I think the XKCD approach is okay if done properly. The linked article assumes that users are thinking up the words themselves, which is a terrible idea. (First rule of security: you do NOT have a good RNG in your brain.) If the words are *properly* randomly chosen from a list of 10,000 common words, using a computer or something like diceware (in which you roll physical dice to choose a word from a premade numerical list), there are 10^16 possibilities, roughly equal to a 9-character alphanumeric string, such as Gg6sPTrBb. This isn't *great* (I prefer at least 20 characters), but it's still better than Tr0ub4dor&3, let alone password123.
You can improve on this further with a larger word list. For one site, choosing random words from the entire online OED, I used to have a password consisting of a technical legal term followed by three dialectical words that I've never heard in real life. (My account on that site is long since deleted, but it still seems like a good idea not to say exactly what the words were. You'll have to take my word for it that it sounded funny.)
2FA has pitfalls that should be mentioned. For one thing, SMS (text messaging) is NOT secure; it can be intercepted relatively easily via SIM hijacking. A real 2FA app (e.g. Google Authenticator) is better, but my bank, for example, only allows 2FA via SMS and voice calls. That's security theater.
For another thing, there's a real tradeoff between security and accessibility. Phones get lost, or stolen, or broken, or have dead batteries, or don't have service in a particular area, etc. To require 2FA is to allow the possibility that you won't be able to get into your account in some unusual circumstance when you really need to. IMO, this tradeoff should be discussed honestly, and it shouldn't be assumed that everyone has a working phone on them at all times.
As for the system described here, it's impressive, but sounds to me like an insane amount of mental effort, to the degree that the nuisance of creating a new password would discourage me from signing up for any new sites. Personally, I'm very happy with Bitwarden, which, like all reputable password managers, uses end-to-end zero-knowledge encryption, meaning that even if an attacker was able to exfiltrate data from Bitwarden's servers, they'd be unable to read any of it. Bitwarden does require 2FA when accessed from an unrecognized device, but allows email to be used as the second factor. This means that memorizing two passwords, one for Bitwarden and one for email, allows me to log in without my phone if need be.
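The arithmetic behind the comment above (four words from a 10,000-word list ≈ a 9-character alphanumeric string) is easy to check, and the same formulas tell you how many words you need to match any target. The following is an added worked example, not the commenter's code: it computes passphrase entropy in bits, converts between word-list and character-string strength, maps five dice rolls to a diceware index, and draws words with the OS CSPRNG via `secrets` (the "properly random" choice the comment calls for). `SAMPLE_WORDS` is a constructed stand-in for a real word list.

```python
import math
import secrets

# Constructed stand-in for a word list; a real one (a 7776-word diceware list,
# or the 10,000 common words mentioned in the comment) would be loaded from a file.
SAMPLE_WORDS = ["cabbage", "vacation", "sushi", "lantern", "orbit", "pickle",
                "harbor", "velvet", "canyon", "tundra", "marble", "quartz"]

ALPHANUMERIC = 62  # a-z, A-Z, 0-9


def passphrase_bits(list_size: int, n_words: int) -> float:
    """Entropy in bits of n_words drawn uniformly (with replacement) from list_size words."""
    return n_words * math.log2(list_size)


def string_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a uniformly random string of `length` symbols."""
    return length * math.log2(alphabet_size)


def equivalent_length(bits: float, alphabet_size: int) -> int:
    """Shortest random string over alphabet_size symbols with at least `bits` of entropy."""
    return math.ceil(bits / math.log2(alphabet_size))


def words_needed(target_bits: float, list_size: int) -> int:
    """Fewest words from a list_size-word list that reach target_bits of entropy."""
    return math.ceil(target_bits / math.log2(list_size))


def dice_index(rolls) -> int:
    """Map five d6 rolls (first roll most significant, as diceware lists are numbered
    11111..66666) to a list index 0..7775."""
    if len(rolls) != 5 or any(r < 1 or r > 6 for r in rolls):
        raise ValueError("need exactly five rolls in 1..6")
    index = 0
    for r in rolls:
        index = index * 6 + (r - 1)
    return index


def generate_passphrase(words, n_words: int, sep: str = " ") -> str:
    """Pick n_words using the OS CSPRNG (secrets); never the human brain, never random.choice."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


if __name__ == "__main__":
    bits = passphrase_bits(10_000, 4)
    print(f"4 words from 10,000: {bits:.1f} bits "
          f"~= {equivalent_length(bits, ALPHANUMERIC)}-char alphanumeric string")
    print("words from 10,000 needed to match a 20-char alphanumeric string:",
          words_needed(string_bits(ALPHANUMERIC, 20), 10_000))
    print("sample passphrase:", generate_passphrase(SAMPLE_WORDS, 4))
```

Note that the entropy figure only holds when every word is chosen uniformly at random; a phrase you compose yourself, or one built from a quotation you already know, has far less entropy than the word count suggests.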
Good points all around, P!
I use an authenticator app wherever possible, and certainly it helps to live in a part of the country where lack of cellphone reception (or even wifi) is almost a non-issue. And I manage my battery charge rather obsessively, which should surprise no one! But there’s no eliminating the risk of phones being lost—or stolen. (Suz’s cellphone was stolen while shopping a number of years back. Fortunately the thieves were amateurs, and we were able to track them while sending them threatening text messages, and eventually they ditched the phone and we got it back! This happened on Valentine’s Day, believe it or not.)
As for the “insane amount of mental effort,” YES I *SAID* I AM INSANE, but also THIS IS *FUN* FOR ME and is part of what makes life worth living! I *enjoy* solving problems this way. I am all for password manager apps for people who want them. I just don’t want one!
I'm laughing at the image of you stalking phone thieves through the mall while sending "I have a very particular set of skills"-type messages. That's a movie (or at least a scene) I'd like to see! (If the reality was more boring than that, I don't want to know.)
The reality was more EXCITING than that! Like, by A LOT. There was a CAR CHASE!
I wasn’t with Suz when the phone was stolen, and when she called me from a stranger’s phone and told me she didn’t have her phone, I found its location and saw that it had left the store where she was. So I went after it!
The problem was that while I was able to track her phone from the computer at home, I didn’t have her location on my mobile phone. Our son David at college was able to track both my phone and hers, so he called me and remotely directed me in my pursuit of the thieves. Eventually I was right behind them, with David telling me where to turn!
He texted them telling them exactly where they were and that we were following them, and said “Just drop the phone ✊.” They finally abandoned it on a street corner, but I couldn’t find it. I walked back and forth, getting “hotter” or “colder” (again, David remotely directing me all the time, tracking both phones). Eventually I thought they might have dropped it into a waste container that turned out to be a solar-powered trash compactor—so I had David make the phone make a sound, and sure enough, that’s where it was.
So then we had to get local authorities to open the thing for us! We were by a public library, and I went in and asked them to call the police. The police came and called the fire department. The fire department opened it and got the phone, and they were like, “How do we know it’s your phone?” So I activated the screen—the battery was almost dead—and there was my photo on Suz’s lock screen.
So I brought the phone in triumph to Suz, her knight in shining armor. And we went out for Valentine’s Day dinner with my dad and his lady friend. And my dad proposed, and she accepted, and they danced right there in the restaurant to “Love is a Rose,” and the restaurant owner took their picture and put it up on the wall.
(In the end, they didn’t get married, but it was okay.)
I SWEAR I AM NOT MAKING ANY OF THIS UP.
WHAT
Okay, that's the most incredible Valentine's Day story I've ever heard. (Now we can have an endless Die Hard-like argument about whether it qualifies as such...) I hope it was as much fun as it sounds like!
That incident happened how many years ago and you're just now telling us? How many more exciting stories do you have? Please share them all in an upcoming post called "Greydanus Adventures."
My suggestion: name this story "Raiders of the Cell Phone" and "embellish" it by saying you used your whip to snatch the phone out of the thief's hand just before he dropped it in the compactor. 😆
I built a custom “module” approach that essentially hybridizes 3 (the XKCD approach) with 2 = building out a “security alphabet” of 26+ unique words that I can quickly associate with each letter of the alphabet, then string those words together (e.g. for CVS, spell out CabbageVacationSushi) and THEN tack on some slightly more default characters and numbers, etc.
Another epic approach, Daniel! I love your custom security alphabet idea!
My wife got me into using the first letters of song lyrics, with some substitutions for symbols or numbers. For instance, if I had an Ancestry.com account, I might think that it's associated with the past, and so use the Beatles' Yesterday:
Yesterday love was such @n easy game 2 play-now I need somewhere 2 hide @way
becomes:
Ylws@eg2p-nIns2h@
There's nothing easier to remember than song lyrics, and it generates something that doesn't resemble natural language. Of course, sometimes I forget the exact translation--should it be "EZ" for easy?--so I still have them all written down somewhere.
That’s epic, John! I love it! So you also use a system of free association, relying on fixed landmarks in your mind, but relating to song lyrics rather than book or movies quotations.
But you also have to be sure to get the quotation right! It’s “a place to hide away,” not “somewhere to hide away.” A mistake like that could be disastrous!
I've deciphered your final password, thanks to years of choir-singing. :-)
I know the melody you are thinking of, Kate!
I do something similar, if a bit less complex, involving books. I also, for the sake of my sanity, reuse passwords for similar sites; not a unique one every time, but not the same one everywhere.
My memory doesn't work in such a way that a system like this would work. :-) Glad it works for you. I've about 90% moved to a password manager, which generates new passwords as needed. And 2FA. The remaining 10% are old passwords that, for one reason or another, haven't been converted yet. A few are irritating cases where the password can't be stored in a manager, including a couple that are required to be short and simple, because they have dumb interfaces (looking at you, office exercise bike!).
It's certainly better than my old system, which for years was based on math-and-symbol variations on someone else's pet's name from decades ago.
What I’m learning, Brian, is that my approach is not unique, but certainly it’s not for everyone. Some people take it even further than I do! Mostly I prefer to do it this way because it’s fun! It makes a routine part of modern life like playing a game.
The King James Version? I was raised Catholic so I am not even going to try. My password method involves my two favorite things: Catholicism and Star Wars. I will say no more.
I know you like puzzles, Christopher, so I’ll give you two clues that should help:
1. The capital “G” in “SyftkoGahraattwbauy” is not a new sentence or a random capitalization. It’s a very common word that is always capitalized. It’s the end of a clause, not the beginning of one.
2. The first “y” is for the word “ye,” and it’s used in a way that drops out in modern English, like “Go ye to the ant, thou sluggard” becomes “Go to the ant, you slacker” (Proverbs 6:6).
So the first clause, expressed in modern English, is “SftkoG.” It’s a familiar phrase from the Bible, and it’s an answer to the question “What matters most?” Think about it!
I like certain brain teasers, but I have my limits and I'm certainly no genius. I was going to unintentionally mimic one of my favorite characters and tell you that I was going to try, but that immediately called to mind a famous phrase by a wise, uh... being that both of us greatly admire: "Do or do not. There is no try." Coincidentally, I will be posting about that scene tomorrow. Thank you for the additional hints. I will get back to it later.
Ok, I got it now. Thank you Bible Gateway for having so many translations.
You left out the part about how frustrated you got with AT&T that you made our username "taking your crap" 😄
THIS IS ABOUT *PASSWORDS* NOT *USERNAMES*