Hacker News new | ask | show | jobs
by rotnewson 4735 days ago
If you can't remember 1 password over 20 characters that you will use a lot with a password manager you probably need to change what kind of passwords you make.

Instead of "E=E<4oc^(z&kj6Snm9uy" do something like "The Brown cow jumps over the m00n!".

Set the password manager to make you enter the password if you haven't used it for 30 seconds (for a few days so you remember your password).

You're using a password manager with a good password that is easy to remember but the you do use the password manager to generate hard to remember passwords like the one above.
2 comments
dllthomas 4735 days ago
Do not give password advice without looking at the entropy.

Estimates of the entropy of English text place it below 1.5 bits per character. "The brown cow jumps over the moon." would, generously, have about 34 * 1.5 = 51 bits of entropy, plus a few more for the simplistic substitutions - say 70 bits total? This is assuming the sentence was, in fact, chosen uniformly across English sentences, which is obviously not going to be the case (this one being a modification of a line from a nursery rhyme), so in actuality it'll be even worse.

A fully random password of length 20, from characters on a typical keyboard (say 94, it seems to be on mine) would have 20 * lg(94) > 20 * 6.5 = 130 bits. But impossible to remember and a pain to type correctly.

Picking from my /usr/share/dict/words with no restrictions (99171 entries), it would take 70 / lg(99171) = 5 words to be stronger than the sentence and 130 / lg(99171) = 8 words to be stronger than the gibberish, with no substitutions or tweaks, however not all of those passwords could be typed on my keyboard.

Restricting /usr/share/dict/words to those which match (with LANG=C) '^[a-zA-Z]\{1,10\}$' yields 61078 words at about 7.3 bits of entropy per word, so you would get security comparable to the above with 5 (again - aliasing) and 9 words respectively.

Some nine-word passwords generated this way:

    embryo distressed Ramadan chocks broaching official outstript explicit formulas
    tokens bruskly realizing rubric earmarks aphorism sweeps hallelujah Bardeen
    respects jocularity crummier leave spinsters Rodriquez hatch assurance torture
    patinas Elba dairymaids blabbing kissing handyman Ind tobogganed directed
    mossy Flora concepts medalist kidding heinously deafened evaluation nodes
    Steinmetz lizard Janette scatted cunning geckos belched demurring grandest
    faints nicest unleashes navel Monroe frostbites Pl loon careening
    overtake tasselled quahog utters Upjohn incloses punchy Jericho reveille
    sicked sinning premiere Satanism loiters accrual Caspar infatuate renewable
    dinning hereabouts Lithuanian formalism voiceless demoted bundle teed fluent
The above were generated with LANG=C grep "^[a-zA-Z]\{1,10\}$" /usr/share/dict/words | rl --reselect -c 10 | xargs

This is, obviously, reliant on an assumption that rl produces cryptographic level randomness, which is probably not the case but should certainly be near enough the case for examples (and in any case will be much, much closer to true than any method involving humans - we are very poor sources of cryptographic entropy).

link
elehack 4735 days ago
There is also the excellent Diceware: http://world.std.com/~reinhold/diceware.html
link
croikle 4735 days ago
I'm a fan of Diceware. Strong entropy guarantees and memorable passwords.
link
rotnewson 4735 days ago
Thanks for taking 1 tiny part of my point and trying to destroy it.

I chose the passphrase "The Brown cow jumps over the m00n!" as an example not "The brown cow jumps over the moon." which is a significantly worse passphrase, especially considering every word is available in a dictionary.

The OP had trouble memorizing more than 16 characters for a passphrase so I suggested something easier yet still solid yet you seemed to think I suggested just a plain english sentence of words.

link
thirsteh 4734 days ago
If you think "m00n" vs. "moon" or "The" vs. "the" matters, you're not paying attention. A memorizable, but randomly composed string of words all in lower-case ASCII is significantly stronger than anything "complex" (for you, hardly for the cracker--common substitutions are basically worthless: they provide no entropy) you can concoct and remember.
link
dllthomas 4735 days ago
Again, you're not looking at the entropy.

Anything you can generate without much more unpredictability from a plain English sentence is not a significantly better passphrase than a plain English sentence. Better? Yes. And I credited you for that.

link
dmix 4735 days ago
https://xkcd.com/936/
link