Easy To Remember, Hard To Guess #socs

Guess what I learned this week?

Back in 2003, a manager for the National Institute for Science and Technology (NIST) named Bill Burr wrote a document on password complexity, and how an ideal password was twelve characters or longer and consisted of random combinations of upper- and lowercase letters, numbers, and symbols. In other words, a password like E51p"oDsf;r+Dy6s was ideal, because it was longer than twelve characters and contained a mix of all four of the things you can find on a keyboard. That’s a secure password, because it would take years for a hacker to figure it out, somewhere in the neighborhood of 150,000 centuries. Problem is, it’s also difficult for you to remember. Password managers like LastPass can keep track of them and, if you’re lucky, plug them in to all the apps you have on your smart devices. If you aren’t lucky, you can still copy and paste the password from the password manager, usually, but there are times when an app won’t allow you to paste a password, and other times when you’re setting up a new device and the password manager isn’t installed on it, so you bring it up on one device and type it in.

Anyway, Bill, who’s now retired and has had time to think about it, gave The Wall Street Journal an interview and said that the rules he set down in that document were too complex and that the benefit of having a long password of random characters came at the cost of a user not being able to remember it. (The full article is hidden behind the WSJ’s paywall; if you don’t subscribe, there’s a good summary here.)

Instead, Bill now suggests that users use a passphrase made up of random words, such as serious milly hiding thursday or ceiling kitten watching purple monster, something that would be easier to remember and which still provides the security that the long strings of random characters would. You can throw in numbers, uppercase letters, punctuation, and symbols, like television Headphone hi62823 zipper, honestly as well. Mark, my friend from high school who comments here frequently, says it also helps to use jargon from your job or hobbies, like lydian dominant stratocaster piobaireachd or upper sideband kilocycle WWV delano. I’ll occasionally use a line from a prayer, such as The angel of the Lord declared unto Mary or tantum ergo sacramentum veneremur cernui.

There’s a website called Use A Passphrase that will generate a passphrase for you of four, five, or twelve words (it gave me the passphrase burnham clayton square special a minute ago). Bill also says that it’s not necessary to change your passphrase every 90 days, and in fact you need only change it if a website says you should.

One other thing: a lot of websites have you enter answers to challenge questions, like “In what city were you born?” or “The name of your first pet.” No reason you can’t use a random phrase as the answer. You just have to remember what it is. That’s where LastPass comes in handy.


Stream of Consciousness Saturday is brought to you each week by Linda Hill and this station. Now, a word from our sponsor.