Tag Archives: xkcd

WordSequence For KeePass 2 = XKCD Passwords

If you’re not familiar at all with the title, click here to check out the fabulous comic in question.

“Lolz” right? Well I completely agree with it – and I’m finding that my passwords are getting longer and longer and you really have no hope of remembering them. Take at look at this monster: !J$?e04uGh=eDP (89 Bits) You have no choice but to store this in a program like KeePass, never actually look at it, and hope that your password database stays backed up. 🙁

Password enforcement has gotten better, and worse at exactly the same rate. Here’s an example excerpt from Cal Poly’s password document. (This was discovered when my sister in-law tried 15 times to make a password that she could actually remember for her access):

Passwords must contain at least one character from three of the following lists:
1. Uppercase Alphabetic (A‐Z) 2. Numbers (0‐9) 3. Lower case Alphabetic (a‐z) 4. These Special Characters are allowed: ! $ % & , ( ) * + ‐ . / ; : < = > ? [ \ ] ^ _ { | } ~ These special characters are not permitted: # " @ and the space character

Passwords must not contain any of the following:
1. Your previous passwords used within the last two (2) years 2. Passwords less than 16 characters must not contain any of the following: a. Any words of three or more characters, including non‐English words b. Any groups of three or more characters of the same character type c. Any names, person, places, or things found in a common dictionary d. Any of your names (first, middle, last), any current Cal Poly username e. Repetitive characters (sequences)

The second part ensures that no password can be easily memorized. This string has to be written down. Once it’s written down, the whole reason for having passwords fails everyone, and after staring at the logic for 5 minutes I came up with something like this: 50Fu40Yo (42 Bits)

If you network admins are listening, you need to get over trying to corner users into crazy strings of letters and numbers. Dictionary words are easy to guess, but strings of dictionary words with random characters in there are just as good, if not infinitely better for users to actually remember. Lets look at this example: Wool+BladeFriction5 (105 Bits) A brute force attack is just going to go through every possible character in every possible position, and there’s 19 of them. Now for our ‘easy to remember’ Cal Poly password, the length is only 8 because I would never actually want to make it more then the minimum. Do you want a short useless password that gets written down? Or a long somewhat complex one that is memorized?

The challenge is to make a complex password that is easy to remember. The password should also satisfy usual requirements for length, capitalization, and numbers or uncommon characters. Here’s what I use:
KeePass 2 & WordSequence

Search the web and drop a couple thousand words (I used nouns and prepositions) into the window. I came up with some common substitutions (like @ for a, etc. – ‘b@ke m0re p1e’) and created complex easier to remember passwords like: Cheese4TigerDinner! (88 Bits) Most normal websites would accept this as a excellent password for the length and the special characters, and most humans could remember the phrase: Cheese for tiger dinner!