Pass phrases, not pass words

People choose outrageously simple passwords for their web mail. Perhaps because they don’t care about the accounts these passwords protect, or because a standard from 1985 has conditioned us to use bad passwords. Yet a better way has existed for just as long.

According to research by typhoidisbad, these are the most used passwords:


Research by typhoidisbad based on analysis of this data set.

The one thing these passwords all have in common is that they are all easy to remember, but provide bad security.

It seems that they have been generated by people used to the established rules:

  • a minimum of 8 characters, selected from an alphabet of 94 printable characters, and;
  • required to include at least one upper case letter, one lower case letter, one number, and one special character, and;
  • checked against a dictionary to prevent users from including common words, and;
  • disallows permutations of the username as a password.

These recommendations that seem to have become the universal standard were written by Bill Burr in the NIST Special Publication 800-63 (original version). Bill says he was inspired by a 1980 whitepaper (WSJ article behind a paywall, or see a rewrite on Gizmodo) – perhaps the Department of Defense Password Management Guideline CSC-STD-002-85 (original version). It contains “Worked Examples” of calculating the minimum length to be 8 characters, but with some assumptions:

The network to which this is applied supports both a 300-baud and a 1200-baud service. Experiments on the network have determined that it is possible to make about 8.5 guesses per minute on the 300-baud service and 14, guesses per minute on the 1200-baud service.

Bill Burr also said:

It will be very hard to impose dictionary rules on longer passwords, and many people may prefer to memorize a relatively long “pass-phrases” of words, rather than a shorter, more arbitrary password. An example might be: “IamtheCapitanofthePina4”.

Just like CSC-STD-002-85, which says:

A “passphrase” is a concatenation of words drawn from a dictionary. The dictionary is merely the collection of symbols making up the “alphabet” from which the password is generated. As an example, suppose the passphrase is made up of words drawn from a dictionary of 4, 5 and 6 letter words. There are approximately 3,780 4-letter words, 7,500 5-letter words and 12,000 6-letter words in English. The “alphabet size” for generating passphrases is approximately 23,300. … Thus, for the passphrase algorithm described, namely selection at random from a dictionary of 23,300 words, only 3 words are needed in a passphrase to obtain the desired resistance to exhaustive enumeration.

XKCD summarizes this nicely: we’ve forced users to using hard to remember passwords that are not sufficiently secure.

XKCD on Password Strength

The Intercept introduces here what they consider a good, manual, method for generating pass-phrases.