Passing Strange:

digital security for real people

We all know that our passwords are not very secure. Few of us know what to do about it, or how to evaluate security processes. This is an attempt to clarify questions that I have heard and give some tools for non-tech people to go forth with an idea of where to find answers for themselves.

What makes a bad password?

The default; any password you have used elsewhere; your favorite word or an obscure term from your favorite pastime; your kid's or pet's name. Anything ever used as a “security question,” whether true or not: your mother's maiden name, birthday, the street where you grew up, etc. Passwords of fewer than ten characters are generally considered insecure.

What makes a good password?

Two things: length and entropy.

With each added character, the entropy of the password grows by the log base 2 of the number of possibilities for that character, which means the number of guesses a miscreant must make is multiplied by that number of possibilities. You don't need to know this to have effective passwords, but suffice to say that each added character adds a fixed number of bits, so the guessing work compounds with every one.

Entropy is a measure of randomness: while "aaaaaaaaaaaa" technically has an equal chance of being a randomly generated twelve-character password as any other, it is one of only 40 repeated-character strings a guesser must try first if the set of possibilities is 26 letters, 0 – 9 and four punctuation marks (one such string per character in the set), so a guesser gets to it almost immediately.

But memorizing a random string of twelve characters is a pain in the ass, and trying every combination of twelve characters won't take long for a determined digital decipherer.

What shall we do? Where shall we go? What will become of us?

Luckily there is a solution: the passphrase!

What is a passphrase?

Just what it sounds like: a longer string than a password that is composed of multiple words.

How many words?

Four at a minimum; six is better. Use as many as you like to the limit that the system will allow.

When should I use a passphrase rather than password?

Whenever possible, especially:

  • Full-disk or device encryption
  • Encryption keys
  • Password managers (more on that later)
  • At least one email account (so other passwords can be reset)
  • Any device going across an international border

Like all elegant solutions, the passphrase has been immortalized in art: XKCD Home Page


Okay, that is funny. But how do I find random words?

Despite the evidence displayed by some drivers on the road, humans are pretty bad at randomness. The state of the art is a system called diceware, and it uses – ta da! – actual dice! (Seriously, those six-sided ones from board games. DO NOT use a digital random number generator for this.) If you want to support the Electronic Frontier Foundation in all they do to keep us safe and get their set to show off at your next backgammon sesh at the same time, that would be cool of you.

Go here: EFF Password Dice

You will also need a wordlist. There are other wordlists, but EFF's large list is the gold standard:

It can be used over and over again, so I favor making a print copy; you may choose to peruse it on the EFF website. Either way, there are a few simple precautions before you begin:

  • If you haven't done it already, cover any laptop cameras or webcams. Put the phone in another room. Don't do it at the library or cafe or anywhere else you may be observed.
  • Do not mark the entries in any way: highlighting or underlining on paper, hovering the cursor over them on the screen.
  • Use a single sheet of paper on a hard surface to take notes. Burn the paper when you are done. EFF recommends flushing the ashes, but I am equanimous with composting.

Okay, you've got me paranoid; now how do I do this?

The wordlist has five-digit numbers on the left; they are arranged in ascending order but each digit is from 1 – 6. This is because they are gauged to go with a set of five six-sided dice (if you want to come up with a base-20 version to go with the icosahedron ones used in role playing, go for it, but it makes my head hurt already).

Step 1: Roll the dice

      Arrange them as close as you can to the order, left to right, in which they came to a stop. Write the numbers that appear on some scratch paper.

Step 2: Roll the dice

      Don't worry about looking at the wordlist yet (though there is nothing wrong with doing so); just note the numbers down.

Step 3: Roll the dice

Step 4: Roll the dice

Step 5: Roll the dice

Step N: Roll the dice

      Yeah, you get it. Do this for as many words as you want to use in your passphrase.

Step N+1: Look up the corresponding words, keeping them in order. This is your new passphrase.


      For a six-word passphrase I rolled all five dice six times:

            32514 gracious
            63642 unfixable
            46442 reabsorb
            12314 arguably
            65665 voicing
            56664 subatomic

      So my new passphrase is graciousunfixablereabsorbarguablyvoicingsubatomic.
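The lookup and the entropy arithmetic from the sections above, written out as an added example (not part of the original post). The wordlist excerpt is constructed in the format of the EFF large list (roll, tab, word) and contains the six entries rolled above plus two filler lines; the real list has 7776 entries. The code never rolls dice for you, in keeping with the advice above: it only looks up rolls you made physically and counts the bits.

```python
import math

# Constructed excerpt in the EFF large wordlist format: five-dice roll, tab, word.
# The six middle entries are the rolls from the worked example; "abacus" and "zoom"
# are filler to show the list's ascending order. The full list is not reproduced.
EFF_EXCERPT = """\
11111\tabacus
12314\targuably
32514\tgracious
46442\treabsorb
56664\tsubatomic
63642\tunfixable
65665\tvoicing
66666\tzoom
"""

def is_valid_roll(roll):
    """True for exactly five digits, each in 1-6 (what five six-sided dice can show)."""
    return len(roll) == 5 and all(c in "123456" for c in roll)

def parse_wordlist(text):
    """Parse 'NNNNN<tab>word' lines into a dict keyed by the roll string."""
    table = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        roll, word = line.split("\t", 1)
        if not is_valid_roll(roll):
            raise ValueError(f"bad roll key in wordlist: {roll!r}")
        table[roll] = word.strip()
    return table

def lookup_passphrase(rolls, table):
    """Map physically rolled dice (e.g. ['32514', ...]) to words, keeping order."""
    words = []
    for roll in rolls:
        if not is_valid_roll(roll):
            raise ValueError(f"each roll must be five digits 1-6, got {roll!r}")
        words.append(table[roll])  # KeyError here means the excerpt lacks that roll
    return words

def passphrase_bits(num_words, list_size=6 ** 5):
    """Entropy in bits: log2(list_size) per word, assuming fair dice and no reordering."""
    return num_words * math.log2(list_size)

def password_bits(length, alphabet_size):
    """Entropy of a uniformly random password: log2(alphabet_size) per character."""
    return length * math.log2(alphabet_size)

ROLLS = ["32514", "63642", "46442", "12314", "65665", "56664"]  # the rolls above

if __name__ == "__main__":
    words = lookup_passphrase(ROLLS, parse_wordlist(EFF_EXCERPT))
    print("".join(words))
    print(f"six diceware words: {passphrase_bits(6):.1f} bits")
    print(f"twelve random characters from a 40-symbol set: {password_bits(12, 40):.1f} bits")
```

Six words from the 7776-entry list give about 77.5 bits, a little more than twelve uniformly random characters drawn from the 40-symbol set described earlier (about 63.9 bits), and far easier to remember.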


That looks pretty unguessable, but also insane.

There are some mnemonic techniques which help people remember:

      I refer you back to the XKCD panel above. For some people, it helps to draw a picture relating the words together. Guard any such drawing like you would any written password.

      Sometimes the rhythm of the words suggests a song. Lyrics are a great way to remember (just don't sing your passwords in the shower; humming is fine).

      The Method of Loci, also known as the memory palace. This is used by people who compete in memory contests, and consists of creating a mental map, usually of a familiar place that you can remember or imagine vividly. On a path through that space, find the most resonant features and assign each one to the words in your passphrase in sequence. By telling yourself a story in a context that is already familiar, the individual words are more easily adopted into a narrative which keeps them in order and anchors them to your emotions. Pro tip from champions of memory contests (yes, people will compete in anything): the ruder and more shocking, the easier your tale will be to remember.

      Given the previous example, I visualize Daisy from The Great Gatsby, who is gracious and unfixable (and quite self-absorbed), going back in the door of Beacon Towers, reabsorbed into the mansion while arguably voicing theories on subatomic physics. Okay, it's a clunky sentence, but the picture in my head is memorable and it should only take a few tries before I remember it easily. Probably could have it done in two, but this is a family show.

I know I'm not supposed to write passwords down, but there's no way I can remember one of these things for every account I have!

      Password managers are like digital safes that hold all of your passwords and passphrases: you just need one passphrase for everything. That means you only have to memorize one, but it is also a single point of failure – if your password manager passphrase is compromised, everything inside it is. EFF has more information here:

      EFF Password manager page

      Physical pen and paper can be the most secure in some situations; it all depends on whether you are more likely to be surveilled online or in physical space. Just remember to keep your passphrases in a different location than your computer, phone, tablet, etc. A discussion of threat modeling is here: Threat Modeling paper (EFF)


Two-factor authentication

      This adds a second step for extra security. The first factor is your normal password or passphrase; the second generally uses either something you have, like a phone, or something you are, like a retinal scan. It is like a credit card that texts a code to your phone when you swipe it to make a purchase: if you do not input the code, the transaction is not completed; if you get a text while you are not making a purchase, you are alerted to possible fraud. It is a good idea to enable two-factor authentication when available.

    Further reading: