Building Password Lists

A little while ago Ars Technica published an interesting article on how password crackers build their lists of trial passwords. The TL;DR is that they scan Wikipedia, Project Gutenberg, news websites, song lyrics, IRC logs, Twitter, and other sources of text that show how people put words together. Then they apply the usual mangling rules to the resulting phrases to generate lists of trial passwords.

Read the article for more details, but note that the technique discovered the 51-character password Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn1 (it’s from H. P. Lovecraft’s The Call of Cthulhu). The takeaway from the article is that it is absolutely critical that your passwords be chosen randomly. The best way to do that is to use a password manager that will generate long random passwords for you. That leaves only your master password, which must also be random. The problem is that something like b2qJ)spbgT4LxTtE+piK, while secure, is impossible to remember. The solution is to use something like Diceware to choose 5 or 6 random words (like the famous correct horse battery staple from XKCD). I wrote about a Lisp implementation of Diceware if you want to automate the process, but all you really need is a die, as explained on the Diceware page.

Note that you can’t just choose any 6 words. The choice has to be random. That’s why you roll dice to choose them. The Lisp program I mentioned above gets cryptographically strong random numbers from /dev/random to choose words from the Diceware list. One thing is for sure: passwords or passphrases that appear anywhere on the Web will not be secure.
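As an added illustration of the Diceware procedure (this is example code written for this page, not the Lisp program mentioned above or anything from the Diceware project), here is a Python version. It simulates the five dice rolls per word with the `secrets` module, which draws from the operating system's cryptographic random source, parses the Diceware file layout (a five-digit dice key followed by a word on each line), and refuses to draw from an incomplete list, since missing keys would bias the choice. The word list text embedded below is constructed for the example; a real run would load the full 7776-line Diceware file.

```python
import itertools
import math
import secrets

DICE_FACES = "123456"
DICE_PER_WORD = 5
LIST_SIZE = len(DICE_FACES) ** DICE_PER_WORD  # a full Diceware list has 6^5 = 7776 entries


def all_dice_keys():
    """Every five-dice key from 11111 to 66666, in list order."""
    for digits in itertools.product(DICE_FACES, repeat=DICE_PER_WORD):
        yield "".join(digits)


def parse_wordlist(text):
    """Parse the Diceware file layout: one 'key<whitespace>word' entry per line."""
    words = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if (len(parts) != 2 or len(parts[0]) != DICE_PER_WORD
                or any(c not in DICE_FACES for c in parts[0])):
            raise ValueError(f"line {lineno}: expected a dice key and a word, got {line!r}")
        key, word = parts
        if key in words:
            raise ValueError(f"line {lineno}: duplicate key {key}")
        words[key] = word
    return words


def check_complete(words):
    """A partial list biases the draw toward the keys it does contain: refuse it."""
    missing = [k for k in all_dice_keys() if k not in words]
    if missing:
        raise ValueError(
            f"word list is missing {len(missing)} of {LIST_SIZE} keys (first: {missing[0]})")


def roll_key():
    """Roll five dice, one digit per die, using the OS CSPRNG instead of a physical die."""
    return "".join(secrets.choice(DICE_FACES) for _ in range(DICE_PER_WORD))


def generate_passphrase(words, n_words=6):
    """Pick n_words words by independent dice rolls against a complete list."""
    check_complete(words)
    return " ".join(words[roll_key()] for _ in range(n_words))


def entropy_bits(n_words, list_size=LIST_SIZE):
    """Entropy of a passphrase of n uniformly chosen words: n * log2(list_size)."""
    return n_words * math.log2(list_size)


# Constructed sample in the Diceware file layout (not the real list, which has
# 7776 lines); it exists only to exercise the parser.
SAMPLE_WORDLIST_TEXT = """\
11111\tcorrect
11112\thorse
11113\tbattery
11114\tstaple
"""


def constructed_full_list():
    """Constructed stand-in for a complete list so the example runs offline:
    every key maps to a placeholder word. Replace with the real Diceware file."""
    sample = parse_wordlist(SAMPLE_WORDLIST_TEXT)
    return {key: sample.get(key, f"word{key}") for key in all_dice_keys()}


if __name__ == "__main__":
    words = constructed_full_list()
    print(generate_passphrase(words, 6))
    print(f"{entropy_bits(6):.1f} bits of entropy for 6 words")
```

Five dice give 7776 equally likely outcomes per word, so six words yield about 77.5 bits of entropy regardless of how memorable the words look; the security comes entirely from the uniform random draw, which is why the code rolls the dice rather than letting a person pick.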
