
Thread: Passphrases That You Can Memorize — But That Even The NSA Can’t Guess

  1. #1

    Passphrases That You Can Memorize — But That Even The NSA Can’t Guess

    ...
    For example, when you encrypt your hard drive, a USB stick, or a document on your computer, the disk encryption is often only as strong as your passphrase. If you use a password database, or the password-saving feature in your web browser, you’ll want to set a strong master passphrase to protect them. If you want to encrypt your email with PGP, you protect your private key with a passphrase. In his first email to Laura Poitras, Edward Snowden wrote, “Please confirm that no one has ever had a copy of your private key and that it uses a strong passphrase. Assume your adversary is capable of one trillion guesses per second.”

    In this post, I outline a simple way to come up with easy-to-memorize but very secure passphrases. It’s the latest entry in an ongoing series of stories offering solutions — partial and imperfect but useful solutions — to the many surveillance-related problems we aggressively report about here at The Intercept.

    It turns out, coming up with a good passphrase by just thinking of one is incredibly hard, and if your adversary really is capable of one trillion guesses per second, you’ll probably do a bad job of it. If you use an entirely random sequence of characters it might be very secure, but it’s also agonizing to memorize (and honestly, a waste of brain power).

    But luckily this usability/security trade-off doesn’t have to exist. There is a method for generating passphrases that are both impossible for even the most powerful attackers to guess, yet very possible for humans to memorize. The method is called Diceware, and it’s based on some simple math.

    Your secret password trick probably isn’t very clever

    People often pick some phrase from pop culture—favorite lyrics from a song or a favorite line from a movie or book—and slightly mangle it by changing some capitalization or adding some punctuation, or use the first letter of each word from this phrase. Some of these passphrases might seem good and entirely unguessable, but it’s easy to underestimate the capabilities of those invested in guessing passphrases.

    ...
    https://firstlook.org/theintercept/2...rs-cant-guess/
    Last edited by jct74; 03-26-2015 at 08:13 PM.
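The Diceware math the article excerpt describes (five dice per word, a 7776-word list, an adversary making one trillion guesses per second), worked through in Python as an added example that is not part of the article or of this thread. SAMPLE_WORDS is a constructed stand-in for the real word list, so phrases generated from it are illustrative only; the entropy and crack-time figures use the real list size.

```python
import math
import secrets

# Diceware rolls five dice per word, so the list has 6**5 == 7776 entries.
DICE_PER_WORD = 5
DICEWARE_LIST_SIZE = 6 ** DICE_PER_WORD  # 7776


def roll_dice_key(n=DICE_PER_WORD):
    """Roll n dice using the OS CSPRNG and return the key as a string, e.g. '13621'."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(n))


def dice_key_to_index(key):
    """Map a five-dice key such as '13621' to its 0-based position in the
    7776-entry list. Each die is one base-6 digit (face 1..6 -> digit 0..5)."""
    if len(key) != DICE_PER_WORD or any(c not in "123456" for c in key):
        raise ValueError("expected exactly five digits in the range 1-6")
    index = 0
    for c in key:
        index = index * 6 + (int(c) - 1)
    return index


def generate_passphrase(word_count, wordlist, separator=" "):
    """Choose word_count words uniformly from wordlist and join them.
    With a full 7776-word list this is equivalent to rolling five dice per
    word; the separator can be "-" or similar where spaces are not allowed."""
    words = list(wordlist)
    return separator.join(secrets.choice(words) for _ in range(word_count))


def entropy_bits(word_count, list_size=DICEWARE_LIST_SIZE):
    """Entropy of a passphrase of word_count words drawn uniformly from list_size.
    Each Diceware word contributes log2(7776), about 12.9 bits."""
    return word_count * math.log2(list_size)


def average_crack_seconds(bits, guesses_per_second=1e12):
    """Expected brute-force time at the given guessing rate; on average the
    attacker searches half the space before hitting the right passphrase."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


# Constructed stand-in for the real Diceware list (the real one has 7776 words).
SAMPLE_WORDS = ["clamp", "fleet", "lusty", "photon", "shore", "tundra", "vivid", "wrist"]

if __name__ == "__main__":
    key = roll_dice_key()
    print("roll:", key, "-> list index", dice_key_to_index(key))
    print("sample phrase:", generate_passphrase(7, SAMPLE_WORDS, separator="-"))
    for n in (4, 7):
        bits = entropy_bits(n)
        years = average_crack_seconds(bits) / 31557600
        print(f"{n} words: {bits:.1f} bits, about {years:.1e} years at 1e12 guesses/s")
```

At one trillion guesses per second a four-word phrase averages about half an hour to exhaust, while the article's seven-word phrase averages tens of millions of years.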



  3. #2
    Is there a password generator I can use that will allow NSA easy access to my accounts, but won't let hackers in?
    It's all about taking action and not being lazy. So you do the work, whether it's fitness or whatever. It's about getting up, motivating yourself and just doing it.
    - Kim Kardashian

    Donald Trump / Crenshaw 2024!!!!

    My pronouns are he/him/his

  4. #3
    Quote Originally Posted by Suzanimal View Post
    https://firstlook.org/theintercept/2...rs-cant-guess/

    Your secret password trick probably isn’t very clever
    Micah Lee would lose that bet.

    And no, I'm not describing my process here lol

  5. #4
    Quote Originally Posted by GunnyFreedom View Post
    Micah Lee would lose that bet.

    And no, I'm not describing my process here lol
    I was using the same lame password everywhere until my email got hacked. I changed them all but I bet they're still pretty easy for the NSA or a half wit 14 year old.

  6. #5
    Quote Originally Posted by Suzanimal View Post
    I was using the same lame password everywhere until my email got hacked. I changed them all but I bet they're still pretty easy for the NSA or a half wit 14 year old.
    Well, I'll share my former method for passWORDS (rather than passphrases) since I am no longer using it. Each unique site that I logged into had one 8 to 10 letter word I associated with THAT site, and I would type it over and over until I got the pattern down, then shift two keys to the left or right and peck out the same pattern (in different letters), add some capitalization followed by a short series of numbers, punctuation, and then characters that are neither letters, numbers, nor punctuation.

    So if I were logging onto a 'war' site, for example, my unique identifier might be "blitzkrieg" so my base would be "n;oyxltorg" which becomes "N;oyxltorG" and then finally "N;oyxltorG7,$"

    So then I have this password, "N;oyxltorG7,$" which I don't even really know myself, I just know how to TYPE it. Even if I were to get waterboarded, I don't even know it myself so I couldn't actually say what my password was. Put me in front of the keyboard and all I have to remember is "blitzkrieg, one right, seven comma dollars" and that gives me "N;oyxltorG7,$"

    I use a much better system for my passwords now, I don't really do this anymore, so I don't mind sharing this one.

  7. #6
    If a login allows 'any ascii' there are other things you can do, too. For example, if I hold down the option key and type 'ronpaulforums' I get the following:

    ®ø˜π娬ƒø®¨µß

    Now, I don't actually recommend using ®ø˜π娬ƒø®¨µß as your password for RPF's because I am sure that key modifiers are on the list of stuff that No Such Agency tries. However, adding a bit of high ASCII to a password will make it exponentially harder to guess, because the character palette to choose from is tenfold larger than just your 'standard' keyboard keys.

    So, if I followed the above method for my RPF password, say base of "liberty", two left "jycqwer", caps "JycqweR", characters "JycqweR3/@". Now, "JycqweR3/@" is already a decent password, but maybe I want to make it REALLY difficult to brute-force by adding high ASCII to the end of it. I might add "RPFs" to the end: option-shift 'RPF' and just option 's' would give me this: "JycqweR3/@‰∏Ïß"

    Good luck guessing my easily-derived and easily remembered password for RPF's as "JycqweR3/@‰∏Ïß"

    (No, that is NOT my password lol)

  8. #7
    My password was gerbil for everything. That's not it anymore but your method sounds a little complicated for me. I'm thinking of using an obscure word that means something only to me and the phone # from that Jenny song.

  9. #8
    Quote Originally Posted by Suzanimal View Post
    My password was gerbil for everything. That's not it anymore but your method sounds a little complicated for me. I'm thinking of using an obscure word that means something only to me and the phone # from that Jenny song.
    Honestly, if you are having a hard time coming up with a secure password methodology, it may be a good idea to use a password manager that auto-generates absurd passwords and the only thing YOU have to remember is the one password necessary to get into your password manager. The drawback being you could not log into a given website from say a public library or whatever without remembering something insane like %ghHha?/':ja7^64j&H©†Hjakltu&%^haner8^

    But from YOUR devices, a proper password manager would auto-generate a unique insane password for any and every login you wanted to use it on. This is really good for such things as online banking, where you want to be super secure. Twenty characters of high ASCII garbage would take a long, long time to break, and if anybody ever stole that one password it would have zero effect on the rest of your logins.

    Something like.... (browsing for an example, I do not currently use a password manager...)


    https://agilebits.com/onepassword

    You can install the same app on your Windows, Mac, Android, and iPhone, so that every device you have can sync up and log in to whatever, and you only need to remember the one master password to let you into the password manager.

    I'm actually considering going to a password manager next myself, to be honest.



  11. #9
    Quote Originally Posted by GunnyFreedom View Post

    So, if I followed the above method for my RPF password, say base of "liberty", two left "jycqwer", caps "JycqweR", characters "JycqweR3/@". Now, "JycqweR3/@" is already a decent password, but maybe I want to make it REALLY difficult to brute-force by adding high ASCII to the end of it. I might add "RPFs" to the end: option-shift 'RPF' and just option 's' would give me this: JycqweR3/@‰∏Ïß

    Say that again?

  12. #10
    Quote Originally Posted by Suzanimal View Post
    My password was gerbil for everything. That's not it anymore but your method sounds a little complicated for me. I'm thinking of using an obscure word that means something only to me and the phone # from that Jenny song.
    Gerbil, really? That will also gain you entry to HB's accounts.
    Pfizer Macht Frei!

    Openly Straight Man, Danke, Awarded Top Rated Influencer. Community Standards Enforcer.


    Quiz: Test Your "Income" Tax IQ!

    Short Income Tax Video

    The Income Tax Is An Excise, And Excise Taxes Are Privilege Taxes

    The Federalist Papers, No. 15:

    Except as to the rule of appointment, the United States have an indefinite discretion to make requisitions for men and money; but they have no authority to raise either by regulations extending to the individual citizens of America.

  13. #11
    Quote Originally Posted by Natural Citizen View Post
    Say that again?
    The key two spots left of the L is a J. If I wanted to use LibertY, I just shift two keys left and type "JycqweR" instead. Then add a string of non-letters that I remember like 3/@ to come up with "JycqweR3/@"

    Now if the login daemon allows high ASCII I can make it even more difficult to crack by adding a few characters of high ASCII at the end. In this case, it's a keyboard modifier for RPFs (on a Mac OS Keyboard).

    Option-Shift R ‰
    Option-Shift P ∏
    Option-Shift F Ï
    Option s ß

    RPFs = ‰∏Ïß

    Just add that to the above and you get

    JycqweR3/@‰∏Ïß

    Which should be pretty tough to crack. And all I have to remember is "LibertY, two keys left, 3 slash at, and then RPFs in high ASCII."

  14. #12
    Quote Originally Posted by Danke View Post
    Gerbil, really? That will also gain you entry to HB's accounts.
    But gerbils are cute, darn it.

  15. #13
    Quote Originally Posted by GunnyFreedom View Post
    But gerbils are cute, darn it.
    They are kind of cute. I still use it on sites I don't really care about but I really do need to secure my banking login. I'm afraid what I'm using now isn't much better. I'll look into that website that changes your password for you.

  16. #14
    Quote Originally Posted by Suzanimal View Post
    They are kind of cute. I still use it on sites I don't really care about but I really do need to secure my banking login. I'm afraid what I'm using now isn't much better. I'll look into that website that changes your password for you.
    Password managers aren't websites, they are actual programs that you install on your home computer, your smartphone etc. That way you don't have to send master passwords over an insecure internet connection.

  17. #15
    Quote Originally Posted by GunnyFreedom View Post
    But gerbils are cute, darn it.
    Obama likes the way they feel inside.
    freedomisobvious.blogspot.com

    There is only one correct way: freedom. All other solutions are non-solutions.

    It appears that artificial intelligence is at least slightly superior to natural stupidity.

    Our words make us the ghosts that we are.

    Convincing the world he didn't exist was the Devil's second greatest trick; the first was convincing us that God didn't exist.

  18. #16
    Quote Originally Posted by GunnyFreedom View Post
    The key two spots left of the L is a J. If I wanted to use LibertY, I just shift two keys left and type "JycqweR" instead. Then add a string of non-letters that I remember like 3/@ to come up with "JycqweR3/@"

    Now if the login daemon allows high ASCII I can make it even more difficult to crack by adding a few characters of high ASCII at the end. In this case, it's a keyboard modifier for RPFs (on a Mac OS Keyboard).

    Option-Shift R ‰
    Option-Shift P ∏
    Option-Shift F Ï
    Option s ß

    RPFs = ‰∏Ïß

    Just add that to the above and you get

    JycqweR3/@‰∏Ïß

    Which should be pretty tough to crack. And all I have to remember is "LibertY, two keys left, 3 slash at, and then RPFs in high ASCII."
    Hm. Maybe I can just pay you to make a good password for me. Well...Hm. Of course, then you'd know my password. That won't work.



  20. #17

  21. #18
    Quote Originally Posted by CPUd View Post
    What I use for some of my passwords.
    Quote Originally Posted by Sister Miriam Godwinson View Post
    We Must Dissent.

  22. #19
    I have found that sentences from Shakespeare's sonnets make for some pretty good pass phrases.

  23. #20
    any four unrelated words strung together, other than very short words, will make for a strong password

  24. #21
    Quote Originally Posted by GunnyFreedom View Post
    Well, I'll share my former method for passWORDS (rather than passphrases) since I am no longer using it. Each unique site that I logged into had one 8 to 10 letter word I associated with THAT site, and I would type it over and over until I got the pattern down, then shift two keys to the left or right and peck out the same pattern (in different letters), add some capitalization followed by a short series of numbers, punctuation, and then characters that are neither letters, numbers, nor punctuation.

    So if I were logging onto a 'war' site, for example, my unique identifier might be "blitzkrieg" so my base would be "n;oyxltorg" which becomes "N;oyxltorG" and then finally "N;oyxltorG7,$"

    So then I have this password, "N;oyxltorG7,$" which I don't even really know myself, I just know how to TYPE it. Even if I were to get waterboarded, I don't even know it myself so I couldn't actually say what my password was. Put me in front of the keyboard and all I have to remember is "blitzkrieg, one right, seven comma dollars" and that gives me "N;oyxltorG7,$"

    I use a much better system for my passwords now, I don't really do this anymore, so I don't mind sharing this one.
    Yeah, I've used that one before. Sucks when logging in via a cell phone though.
    9/11 Thermate experiments

    Winston Churchill on why the U.S. should have stayed OUT of World War I

    "I am so %^&*^ sick of this cult of Ron Paul. The Paulites. What is with these %^&*^ people? Why are there so many of them?" YouTube rant by "TheAmazingAtheist"

    "We as a country have lost faith and confidence in freedom." -- Ron Paul

    "It can be a challenge to follow the pronouncements of President Trump, as he often seems to change his position on any number of items from week to week, or from day to day, or even from minute to minute." -- Ron Paul
    Quote Originally Posted by Brian4Liberty View Post
    The road to hell is paved with good intentions. No need to make it a superhighway.
    Quote Originally Posted by osan View Post
    The only way I see Trump as likely to affect any real change would be through martial law, and that has zero chances of success without strong buy-in by the JCS at the very minimum.

  25. #22
    Quote Originally Posted by Ronin Truth View Post
    I have found that sentences from Shakespeare's sonnets make for some pretty good pass phrases.
    I think the point of the OP is that anyone with resources trying to hack your password probably has that kind of information in his database.

  26. #23
    Quote Originally Posted by jmdrake View Post
    Yeah, I've used that one before. Sucks when logging in via a cell phone though.
    Yeah, doing geospatial patterns and key modifiers to generate passwords does tend to suck when trying to do the same in a phone. Even on a QWERTY keypad the numbers and modifiers are all different. :-/

    Quote Originally Posted by jmdrake View Post
    I think the point of the OP is that anyone with resources trying to hack your password probably has that kind of information in his database.
    IIRC the rest of the article (the part not quoted) explicitly referenced Shakespeare quotes, even slightly munged Shakespeare quotes, as one of the first to go. Apparently that is an unusually common source for passphrases, such that it is at the top of the brute force dictionaries.

  27. #24
    Quote Originally Posted by CPUd View Post
    This.
    Quote Originally Posted by Swordsmyth View Post
    Pinochet is the model
    Quote Originally Posted by Swordsmyth View Post
    Liberty preserving authoritarianism.
    Quote Originally Posted by Swordsmyth View Post
    Enforced internal open borders was one of the worst elements of the Constitution.



  29. #25
    Very interesting stuff.

    I usually just use a password with "random" characters that I try to make as incoherent as possible. For example: 4mL5s4!G2t?r32. I then write it down and store it in a physical location, not on my computer. The article says passwords like these have "slightly less entropy" than the 7 word passphrase, but are harder to memorize. I actually have to say, I don't find it that hard, especially if I use the password regularly. That and writing them down seems to be foolproof enough.

    I'm not an encryption expert, though, so I do wonder if someone could shed light on how effective this method is.
    I'm an adventurer, writer and bitcoin market analyst.

    Buy my book for $11.49 (reduced):

    Website: http://www.grandtstories.com/

    Twitter: https://twitter.com/LeviGrandt

    Facebook page: https://www.facebook.com/grandtstori...homepage_panel

    BTC: 1NiSc21Yrv6CRANhg1DTb1EUBVax1ZtqvG

  30. #26
    Quote Originally Posted by PaulConventionWV View Post
    Very interesting stuff.

    I usually just use a password with "random" characters that I try to make as incoherent as possible. For example: 4mL5s4!G2t?r32. I then write it down and store it in a physical location, not on my computer. The article says passwords like these have "slightly less entropy" than the 7 word passphrase, but are harder to memorize. I actually have to say, I don't find it that hard, especially if I use the password regularly. That and writing them down seems to be foolproof enough.

    I'm not an encryption expert, though, so I do wonder if someone could shed light on how effective this method is.
    Why wouldn't you store them on your computer?

  31. #27
    Quote Originally Posted by Suzanimal View Post
    Why wouldn't you store them on your computer?
    It seems better to decentralize the info. If someone gets a hold of my computer, everything is there. This reduces the risk.

  32. #28
    Okay, that's a bit easier to remember than Gunny's method.

    Gerbilsarecute0_o
    That's a pretty good passphrase...

    Snowden's security tip: ‘Shift your thinking from passwords to passphrases’

    It takes a computer less than a second to crack any eight-character password, according to NSA whistleblower Edward Snowden.

    He gave some tips on how to make a better password to ‘Last Week Tonight’ host John Oliver. The HBO show released a web video in which the two men discussed password security ‒ footage that didn't make it into the episode that aired Sunday.

    The comedian met the former National Security Agency contractor in a Moscow hotel opposite the KGB’s former headquarters in a room with all windows covered. During the frank interview, Oliver and Snowden discussed the NSA’s collection of Americans’ X-rated photos.

    “The bad news is they are still collecting everyone’s information,” Snowden said, “including your dick pics.”

    But an NSA release of a slew of 'dick pics' isn’t the only thing Americans should be worried about when it comes to their privacy and security, Snowden told Oliver in the web extra posted on Thursday.

    “Bad passwords are one of the easiest ways to compromise a system,” Snowden told Oliver. “For someone who has a very common, eight-character password, it can literally take less than a second for a computer to go through the possibilities and pull that password out.”

    ...

    Oliver’s password ‒ similar to the Druidia air shield security code on ‘Spaceballs’ ‒ is only five characters.

    “That’s really bad,” Snowden told him.

    Misspelling a word isn’t a good idea either, as permutations of common words are in the normal password dictionary, according to the NSA leaker.

    President Skroob shouldn’t change the combination on his luggage from “1-2-3-4-5” to “onetwothreefourfive,” either ‒ an option Oliver hinted at.

    “The best advice here is to shift your thinking from passWORDs to passPHRASES,” Snowden recommended. “Think about a common phrase that works for you. It’s too long to brute force and also make them unlikely to be in the dictionary.”

    ...
    http://rt.com/usa/248401-snowden-oli...ection-advice/

  33. #29

  34. #30
    The Diceware method is really good, BUT I would add some special characters between words since some places don't allow spaces. And there's no reason to forget to capitalize some letters and add some numbers.

    Also, network / website / Internet passwords shouldn't be the same as local encryption key passwords. Don't reuse passwords online. They probably don't store passwords well.
    Last edited by american.swan; 04-09-2015 at 08:00 PM.


