Password randomness and the UX of passwords

I’ve been having a look at passwords again as the WooCommerce/WordPress password strength meter has been causing problems.

The password meter actually likes the method popularised by XKCD – which assuming random words seems to have had it’s maths checked and re-checked and is based on a lower bound assumption (worst case scenario) that someone knows that you are using that method – is still a very good method.

i.e. ‘correct horse battery staple’ (550 years to crack) vs ‘Tr0ub4dor&3’ (3 days to crack).

It’s just the random bit in the XKCD definition which needs to be repeated to people again and again.

Also don’t forget the spaces – as even Bruce Schneier and an Ars article on password cracking ignore this. You can use dashes/underscores instead as some places (I’m looking at you Microsoft) refuse spaces. They’re handy extra bits of entropy for no extra (human) memory. We’re talking about exponentially increasing the length of time with each bit of entropy.


One of the attacks mentioned in the Ars article talks about specifically targetting the XKCD method where two random long strings from two dictionaries are put together.

“Steube was able to crack “momof3g8kids” because he had “momof3g” in his 111 million dict and “8kids” in a smaller dict.”

The problems you hit are if someone else has used the same four words and their password gets hacked. Or if two halves of the password you select are commonly used.

The problem comes that people pick their own words and don’t generate random ones. And humans are more likely to pick words that other humans pick.

So what can be done for people to select random easily remembered words?

The simplest way is to add a suggestion of randomly created words as their password, using for example I’ve had a look at the source code to it and it the randomness of the selection seems to be pretty comprehensive, but I’m not a security expert.

However what I like about passphrase is that you can just use the example as a ‘seed’ for your password. Then you can tailor it slightly from the output to more relevant words for you.

How important is randomness?

What I see the point of the XKCD method being is to raise the bar that the weakest people choose.

We’re not talking about the passwords that security experts should use, we’re talking about regular people who don’t care about security.

I think even the inbuilt Firefox/Chrome password manager locked with an xkcd password is great for normal users based on this Super User answer. Even if they don’t have a password to lock the password manager – it’s still better that they’re using more secure passwords, it moves the point of weakness to their password manager which requires much more personal attacks.

Possible unproven minor improvements

To try and work with the kind of passwords that the weakest people will use. As per the XKCD, we want to produce passwords that are hard for computers to guess but easy for people to remember.

Here I’m assuming that someone doesn’t want to choose a properly random set of words. Are there words that people can think of that will be inherently more random?

I think that local slang is a good way of choosing words. Every community will have their own words – often unwritten, so no common spelling. Anyone who’s read an Irving Welsh novel (Train Spotting) will know some of the glorious Scottish slang that he writes. This means your source material gets more obscure, so less and less likely that it’s in a dictionary somewhere.

But obviously those examples are still written down and can be included into dictionaries.

What about the rather silly porn star names? e.g. first pet + street you grew up on / middle name.

You need words that are definitely obscure, but relevant to you.

Changing your password

Also what I like about the XKCD method is that for those who are force to change their work password every 90 days you can change one of the middle words (to another randomly chosen one). This only makes a minor change to the remembering but avoids the trick that the password crackers use here which is to cut off the last 4 characters and try all possible random sequences.

Keep it simple

I’ve also seen people suggesting that you should combine upper and lower and symbols with the XKCD passwords. But from what I understand that’s missing the point. Security minded developers keep wanting to make the words more complex – but that always makes it harder to remember. The point of lower case with spaces is that it looks completely natural and there is nothing else to remember. You just hold the image of what the four random words are in your head. You don’t have to remember the four words and then try thinking what kind of substitution did you do to those words. XKCD picks up on this from the hover text of the cartoon:

To anyone who understands information theory and security and is in an infuriating argument with someone who does not (possibly involving mixed case), I sincerely apologize.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.