How I Do Passwords

A missive on making strong, memorable passwords, both when a password manager is and is not available.

By: TheHans255

12/28/2024

My very first article on this blog was an article about how I come up with passwords, with an explanation of how that method works and a brief discussion of password security and entropy. It was partially an excuse to publish my password applet to this site, but also an opportunity to talk about password security, something that's fundamental to how the Internet operates. Now that I've had a few more years of experience under my belt writing articles, I thought I would take a stab at rewriting that first article, explaining more clearly what I know and providing more up-to-date security information.

So, without further ado: how does TheHans255 do passwords?

Using A Password Manager

I probably have over a hundred accounts on the Internet, ranging from core services, such as email, that I use every day to novelty accounts I maybe use once a year. For all of these, I have a tool that allows me to both generate incredibly strong passwords and bypass the need to ever remember them: a password manager.

Most password managers work the same way:

You begin by first opening your password vault with a "master password", or a single, well-thought-out password that you do have to remember. Once you enter this password, the vault will open, allowing you to browse through your list of passwords. This master password must be entered every time you wish to open the vault - closing the password manager program recloses the vault.
When you create a new account, or enter a username and password on a site you don't already have a password for, your password manager will give you the option to save it. This will create a new entry in your password vault, saving together the website URL, username/email address, and password. (You can also save an entry manually).
- When creating an entry, you also have the option to generate a new password out of whole cloth. The password manager will randomly generate a sequence of 12-20 letters, numbers, and symbols, and can be configured to follow whatever rules are set by the website (such as excluding certain characters).
- You can also simply enter a password you come up with yourself, such as if you have already created the password before and you want to add it to your vault.
- Entries do not have to have a username and URL - they can just have a name and a password if you'd like. This allows you to use a password manager to store other kinds of data, such as the seed phrase for a cryptocurrency wallet.
Later, when you go back to that website, you can pull up the entry again (either manually or at the password manager's suggestion) to copy and paste the username and password into the username and password text boxes.
- Many password managers also have browser extensions that can do this part for you.
Finally, if you have more than one device (such as a laptop and a phone), the password manager will have some sort of sync mechanism that will copy your passwords between all of them, allowing you to use a password created on one device on another device. The password manager will also have some option to print out your passwords, or save them to a file that can be opened in a spreadsheet program like Excel, so that you can use a different password manager if you wish.

The specific password manager I like to use is KeePassXC, a program that keeps passwords stored on an encrypted file in my Documents folder (which I then keep synced with Syncthing, though Dropbox and OneDrive would also work). Whenever I need to access my vault, I run KeePassXC on my desktop, then enter my master password, which is used as a decoder key for the vault (meaning that anyone who does not know the master password cannot read the vault, even if they have the file). KeePassXC also has a browser extension that performs autofill, and there are many other programs that can read the KeePass file format, such as the Keepass2Android app I use on my phone. I personally recommend it over programs like LastPass and NordPass because those programs are cloud services, and there have been problems with those vaults being breached and the passwords cracked by hackers.

When You Don't Have a Password Manager: My Creative Process

Of course, there are a handful of situations where you need to use a password, but you can't rely on being able to access your password manager. In particular, this includes the situation where you need to choose your password for the password manager in the first place, but it also includes situations such as the logon screen for your computer, where all you get is the password box and you can't rely on your browser extensions and the like. Another good example is a shared WiFi password - your friends likely do not have a password manager available when you tell them how to connect.

In those cases, you need a password that you can type by hand. Contrary to popular belief, it is safe to write down this password somewhere as long as you keep it in a place very secure where no one else will see, such as in a notebook in a locked drawer in your home. But if you want to keep that password in that safe spot as much as possible (as opposed to getting it out every time you need it, with the risk of it being seen by a guest or other onlooker; to say nothing of carrying it on your person and risk having it stolen from you if you get mugged), you're going to need to memorize it, which means it's going to need to be a password you can remember.

In these situations, I have come up with a two-step method to generate a long, secure password that I can still easily memorize and type:

Step 1: Generate Random Letters

First, I use a true random source to generate a sequence of 6-10 letters in the English alphabet. I've written an applet on my website to facilitate this - it uses the random numbers that naturally arise as you use your computer, such as natural variations in typing speed or network access, to draw a few random numbers and get some letters. There are other options for this too - for instance, the website RANDOM.ORG provides numbers based on atmospheric noise. You can also roll dice for a purely analog solution - the game Scattergories comes with a 20-sided die that excludes the least common letters, and you can also buy a 30-sided die that has every letter of the alphabet plus 4 "wild" spaces (though in those cases, I would advise you just re-roll, or have one less letter).

