We all know that our passwords are not very secure. Few of us know what to do about it, or how to evaluate security processes. This is an attempt to clarify questions that I have heard and give some tools for non-tech people to go forth with an idea of where to find answers for themselves.
The default; any password you have used elsewhere; your favorite word or an obscure term from your favorite pastime; your kid's or pet's name. Anything ever used as a “security question,” whether true or not: your mother's maiden name, birthday, the street where you grew up, etc. Passwords of fewer than ten characters are generally considered insecure.
Two things: length and entropy.
With each added character, the number of guesses a miscreant must make is multiplied by the number of possibilities for that character; in entropy terms, each character adds log base 2 of that number in bits. You don't need to know this to have effective passwords, but suffice to say that guessing gets harder at an exponential rate with each added character.
Entropy is a measure of randomness: while "aaaaaaaaaaaa" technically has the same chance of being a randomly generated twelve-character password as any other, a guesser who starts with single-character repeats has only 40 of them to try if the character set is 26 letters, 0 – 9 and four punctuation marks.
But memorizing a random string of twelve characters is a pain in the ass, and trying every combination of twelve characters won't take long for a determined digital decipherer.
Luckily there is a solution: the passphrase!
Just what it sounds like: a longer string than a password that is composed of multiple words.
How many words?
Four at a minimum; six is better. Use as many as you like to the limit that the system will allow.
Whenever possible, especially:
Full-disk or device encryption
Encryption keys
Password managers (more on that later)
At least one email account (so other passwords can be reset)
Any device going across an international border
Like all elegant solutions, the passphrase has been immortalized in art: XKCD Home Page
Despite the evidence displayed by some drivers on the road, humans are pretty bad at randomness. The state of the art is a system called diceware, and it uses - ta da! - actual dice! (Seriously, those six-sided ones from board games. DO NOT use a digital random number generator for this.) If you want to support the Electronic Frontier Foundation in all they do to keep us safe and get their set to show off at your next backgammon sesh at the same time, that would be cool of you.
Go here: EFF Password Dice
You will also need a wordlist. There are other wordlists, but EFF's large list is the gold standard:
It can be used over and over again, so I favor making a print copy; you may choose to peruse it on the EFF website. Either way, there are a few simple precautions before you begin:
The wordlist has five-digit numbers on the left; they are arranged in ascending order, but each digit is from 1 - 6. This is because they are gauged to go with a set of five six-sided dice (if you want to come up with a base-20 version to go with the icosahedron ones used in role playing, go for it, but it makes my head hurt already).
Step 1: Roll the dice
Arrange them as close to the order, left to right, in which they came to a stop. Write the numbers that appear on some scratch paper.
Step 2: Roll the dice
Don't worry about looking at the wordlist yet (though there is nothing wrong with doing so), just note the numbers down.
Step 3: Roll the dice
Step 4: Roll the dice
Step 5: Roll the dice
Step N: Roll the dice
Yeah, you get it. Do this for as many words as you want to use in your passphrase.
Step N+1: Look up the corresponding words, keeping them in order. This is your new passphrase.
For a six-word passphrase I rolled all five dice six times:
32514 gracious
63642 unfixable
46442 reabsorb
12314 arguably
65665 voicing
56664 subatomic
So my new passphrase is graciousunfixablereabsorbarguablyvoicingsubatomic.
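As an added example (not from the original article), here is a small Python script that reproduces the lookup and the entropy arithmetic from earlier: it parses a wordlist in the "NNNNN word" format, assembles the rolled words in order, and compares the bits of entropy of a six-word passphrase from a 7776-word list (the size of the EFF large list) with a twelve-character random string over the 40-symbol alphabet mentioned above. The six-row wordlist excerpt is constructed from this article's own rolls, not the full EFF list.

```python
import math

# Constructed excerpt of a diceware-style wordlist in the "NNNNN word" format.
# These six rows are the article's own example rolls; the real EFF large list
# has 7776 entries (6^5), which is the size the entropy math below assumes.
WORDLIST_TEXT = """\
12314 arguably
32514 gracious
46442 reabsorb
56664 subatomic
63642 unfixable
65665 voicing
"""

EFF_LARGE_LIST_SIZE = 6 ** 5  # 7776 words, one per five-dice roll


def parse_wordlist(text):
    """Parse 'NNNNN word' lines into a dict, rejecting keys that are not
    exactly five digits in the range 1-6 (a typo here would silently skew
    the lookup)."""
    table = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, word = line.split()
        if len(key) != 5 or any(d not in "123456" for d in key):
            raise ValueError(f"bad dice key: {key!r}")
        table[key] = word
    return table


def passphrase_from_rolls(rolls, table):
    """Look up each five-dice roll and join the words in roll order."""
    return "".join(table[roll] for roll in rolls)


def entropy_bits(words, list_size=EFF_LARGE_LIST_SIZE):
    """Each word drawn uniformly from a list adds log2(list_size) bits."""
    return words * math.log2(list_size)


def random_string_entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random string, e.g. 12 chars over 40 symbols."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    table = parse_wordlist(WORDLIST_TEXT)
    rolls = ["32514", "63642", "46442", "12314", "65665", "56664"]
    print(passphrase_from_rolls(rolls, table))
    print(f"{entropy_bits(6):.1f} bits for six diceware words")
    print(f"{random_string_entropy_bits(12, 40):.1f} bits for 12 random chars over 40 symbols")
```

Six words from the large list come out to roughly 77.5 bits, noticeably more than the 63.9 bits of a twelve-character random string over 40 symbols, and far easier to memorize.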
There are some mnemonic techniques which help people remember:
I refer you back to the XKCD panel above. For some people, it helps to draw a picture relating the words together. Guard any such drawing like you would any written password.
Sometimes the rhythm of the words suggests a song. Lyrics are a great way to remember (just don't sing your passwords in the shower; humming is fine).
The Method of Loci, also known as the memory palace. This is used by people who compete in memory contests, and consists of creating a mental map, usually of a familiar place that you can remember or imagine vividly. On a path through that space, find the most resonant features and assign each one to the words in your passphrase in sequence. By telling yourself a story in a context that is already familiar, the individual words are more easily adopted into a narrative which keeps them in order and anchors them to your emotions. Pro tip from champions of memory contests (yes, people will compete in anything): the ruder and more shocking, the easier your tale will be to remember.
Given the previous example, I visualize Daisy from The Great Gatsby, who is gracious and unfixable (and quite self-absorbed), going back in the door of Beacon Towers, reabsorbed into the mansion while arguably voicing theories on subatomic physics. Okay, it's a clunky sentence, but the picture in my head is memorable, and it should only take a few tries before I remember it easily. Probably could have it done in two, but this is a family show.
Password managers are like digital safes that hold all of your passwords and passphrases: you just need one passphrase for everything. That means you only have to memorize one, but it is also a single point of failure – if your password manager passphrase is compromised, everything inside it is. EFF has more information here:
Physical pen and paper can be the most secure in some situations; it all depends on whether you are more likely to be surveilled online or in physical space. Just remember to keep your passphrases in a different location than your computer, phone, tablet, etc. A discussion of threat modeling is here: Threat Modeling paper (EFF)
This adds a second check for extra security. The first factor is your normal password; the second generally uses either something you have, like a phone, or something you are, like a retinal scan. It is like a credit card that texts a code to your phone when you swipe it to make a purchase: if you do not input the code, the transaction is not completed; if you get a text while you are not making a purchase, you are alerted to possible fraud. It is a good idea to enable two-factor authentication when available.
https://ssd.eff.org/en/module/introduction-threat-modeling
https://github.com/HACK-BLOSSOM/DIY-Feminist-Cybersecurity
http://remembereverything.org/memory-palace-the-method-of-loci/