This particular article sprang pretty much fully formed from an XKCD comic. It’s the one called “Password Strength” and talks about password entropy and about choosing a password by selecting four separate words at random. I’m sure my readers, sophisticated souls that they are, already know of it.
I decided to flesh out Randall Munroe’s comic by explaining what information entropy is and how it applies to passwords. I talk about the entropy of an ATM PIN (which is generally just four digits) and how it’s just not that great, and that we rely on the bank shutting down the attempts rather than hoping the guesser gives up. Interestingly, just after I’d written the article but before it was published, someone did a wonderful analysis of what people choose for four-digit PINs, showing that it just isn’t that random. (For example: nearly 11% of four-digit passwords in the sample set were “1234” – really, people? – and 6% of them “1111”. Sigh.)
I also go over the absolute need for a password manager, one that can store your passwords securely (and that means using hard encryption) and that can generate hard, high-entropy passwords for you at the drop of a hat. Failing that, I give a couple of ideas for generating passwords that would be fairly simple to remember but extremely hard to break.
Finally I end up with Munroe’s point: four random words selected from a dictionary of, say, 2000 words have a very high entropy and will be hard to break, yet fairly easy to remember. It turns out that a fan of XKCD wrote a website that can do that for you: passphra.se. The biggest problem with this particular scheme is the number of websites and programs that don’t accept long passwords or passphrases. Nevertheless, despite the brilliance of this idea, you still have the same problem: memorizing a gazillion passwords for a gazillion sites. And we’re back to the password manager concept (I use SplashID since it’s available on Windows, the Mac, and iOS, and the database is shared among all of them).
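As an added illustration (not code from the original column or from passphra.se), the following works through the entropy arithmetic behind the PIN and four-word comparisons above and generates a passphrase the way the scheme requires: uniformly at random from a CSPRNG, since the 11%-are-“1234” finding shows what happens to the calculation when humans pick. The 2000-entry word list is a constructed placeholder, not a real dictionary.

```python
import math
import secrets

# Entropy in bits of a secret made of `length` independent, uniformly random
# picks from `alphabet_size` equally likely symbols (digits, words, ...).
# This only holds if the picks really are uniform; a human-chosen PIN where
# "1234" appears 11% of the time has far fewer effective bits than this.
def entropy_bits(alphabet_size: int, length: int) -> float:
    return length * math.log2(alphabet_size)

# Average number of guesses needed to hit a uniformly chosen secret:
# half of the 2**bits search space.
def expected_guesses(bits: float) -> float:
    return 2 ** bits / 2

# Constructed placeholder dictionary: 2000 distinct tokens standing in for a
# real word list (the column assumes a 2000-word dictionary, none is given).
WORDLIST = [f"word{i:04d}" for i in range(2000)]

def generate_passphrase(words, count: int = 4, sep: str = " ") -> str:
    # secrets.choice draws from the OS CSPRNG. random.choice (Mersenne Twister)
    # is seedable and predictable, which would undermine the entropy estimate.
    return sep.join(secrets.choice(words) for _ in range(count))

def compare_schemes() -> dict:
    # Bits for the two schemes the article discusses.
    pin_bits = entropy_bits(10, 4)                 # 4 decimal digits
    words_bits = entropy_bits(len(WORDLIST), 4)    # 4 words from 2000
    return {
        "pin4_bits": pin_bits,
        "pin4_expected_guesses": expected_guesses(pin_bits),
        "words4_bits": words_bits,
        "words4_expected_guesses": expected_guesses(words_bits),
    }

if __name__ == "__main__":
    for name, value in compare_schemes().items():
        print(f"{name:>26}: {value:,.2f}")
    print("sample passphrase:", generate_passphrase(WORDLIST))
```

The PIN comes out at about 13.3 bits (5000 expected guesses, which is why the bank's lockout does the real work), while four uniformly chosen words from 2000 give about 43.9 bits, roughly 8 trillion expected guesses.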
By the way, I still love the password gag at the end of the article from Nick Helm: “I needed a password eight characters long, so I chose ‘Snow White and the seven dwarves’.”
This article first appeared in issue 314, November 2011.
You can read the PDF here.
(I used to write a monthly column for PCPlus, a computer news-views-n-reviews magazine in the UK, which sadly is no longer published. The column was called Theory Workshop and appeared in the Make It section of the magazine. When I signed up, my editor and the magazine were gracious enough to allow me to reprint the articles here after, say, a year or so.)