Generating Short, Memorable, and Secure Passwords

Passphrases are the state-of-the-art when it comes to generating passwords that are both secure and memorable. But they have a downside: they're annoying to type. If you're going to be entering a password frequently, you may prefer to minimize the number of characters in the password at the cost of taking a little more effort to remember.

It's not that much effort. People regularly memorize dozens or hundreds of digits of pi for fun, and a password is trivial compared to that. To get the optimal balance between entropy and memorizability, we can follow a few rules:

  1. No special characters. Read the letters "CRNFRL" out loud, then close your eyes and repeat them. You've already memorized them! Now try that with "@/^!$&". We just don't use special characters nearly as often as letters, so our brain isn't as used to working with them.
  2. Same problem for uppercase vs. lowercase. While "a" and "A" are totally different characters as far as a computer is concerned, to a human they're variants of the same letter, and it's harder to remember the variation than the base letter. (Plus, sticking to digits and lowercase letters means we only ever have to press one key per character.)
  3. Omit "0", "7", and "w". Not all humans have an internal monologue, but for those of us who do, memorization of a string takes place on a syllable-by-syllable basis, making these three characters particularly annoying.
  4. Lastly, let the user assemble their own passwords from short random chunks. We're pretty good at coming up with stories and patterns to match what we see; a random jumble like "uflaq3b" can be turned into a mental story like "The University of Florida lacks 3 bees". Not to mention that pronounceable jumbles like "dimgu" are better than unpronounceable ones like "ckxky". Rather than try to make the password generator create strings with such properties, we can let the user pick small chunks that they find memorable, and combine them together.

Generator

Click on the chunks that you find memorable until you have a password of sufficient strength. A consumer GPU can crack about 44 bits of entropy per minute with a bad hashing algorithm, so aim for at least that many to be safe from standard non-targeted attacks. It's not worth the effort for a hacker to spend more than a few seconds per user when there are thousands or millions of passwords to attack.

If this password is for a security-focused service that uses slow hashing algorithms and key-stretching, like a master password for a decent password manager, 25 bits is likely sufficient.

If you're paranoid and want to be safe from someone with significant resources who's targeting you personally, you'll need more like 70 or 50 bits, respectively.
If you don't like any of these, you can replace any unselected ones with new ones until you have a password you like.
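The rules above (digits and lowercase letters, minus "0", "7" and "w") and the bit targets in this section, worked through as an added example rather than the page's own generator code. It draws chunks with a CSPRNG, computes the entropy of the allowed 33-character alphabet, and reports how many chunks a given target needs; the chunk length of 5 is an assumption, and the entropy figure treats every character as uniformly random, so it is an upper bound once a human starts picking favourites from a menu.

```python
import math
import secrets
import string

# Alphabet from the rules: lowercase letters and digits, with "0", "7" and "w" removed.
ALPHABET = "".join(c for c in string.ascii_lowercase + string.digits if c not in "07w")

# log2(33) ~= 5.04 bits for each uniformly chosen character.
BITS_PER_CHAR = math.log2(len(ALPHABET))


def random_chunk(length: int = 5, rng=secrets) -> str:
    """One uniformly random chunk from ALPHABET (chunk length 5 is an assumption)."""
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def is_allowed(password: str) -> bool:
    """True when every character is in the restricted alphabet."""
    return all(c in ALPHABET for c in password)


def entropy_bits(password: str) -> float:
    """Entropy of a password whose characters were each drawn uniformly from ALPHABET.

    Upper bound: a user who picks the most memorable chunks from a menu is
    applying a non-uniform filter, which can only reduce the true entropy.
    """
    if not is_allowed(password):
        raise ValueError("password contains characters outside the allowed alphabet")
    return len(password) * BITS_PER_CHAR


def chunks_needed(target_bits: float, chunk_len: int = 5) -> int:
    """Smallest number of chunks whose combined entropy reaches target_bits."""
    return math.ceil(target_bits / (chunk_len * BITS_PER_CHAR))


def build_password(target_bits: float, chunk_len: int = 5, rng=secrets) -> str:
    """Concatenate random chunks until the target is met (stands in for the user's clicks)."""
    count = chunks_needed(target_bits, chunk_len)
    return "".join(random_chunk(chunk_len, rng) for _ in range(count))


if __name__ == "__main__":
    for target in (25, 44, 50, 70):
        pw = build_password(target)
        print(f"{target:>2} bits -> {pw} ({entropy_bits(pw):.1f} bits, {len(pw)} chars)")
```

With this alphabet, the 44-bit target from the text needs two 5-character chunks (about 50 bits) and the 70-bit target needs three.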
