Choosing a Secure Password

And where would I get a dictionary that only has the words I know? (Keep in mind I have the advantage of two languages to choose from, making my possible password choice even harder.)

See, I’m not questioning the effectiveness of the system you’re proposing. I just question its practicality, that it is practically applicable on a wide scale for people who want to make a secure password.
I’m sure we can agree that people who would choose 12345 (Don’t try that on your luggage!) would not be remotely interested in making their password secure, and we aren’t talking about them, but people who would use something like “W3lc0m32dam4chin3” might be willing to upgrade and are probably the ones interested in going the XKCD route. And the plain route, XKCD password on steroids, which you (correctly) propose as more secure.

I mean, your method works, but in order to turn it into something viable for most people you’ve made some unrealistic assumptions:

1.- There is no dictionary that contains only the words you know; it would be the most useless dictionary ever, and worse, once it exists on a computer somewhere, you’ve built in a vector of attack for your specific password.
2.- Stringing a bunch of commands together to scour a dictionary and output random words from it is beyond many people’s technical expertise. If a script were devised to do this, it could actually be compromised to create weak and/or predictable passwords. (Heck, I could do this by just giving you the wrong commands to follow and having that person share the compromised one-liner, or by giving you a poisoned dictionary; it’s not like you are going to read it all, are you?)
3.-

Yes, it does: the method you choose to encode your passwords imposes constraints that might be exploitable. That’s why attackers don’t need to try all the possible variations, just the most likely.

The first link in my previous comment is exactly what we’re talking about: it’s a diceware list of 6^5 words, specifically selected to be easy to remember, understand, and type, with their corresponding 5-digit base-6 numbers. Grab an ordinary die, roll it 5 times, write down the word.

Yes, there are probably a few words in it any given person doesn’t know. Nothing’s perfect.

As to the rest, I can only say: Kerckhoffs’s principle. If the passphrase is just an encoding of a sufficiently large random number, then public knowledge of the encoding method does not weaken anything. Corollary: if knowing the encoding method weakens anything, then your random number is too small.
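The diceware procedure described in this reply (five rolls of a six-sided die select one word from a 6^5-entry list), as an added example that is not part of the original thread or of any diceware tool. The eight-entry `SAMPLE_LIST` is constructed and hypothetical, standing in for a published 7776-word list; the `randbelow` parameter is an assumption that lets the generator be driven by recorded physical rolls or, for demonstration, by a fixed sequence. The entropy arithmetic is the Kerckhoffs point made above: the passphrase is just an encoding of n_words uniform picks, so its strength is n_words × log2(list size) regardless of who knows the list.

```python
import math
import secrets

DICE_PER_WORD = 5                      # one diceware word = five rolls of a six-sided die
LIST_SIZE = 6 ** DICE_PER_WORD         # 7776 entries in a complete list
BITS_PER_WORD = math.log2(LIST_SIZE)   # about 12.92 bits per word if every roll is fair

# Constructed stand-in for a diceware list. A real list has every key from
# 11111 to 66666; these entries are hypothetical and exist only so the example
# runs offline. Use a published list for real passphrases.
SAMPLE_LIST = {
    "11111": "abacus",
    "11112": "abbey",
    "23451": "cliff",
    "34562": "hatch",
    "45613": "marsh",
    "56124": "pivot",
    "66665": "zone",
    "66666": "zoom",
}


def roll_key(randbelow=secrets.randbelow, n_dice=DICE_PER_WORD):
    """Roll n_dice fair dice and return the key as digits 1-6, e.g. '31462'.

    randbelow is injectable (an assumption of this example) so the function can
    be fed a transcript of physical die rolls or a fixed sequence in a test.
    The default is the OS CSPRNG via the secrets module.
    """
    return "".join(str(randbelow(6) + 1) for _ in range(n_dice))


def key_to_index(key):
    """Map a dice key to its 0-based position in a list ordered 11111..66666."""
    index = 0
    for ch in key:
        digit = int(ch)
        if not 1 <= digit <= 6:
            raise ValueError(f"not a die face: {ch!r}")
        index = index * 6 + (digit - 1)
    return index


def passphrase(wordlist, n_words, randbelow=secrets.randbelow, sep=" "):
    """Generate n_words words by rolling dice and looking each key up.

    A key missing from wordlist is reported, not silently skipped. With an
    incomplete list the honest entropy figure is log2(number of entries
    present) per word, not BITS_PER_WORD, and any selective re-rolling or
    hand-picking of 'nicer' words lowers it further.
    """
    words = []
    for _ in range(n_words):
        key = roll_key(randbelow)
        if key not in wordlist:
            raise KeyError(f"key {key} is not in the list; the list is incomplete")
        words.append(wordlist[key])
    return sep.join(words)


def entropy_bits(n_words, list_size=LIST_SIZE):
    """Entropy of n_words independent uniform picks from a list of list_size entries."""
    return n_words * math.log2(list_size)


def words_needed(target_bits, list_size=LIST_SIZE):
    """Smallest number of words whose entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(list_size))


if __name__ == "__main__":
    for n in range(4, 9):
        print(f"{n} words: {entropy_bits(n):.1f} bits")
    print("words for 80 bits:", words_needed(80))
```

Note that `roll_key` never looks at the list; the selection is finished once the dice stop, and the list only translates the number into something typeable. That separation is what makes the public list harmless.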

You are writing coherent sentences, to be sure, and they are in response to some of the things I wrote, but we are clearly arguing at cross purposes.

You are arguing for a system to create a strong password (which I’ve already agreed is sound); I’m arguing that the implementation is unwieldy enough to be impractical for most people, therefore insecure.

You are arguing about how to strengthen the system; I’m arguing about how it would fail in the hands of users.

Well, another approach for creating your own passwords is to pick a set of memorable words (yes, four words is OK) and then just drop the vowels or consonants. So RideHorsesCrystalRiver would become RdHrssCrystlRvr, and you may need to add a number and/or special character, so RdHrssCrystlRvr1$AB$ might do it. The idea is easy, and modifying an algorithm to crack it might not be too difficult, but it could well increase the size of the dictionary needed for a search. And if you mix it up (first two words only use consonants) it’s RdHrssCrystalRiver1$AB$, yet it can still be memorable.
I wonder if this is of any use or would still be too easy to crack.

Why not just use a hash? https://www.pwdhash.com/ Basically it generates an output based on the url + a simple password you can actually remember.
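The idea in the comment above (one memorable master password, a different derived password per site), as an added example that is not the PwdHash code and does not reproduce its algorithm. It uses PBKDF2-HMAC-SHA256 with the site name as salt, which is my own choice of construction; the `ITERATIONS` value and the "last two host labels are the site" rule in `site_key` are assumptions (the latter is wrong for suffixes like co.uk, where real code should consult the Public Suffix List). `offline_guess` shows the caveat a practitioner should keep in mind: once one site's derived password leaks, an attacker can test master-password guesses offline, so the master still has to be strong and the derivation has to be slow.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit

# PBKDF2 work factor (assumed value). Higher makes offline guessing of the
# master password slower at the cost of a slower login on your own machine.
ITERATIONS = 100_000


def site_key(url):
    """Reduce a URL to the part the derived password is bound to.

    Assumption: the last two host labels are the site, so https://example.com/
    and http://www.example.com/login derive the same password while
    examp1e.com (a look-alike phishing host) derives a different one.
    """
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def derive(master, url, length=20):
    """Site-specific password from the master password and the site key.

    The site key is the salt, so every site gets an unrelated output, and the
    output is base64url so it contains upper-case, lower-case and digits.
    """
    key = hashlib.pbkdf2_hmac(
        "sha256",
        master.encode("utf-8"),
        site_key(url).encode("utf-8"),
        ITERATIONS,
        dklen=30,
    )
    return base64.urlsafe_b64encode(key).decode("ascii")[:length]


def offline_guess(leaked_password, url, candidates):
    """What a breach of one site buys the attacker.

    Given the derived password that leaked from one site, try each candidate
    master offline and return the one that reproduces it, or None. Nothing
    about the site limits this; only the master's strength and ITERATIONS do.
    """
    for master in candidates:
        if hmac.compare_digest(derive(master, url), leaked_password):
            return master
    return None


if __name__ == "__main__":
    master = "correct horse battery staple"
    for url in ("https://example.com/login", "http://www.example.com/account", "https://examp1e.com/login"):
        print(f"{url:40} -> {derive(master, url)}")
```

Because the per-site outputs are unrelated, a breach of one site does not hand the attacker a password for another site; what it hands them is a verifier for the master, which is why the master should itself be a diceware-strength passphrase rather than the "simple password you can actually remember" the comment mentions.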

I’ve got a really simple system - I write my passwords in 1337(ish) speak, using numbers and letters, at least one capital letter, and often a punctuation mark/other.

Since I don’t want my passwords for my various accounts to be the same, I create my passwords along a theme. For example, I’ll use the novel Huckleberry Finn:

One password might be: 5aWy3r (Sawyer)
Another account might have: 4Un7pO11y (Aunt Polly)
Or another might have: huck138erRy (Huckleberry)

It makes them easy to remember for me, but all distinct.

Klingon is one of the standard dictionaries in the tools Bruce references.


The system you describe is generally the third thing password cracking tools do:

  • simple wordlist lookups
  • wordlist lookups with a short suffix or prefix
  • wordlist lookups with common 31337 speak substitutions

Your specific example here, characters from a well-known novel, is a terrible starting point, because any reasonably-sized wordlist will contain them. Those passwords would probably fall within a couple of hours to a decent cracking program with access to one or two good video cards.
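The three rule stages this reply lists (plain wordlist, short affixes, 1337 substitutions), run against the three novel-character passwords from the earlier comment, plus a fourth stage for the drop-the-vowels scheme proposed further up the thread. This is an added example, not code from the original thread and not the rule engine of any real cracking tool; `WORDLIST`, `LEET` and `AFFIXES` are constructed and far smaller than what a cracker actually carries. The point it shows in numbers: the 1337 stage for every character may be lower, upper or its digit, so a word with k substitutable letters expands to only 3^k × 2^(n-k) guesses, and the whole mangled space for this list is about 14 bits, roughly the cost of a single diceware word.

```python
import itertools
import math
import re

# Constructed wordlist standing in for the names and words a real list holds.
WORDLIST = ["sawyer", "auntpolly", "huckleberry", "jim", "password", "welcome"]

# Common 31337-speak substitutions a rule set tries (subset, constructed).
LEET = {"a": "4", "b": "8", "e": "3", "i": "1", "l": "1", "o": "0", "s": "5", "t": "7"}

# Short affixes. Real rule sets carry thousands (years, punctuation, "123"...).
AFFIXES = ["1", "12", "123", "!", "1!", "2014"]


def drop_vowels(s):
    """The 'drop the vowels' scheme: RideHorsesCrystalRiver -> RdHrssCrystlRvr."""
    return re.sub(r"[aeiouAEIOU]", "", s)


def affix_variants(word):
    """Stage 2: the base word with one short suffix or prefix."""
    for a in AFFIXES:
        yield word + a
        yield a + word


def leet_case_variants(word):
    """Stage 3: every spelling where each letter is lower, upper, or its digit.

    This is a superset of any hand-made 1337 scheme that substitutes some
    letters and capitalises some others, which is why such schemes fall here.
    """
    choices = []
    for ch in word:
        options = {ch.lower(), ch.upper()}
        if ch.lower() in LEET:
            options.add(LEET[ch.lower()])
        choices.append(sorted(options))
    for combo in itertools.product(*choices):
        yield "".join(combo)


def leet_case_count(word):
    """Number of guesses stage 3 spends on one word: 3 per substitutable letter, 2 otherwise."""
    n = 1
    for ch in word:
        n *= 3 if ch.lower() in LEET else 2
    return n


def stages(wordlist):
    """Yield (stage, base word, guess) in the order the comment describes,
    with the vowel-dropping rule appended as a fourth, one-line extension."""
    for w in wordlist:
        yield "wordlist", w, w
    for w in wordlist:
        for g in affix_variants(w):
            yield "affix", w, g
    for w in wordlist:
        for g in leet_case_variants(w):
            yield "leet", w, g
    for w in wordlist:
        yield "vowels", w, drop_vowels(w)


def crack(target, wordlist=WORDLIST):
    """Return (stage, base word, guesses tried) for target, or None if the rules miss it."""
    for n, (stage, base, guess) in enumerate(stages(wordlist), 1):
        if guess == target:
            return stage, base, n
    return None


def total_guesses(wordlist=WORDLIST):
    """Size of the whole search space these four stages produce for the list."""
    return sum(1 for _ in stages(wordlist))


def bits_of_work(wordlist=WORDLIST):
    """log2 of the search space: what the scheme is 'worth' against these rules."""
    return math.log2(total_guesses(wordlist))


if __name__ == "__main__":
    for pw in ("5aWy3r", "4Un7pO11y", "huck138erRy", "password1!", "RdHrssCrystlRvr"):
        print(f"{pw:18} -> {crack(pw)}")
    print(f"search space: {total_guesses()} guesses, {bits_of_work():.1f} bits")
```

Against a real wordlist the base words are still present, so the only thing the 1337 scheme adds is the stage-3 factor per word, and that factor is bounded by the word's length, not by the user's creativity. The vowel-drop phrase is not found here only because this toy list holds single words; a cracker that concatenates list entries (the fourth rule family, combinator attacks, is standard in the same tools) reaches it with the same one-line rule.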

the attacker gets a file of encrypted passwords from somewhere people want to authenticate to
[…]
the guesser will index the target hard drive

If a determined guesser has access to either of those things, you’re likely fucked regardless of how clever your memorable-password scheme is.

Any system where you ask users to choose a password is a broken system by definition.

http://blog.codinghorror.com/cutting-the-gordian-knot-of-web-identity/

Surprised no one has mentioned using keyboard patterns.

My most important password is something I could not even tell you, because it is just a fast rhythmic pattern of my fingers on the keyboard. Repeatedly typing it causes it to be committed to muscle memory. If I type it into an editor it looks like total random gibberish.

I currently have 4 such passwords and can invoke the correct one by simply remembering the first letter.

I like the new overall design, peeps, really I do. But green text on black for a serious article? This is a triumph of ‘cleverness’ over content and reminds me of WIRED’s terrible experiments of the 1990s. If you want people to read your stuff, don’t do it.
