Rolling the dice for memorable and secure passwords

This article has previously been published on my LinkedIn.

The first time I used a networked computer was in 1995. I was in first grade and at the time, the (American) National Institute of Standards and Technology, NIST, had defined “strong passwords” in a way that you have probably already heard of:

Minimum of 8 characters, needs to contain uppercase, lowercase, numbers and symbols.

This definition, though still widely used, is utterly outdated and vulnerable to password guessing attacks. Following Moore’s law, in the two decades that have passed since my first Internet usage, we’ve had a thousandfold increase of computational power. Meaning: it’s a thousand times easier to guess a password today… wrong! Because in the same time, there has been a revolution in graphical processing technology used for video games. This technology is equally great at cracking passwords. And to add insult to injury, analysis of hundreds of millions of leaked and cracked passwords has made the attack algorithms increasingly sophisticated.

In short: use eight characters and you’re doomed.

There are a number of countermeasures that developers and sysadmins can use to protect your data (TLS, salted hashes, etc.). But as an end user, good passwords are your first, and sometimes only, line of defence.

Complexity in a password is good, mathematically speaking. But we’re dealing with humans, and we are made for remembering patterns, which is the opposite of randomness. To create a great password, we need both randomness and our native language. So how can we create this? We actually just need a wordlist (English, Swedish), dice, pen and paper.

Pen and paper, you say? But we should never write passwords down! Well, no, you should never keep your passwords on a post-it by your screen. But security experts like Bruce Schneier have actually recommended writing down your passwords for the last decade. It is better to keep a piece of paper hidden at home than to reuse weak passwords.

Dice are random generators that most people have at home and are excellent for password creation. The principle is simple: roll a die five times and note the outcome. Look up the result in the Diceware word list and write the word down. Repeat five times. There, you now have six randomly selected words that you can make up a story about, for example Grave Flour Multi Deter Hansel Peach.

This method is called Diceware, though most of us will recognize it as the XKCD method, due to the comic by Randall Munroe (aka XKCD).

Humans tend to remember things better if they are related to their own interests and strong emotions. Can you make up a picture in your head? Can you see a Grave filled with Flour, Multi purposed, but one of its purposes is to Deter Hansel (and Gretel) from eating the old witch’s Peach? Feel free to elaborate on the details, make it absurd, bloody, sexy, whatever makes you remember it.

There are online generators for Diceware passwords, but beware: many of them send the password in clear text, which means it can be picked up in transit. This one is (possibly) secure. The really secure way of doing this is to print your wordlist and roll the dice in private, and then put the password note in your skinny jeans. Type it many times throughout the day, and when you’re confident you remember it, burn the note.

How secure is this method? Given the most advanced adversary we know of, the NSA, and Edward Snowden’s estimate in 2013 that they can make a trillion (1 000 000 000 000) guesses a second, it will take them on average 3505 years to crack your password, even if they have the exact wordlist. Not bad for such a simple method!
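The dice procedure and the 3505-year estimate above can be reproduced offline with the short script below, which is an added example and not part of the original article. It simulates the rolls with the operating system's secure random source instead of physical dice; the stand-in wordlist, the function names, the 365-day year and the 95-symbol alphabet used for the eight-character comparison are assumptions made for illustration.

```python
import secrets
from itertools import product

GUESSES_PER_SECOND = 10**12          # the article's figure: a trillion guesses a second
SECONDS_PER_YEAR = 365 * 24 * 3600   # assumption: 365-day year

def parse_wordlist(text):
    """Parse Diceware-format lines ('16655 word') into a {key: word} dict."""
    words = {}
    for line in text.splitlines():
        parts = line.split()
        # Keep only lines whose first field is five die faces (1-6).
        if len(parts) == 2 and len(parts[0]) == 5 and set(parts[0]) <= set("123456"):
            words[parts[0]] = parts[1]
    return words

def roll_key(rolls=5):
    """Simulate rolling one die `rolls` times using the OS CSPRNG."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(rolls))

def passphrase(words, count=6):
    """Pick `count` words, each selected by five independent die rolls."""
    if len(words) != 6**5:
        raise ValueError("wordlist must cover all 7776 five-dice outcomes")
    return " ".join(words[roll_key()] for _ in range(count))

def average_crack_years(keyspace, rate=GUESSES_PER_SECOND):
    """On average the attacker succeeds after trying half the keyspace."""
    return keyspace / 2 / rate / SECONDS_PER_YEAR

# Constructed stand-in wordlist ("w11111" ... "w66666"); replace it with the
# contents of a real printed Diceware list in the same two-column format.
SAMPLE_WORDLIST = "\n".join(
    f"{''.join(k)}\tw{''.join(k)}" for k in product("123456", repeat=5)
)

if __name__ == "__main__":
    words = parse_wordlist(SAMPLE_WORDLIST)
    print("passphrase:", passphrase(words))
    # Six words from 7776 candidates: 7776**6 possible passphrases.
    print("six words, years:", round(average_crack_years(len(words) ** 6)))
    # Eight characters from 95 printable ASCII symbols (assumed alphabet).
    minutes = average_crack_years(95**8) * SECONDS_PER_YEAR / 60
    print("eight characters, minutes:", round(minutes))
```

The attacker is assumed to know the wordlist and the number of words, so the whole strength comes from the 7776 equally likely choices per word.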