A few examples of letter sequences you will come up with:

L, M, E, I, Q, Q
N, E, F, G, E, Y
D, P, V, R, W, Y
I, P, S, N, I, A, X, R
B, J, D, Y, U, J, Y, T

These letters will be the main source of your password's strength. Password strength is measured in entropy, which indicates the total number of possibilities the password can have provided you know how it was generated. Each letter you generate provides 4.7 bits of entropy (which is a fancy way of saying that it multiplies the number of possibilities by 2^4.7, or 26), meaning that a sequence of 8 letters has 37.6 bits of entropy, and a sequence of 10 letters has 47.0 bits of entropy.

For reference, if someone ends up with a hash of your password and can guess 1,000,000 passwords per second (which can be done with the kind of hardware needed to run a Bitcoin node), it would take 2.5 days to crack the 8 letter password and 4.5 years to crack the 10 letter password. In a more typical situation where you can only get 1,000 guesses per second, it would take 6.6 years to crack the 8 letter password and 4,400 years to crack the 10 letter password.

I will note that you should not just come up with these letters off the top of your head. The fact of the matter is that humans are remarkably bad at coming up with random numbers entirely from their own imagination - in particular, they tend to fall to the gambler's fallacy and make the sequence of numbers more or less related, rather than allow clusters or long sequences as happens in nature. If using a computer program, you should also be careful about how it generates its random numbers - most of them only use a pseudorandom number generator, which is not actually random and is usually drawn from a relatively small "seed" value.

Step 2: Turn The Letters Into a Full Sentence

Once I have my sequence of letters, I then come up with a full English sentence or phrase that incorporates those letters in that order. This full English sentence, complete with punctuation, capitalization, spaces, extra words, and other accoutrements, becomes my password.

For example, from the letter sequence "I, P, S, N, I, A, X, R", I can write:

In peace, snicker and explain relativity.
Snips and snails and axolotl tails, randomly assorted.
Ivo Peterson says no ideas exist remotely.
Snip from the snide axle return.

And from "B, J, D, Y, U, J, Y, T", I can write:

Bluejays don't yell unless Jim yells too.
BJ the Dinosaur yodels under the bridge and jumps on the yellow trusses.
Bus, Jam, Den, Yes, Urn, Jam, Yes, Too
<censored> daily?! You jest! You tease!

(DISCLAIMER: Of course, don't use any of these as your exact password! Since this is text plainly readable on the Internet suggested as an example password, password crackers will store this text and use it as one of their guesses. Just look at the number of people who literally use correct horse battery staple as their password.)

If you're sufficiently creative, this does, in practice, add at least a few bits of entropy to your password, since an attacker will not only have to guess the 8-to-10-letter seed you used, but also what whims and fancies your mind had on that particular day - and each bit of entropy doubles the amount of time that any attacker will need to crack your password.

However, because we already have the majority of our entropy from the sequence of letters, we don't really need to worry about making our password any harder to guess here - the main idea is instead to fully focus on making something memorable that matches how your brain works and that it can be proud of. Maybe it's a little song, maybe it's a short story. Maybe it's just a list. Maybe it's an inside joke. Maybe it's people in your life that you love. Whatever it is, make it yours.

There's a long history of using these sorts of mnemonics to remember codes, such as combinations for combination locks. In the old days, you'd just have to enter the sequence of letters and use the mnemonic to remember them, but with modern password storage practices, where the password is actually stored as a binary hash that is always the same length and uses a very limited set of characters regardless of the input string, there's no reason that you can't enter the whole mnemonic sentence, complete with spaces and punctuation, as your password.

Two-Factor Authentication and the Yubikey

Fortunately for those of us that have trouble coming up with passwords, passwords themselves are becoming less important as they become paired with, or are even entirely replaced by, the concept of hardware keys. The very short way to explain this concept is that this is exactly the difference between using a combination lock or keypad to get into your house and using a mechanical key - in the former situation, an intruder would need to guess the code, while in the latter situation, an intruder would need to steal your key. The concept of two-factor authentication combines the two - imagine having both a combination lock and a mechanical lock operating two separate deadbolts on your door.

There are multiple ways of doing this, with some of the most popular methods being SMS authentication and TOTP authentication, both of which typically rely on your cell phone as your physical device. However, a method that is growing in popularity, and one that I would recommend using whenever possible, is using a FIDO2 device such as a Yubico Yubikey or most other things on this list. Using a Yubikey for authentication on the web looks like this:

When logged into your account, if a service supports it, you can go into your account's Security settings and add a two-factor authentication method. Click on the option for a FIDO2 key or security key.
Your browser will then prompt you to plug in and touch your Yubikey. This will go into one of your device's USB ports - plug it in there and touch the golden disk. If your device supports NFC (such as for touch pay), you can hold the Yubikey to the NFC point instead.
Your Yubikey will then introduce itself to the service by sharing a public key with it. Yubikeys maintain a pair of two digital keycodes: a private key, which never leaves the device, and a public key, which can safely be shared with anyone. The public key is not enough to actually log anyone into a service, but can be used by the service to prove that the same Yubikey has come back later - and that's exactly what the service will do.
Later, when you log back into your account, you will be prompted to insert and touch your Yubikey again, as before. Once you do this, the Yubikey and your service will perform a little song and dance (more technically referred to as a "challenge response exchange") to verify that the same Yubikey has indeed come back - and if it has, you will have access to the service.

