The art of the password

Good overview of the state of password creation (and cracking) by William Poundstone.

Though I never bother with such websites, I hadn't realized the following:

Have you ever wasted a few moments with a sketchy website that promises to reveal your Klingon name (wizard name, ghetto name, porn star name, etc.)? Some of these sites are fronts for password-harvesting operations. They’ll ask you for some personal data—mixed in with Trekkie trivia—and prompt you to make up a password. Scammers know that the password you supply is likely to be similar or identical to ones you use elsewhere. They may sell collected passwords on the black market for about $20 each.

A password is like the key to your home. There are weak locks and strong locks, but neither does any good when a pickpocket swipes your key. Security is always about the weakest link.

Poundstone's advice on picking a secure password:

The best way to use the pass-phrase idea is to turn the conventional advice on its head. Instead of thinking of a phrase and converting it to a password (that won’t be all that random), get a truly random password and convert it to an easy-to-remember phrase.
A password, a pass-phrase, a mnemonic—what’s the big deal? The difference is that a random-character password is the gold standard of security. It’s better than any human-chosen password could be. It will still be good even if everyone in the world adopts this scheme.

A random-character password of reasonable length is, for practical purposes, unguessable with today’s technology. It won’t appear in a list of popular passwords. A mass attacker could guess a random password only in a brute-force search. With upper- and lowercase letters and numbers, there are sixty-two possible characters. (I won’t count punctuation marks, as not all sites allow them.) That means it would take 62^8 guesses to be certain of hitting an eight-character password. That’s over 218 trillion guesses.

That effectively rules out an Internet mass attack and would slow down a targeted attack. Accepting the claim that some forensic software can spit out 2.8 billion guesses a second, it would take about twenty-two hours to make that many guesses. That’s secure enough for most people—should you disagree, you’re welcome to add a few more characters.
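To check the arithmetic in the passage above, and to produce the kind of random-character password it recommends, here is an added Python example; it is not from Poundstone's book or from the original post. The 62-symbol alphabet and the 2.8 billion guesses per second are the figures the quoted passage uses; the other lengths tried, and the use of the `secrets` module as the source of randomness, are my choices.

```python
import math
import secrets
import string

# Poundstone's alphabet: upper- and lowercase letters plus digits, 62 symbols.
# Punctuation is left out, as in the passage, because not every site allows it.
ALPHABET = string.ascii_letters + string.digits

# Guess rate quoted in the passage for "some forensic software" (an input
# to the calculation, not a property of the password itself).
QUOTED_RATE = 2.8e9


def keyspace(length, alphabet=ALPHABET):
    """Number of distinct passwords of exactly `length` characters over `alphabet`."""
    return len(alphabet) ** length


def entropy_bits(length, alphabet=ALPHABET):
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(len(alphabet))


def exhaustive_search_seconds(length, guesses_per_second, alphabet=ALPHABET):
    """Worst-case time to try every candidate of this length at the given rate."""
    return keyspace(length, alphabet) / guesses_per_second


def random_password(length, alphabet=ALPHABET):
    """A uniformly random password drawn from the OS CSPRNG.

    secrets.choice is used rather than random.choice: the random module is a
    seedable PRNG meant for simulation, not for secrets, and naive `rand() % n`
    style selection would also bias the distribution toward some symbols.
    """
    return "".join(secrets.choice(alphabet) for _ in range(length))


def report(length, guesses_per_second=QUOTED_RATE, alphabet=ALPHABET):
    """Summarise keyspace, entropy and worst-case search time for one length."""
    secs = exhaustive_search_seconds(length, guesses_per_second, alphabet)
    return {
        "length": length,
        "keyspace": keyspace(length, alphabet),
        "bits": entropy_bits(length, alphabet),
        "hours": secs / 3600,
        "years": secs / (3600 * 24 * 365.25),
    }


if __name__ == "__main__":
    # Lengths other than 8 are my additions, to show how the cost scales.
    for n in (8, 10, 12, 16):
        r = report(n)
        print(
            f"{r['length']:2d} chars: {r['keyspace']:.3e} candidates, "
            f"{r['bits']:.1f} bits, {r['hours']:.1f} h / {r['years']:.2e} y"
        )
    print("example random 12-character password:", random_password(12))
```

The only free parameter is the guess rate; the passage's 2.8 billion per second reproduces its "over 218 trillion" and "about twenty-two hours" for eight characters, and each extra character multiplies the worst-case time by 62. To "add a few more characters" as the passage suggests, call `random_password` with a larger length and then build your mnemonic phrase around the result rather than the other way round.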