Recently,
tech news site Ars Technica did an
article on a sixth grader selling passwords
to people. Not selling people’s passwords for various illicit purposes, but
rather generating secure passwords and selling the dice-rolled results. This method
of generation, known as Diceware, combines rolling a die with matching the rolled
results to words. Similar to webcomic XKCD’s famous “correct horse battery
staple” password, these Diceware passwords are both secure and easy to
remember. While it helps that said sixth grader is the daughter of the privacy-minded
author of Dragnet Nation, Julia Angwin, the fact that an eleven-year-old is not
only generating, but also successfully selling secure passwords brings to mind
a bigger issue: password security.
When
typing “most commonly used passwords” into Google, the results are rather
disappointing. Simple, easily guessed, unoriginal, and ridiculously insecure
passwords dominate the list, such as the ever creative “123456” and “password.”
While passwords such as these may seem
creative to an elementary schooler (indeed, acquaintances in my 4th
grade class thought it was clever), they are insecure. Yet people use them, in
spite of having multiple random password generators freely available with another
easy Google search. So why is it that people continue to use bad passwords?
Well, there are several causes. Poor corporate policy forcing users to change
passwords frequently leads to a multitude of bad passwords as users struggle to
remember the correct one for the week, for one. The difficulty of making up a new
password is another. Other causes include people being
predictable and/or lazy, passwords being too complicated, and people being
outright ignorant.
So how does
one create and remember a secure password, then? The above-mentioned
Diceware method is one way, taking advantage of entropy to get random numbers,
and thus words, with the result being an easily memorized phrase. Rather than
paying a rather clever 6th grader to make and mail one to you (which
could be duplicated or intercepted; just because it’s illegal to do so won’t
stop someone dedicated), simply break out 5D6 and roll them physically (as some
dice rollers aren’t so random) to get your words.
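
The roll-to-word lookup described above, as an added example that is not part of the original post: each group of five dice is read as a base-6 number that indexes a 7776-entry word list. The function names and the placeholder word list are assumptions made for illustration, and the list is assumed to be sorted in roll order (11111 first, 66666 last), as published Diceware lists are.

```python
import math
import secrets

DICE_PER_WORD = 5               # five six-sided dice pick one word
LIST_SIZE = 6 ** DICE_PER_WORD  # 7776 possible rolls, one word each

def roll_to_index(roll: str) -> int:
    """Map a roll such as '16245' to a 0-based position in the word list."""
    if len(roll) != DICE_PER_WORD or any(d not in "123456" for d in roll):
        raise ValueError(f"expected {DICE_PER_WORD} digits in 1-6, got {roll!r}")
    index = 0
    for digit in roll:          # read the roll as a base-6 number
        index = index * 6 + (int(digit) - 1)
    return index

def software_roll() -> str:
    """Fallback when no physical dice are at hand: draws from the OS CSPRNG,
    not from the predictable `random` module."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(DICE_PER_WORD))

def passphrase(rolls, wordlist) -> str:
    """Join the words selected by each five-dice roll."""
    if len(wordlist) != LIST_SIZE:
        raise ValueError("word list must have exactly 7776 entries")
    return " ".join(wordlist[roll_to_index(r)] for r in rolls)

def entropy_bits(num_words: int) -> float:
    """Entropy of a phrase when every word comes from fair, independent rolls."""
    return num_words * DICE_PER_WORD * math.log2(6)

# Constructed placeholder list (hypothetical); substitute a real Diceware list.
PLACEHOLDER_WORDS = [f"word{i:04d}" for i in range(LIST_SIZE)]

if __name__ == "__main__":
    # Constructed sample rolls, standing in for dice rolled by hand.
    physical_rolls = ["16245", "31156", "66421", "52313", "24436", "11663"]
    print(passphrase(physical_rolls, PLACEHOLDER_WORDS))
    print(f"{entropy_bits(len(physical_rolls)):.1f} bits of entropy")
```

Each word contributes about 12.9 bits, and that figure holds only if the rolls are fair and the finished phrase is used as rolled rather than re-rolled until it looks pleasing.
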
Another way to get a secure
password would be to use a random password generator. This, however, results in
the generated passwords being rather difficult to remember. Fortunately, several
of these random generators are attached to password storage services such as
LastPass, KeePass, and Norton Identity Safe (although that last one is Norton…),
which handle generation, storage, and retrieval of all one’s passwords. While arguments
could be made against giving all of one’s passwords to a paid service, it is still
a valid option, one that enables use of complicated strings of characters
instead of only using phrases. Of course, variations on this particular method
also work, such as simply memorizing an entire string of random characters (I
can still recite the WEP key for my first router) or thinking of a mnemonic.
There are, of course, other methods
to generate passwords, such as grabbing words from a book, making some sort of
cipher, and so forth. With all these different methods to do so, there is no
reason not to use secure passwords. Remember: a 6th grader does it
and even monetized it, so even you can create and use a good password.