In Episode 5 of the Your Secure Life Podcast, Garrett shares tips on how to create a strong and safe password that you can remember.
Hello and welcome to the Your Secure Life podcast.
My name is Garrett. I am the host.
This is the first episode of 2020. It's episode five total, and today we are going to talk about passwords.
In episode one we talked about password managers, which are pretty much like the bare minimum that you should be doing for privacy and security.
And the general idea was that you should be randomly generating every single password. You should not know a single one of your passwords except for one. And that password is the one that you use to get into the password manager.
So it's kind of a lot to expect somebody to remember a randomly generated password.
So unless you have a photographic memory of some sort, it's unlikely that you could remember a randomly generated password for your password to get into your password manager.
That means we need to come up with a password that is something that you can remember but is also difficult for both a computer or a person to guess.
So there's this web comic called XKCD and they did a comic about how to come up with a good password to remember. I'll link it in the show notes at YourSecure.Life/5. That's the number five, not the word spelled out.
XKCD talks about how some people will come up with a password that is a word or a couple of words that they know, but then they replace some of the letters with numbers or symbols.
And that's easy to remember, but it's pretty easy to figure out.
Not only is it easy to figure out for a computer, but it's also easy to figure out for a person, especially if they know something about you.
So what should you do? Well, you should come up with a passphrase, not a password, but a passphrase.
It's generally recommended that you come up with six random words and make that your passphrase, and then you can memorize them through various means of memorization, such as a fun sentence or a little song, which we'll talk about later.
The tricky part is the randomness of the words, because it turns out humans are not good at random.
Luckily there's a system called Diceware, and that exists to help us come up with an actually random passphrase.
In fact, even computers aren't really that good at coming up with randomness, and that is way beyond my knowledge to explain, but I'm sure if you just looked up why computers aren't random, you'll find plenty of people that are happy to tell you about it.
I was just recently watching the movie Catch Me If You Can, with Leonardo DiCaprio and Tom Hanks, and Leo's character, Frank Abagnale, who is based on a real person, has a sort of tell that Tom Hanks' character, an FBI agent tracking him down, picks up on, and it helps him: all of Frank's fake identities are characters from Flash comics.
This is because humans just aren't really good at being random. We tend to pick things that are related to us or things that we think about and we just are not ever random.
Everything is always related to something that we've already thought about or something that's near us.
As I said, computers aren't very random, but something that is random are real world, meatspace dice. Physical dice from a board game or a casino, and that's where Diceware comes in.
So Diceware is a list of words with corresponding numbers. You'll roll a single die, or a set of dice, look at the numbers you get, and then find the corresponding word on the list.
They have several lists you can choose from, which helps a little bit more with the security.
But the list that I'm going to go with for the example is just going to be the default list.
I'll link to all of the lists in the show notes again at YourSecure.Life/5, the number.
You could also generate your own lists if you know how to do that sort of thing. I'm sure that it wouldn't be a very complicated Python script, but I'm assuming that you, like me, would rather just use the simple already created, tried and true list from Diceware.
You only need one single six-sided die, but it's easier if you have five, which you can probably scrounge up from board games in your house.
It's recommended to use a minimum of five words in your passphrase, but preferably six, and if you're dealing with something that's extremely high priority such as disk encryption, you'll want even more.
For the sake of this podcast, we're just going to go with six since that's the recommended.
I was able to find five dice in my house so I rolled them and the numbers I got were three, five, four, three, four, five, six, six, three, one, two, five, two, two, one, six, five, two, four, six, three, three, six, three, one, three, two, five, three and five.
And each word on the list has five numbers next to it, so that was 30 dice rolls.
And so those need to be broken down into six groups of five numbers, and then each group of five numbers corresponds to a word on the list.
So we got three, five, four, three, four, which is knauer, K. N. A. U. E. R.
I don't know what that means, so I'll have to look it up.
Next number is five, six, six, three, one which is tepee, like the thing Native Americans live in.
Next, we got two, five, two, two, one which is fame. That's easy. Okay.
Six, five, two, four, six, which is the word Y. X. I don't know what that is.
Three, three, six, three, one, which is ilium. I know that's a body part, but I don't know which one.
Three, two, five, three, five is Heinz like the ketchup.
So looking up those words. Uh, Knauer is a knot in wood. I couldn't find anything for Yx. Ilium is the lower part of the small intestines.
While researching for this episode, I also found that the Electronic Frontier Foundation or EFF, which I'm a member of, has created a newer updated list with what appears to be much better words. I will put a link in the show notes at YourSecure.Life/5.
And in retrospect, I should have used those, but I have been sick and I just want to get this episode done and out.
Some sites and software require you to use at least one capital letter and one lowercase letter, one number and one symbol. As you can see in our passphrase, there are not really any of those things.
Adding capital letters is pretty easy, but complicates the memorization. Most people would probably capitalize the first or last letter of every word, so try to be different and don't let it get too complicated so that you can't remember it.
For numbers and symbols, the Diceware page has a little table and some instructions on how you can generate random numbers and symbols as well as where to place them in your passphrase.
Again, that is at the show notes.
All right, so coming up with the passphrase is the easy part because we just use the system that someone else already put together.
Now we need to memorize the passphrase and that's the hard part because our brains suck at remembering things.
It's really bad. We're... Our brains are not meant for storage. They're meant for processing. That's what I always say. Our brains are more like RAM than they are hard drives.
In my research, the most recommended way was to come up with a sentence and a mental image to go with it. This is also what the XKCD comic recommended.
I've also read that the stranger the image, the easier it'll be for you to remember. Then you just need to repeat your passphrase while picturing the image until it sticks.
Because I have terrible words in my example, I do not have a good sentence for that, especially considering I don't even know what YX means, and I'm pretty sure it's not even a word.
If this is the case for you, you need to repeat the whole process of creating a passphrase from start to finish, so that you come up with a set of words that you can make a good mental image and phrase out of.
It's important that you start the entire process over. Don't roll the dice and keep some words and then replace others.
Do the whole thing from start to finish. It doesn't really take that long and it's worth it for the randomization.
Then just come up with your fun sentence or sing a little song to yourself as many times as it takes to remember it and you're done.
You've got a solid password that not only will people not be able to guess because it has nothing to do with any of your interests, but also computers won't be able to guess it because it's going to be so freaking long that computers would take decades to try and figure it out.
And nobody's got time for that, so, they'll probably just give up.
That's the end of this episode.
Next episode is going to be a news episode and we're going to cover quite a few things. The last news episode was in October.
Of course, this year we're going to have much more frequent news episodes, but a lot has happened since October, so hopefully it won't be too long of an episode.
I'll try to make sure to keep it to what's important to you and not go off on any tangents, but I'm not gonna make any promises.
So I will see you next week.
Don't forget that this podcast is not sponsored by anybody, and that is by design. I don't like commercials. So the best you can do is go to YourSecure.Life/apple and leave a review for the iTunes and Apple crowd.
If you don't have an Apple account, then the next best thing you could do is go to YourSecure.Life/guide and download the free guide.
It's five days to clean up your digital footprint, and it also comes with the option to download a PDF so you can actually do all of it in one Saturday or Sunday or any other day off.
It won't even take the whole day. You can pretty much do it in one afternoon.
Or you can do it the way it's designed, which is just a little bit every day for five days. That's how I usually do it because otherwise I get sidetracked, sitting down and trying to knock out something in the afternoon.
Sometimes you just get tired of it, especially when it's not particularly fun, but it is extremely important.
That's all I got for you this week. I will see you next week. Have a great rest of your day.
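The Diceware procedure Garrett walks through above (group 30 rolls into six five-digit indices, look each one up, and see why the result is hard for a computer to guess) as an added Python example that is not part of the episode or of the Diceware project. It assumes a constructed six-entry subset of the word list containing only the entries rolled in the episode, and a hypothetical guess rate for the strength estimate.

```python
import math

# Constructed subset of the Diceware list: only the six entries rolled in the
# episode (assumption: copied from the transcript). A real list has 6**5 = 7776
# entries, one for every five-digit string of die faces.
DICEWARE_SUBSET = {
    "35434": "knauer",
    "56631": "tepee",
    "25221": "fame",
    "65246": "yx",
    "33631": "ilium",
    "32535": "heinz",
}
LIST_SIZE = 6 ** 5  # 7776 words in a standard Diceware list

# The 30 rolls read out in the episode, in order.
EPISODE_ROLLS = [3, 5, 4, 3, 4, 5, 6, 6, 3, 1, 2, 5, 2, 2, 1,
                 6, 5, 2, 4, 6, 3, 3, 6, 3, 1, 3, 2, 5, 3, 5]


def rolls_to_indices(rolls, digits_per_word=5):
    """Group a flat sequence of die faces into five-digit Diceware indices."""
    if len(rolls) % digits_per_word:
        raise ValueError("need a multiple of %d rolls" % digits_per_word)
    if any(r not in range(1, 7) for r in rolls):
        raise ValueError("every roll must be a face value 1..6")
    return ["".join(str(r) for r in rolls[i:i + digits_per_word])
            for i in range(0, len(rolls), digits_per_word)]


def lookup_passphrase(rolls, wordlist=DICEWARE_SUBSET):
    """Map rolls to words; a KeyError means the index is outside our subset."""
    return [wordlist[idx] for idx in rolls_to_indices(rolls)]


def entropy_bits(num_words, list_size=LIST_SIZE):
    """Entropy of num_words words drawn uniformly from list_size words.
    Assumes the attacker knows the list and the word count, so only the
    dice rolls are secret: log2(list_size) bits per word."""
    return num_words * math.log2(list_size)


def years_to_exhaust(bits, guesses_per_second):
    """Worst-case years to try every passphrase at a hypothetical guess rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    print(" ".join(lookup_passphrase(EPISODE_ROLLS)))
    for n in (5, 6, 8):
        print(n, "words:", round(entropy_bits(n), 1), "bits")
    print("years at 1e12 guesses/s:", round(years_to_exhaust(entropy_bits(6), 1e12)))
```

Each word adds about 12.9 bits, so five words give roughly 64.6 bits and six give roughly 77.5 bits; that is what makes the six-word phrase expensive to exhaust even though every word comes from a public list.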
Sometimes stuff pulls the wool over our eyes and gets us. Sometimes our information gets out there other ways (like through breaches). We can minimize the damage with just a few actions. Get the free 5 step guide to clean up your digital footprint.