Published in The Magic Pantry

Secret Squirrel

Your Password is Terrible!

You might think you have a good password. After all, it’s unique to you, and it contains numbers and punctuation in weird places.

Well, have I got bad news!

Passwords are Easy to Guess but Hard to Remember

Other people will have a hard time guessing your password. But other people don’t guess passwords. Computers do.

The fastest password-guessing computer that we know of can make about three hundred and fifty billion guesses per second. And that was in 2012. Let’s assume it can make a trillion guesses per second by now.

That means it can guess your password in the blink of an eye.

Making up a password from words and numbers that have meaning to you, perhaps adding some punctuation and scrambling things around, as so many people do, is a really, really bad idea. Please stop doing it.

How to Make a Password Hard to Guess

Guessing passwords is exactly the same thing as guessing numbers.

Don’t believe me? Imagine a list of all possible passwords. Finding your password on the list is the same thing as finding how far through the list it is. Which is a number. QED.

If the list isn’t very long, your password isn’t very strong.

When you choose a bad password, you are effectively choosing a random password from a relatively small list. By which I mean a list with just a few hundred billion different passwords on it, which is teeny-tiny by the standards of a computer that can make a trillion guesses per second.

How long should the list be if we want it to take an average human lifespan for the computer to guess our password?

Step 1: Choose a Large Maximum Number

Let’s take the average human lifespan to be seventy-five years. According to NASA (and they know their stuff), there are 365.2422 days in an average year, and 86,400 seconds in a day.

After seventy-five years, our computer should have managed to try half of the passwords on the list if it is going to take that long to guess your password on average. For a computer that can make a trillion guesses per second, and rounding a little, that gives an impressively large number:

4,722,366,482,869,645,213,696

Step 2: Select a Random Number Between 1 and the Maximum

You can choose a random number between 1 and the number above by flipping a coin seventy-two times, so we call it a seventy-two bit number.

Don’t believe me? Set your number to zero. Flip a coin and double your number, then add one only if you got heads. Repeat seventy-one times.

Here’s one I chose earlier: 2094332601996363358145

That would make for a pretty good password. The only trouble is, there’s no way I’m memorising a 22-digit number. Not happening.
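The arithmetic behind Steps 1 and 2, as an added Python example (not code from the post or from secret.kranzky.com). It uses the post's own figures (a trillion guesses per second, a seventy-five year lifespan, NASA's 365.2422 days per year, and the convention that the attacker has tried half the list on average), rounds the list size to the nearest power of two the way the post "rounds a little", and implements the coin-flip procedure literally. The `expected_years_to_guess` and `expected_seconds_to_guess` helpers are additions that turn the same formula around, so the "few hundred billion" list from earlier and the 72-bit list can be compared directly.

```python
import math
import secrets

GUESSES_PER_SECOND = 10**12            # the post's assumed guessing rate
LIFESPAN_YEARS = 75                    # the post's average human lifespan
SECONDS_PER_YEAR = 365.2422 * 86_400   # NASA's year length, in seconds


def list_size_for_lifespan(years=LIFESPAN_YEARS, rate=GUESSES_PER_SECOND):
    """How many equally likely passwords the list needs so that an attacker
    guessing at `rate` takes `years` on average, i.e. covers half the list."""
    guesses_in_lifetime = rate * years * SECONDS_PER_YEAR
    return 2 * guesses_in_lifetime


def bits_for_lifespan(years=LIFESPAN_YEARS, rate=GUESSES_PER_SECOND):
    """Round the list size to the nearest power of two (the post's "rounding a little")."""
    return round(math.log2(list_size_for_lifespan(years, rate)))


def expected_seconds_to_guess(list_size, rate=GUESSES_PER_SECOND):
    """Average time to find one uniformly chosen entry: half the list at `rate`."""
    return list_size / 2 / rate


def expected_years_to_guess(bits, rate=GUESSES_PER_SECOND):
    """Same formula for a uniformly random `bits`-bit secret, expressed in years."""
    return expected_seconds_to_guess(2 ** bits, rate) / SECONDS_PER_YEAR


def flips_to_int(flips):
    """The post's procedure: start at zero, double, add one only on heads.
    `flips` is a string of 'H' and 'T'; 72 flips give a number below 2**72."""
    n = 0
    for flip in flips:
        n = n * 2 + (1 if flip == "H" else 0)
    return n


def random_flips(count=72):
    """Simulate the coin with the OS CSPRNG rather than a physical coin."""
    return "".join(secrets.choice("HT") for _ in range(count))


if __name__ == "__main__":
    bits = bits_for_lifespan()
    print(f"{bits}-bit list: {2 ** bits:,} passwords")
    print(f"a 300 billion entry list falls in {expected_seconds_to_guess(300e9):.2f} s")
    print(f"a {bits}-bit secret takes {expected_years_to_guess(bits):.1f} years on average")
    flips = random_flips()
    print(flips, "->", flips_to_int(flips))
```

Note that the literal value comes out at just over 72 bits; a 73-bit list would take about twice as long, which is why the post is happy to round down.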

How to Make a Password Easy to Remember

We can make our hard-to-guess random number easy to remember by encoding it with more than just the ten digits.

One way of doing this is by using uppercase and lowercase letters as well as the digits (with a few ambiguous characters like the letter o and the number 0 omitted). Here’s what we get for our random number: 2SpT2paxdqGDE

That’s much shorter; just thirteen characters instead of twenty-two digits long. To a computer, it’s still the same number, and still makes for a pretty good password.

Don’t believe me? Try pasting it into one of them doohickeys that show you the strength of your password, and it’ll go off the scale. Trust me.

There’s just one catch. It’s still hard to remember. Luckily, there’s another encoding we can try…

Step 3: Encode the Random Number Using Words

I’ve built a list of thousands of simple words, omitting ones that are hard to spell, or which may have several different meanings, or which may be offensive to some people.

We can encode our large random number using just six words from the list.

Here’s our encoded random number: tripod reach rye cure loft cocoa

To a computer, that’s identical to: 2094332601996363358145

I hope you agree that it’s easier to remember!
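The two encodings from Step 3, as an added Python example rather than the post's own tool. Both are the same operation, writing the random number in a different base: the alphanumeric form uses 58 symbols (digits and letters with the look-alikes 0, O, I and l dropped; which characters the post's tool omits is an assumption), and the word form uses a word list as its "digits". The post's list is not reproduced here; six words for 72 bits implies 2^12 = 4096 entries, so a constructed 64-entry list is used instead and the code works out that it then needs twelve words. Encoding is fixed-width so that a number with leading zero "digits" still decodes to the same value.

```python
import math

# Base-58 style alphabet: digits plus upper/lower case letters with the
# look-alikes 0, O, I and l removed (assumed; the post only names o and 0).
ALNUM = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Constructed 64-word list (2**6 entries, so each word carries 6 bits).
WORDS = """
apple bread candle drum eagle feather garden hammer island jacket kettle lemon
marble needle ocean pencil quilt river saddle table umbrella violin wagon yard
zebra anchor basket carrot donkey engine forest guitar harbor ink jelly kitten
ladder mirror napkin orange parrot rabbit sandal tiger unicorn valley window
yogurt acorn bucket cactus dolphin elbow fiddle goose helmet igloo jungle koala
lantern magnet nickel olive puzzle
""".split()


def encode_base(n, symbols, width=None):
    """Write n in base len(symbols), most significant symbol first.
    With `width`, left-pad with symbols[0] so fixed-size secrets round-trip."""
    base = len(symbols)
    digits = []
    while n:
        n, r = divmod(n, base)
        digits.append(symbols[r])
    if width is not None:
        if len(digits) > width:
            raise ValueError("number does not fit in the requested width")
        digits += [symbols[0]] * (width - len(digits))
    return list(reversed(digits)) or [symbols[0]]


def decode_base(digits, symbols):
    """Inverse of encode_base: read symbols most significant first."""
    index = {s: i for i, s in enumerate(symbols)}
    n = 0
    for d in digits:
        n = n * len(symbols) + index[d]
    return n


def words_needed(bits, list_size):
    """How many words from a list of `list_size` entries carry `bits` bits."""
    return math.ceil(bits / math.log2(list_size))


def to_alnum(n):
    return "".join(encode_base(n, ALNUM))


def from_alnum(text):
    return decode_base(text, ALNUM)


def to_words(n, bits=72, words=WORDS):
    return " ".join(encode_base(n, words, width=words_needed(bits, len(words))))


def from_words(phrase, words=WORDS):
    return decode_base(phrase.split(), words)


if __name__ == "__main__":
    n = 2094332601996363358145           # the post's 72-bit example number
    print(to_alnum(n), "->", from_alnum(to_alnum(n)))
    print(to_words(n), "->", from_words(to_words(n)))
    print("words needed from a 4096-word list:", words_needed(72, 4096))
```

The strength of the result is unchanged by the encoding, exactly as the post says: whichever alphabet is used, an attacker who knows the scheme still faces the same 2^72 possibilities, and the only thing the word list buys is memorability.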

Step 4: Commit the Encoded Number to Memory

To remember these six words, start by dividing them into three pairs:

  • tripod reach
  • rye cure
  • loft cocoa

Next, imagine walking through the front door of your home, and make up a funny story that places these three pairs of words in that physical space as you move through it, using a sequence of three sentences. Like this:

Opening the door I saw a tripod which I had to reach down to pick up. Then I entered the kitchen to pour a glass of rye to cure the pain in my feet. I slumped to the sofa wishing I had a loft so I could hide away with a cup of cocoa instead!

Do you think you can remember this secret, without writing it down or modifying it in any way (both of which would make it less secure)? Great!

Your New Password is Awesome!

Let’s recap what we’ve learned so far.

  1. People choose terrible passwords. Really, really bad. Srsly.
  2. To choose a good password, start with a large random number.
  3. Then encode that large number as a short sequence of simple words.
  4. Finally, memorise the words by associating an amusing story with something you remember well: walking through your home. You’re done!

To make this even easier, please visit secret.kranzky.com, where you will find an interface for doing all of this, and more!

Get a Password Manager

Now that you can memorise a random 72-bit number, you should use it to protect a master list of all of your other passwords and private information.

You can do this with a password manager. I like to use LastPass, but there are several other great solutions, like DashLane and 1Password.

If you’re not sure how to get all this set up, ask someone who is good with computers. You’ll know you’ve asked the right person when their eyes light up when you say “password manager”.

And never, ever tell them your password. It’s your secret. To conclude:

  1. Use a password manager for choosing and storing your passwords.
  2. Protect this with an unguessable secret that you’ve memorised.

And, just in case…

Never choose tripod reach rye cure loft cocoa as your secret! It’s mine!

(joking)

(but seriously never choose it; generate your own)

Jason Hutchens