FIDO2 is both incredibly easy to use and highly secure compared to other two-factor authentication methods, since not only is there not enough information stored on the server to actually log you in (unlike SMS and TOTP, which rely on a shared secret instead of a private/public key), all you have to do is plug it in and press a button. There are, however a few caveats to be aware of:

Since the FIDO2 key keeps the necessary login information to itself, you can't really back it up if it gets lost. Because of that, you're probably going to want two keys, one of which stays at home - most Web services worth their salt will allow you to set up multiple FIDO2 keys.
Not everyone supports FIDO2 authentication - the best you can hope for on a lot of websites is TOTP (the six-digit timed codes), and some even only support SMS (being texted or called with a code). So you'll still want a phone for those cases. However, the Yubikey does have the Yubico Authenticator app, which supports TOTP.
If you're like me and have a bunch of heavy keys on your keychain, it's probably a bit awkward to lug out that keychain and plug in your key. If you use your key often, you will probably want some kind of lanyard or retractable badge holder to carry it on instead.
- If you don't mind leaving a USB port occupied, you can also buy extremely tiny keys such as the Yubikey 5C Nano that are intended to just stay plugged in. (This, BTW, is why you are also required to touch the Yubikey, so that you can safely leave it plugged in without it authenticating stuff behind your back).

Miscellaneous Questions

Isn't there an XKCD comic that talks about this?

Indeed there is! XKCD 936 demonstrates the difference between common password generation methods (using a single word with number and symbol substitutions) and using a "passphrase", or several perfectly normal words chosen randomly from a dictionary, pointing out that the former method is not only harder for users to remember but easier for computers to guess.

The main difference between Randall's method and the method I propose here is that I give room for the user to seed the words they want to use, and to put them together in a complete sentence. Randall's method draws from a 2,000 word dictionary, producing 11 bits of entropy per word, and thus likely beats my proposed method strictly in terms of entropy, but since my method has the password be directly equal to the story the user creates to memorize the password, it is easier to remember.

I suppose if you wanted a bit more entropy while maintaining a complete sentence, you could use some sort of Mad Libs-style generator, where the program starts with a sentence template and pulls out words from a dictionary separated by parts of speech. You could also go with a hybrid method - once you have created a passphrase sentence using my 2-step method, use a random dictionary to replace one or two nouns or verbs in the sentence with fully random word, removing the 4.7 bits of entropy brought in by each letter with 11 or 12 bits of entropy in the new word.

What if I don't have a creative bone in my body?

And thus can't be bothered to come up with a sentence to match the generated letters? In that case, I would probably just recommend using Randall Munroe's passphrase generation method of drawing words from a dictionary. The KeePassXC password manager has direct support for generating a passphrase like this.

Should I use the mnemoic process method for all my passwords?

I would recommend against it for two reasons:

If you have a good password manager, there is simply no need to remember all your passwords. You should remember the ones that you use most often, to log into your computer and password manager, but anything beyond that can simply be copied and pasted and can thus be as crazy and random as you possibly get away with.
Passwords for the general Internet tend to be stored less securely than passwords for your local home computer or password manager. For instance, a fair amount of services still use MD5, which can be calculated so quickly that a cracker who obtains the hash can guess billions of passwords per second, giving our 47-bits-of-entropy password only 1.6 days of respite and cracking our 37.6-bits-of-entropy password in a matter of minutes. In these situations, you need all the entropy you can get, and password managers can easily generate passwords with 100 bits of entropy or more.

Does the mnemoic method work for other languages?

Of course! As long as the language has a written form that you can express in Unicode, you can use it to generate a password using this method. Languages with alphabetic writing systems will want to substitute the English alphabet with their own alphabet. If you're expressing your password in something like Chinese, you will either want to select elements from a phonetic transliteration system (e.g. pinyin) or choose elements of your language's characters (e.g. radicals).

This YubiKey thing sounds cool, but I don't want to spend $60 USD just to try it out.

It's quite possible that you have a device that can do this already. Android phones with a fingerprint reader, or Apple phones with Face ID, are already using FIDO2 in those workflows to authenticate you and skip/supplement passwords. Most web browsers that support FIDO2, in addition to letting you insert a FIDO2 USB key, will also show you a QR code that you can scan with your phone, which will then prompt you to use the fingerprint reader or Face ID.

If you're deep enough in the world of cryptocurrency to have a hardware wallet, you're likely also set, because most legit hardware wallets also have FIDO2 functionality built-in.

Copyright © 2022-2024, TheHans255. This work is licensed under the CA BY 4.0 license - permission is granted to share and adapt this content for personal and commercial use as long as credit is given to the creator.