Easy To Remember, Hard To Guess #socs

Guess what I learned this week?

Back in 2003, a manager for the National Institute for Science and Technology (NIST) named Bill Burr wrote a document on password complexity, and how an ideal password was twelve characters or longer and consisted of random combinations of upper- and lowercase letters, numbers, and symbols. In other words, a password like E51p"oDsf;r+Dy6s was ideal, because it was longer than twelve characters and contained a mix of all four of the kinds of characters you can find on a keyboard. That's a secure password, because it would take years for a hacker to figure it out, somewhere in the neighborhood of 150,000 centuries. Problem is, it's also difficult for you to remember. Password managers like LastPass can keep track of them and, if you're lucky, plug them into all the apps you have on your smart devices. If you aren't lucky, you can usually still copy and paste the password from the password manager, but there are times when an app won't allow you to paste a password, and other times when you're setting up a new device and the password manager isn't installed on it, so you bring it up on one device and type it in on the other.

Anyway, Bill, who's now retired and has had time to think about it, gave The Wall Street Journal an interview and said that the rules he set down in that document were too complex and that the benefit of having a long password of random characters came at the cost of a user not being able to remember it. (The full article is hidden behind the WSJ's paywall; if you don't subscribe, there's a good summary here.)

Instead, Bill now suggests that users use a passphrase made up of random words, such as serious milly hiding thursday or ceiling kitten watching purple monster, something that is easier to remember and still provides the security that the long strings of random characters would. You can throw in numbers, uppercase letters, punctuation, and symbols as well, like television Headphone hi62823 zipper, honestly. Mark, my friend from high school who comments here frequently, says it also helps to use jargon from your job or hobbies, like lydian dominant stratocaster piobaireachd or upper sideband kilocycle WWV delano. I'll occasionally use a line from a prayer, such as The angel of the Lord declared unto Mary or tantum ergo sacramentum veneremur cernui.

There's a website called Use A Passphrase that will generate a passphrase for you of four, five, or twelve words (it gave me the passphrase burnham clayton square special a minute ago). Bill also says that it's not necessary to change your passphrase every 90 days; in fact, you need only change it if a website says you should.

One other thing: a lot of websites have you enter answers to challenge questions, like “In what city were you born?” or “The name of your first pet.” No reason you can’t use a random phrase as the answer. You just have to remember what it is. That’s where LastPass comes in handy.
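To put numbers on the comparison above, here is an added example (my own code, not from the post or from the Use A Passphrase site) that computes the entropy of a random-character password versus a random-word passphrase, estimates worst-case cracking time at an assumed guess rate, and generates a passphrase with a cryptographically secure random choice, which also works for a random challenge-question answer. The word list and the guess rate are constructed assumptions.

```python
import math
import secrets

# Constructed sample word list; a real generator's dictionary has thousands
# of words (e.g. 7776 for a diceware-style list), which is what sets entropy.
SAMPLE_WORDS = ["burnham", "clayton", "square", "special", "ceiling", "kitten",
                "watching", "purple", "monster", "television", "headphone",
                "zipper", "serious", "hiding", "thursday", "milly"]

# Printable ASCII minus space: 26 upper + 26 lower + 10 digits + 32 symbols.
KEYBOARD_ALPHABET = 94

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits(pool_size: int, length: int) -> float:
    """Entropy of `length` independent uniform picks from `pool_size` options."""
    return length * math.log2(pool_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case years to try every candidate at a given (assumed) guess rate."""
    return (2.0 ** bits) / guesses_per_second / SECONDS_PER_YEAR


def generate_passphrase(words, count: int) -> str:
    """Pick `count` words with a CSPRNG. Repeats are allowed, so every pick
    contributes log2(len(words)) bits no matter what came before it."""
    return " ".join(secrets.choice(words) for _ in range(count))


def compare(word_count: int, wordlist_size: int, password_length: int = 16) -> dict:
    """Entropy of a random-character password vs. a random-word passphrase,
    so the two schemes can be compared on strength rather than on length."""
    return {
        "password_bits": entropy_bits(KEYBOARD_ALPHABET, password_length),
        "passphrase_bits": entropy_bits(wordlist_size, word_count),
    }


if __name__ == "__main__":
    # Assumed attacker rate: one billion offline guesses per second.
    rate = 1e9
    for label, bits in compare(4, 7776).items():
        print(f"{label}: {bits:.1f} bits, ~{years_to_exhaust(bits, rate):.3g} years")
    print("sample passphrase:", generate_passphrase(SAMPLE_WORDS, 4))
```

The comparison shows why word count and list size matter: a 4-word pick from a 7776-word list is roughly 52 bits, while the 16-character random password is about 105 bits, so a passphrase that keeps up with it needs more words or a larger list, not just more characters.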


Stream of Consciousness Saturday is brought to you each week by Linda Hill and this station. Now, a word from our sponsor.

20 thoughts on “Easy To Remember, Hard To Guess #socs”

  1. Hey John,
    I just read about your post and the article you recommended from Janet’s site. I’ve heard of LastPass and others like it but have always been wary of using that: it seems unsecure to store my passwords online.
    Just a few weeks ago, I was alerted that someone had stolen my identity and it’s been a real pain to get everything changed. I don’t know how someone got all my info (social security number, debit card number, etc.) but I kinda assumed that my info was with a bunch that got released when someone hacked a big major company’s database. Who knows. But my bank was on top of it: they declined an attempted purchase because the thief, when using a card with my debit account number on it, swiped the card as opposed to using the chip reader, and that flagged the transaction and it was declined. The bank immediately sent me an email to confirm my last four purchases. Three were in fact mine and the latest was the one that was declined. So they didn’t get far with my info, thankfully. And I was alerted that someone attempted to get a credit card using my information but that didn’t go through either. But it was a giant hassle going through all the steps to get a new debit card and then change all my auto-debit and bill-pay/subscriptions and deal with all the credit bureaus to put a fraud alert on my name.

    I like the idea of the passphrase so I’ll have to give that a try. Thanks for posting about it.

    Michele at Angels Bark


    1. Regardless of how secure something is online, there’s always some (pardon the French) asshole sitting in his mom’s basement trying to get rich quick by hacking into someone’s accounts online and stealing their money. I also use LifeLock to alert me when something like that happens, although it tends to alert me when something I actually did (e.g. Mary’s health insurance) happens and fails to let me know when something I didn’t do happens. I’ve had two of my credit card numbers stolen just in the past year, and it’s been the banks that caught it, not LifeLock. Still, LL has caught a couple of applications for credit cards that someone attempted to open using my information. In the more recent credit card episode, they appeared to have a credit card, because they were charging things at McDonald’s and other places where they would have to be present with the card. I think some clever individual has figured out a way to come up with bogus credit cards complete with magnetic strips and is selling them on the dark web, because Mary and I always send our old cards and other records through the shredder where they can’t be reassembled.

      With anything these days, you take a calculated risk and there’s always a tradeoff. LastPass has been hacked before and no doubt will be hacked again, and has taken what I consider to be good moves to strengthen their security setups so that, even if there was a hacker attack, the chance


    2. cont’d….

      that they would be able to get my information is minimal. And, I’ve taken steps (unique passwords for everything, strong passwords, two-factor authentication, etc.) to minimize the chance that my information would be stolen. But, there’s always the guy in his mom’s basement… you get so mad, you want to find the person and dispense some Dick Tracy justice…


      1. Wow, you’ve been through the mill too with this theft bulls***. Interesting experience with LifeLock. I’ve thought about signing up with them. Now I’ll have to think about it some more…
        The banks really are on the ball with this stuff. I was just talking to my banker the other day about what security precautions they can put on my accounts. He told me that just last week he had a customer who was going through a complete identity theft and the bank refunded her $80,000! I said “So if someone gets into my accounts and manages to steal all my money, Chase will give it all back to me?” And he said Yes. That made me feel better at least…
        Thanks for sharing your experience.
  2. Just wanted to let you know that I mentioned you and this post in my most recent post. You are always so good about mentioning me, I wanted to return the love. Thanks!


  3. I’m often changing mine because I forget them! I’m wary of storing them digitally because of hacking and I don’t write them anywhere. Hubby has his written down in a coded format that only he can work out but sometimes he forgets the code! In answer to your question of course I do Sudoku plus lots of other Japanese puzzles – one of my favourite sites is: http://www.brainbashers.com/logicpuzzles.asp


    1. It happened a couple of years ago, as a matter of fact:
      Evidently, they encrypt the passwords (including master passwords) using a powerful algorithm that makes it less likely anyone who gets the information can actually use it, and they also recommend using two-factor authentication, where logging in with a password is the first step and responding to an email or text message is the second. They did recommend that users change their master passwords when it happened, which rehashed everyone’s data.


  4. I read that article this week and hope businesses will change their criterion. I am SICK of two types of letters, numbers, symbols. I use words and numbers that have no relationship to me. I have never honestly answered a single security question honestly. Not even for the bank. Those are dumb. Anyone who really knows me can answer all of those!


  5. Interesting. I have to keep my passwords in a special address book or I never remember them. Glad to hear it is not necessary to change them every 90 days. Thanks for the info, John!


    1. I use LastPass to keep track of my passwords, because I have so many (half of which are for sites that no longer exist or I haven’t been to in years). Nice thing about it is it’ll plug in my user ID and password when I go to a site, and there’s a place to keep notes for challenge questions. Plus, I can get at it from all my devices, so I rarely have to type in a password. There’s a free version, but I don’t think you can get at it from places besides a browser, so I have the premium version, which is only a couple bucks a month.

