I use a passphrase, which has higher entropy than a short password and is easier to remember at the same time.
Take a dictionary of 50k words and choose a sequence of 6 words at random. (Use software for this; opening a printed dictionary “at random” won’t produce really random results). This provides log2(50000^6) = 94 bits of entropy. This is a similar amount to choosing 15 characters from an 80-character set (lowercase and uppercase letters, numbers, and 18 other characters) which would produce log2(80^15) = 95 bits.
It’s much easier to remember 6 random words than 15 random characters. You can generate some passphrases here to estimate how difficult they might be to remember. (Of course you wouldn’t generate your real passphrase using an online tool :-)
If you often need to generate XKCD-compliant passwords on Linux machines, you may find this command line handy:
(It will work on a Mac if you install coreutils and change shuf to gshuf.)
On my Ubuntu install, /usr/share/dict/words is symlinked to /usr/share/dict/american-english, which has about 100k words. log2(100000^6) = 100, which surprised me by being not that much bigger than log2(50000^6) = 94. Bad math intuition on my part.
How is a computer more random than flipping pages?
The word “set” in my dictionary has a definition spanning an entire page. Most other pages have between 20 and 50 words on them. This implies that the word “set” will be chosen about 1 in 1000 times, giving only 10 bits of entropy, whereas choosing completely at random, each word would have about a 1 in 50,000 chance of being chosen, giving about 15 bits of entropy.
In practice, picking 5 random pages of a 1000 page dictionary, then picking your favorite word on each page would still give 50 bits of entropy, which beats the correcthorsebatterystaple standard, and probably a more memorable passphrase.
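As an added illustration (not code from any of the commenters), the following Python script reproduces the entropy figures quoted in this thread and quantifies the "flip to a page" bias by comparing Shannon entropy with min-entropy, the measure that matters against an attacker who guesses the most likely word first. The page layout in PAGES is a constructed dictionary, not a real one.

```python
import math
import secrets

# Constructed dictionary layout: 1000 pages, page 0 holds a single headword
# ("set", whose definition fills the page); every other page holds 35 words.
PAGES = [1] + [35] * 999


def uniform_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of `length` symbols drawn uniformly from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def page_then_word_probs(pages):
    """Per-word probabilities for the 'open to a random page, then pick a word
    on it' method: each page is hit with 1/len(pages), each word on a page
    with 1/words_on_page, so a lone word on its page is heavily favoured."""
    n_pages = len(pages)
    return [1.0 / (n_pages * k) for k in pages for _ in range(k)]


def shannon_bits(probs) -> float:
    """Average surprisal, the figure usually quoted as 'entropy'."""
    return -math.fsum(p * math.log2(p) for p in probs)


def min_entropy_bits(probs) -> float:
    """-log2 of the single most likely outcome: what a guessing attacker sees."""
    return -math.log2(max(probs))


def generate_passphrase(wordlist, n_words: int = 6) -> str:
    """Uniform selection with the OS CSPRNG, the software route the thread recommends."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


if __name__ == "__main__":
    print(f"6 words from 50k dictionary : {uniform_bits(50000, 6):.1f} bits")
    print(f"15 chars from 80-char set  : {uniform_bits(80, 15):.1f} bits")
    print(f"6 words from 100k dictionary: {uniform_bits(100000, 6):.1f} bits")
    print(f"5 random pages of 1000      : {uniform_bits(1000, 5):.1f} bits")
    probs = page_then_word_probs(PAGES)
    print(f"page-then-word Shannon  : {shannon_bits(probs):.2f} bits/word")
    print(f"page-then-word min-entropy: {min_entropy_bits(probs):.2f} bits/word")
    print(f"uniform over same words : {math.log2(len(probs)):.2f} bits/word")
```

The Shannon figure barely moves because only one word is favoured, but the min-entropy drops to about 10 bits per word, which is the 1-in-1000 chance the comment above describes.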
Take a 100 page book, get 100 random numbers from that, then do an analysis of the numbers.
First of all, how do you decide right page/left? Likely by generating randomness in your head, which may not be so good. First few pages and last few are unlikely. Probably other things also. For one, words with longer definitions are more likely depending on the exact method.
I don’t think using a computer is a very secure solution once you’re going to that level anyway. Try using dice.
It’s well known in the security industry / compsci that humans are very bad at generating, and recognizing, random numbers. I can’t recall if there’s a name for this bias; there’s the clustering illusion but that’s about recognizing random numbers, not trying to generate them.
This paper tries to analyze why this is hard for humans to do.