prognos.is

correcthorsebatterystaple

How I deal with passwords

Inspired by the classic xkcd strip, I threw together a little bash script for generating memorable passwords. At the risk of incurring Bruce Schneier’s opprobrium, I use it all the time. (You can output words from a non-English dictionary by tweaking the LANGUAGE value.)

#!/bin/bash

# for generating xkcd-style passwords

WORDCOUNT=${1:-4}   # number of words to emit; defaults to 4 if no argument is given

MIN_WORD_LENGTH=4
MAX_WORD_LENGTH=7
LANGUAGE='en'

# Dump the dictionary once and keep only purely alphabetic words within the length bounds.
WORDS=$(aspell -d "${LANGUAGE}" dump master \
    | grep -E "^[[:alpha:]]{${MIN_WORD_LENGTH},${MAX_WORD_LENGTH}}$")

for i in $(seq 1 "${WORDCOUNT}"); do
    # pick one word at random and lowercase it (the character classes are quoted so the
    # shell does not glob-expand [:upper:] against filenames in the current directory)
    echo -n "$(printf '%s\n' "${WORDS}" | shuf -n 1 | tr '[:upper:]' '[:lower:]')"
    echo -n " "
done

I use a password manager religiously (the multi-platform KeePass in my case, but there are other good ones). Whenever I need to create a new account on a website I’ll populate the details in my password manager and copy them into the account creation form so I’m sure they’re captured. That lets me use hundreds of different passwords without worrying about forgetting one.

I have three categories of passwords:

  1. passwords I want to be so entropic there’s no way on earth I could ever remember them

    • When it comes to things like banking I want maximum entropy. In those cases, I will generate ridiculously long strings of gibberish (using the built-in KeePass password generator, with maximum entropy) and store them in my password manager. I never interact with these beyond copy-paste.
  2. passwords I definitely want to be able to remember

    • For endpoints or my KeePass database password I absolutely want to remember the password. If I’m dealing with a work account that has mandatory password resets every so often, I’ll run correcthorsebatterystaple.sh multiple times until I have collected a long list of random words from which I can construct a series of mental pictures. Since I’m reducing the overall entropy by not choosing words completely at random, I compensate by tossing in some extra non-alphanumerics. This works phenomenally well. For example, right now the password on my work laptop is well over 32 characters long. Using this method I can easily embed a password of similar length in muscle memory whenever policy mandates I reset the bastard again.
  3. passwords I just want to be able to read while I copy them from my password manager into a mobile device

    • Then there’s the squishy middle… Somebody sends me an invite to a new service. I don’t know whether this is a throwaway account or something I’ll come to rely on. Back in the day I had one password I used for throwaway accounts. I realized the error of my ways a long time ago. But then came smartphones. I don’t trust my mobile device enough to interact with my KeePass database on it (although you certainly can, if you want to). I got tired of trying to transcribe complex passwords every time I needed to set up some stupid app. So now, for this class of quasi-throwaway account, I use dedicated, long, but readable passwords generated something like this: correcthorsebatterystaple.sh 16 | sed -e 's/ //g'
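As an added example (my own code, not the post's script), here is a self-contained variant of the generator that covers both the spaced output from the script above and the no-space "readable" form used for the quasi-throwaway accounts, and that also reports how many bits of entropy each draw actually carries. It embeds a small constructed word list in place of the aspell dump so it runs offline; the length filter is the same as the post's (4 to 7 alphabetic characters). Two details a practitioner cares about are made explicit: the random index comes from /dev/urandom with rejection sampling, so there is no modulo bias, and words are drawn with replacement, so the entropy is exactly N·log2(D) where D is the size of the filtered list. Point filtered_words at the real `aspell -d en dump master` output to get the true D for your dictionary; the 7776-word figure used in the comments is the Diceware list size, not a measurement of aspell's list.

```shell
#!/bin/bash
# Constructed sample dictionary standing in for `aspell dump master` so the
# example runs offline. The real script streams the full aspell word list.
SAMPLE_DICT='Apple
banana
cherry
Dragonfruit
elderberry
fig
grape
honeydew
kiwi
lemon
mango
nectarine
orange
papaya
quince
raspberry
strawberry
tangerine
ugli
vanilla'

MIN_WORD_LENGTH=4
MAX_WORD_LENGTH=7

# Same filter as the post's script: alphabetic only, within the length bounds, lowercased.
filtered_words() {
    printf '%s\n' "$SAMPLE_DICT" \
        | grep -E "^[[:alpha:]]{${MIN_WORD_LENGTH},${MAX_WORD_LENGTH}}$" \
        | tr '[:upper:]' '[:lower:]'
}

# D: the number of candidate words that survive the filter.
dict_size() { filtered_words | wc -l | tr -d ' '; }

# Uniform random integer in [0, d) from the kernel CSPRNG. A plain `r % d`
# would favour small indices when 2^32 is not a multiple of d, so values in
# the incomplete final block are rejected and redrawn.
rand_index() {
    local d="$1" r max
    max=$(( (4294967296 / d) * d ))
    while :; do
        r=$(od -An -N4 -tu4 /dev/urandom | tr -d ' ')
        [ "$r" -lt "$max" ] && break
    done
    echo $(( r % d ))
}

# Draw n words with replacement, joined by sep (default: a single space; pass ""
# for the post's no-space variant, which is what the sed -e 's/ //g' produced).
gen_passphrase() {
    local n="$1" sep="${2- }" list size idx words="" w i=0
    list="$(filtered_words)"
    size="$(printf '%s\n' "$list" | wc -l | tr -d ' ')"
    while [ "$i" -lt "$n" ]; do
        idx="$(rand_index "$size")"
        w="$(printf '%s\n' "$list" | sed -n "$((idx + 1))p")"
        words="${words}${words:+$sep}${w}"
        i=$((i + 1))
    done
    printf '%s\n' "$words"
}

# Entropy in bits of n words drawn uniformly (with replacement) from d words: n * log2(d).
# e.g. entropy_bits 4 7776 is 51.7 bits for a 4-word Diceware-sized draw.
entropy_bits() {
    awk -v n="$1" -v d="$2" 'BEGIN { printf "%.1f\n", n * log(d) / log(2) }'
}

# Stand-alone demonstration: a 4-word spaced passphrase, a 16-word no-space one,
# and the entropy each carries against this (tiny) sample dictionary.
demo() {
    local d
    d="$(dict_size)"
    echo "filtered dictionary size D = $d"
    echo "4 words, spaced:   $(gen_passphrase 4)   ($(entropy_bits 4 "$d") bits)"
    echo "16 words, no space: $(gen_passphrase 16 "")   ($(entropy_bits 16 "$d") bits)"
}

demo
```

With the 12-word sample list even 16 words give only about 57 bits, which is why the filtered size of the real dictionary matters far more than the word count; running dict_size over the aspell dump tells you exactly what your passphrases are worth before any words are hand-picked.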

That covers just about everything, except for what happens in case I die or become mentally incapacitated. But that will have to wait for a future post. ;-)