Matt Haughey offers up a few other password-generating schemes that I hadn’t thought about before. I like them better than passphrases, which seem to almost guarantee that you’ll get them wrong, but there’s still the issue of which song for which site. And what if you pick “867-5309”?
I’ve already worked up my scheme, so I suppose I’ll stick with it.
[UPDATE (2/14/05): Robert Hensing makes a much more convincing case for using passphrases than the link above. I’ll have to think about this a bit more: I’m fairly convinced since I care about security, but I do maintain over a hundred passwords—of which there are at least 70 unique ones. The migration will be a bit of a pain.]
[UPDATE 2 (2/14/05): I’ve changed my main work password to a 37-character phrase so I can see how comfortable I am with the idea. I think the key thing to remember about passphrase usage is that dictionary attacks, hash comparisons, and the other current techniques don’t fundamentally know what style of password you’re using. If the attacker knows your schema, then breaking it becomes much simpler: he can forego dictionary comparisons if you’re using sentences. If your passphrase comes from a movie quote, it wouldn’t be too difficult to download all of the IMDB quotes and run a hash comparison against it.
The trick, as I see it, is to use quotes that are easy to remember but substitute one or more letters with their hax0r equivalents. That totally defeats a straight hash comparison attack, and a more-or-less random choice of which letters to swap increases the possible combinations astronomically.
I think, in the end, that a 37-character password is going to be uncrackable even without such hax0r modifications. It won’t stand the test of time, naturally, since both hardware and software are advancing apace but it’s a good opening salvo with future scalability.]
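To put numbers on the three attacker models described above (no knowledge of the scheme, knows it is a quote, knows it is a quote with hax0r swaps), here is an added estimate in Python; it is not code from the post. The substitution table and the 500,000-entry quote dictionary are assumptions, and the sample phrase is the 37-character one from the post.

```python
import math

# Assumed "hax0r" substitution table; the post does not fix one, so this is
# a placeholder choice for the estimate.
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5", "t": "7"}

# Printable ASCII (letters, digits, punctuation, space): the alphabet a naive
# character-by-character brute force would have to cover.
PRINTABLE_ALPHABET = 95


def leet_variants(phrase: str) -> int:
    """Count the phrases reachable by optionally swapping each substitutable
    letter. Every such position has two independent choices (keep or swap),
    so a phrase with k substitutable letters yields 2**k distinct strings."""
    k = sum(1 for c in phrase.lower() if c in LEET)
    return 2 ** k


def guess_space_bits(phrase: str, quote_dictionary_size: int) -> dict:
    """Work an attacker faces, in bits (log2 of the candidates to try), under
    the three models: not knowing the scheme at all, knowing the phrase is a
    quote, and knowing it is a quote with hax0r swaps applied."""
    return {
        "brute_force": len(phrase) * math.log2(PRINTABLE_ALPHABET),
        "known_quote": math.log2(quote_dictionary_size),
        "known_quote_plus_leet": math.log2(
            quote_dictionary_size * leet_variants(phrase)
        ),
    }


if __name__ == "__main__":
    # The 37-character phrase from the post; the dictionary size is a
    # constructed assumption standing in for a scraped quote collection.
    phrase = "I could make your life a living hell!"
    for model, b in guess_space_bits(phrase, 500_000).items():
        print(f"{model:>22}: {b:6.1f} bits")
```

With this table the swaps add one bit per substitutable letter (11 bits for this phrase), so the quote-dictionary figure stays far below the roughly 243 bits a scheme-blind brute force would face.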
[UPDATE (2/17/05): After the second time calling our help desk today to reset my network password, I think I’m going to end this crazy experiment. My password was “I could make your life a living hell!” from Ace Ventura: Pet Detective. It was definitely easy to remember but easy to mistype. The worst part of using passphrases is that if you lose your place, punch two keys at the same time, or lose confidence in your space bar application, you must start over from scratch. And if you make a mistake twice, the most important thing in your life suddenly becomes getting the password right on that third attempt.
I messed up on that third try two too many times. Passphrases: good in theory, bad in three-tries-and-you’re-out practice.]