (“first and third, +, !.”), it’s very unlikely that I’ll forget it.

The examples I gave above won’t show up in any list of the most common passwords (like “123456” or “password”), and if you check their strength, you’ll find they are extremely strong against brute force attacks.

Online Resources

If you don’t want to generate your passwords manually, you can use this online tool:

https://xkpasswd.net/s/

And if you want to check how strong a password is against brute force attacks, as well as read a more in-depth explanation of why this type of password is stronger than the ones that are normally recommended, check here:

https://www.grc.com/haystack.htm

Using this calculator, I can see that to be sure of guessing “wK5Jj3$6” someone would have to check 6,704,780,954,517,120 potential passwords, while to be sure of guessing “!17DISCERN+listen+UNTRUE+hurtful19!” they would have to check a whopping 1,678,502,284,981,138,890,416,014,999,354,759,820,605,904,877,122,660,028,807,660,366,626,495 potential passwords!

Which, even with a ridiculously fast system, would take 5.34 billion trillion trillion trillion centuries! Somehow, I don’t see anyone spending that long trying to get into my email account. (If you’re curious, cracking “wK5Jj3$6” with the same system would take only 1.12 minutes – that’s how much difference having a longer password makes!)
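The arithmetic behind those figures, as an added example (not code from the post or from the linked calculator): it assembles the sample password by the steps above, reproduces the haystack search-space numbers, and also sizes the search space for an attacker who already knows the four-word scheme. The dictionary size passed to `known_scheme_search_space` is an assumption the caller supplies.

```python
# Added example (not code from the post or from the linked calculator):
# search-space arithmetic for the four-word scheme under two attacker models.
# "Haystack" is the model the GRC page uses: an attacker who knows nothing
# about the structure tries every string over the character classes present,
# shortest first. "Known scheme" assumes the attacker has read this post.
from math import comb

# Character-class sizes assumed by the haystack model (US keyboard symbols).
LOWER, UPPER, DIGIT, SYMBOL = 26, 26, 10, 33


def build_password(words, caps_positions, separator, digits, pad):
    """Assemble a password exactly as the post's steps describe."""
    assert len(words) == 4 and len(digits) == 4
    styled = [w.upper() if i in caps_positions else w.lower()
              for i, w in enumerate(words)]
    return f"{pad}{digits[:2]}{separator.join(styled)}{digits[2:]}{pad}"


def haystack_search_space(password):
    """Strings an exhaustive attacker must try, all lengths up to this one,
    over the alphabet implied by the character classes present."""
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += LOWER
    if any(c.isupper() for c in password):
        alphabet += UPPER
    if any(c.isdigit() for c in password):
        alphabet += DIGIT
    if any(not c.isalnum() for c in password):
        alphabet += SYMBOL
    # Geometric series: alphabet^1 + alphabet^2 + ... + alphabet^len
    return sum(alphabet ** n for n in range(1, len(password) + 1))


def known_scheme_search_space(dictionary_size, knows_personal_pattern):
    """Guesses for an attacker who knows the four-word scheme.
    dictionary_size is an assumption: how many 5-7 letter words the attacker
    believes the user draws from. If the personal caps/separator/padding
    choices are also known, only the four words and four digits vary."""
    space = dictionary_size ** 4 * 10 ** 4
    if not knows_personal_pattern:
        space *= comb(4, 2) * 4 * 4   # 2-of-4 caps, 4 separators, 4 pads
    return space


def crack_time_seconds(search_space, guesses_per_second=10 ** 14):
    """Worst-case time to exhaust the space. 1e14 guesses/s is the rate that
    reproduces the post's 1.12-minute figure for the 8-character password."""
    return search_space / guesses_per_second
```

With an assumed 8,000-word dictionary and the personal pattern known to the attacker, the four-word password still needs about 4×10^19 guesses, roughly 6,000 times the 6.7×10^15 for “wK5Jj3$6”, though far fewer than the haystack figure.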