Your Password is Terrible!

You might think you have a good password. Well, have I got bad news!

Passwords are Easy to Guess but Hard to Remember

Other people will have a hard time guessing your password. But other people don’t guess passwords. Computers do.

The fastest password-guessing computer that we know of can make about three hundred and fifty billion guesses per second. And that was in 2012. Let’s assume it can make a trillion guesses per second by now.

That means it can guess your password in the blink of an eye.

Making up a password from words and numbers that have meaning to you, perhaps adding some punctuation and scrambling things around, as so many people do, is a really, really bad idea. Please stop doing it.

How to Make a Password Hard to Guess

Guessing passwords is exactly the same thing as guessing numbers.

Don’t believe me? Imagine a list of all possible passwords. Finding your password on the list is the same thing as finding how far through the list it is. Which is a number. QED.

If the list isn’t very long, your password isn’t very strong.

When you choose a bad password, you are effectively choosing a random password from a relatively small list. By which I mean a list with just a few hundred billion different passwords on it, which is teeny-tiny by the standards of a computer that can make a trillion guesses per second.

How long should the list be if we want it to take an average human lifespan for the computer to guess our password?

Step 1: Choose a Large Maximum Number

Let’s take the average human lifespan to be seventy-five years. According to NASA (and they know their stuff), there are 365.2422 days in an average year, and 86,400 seconds in a day.

If guessing your password is going to take seventy-five years on average, the list must be long enough that after seventy-five years our computer has only managed to try half of the passwords on it. For a computer that can make a trillion guesses per second, and rounding a little, that gives an impressively large number:

4,722,366,482,869,645,213,696

Step 2: Select a Random Number Between 1 and the Maximum

You can choose a random number between 1 and the number above by flipping a coin seventy-two times, so we call it a seventy-two bit number.

Don’t believe me? Set your number to zero. Flip a coin and double your number, then add one only if you got heads. Repeat seventy-one times.

Here’s one I chose earlier: 2,094,332,601,996,363,358,145

That would make for a pretty good password. The only trouble is, there’s no way I’m memorising a 22-digit number. Not happening.

How to Make a Password Easy to Remember

We can make our hard-to-guess random number easy to remember by encoding it with more than just the ten digits.

One way of doing this is by using uppercase and lowercase letters as well as the digits (with a few ambiguous characters like the letter O and the number 0 omitted). Here’s what we get for our random number: 2SpT2paxdqGDE

That’s much shorter: just thirteen characters instead of twenty-two digits. To a computer, it’s still the same number, and it still makes for a pretty good password.

Don’t believe me? Try pasting it into one of them doohickeys that show you the strength of your password, and it’ll go off the scale. Trust me.

There’s just one catch. It’s still hard to remember. Luckily, there’s another encoding we can try…

Step 3: Encode the Random Number Using Words

I’ve built a list of thousands of simple words, omitting ones that are hard to spell, or which may have several different meanings, or which may be offensive to some people.

We can encode our large random number using just six words from the list.

Here’s our encoded random number: tripod reach rye cure loft cocoa

To a computer, that’s identical to: 2,094,332,601,996,363,358,145

I hope you agree that it’s easier to remember!
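Steps 1 to 3 carried through in code, as an added example that is not from the original post: the lifespan arithmetic, an OS-random stand-in for the seventy-two coin flips, and the alphanumeric and six-word encodings written as one general change-of-base routine with a decoder to show they are the same number. The 58-character alphabet and the 4096-entry placeholder word list are my assumptions (the post does not print its own; 4096 is the list size at which six words carry exactly 72 bits).

```python
import secrets

GUESSES_PER_SECOND = 10**12   # the attacker speed the post assumes
LIFESPAN_YEARS = 75
DAYS_PER_YEAR = 365.2422
SECONDS_PER_DAY = 86_400

# Assumed alphabet (the post does not print its own): digits without 0,
# uppercase without I and O, lowercase without l, giving 58 symbols.
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Constructed stand-in for the author's word list: 2**12 = 4096 entries, so
# each word carries exactly 12 bits and six words cover all 72.
WORDS = [f"word{i:04d}" for i in range(4096)]


def list_size_for_lifespan() -> int:
    """Step 1: list length such that trying half of it takes 75 years."""
    seconds = LIFESPAN_YEARS * DAYS_PER_YEAR * SECONDS_PER_DAY
    return int(2 * seconds * GUESSES_PER_SECOND)


def random_72_bit_number() -> int:
    """Step 2: uniform number in [0, 2**72) from the OS CSPRNG (72 coin flips)."""
    return secrets.randbits(72)


def encode_base(n: int, symbols, width: int = 1) -> list:
    """Write n in base len(symbols), most significant first, padded to width."""
    base, out = len(symbols), []
    while n:
        n, rem = divmod(n, base)
        out.append(symbols[rem])
    while len(out) < width:          # left-pad so small numbers fill every slot
        out.append(symbols[0])
    return out[::-1]


def decode_base(digits, symbols) -> int:
    """Inverse of encode_base: recover the number from its symbol sequence."""
    index = {s: i for i, s in enumerate(symbols)}
    n = 0
    for d in digits:
        n = n * len(symbols) + index[d]
    return n


def to_words(n: int) -> list:
    """Step 3: the six-word form (base 4096, 12 bits per word)."""
    return encode_base(n, WORDS, width=6)
```

The thirteen-character form is `"".join(encode_base(n, ALPHABET, 13))`, since 58 symbols need thirteen positions to hold 72 bits; feeding either form back through `decode_base` returns the original number.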

Step 4: Commit the Encoded Number to Memory

To remember these six words, start by dividing them into three pairs:

  • tripod-reach
  • rye-cure
  • loft-cocoa

Next, imagine walking through the front door of your home, and make up a funny story that places these three pairs of words in that physical space as you move through it, using a sequence of three sentences. Like this:

“Opening the door I saw a tripod which I had to reach down to pick up. Then I entered the kitchen to pour a glass of rye to cure the pain in my feet. I slumped to the sofa wishing I had a loft so I could hide away with a cup of cocoa instead!”

Do you think you can remember this secret, without writing it down or modifying it in any way (both of which would make it less secure)? Great!

Your New Password is Awesome!

Let’s recap what we’ve learned so far.

  1. People choose terrible passwords. Really, really bad. Srsly.
  2. To choose a good password, start with a large random number.
  3. Then encode that large number as a short sequence of simple words.
  4. Finally, memorise the words by associating an amusing story with something you remember well: walking through your home. You’re done!

Get a Password Manager

Now that you can memorise a random 72-bit number, you should use it to protect a master list of all of your other passwords and private information.

You can do this with a password manager. I like to use LastPass, but there are several other great solutions, like Dashlane and 1Password.

If you’re not sure how to get all this set up, ask someone who is good with computers. You’ll know you’ve asked the right person when their eyes light up when you say “password manager”.

And never, ever tell them your password. It’s your secret. To conclude:

  1. Use a password manager for choosing and storing your passwords.
  2. Protect this with an unguessable secret that you’ve memorised.

And, just in case…

Never choose “tripod reach rye cure loft cocoa” as your secret! It’s mine!

(joking)

(but seriously never choose it; generate your own)