The//Intercept has an excellent article on how to choose secure passwords that are (relatively) easy to remember. The problem with passwords is that they are almost never secure. Most people choose stupid ones (password
, 123456
, \(\dots\)) and even those of us with a bit more of a clue can almost never choose a good one. The reasons for that are psychological but the TL;DR is that humans appear to be preprogrammed to prefer patterns even when they’re trying not to.
Because of this, the only secure passwords are randomly chosen ones where the human proclivity to impose order and pattern on them can not come into play. That’s why secure password management requires a password manager such as 1password, KeePassX, or similar program. These programs choose long random sequences of characters that are very secure for passwords and then store them in an encrypted database.
The only remaining problem is choosing a password for the password manager. It holds the crown jewels so passwords like password
are non-starters. The//Intercept’s recommendation is one that I’ve given here many times: Diceware. The idea is that you roll 5 dice to randomly choose a word from the Diceware list. Do that 5, 6, or 7 times and you have 5, 6, or 7 random words that together have enough entropy to resist even NSA brute forcing. This, of course, is the idea behind the famous XKCD Correct Horse Battery Staple cartoon. The big advantage of a sequence of random words like this is that while they have the same or more entropy than a long random sequence of characters, they are relatively easy to memorize.
I previously posted a Lisp implementation of Diceware that uses a cryptographically secure random number generator and is therefore very secure. There is also C version that’s a bit has a tiny bit of bias and is therefore slightly less secure. It would be easy to make it completely secure by using the 8K Diceware list that the Lisp version uses.
UPDATE: Intercepts → Intercept’s