How to make a truly random password

Charlie Hoey
Feb 23, 2017 · 4 min read

Password managers like KeePass, 1Password, etc. are all great and largely interchangeable; you should definitely use one and let it generate a different password for every site you visit. But know that it is only as secure as the master password you use to unlock it. Be sure that password is quantifiably random and unguessable, not just that it feels random or has a few numbers or exclamation marks in it. If we want true randomness, we’re going to need some custom hardware.

Luckily, you can buy inexpensive devices at any corner store that generate about 2.6 bits of entropy per roll, need no electricity, and are reliable enough that hundreds of millions of dollars change hands every day on the strength of their randomness.

Rolling a fair die produces a number from 1 to 6, which carries log₂(6) ≈ 2.58 bits of entropy. There are no partial bits in storage, so we round up to the nearest whole bit: it takes 3 bits to hold a number up to 6, and 3 bits can in fact hold 0 and 7 as well:

000 - 0
001 - 1
010 - 2
011 - 3
100 - 4
101 - 5
110 - 6
111 - 7

The number of combinations of 1’s and 0’s available determines how large a number you can store for a given number of bits. Every time you add another bit, you double the number of combinations you had before. This is easy enough to follow: if you throw another bit on a binary number, you now have all the combinations you had before with a 0 to the left of them, and again with a 1. For n bits, you can store 2^n values. So 2 bits can hold 4 values, and 8 bits can hold 256 values, 0 through 255. This is why you could only have 255 rupees in Zelda: they only used an 8-bit variable.

I wanted at least 128 bits for my password. By most accounts, brute-forcing a 128-bit key is out of reach for billions of years. Using our 2^n equation, 128 bits can represent about 3.4 × 10³⁸ different values. If you could test 100 billion (10¹¹) values per second, searching all of them would still take roughly 10²⁰ years, billions of times the current age of the universe. So, I’m calling that good enough! A solid 128-bit password will almost certainly not be the weak link in your online security.

If each die produces 2.58 bits of entropy per roll, then rolling 5 of them gives 12.9 bits. Roll 5 dice 10 times and we’ve created about 129 bits of entropy. Yahtzee! But how do we turn that into a secure but memorable password?

I used Diceware, a list of 7776 (6⁵) words, one for every possible 5-dice roll. Each time you roll 5 dice (or 1 die 5 times), read them in a fixed order as they land rather than arranging them, and the five digits name a word in the list. For example, if the dice come up 1-4-2-6-3, you’d turn to the page with all the 14xxx words and find that 14263 is “blab”. Do this ten times, and you will get a string of ten words. Those ten words — including spaces! — are your password. Use a mnemonic device like a linked list to memorize the ten words by making a story that links each word to the next. It feels kinda silly to do it, but it works, and you’ll be surprised how quickly you can memorize things this way.

If this all seems overkill, remember that this is the password behind which your entire financial and online life resides. It’s worth going overboard for this one thing. Just make an afternoon of it! Go down to the comic shop and buy some dice. Print out the Diceware list at work or the library. Once you’re home, make your favorite warm beverage and go into a room where there are no cameras or phones or computers. Roll some dice and write the words you get down on a piece of paper (I rolled for 15 words so I could eliminate a few if I didn’t know them). Discarding unfamiliar words costs a fraction of a bit per word, since an attacker can skip words nobody knows too, which is a fair trade for memorability. Then pick ten words and memorize them. That’s your password. Keep your notes locked away for a few days until you’re sure you have the password memorized, then destroy them. This is what you use to log into your password manager.
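As an added example (not code from the article or from the Diceware project), here is a small Python module that does the arithmetic above: it maps a five-dice roll such as 14263 to a position in a 7776-entry list and back, parses a list in the "NNNNN<tab>word" layout Diceware files use, checks that no roll is missing or duplicated, computes bits per word from the number of distinct words, and turns a bit count into a brute-force time. The word table and the file excerpt are constructed placeholders (only 14263 = blab comes from the text), and `roll_dice` substitutes the OS CSPRNG for physical dice for anyone without a set.

```python
"""Diceware passphrase helpers: roll -> word lookup, list sanity checks and
entropy arithmetic. Added example; not the article's or Diceware's own code.
Assumed file format: one entry per line, "NNNNN<tab>word".
"""
import math
import secrets

FACES = 6
DICE_PER_WORD = 5
LIST_SIZE = FACES ** DICE_PER_WORD        # 7776 entries in a full list
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def roll_to_index(roll):
    """Map a five-dice roll such as "14263" to a list index 0..7775 (base 6)."""
    digits = [int(c) for c in str(roll)]
    if len(digits) != DICE_PER_WORD or any(d < 1 or d > FACES for d in digits):
        raise ValueError(f"roll must be {DICE_PER_WORD} digits in 1..{FACES}: {roll!r}")
    index = 0
    for d in digits:
        index = index * FACES + (d - 1)
    return index


def index_to_roll(index):
    """Inverse of roll_to_index: 716 -> "14263"."""
    if not 0 <= index < LIST_SIZE:
        raise ValueError(f"index out of range: {index}")
    digits = []
    for _ in range(DICE_PER_WORD):
        index, d = divmod(index, FACES)
        digits.append(str(d + 1))
    return "".join(reversed(digits))


def parse_diceware(text):
    """Parse list text into {roll: word}. Blank and '#' lines are skipped;
    malformed or duplicate keys are errors rather than a silently smaller key space."""
    table = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected 'NNNNN word', got {line!r}")
        key, word = parts
        roll_to_index(key)                # validates the key
        if key in table:
            raise ValueError(f"line {lineno}: duplicate key {key}")
        table[key] = word
    return table


def missing_rolls(table):
    """Rolls with no entry; a usable list returns an empty set."""
    return {index_to_roll(i) for i in range(LIST_SIZE)} - set(table)


def bits_per_word(table):
    """Entropy per word, counted over *distinct* words: a list that repeats a
    word under two keys gives slightly less than log2(7776)."""
    return math.log2(len(set(table.values())))


def passphrase_bits(n_words, table=None):
    """Total entropy of n_words words drawn from the table (full list if None)."""
    per_word = bits_per_word(table) if table is not None else math.log2(LIST_SIZE)
    return n_words * per_word


def years_to_search(bits, guesses_per_second):
    """Worst-case time to enumerate the whole 2**bits space at a given rate."""
    return 2.0 ** bits / guesses_per_second / SECONDS_PER_YEAR


def make_passphrase(rolls, table):
    """Look each recorded roll up in a complete list and join with spaces."""
    missing = missing_rolls(table)
    if missing:
        raise ValueError(f"word list is incomplete: {len(missing)} rolls have no word")
    return " ".join(table[str(r)] for r in rolls)


def roll_dice(n, faces=FACES):
    """Software stand-in for physical dice using the OS CSPRNG. randbelow is
    unbiased; taking 3 random bits mod 6 would favour faces 1 and 2."""
    return [secrets.randbelow(faces) + 1 for _ in range(n)]


# Constructed data, not a real list: a complete synthetic table plus a tiny
# excerpt in the file format. Only "14263 blab" comes from the article.
SYNTHETIC_TABLE = {index_to_roll(i): f"word{i}" for i in range(LIST_SIZE)}
EXCERPT = "# constructed excerpt\n14262\tplaceholderA\n14263\tblab\n14264\tplaceholderB\n"

if __name__ == "__main__":
    print(make_passphrase(["14263", "66666", "11111"], SYNTHETIC_TABLE))
    print(f"{bits_per_word(SYNTHETIC_TABLE):.2f} bits/word, "
          f"{passphrase_bits(10):.1f} bits for ten words")
    print(f"{years_to_search(128, 1e11):.2e} years at 1e11 guesses/s")
    print("software rolls:", roll_dice(5))
```

The two checks worth keeping even if you do everything else on paper are `missing_rolls` and `bits_per_word`: a list with fewer than 7776 entries, or one that repeats words, quietly delivers fewer bits than the 129 you are counting on.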

Congratulations! You now have a password you know is random, because you watched every bit of it being generated, that was not monitored or generated for you by a third party, and which exists securely in your mind alone. You can use it for a few years and it’s the only one you need to know. Even if someone knows you used 10 words, and knows which list you used, they still have to brute-force their way through 129 grueling bits of entropy; the security lives in the rolls, not in the secrecy of the method. And if they are capable of that, there are almost certainly juicier targets than you.

Take off your tinfoil hat and go about your life. It’s okay to put it on once in a while.
