Troy Hunt, whose work I admire and have mentioned before (1, 2, 3), has posted about the XKCD password security cartoon that I wrote about in Password Advice From XKCD. It’s easy to misconstrue his post as being critical of the method of choosing passwords suggested in the cartoon, but I don’t think he is. Rather, his point is that the typical user today has a lot of accounts and therefore a lot of passwords to remember—indeed, he estimates that he has 130—and that this is far too many for anyone other than a savant to memorize. Therefore, he says, you shouldn’t try to memorize your passwords, because in order to do so you have to make them too predictable to be secure. Instead, he recommends that you use a password manager to keep track of your passwords so that you need remember only the master password.
My first thought on reading this was that he was being unfair. After all, Munroe didn’t say that you should use the four-random-words method for all your passwords; he said only that the four random words were easier to remember and more secure than the usual types of passwords like Tr0ub4dor&3. On that, the cartoon is correct as it stands. Even if the choice is between remembering 130 Tr0ub4dor&3-type passwords and four-random-words passwords, the cartoon is correct.
But Hunt is correct too. You can’t remember 130 passwords of any type; at least not if you want them to be secure and unique. The solution, it seems to me, is to combine the two methods. Use a password manager to store your passwords and a set of random words for your master password. One of the commenters proposed this and Hunt agreed. The advantage of this method is that you can choose a high entropy password because you have only one (or at least a small set) to remember. The password manager will take care of generating high entropy unmemorizable passwords for your accounts.
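As an added illustration of the combined approach (my own sketch, not code from Hunt's or Munroe's posts): it picks a four-word master passphrase with a cryptographic random source, generates the kind of unmemorizable per-account password a manager would, and puts an entropy figure on each. The wordlist below is a constructed sample; the 7776-entry list size assumed in the entropy comparison is the size of common diceware-style lists.

```python
import math
import secrets
import string

# Constructed sample wordlist for demonstration only. A real diceware-style
# list (e.g. 7776 entries) gives log2(7776) ~ 12.9 bits per word.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "cloud", "river",
                "marble", "lantern", "pepper", "window", "signal", "copper"]

# 94 printable ASCII characters: what a manager typically draws from.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def passphrase_entropy_bits(wordlist_size: int, n_words: int) -> float:
    """Entropy of n_words chosen uniformly, with replacement, from the list.
    This only holds if the words are chosen by a random process, not by a person."""
    return n_words * math.log2(wordlist_size)


def random_password_entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a password of `length` characters drawn uniformly from the alphabet."""
    return length * math.log2(alphabet_size)


def make_master_passphrase(words, n_words: int = 4, sep: str = " ") -> str:
    """The one password you memorize: words picked with `secrets`, never `random`."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def make_account_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """A per-account password the manager stores; nobody needs to remember it."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def compare(wordlist_size: int = 7776, n_words: int = 4, pw_length: int = 20) -> dict:
    """Entropy of the memorable master passphrase versus a manager-generated password.
    The master passphrase is strong enough to memorize once; the account
    passwords are far stronger because they never have to be memorable."""
    return {
        "master_passphrase_bits": round(passphrase_entropy_bits(wordlist_size, n_words), 1),
        "account_password_bits": round(random_password_entropy_bits(len(ALPHABET), pw_length), 1),
    }


if __name__ == "__main__":
    print("master:", make_master_passphrase(SAMPLE_WORDS))
    print("account:", make_account_password())
    print(compare())
```

Four words from a 7776-word list come to about 51.7 bits; a 20-character manager-generated password comes to about 131 bits, which is why the manager, not your memory, should hold the per-account passwords.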