I’ve been thinking about passwords lately since we’ve been needing a lot of them at work and I’ve been registering at a lot of sites. I want to make my passwords of sufficient strength and variety to insure that the compromise of one does not open up every site, that the passwords are usable, and that the breaking of any one of them is exceedingly difficult.
My current practice is to use a schema consisting of a random number of a variant length sandwiched between two random English words. For example, a random password would be something like “cozy31hardly” or “hold988legacy”. The words are chosen as different parts of speech with little association—I keep trying until I get two words without linkage. The number varies between one and four digits, depending on the importance of security. It seems pretty secure because a dictionary attack wouldn’t really address two words separated by a random number and the possible combinations are insane (sorry, my algebra is rusty but I figure with 600,000 words in the English language and a possible 1,000 random numbers the possibilities should be astonomical). It’s also pretty easy to remember two words and a number so I have a majority of the passwords memorized, even though they’re also being stored securely in my Keychain. Of course, I’ve just committed a cardinal sin of password security by even relating my schema but I can always alter it at any time by including foreign words (I know French pretty well, Spanish less so, and enough German, Esperanto, Russian, and Italian words for this purpose) to confound the hackers of the world. Plus, I readily violate my schema in random instances with an alternate system for less stringent security requirements—stringency being defined by methods known only to me. So I feel pretty confident that knowing this schema would not help a password hacker on any particular site.
Others have expressed a preference for random words geeked up and with random punctuation thrown in. So, hypothetically of course, a password might look like this “!g00dn3$$*gr4c10u$%” which reads poorly as “goodness gracious.” This schema makes hackery impossible, I daresay. The combinations approach infinity since the word choice is unknown, the punctuation is possibly present in a variable number of instances, and the l33tspeak is occasionally random. The problem is that it’s impossible to remember and it’s difficult to type, so you end up writing it down to communicate it or copying and pasting it into dialog boxes—meaning that it has to be available in plaintext somewhere.
So what’s the best system? Do you go for inscrutability even though it’s value is diminished by reduced memorability and communication? Or do you go for ease-of-memory even though it’s marginally easier to crack? I think the latter is a better approach because the value of password complexity becomes asymptotic after a certain point. Is my system complex enough? Good question. Got any thoughts, gentle readers?
[UPDATE (12/4/03): In the comments, regular reader Jay Schwartz linked to a MacOSXHints post about a password security analyzer present in Panther’s Keychain Access utility. Someone made a poignant comment in that thread about the nature of password security: “ Really, a good password is protecting you against stray eyes seeing what you’ve typed. It’s very uncommon to try an [sic] brute force guess someones password.” Well put. Brute force attacks are overrated once you get beyond the obvious dictionary checking and educated guessing.]