Easy To Remember, Hard To Guess #socs

Guess what I learned this week?

Back in 2003, a manager for the National Institute for Science and Technology (NIST) named Bill Burr wrote a document on password complexity, and how an ideal password was twelve characters or longer and consisted of random combinations of upper- and lowercase letters, numbers, and symbols. In other words, a password like E51p"oDsf;r+Dy6s was ideal, because it was longer than twelve characters and contained a mix of all four of the things you can find on a keyboard. That's a secure password, because it would take years for a hacker to figure it out, somewhere in the neighborhood of 150,000 centuries. Problem is, it's also difficult for you to remember. Password managers like LastPass can keep track of them and, if you're lucky, plug them in to all the apps you have on your smart devices. If you aren't lucky, you can still copy and paste the password from the password manager, usually, but there are times when an app won't allow you to paste a password, and other times when you're setting up a new device and the password manager isn't installed on it, so you bring it up on one device and type it in on the other.

Anyway, Bill, who's now retired and has had time to think about it, gave The Wall Street Journal an interview and said that the rules he set down in that document were too complex and that the benefit of having a long password of random characters came at the cost of a user not being able to remember it. (The full article is hidden behind the WSJ's paywall; if you don't subscribe, there's a good summary here.)

Instead, Bill now suggests that users use a passphrase made up of random words, such as serious milly hiding thursday or ceiling kitten watching purple monster, something that would be easier to remember and which still provides the security that the long strings of random characters would. You can throw in numbers, uppercase letters, punctuation, and symbols, like television Headphone hi62823 zipper, honestly as well. Mark, my friend from high school who comments here frequently, says it also helps to use jargon from your job or hobbies, like lydian dominant stratocaster piobaireachd or upper sideband kilocycle WWV delano. I’ll occasionally use a line from a prayer, such as The angel of the Lord declared unto Mary or tantum ergo sacramentum veneremur cernui.

There's a website called Use A Passphrase that will generate a passphrase for you of four, five, or twelve words (it gave me the passphrase burnham clayton square special a minute ago). Bill also says that it's not necessary to change your passphrase every 90 days, and in fact you need only change it if a website says you should.
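To make the "easy to remember, hard to guess" trade-off concrete, here is a small added example (not from the post, not from the Use A Passphrase site) that generates both kinds of secret the way a password manager or passphrase site would, and works out how much guessing each one costs. The wordlist is a constructed sample of a few words from the post; a real generator draws from a large published list such as the roughly 7776-word diceware list, and the entropy figures below assume that size. The guessing rates are assumptions too: a throttled website login is modelled at 10 guesses per second, offline cracking of a leaked password hash at ten billion per second.

```python
import math
import secrets
import string

# Constructed sample wordlist. Assumption: a real generator uses a large
# published list (the diceware list has 7776 words); only the size matters
# for the entropy figures, the words themselves carry no secrecy.
SAMPLE_WORDS = [
    "ceiling", "kitten", "watching", "purple", "monster", "serious",
    "hiding", "thursday", "television", "headphone", "zipper", "square",
    "special", "clayton", "burnham", "stratocaster",
]
DICEWARE_LIST_SIZE = 7776

# All four "things you can find on a keyboard": 94 printable symbols.
PASSWORD_ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Assumed attacker rates (guesses per second).
ONLINE_THROTTLED = 10
OFFLINE_HASH_CRACKING = 1e10


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a secret made of `length` symbols, each chosen uniformly and
    independently from `alphabet_size` possibilities. A symbol is a character
    for a password and a whole word for a passphrase."""
    return length * math.log2(alphabet_size)


def generate_password(length: int = 16) -> str:
    """Random-character password of the kind the 2003 guidance favoured.
    `secrets` draws from the OS CSPRNG; the `random` module is not suitable."""
    return "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))


def generate_passphrase(word_count: int = 4, wordlist=SAMPLE_WORDS,
                        separator: str = " ") -> str:
    """Passphrase of `word_count` words chosen uniformly, with replacement,
    from `wordlist`. The security comes from the random choice alone, not
    from the words being unusual or personal."""
    return separator.join(secrets.choice(wordlist) for _ in range(word_count))


def years_to_crack(bits: float, guesses_per_second: float) -> float:
    """Expected years to find a secret with `bits` of entropy: on average the
    attacker has to try half of the keyspace."""
    seconds = (2 ** (bits - 1)) / guesses_per_second
    return seconds / (365 * 24 * 3600)


if __name__ == "__main__":
    print("sample password:  ", generate_password(16))
    print("sample passphrase:", generate_passphrase(4))
    cases = [
        ("16 random characters", entropy_bits(len(PASSWORD_ALPHABET), 16)),
        ("4 diceware words", entropy_bits(DICEWARE_LIST_SIZE, 4)),
        ("6 diceware words", entropy_bits(DICEWARE_LIST_SIZE, 6)),
    ]
    for label, bits in cases:
        print(f"{label:22s} {bits:6.1f} bits  "
              f"online: {years_to_crack(bits, ONLINE_THROTTLED):.3g} yr  "
              f"offline: {years_to_crack(bits, OFFLINE_HASH_CRACKING):.3g} yr")
```

Running it shows the point behind the advice: sixteen random characters carry about 105 bits, four diceware words about 52. Against a throttled login form, four words already take far longer than anyone will wait, which is the situation the post has in mind. Against offline cracking of a leaked hash, though, 52 bits falls in hours at the assumed rate, while six words (about 78 bits) holds for hundreds of thousands of years; that is why a passphrase generator offers longer options and why, for anything protecting a leaked-hash scenario such as a password manager's master password, more words are the cheap fix.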

One other thing: a lot of websites have you enter answers to challenge questions, like “In what city were you born?” or “The name of your first pet.” No reason you can’t use a random phrase as the answer. You just have to remember what it is. That’s where LastPass comes in handy.


Stream of Consciousness Saturday is brought to you each week by Linda Hill and this station. Now, a word from our sponsor.


Author: John Holton

I'm a writer and blogger who writes and blogs about things that interest me.

16 thoughts on “Easy To Remember, Hard To Guess #socs”

  1. Interesting. I have to keep my passwords in a special address book or I never remember them. Glad to hear it is not necessary to change them every 90 days. Thanks for the info, John!


    1. I use LastPass to keep track of my passwords, because I have so many (half of which are for sites that no longer exist or I haven’t been to in years). Nice thing about it is it’ll plug in my user ID and password when I go to a site, and there’s a place to keep notes for challenge questions. Plus, I can get at it from all my devices, so I rarely have to type in a password. There’s a free version, but I don’t think you can get at it from places besides a browser, so I have the premium version, which is only a couple bucks a month.


  2. I read that article this week and hope businesses will change their criteria. I am SICK of two types of letters, numbers, symbols. I use words and numbers that have no relationship to me. I have never honestly answered a single security question honestly. Not even for the bank. Those are dumb. Anyone who really knows me can answer all of those!


    1. It happened a couple of years ago, as a matter of fact:


      Evidently, they encrypt the passwords (including master passwords) using a powerful algorithm that makes it less likely anyone who gets the information can actually use it, and they also recommend using two-factor authentication, where logging in with a password is the first step and responding to an email or text message is the second. They did recommend that users change their master passwords when it happened, which rehashed everyone’s data.


  3. I’m often changing mine because I forget them! I’m wary of storing them digitally because of hacking and I don’t write them anywhere. Hubby has his written down in a coded format that only he can work out but sometimes he forgets the code! In answer to your question of course I do Sudoku plus lots of other Japanese puzzles – one of my favourite sites is: http://www.brainbashers.com/logicpuzzles.asp


  4. Just wanted to let you know that I mentioned you and this post in my most recent post. You are always so good about mentioning me, I wanted to return the love. Thanks!

