NSA-proof passwords


1 Like

It’s impossible to memorize a different passphrase for every service you use, and i assume they aren’t recommending using the same passphrase for every service. You have no control over how the passphrase is stored, if it is done so insecurely, as many hacked sites seem to have done, then a leak at one would still reveal your password at other sites.

I see this as a good method for generating the passwords you can’t keep in a password manager (login to computer, the passphrase for the password manager itself, etc…) but not a replacement for a password manager.

I probably wouldn’t use it on a mobile device either as it seems like it would take forever to type in. I guess that’s partially the point but it sure makes the phone pointless to even use. more secure to not have the phone at all at that point.

1 Like

XKCD on password strength


And this is why the NSA simply has back doors all over the place.


This information is one of the most valuable things I’ve ever read on BoingBoing – and that’s not a back-handed complement or joke.

If this technique was publicized – published as a lead in every newspaper, highlighted by every ISP, bank, etc. – we would all be safer, and the NSA would be throwing conniption fits.

This is a public service in the truest sense of the phrase.


I do like this in theory, but it’s got a bunch of weaknesses in practice, not least of which is that very few of us are going to actually be subject to a massively parallel brute-force crack. Also, while a diceware passphrase might be far more secure, most systems will demand caps, digits and symbols, so as to make it harder to remember your pass. That way you write it down on a stickie, and who needs a supercomputer?

I have used systems that actually require a password of 6-8 characters. No more, no less. Don’t want too many bits of information, I suppose. If IT guys are so smart, why are these systems so dumb?


This article is a disgrace… I had hoped that after reading this site’s article that Abby Martin linked that this place would have quality reporting.

We already have steady access to encryption methods involving keys of long enough length that NO ONE not even the NSA can crack through raw computing power. So in other words the method described in this article is a hilarious joke. If you don’t think that your information on the cloud is encrypted with adequate strength, then either you’re using a poor cloud service or you’re delusional.

The problem comes with the fact that the NSA doesn’t even need to crack these keys to get your data. I think just leaving the issue at that is the best way to end this post, given the topic of the article.

1 Like

please read my post below, because you are very much mistaken and I would like if you informed your friends of this common misconception as well :smiley:

I used to use the longest password possible, but now that most of the stuff I work with takes 64+ characters, I stay down around 30 or 40.

There’s a million good ways. Like, just use the first letter of each word from a song you have memorized, with the appropriate case, and put $1$ in front of it and another $ sign after the 11th character. So,


Trivially easy to remember, because I already memorized the song. Music makes it easy.

That $1$ stuff is to break the minds of knowledgeable criminals, BTW, so if you don’t know from crypt() don’t worry about it. It’s not really necessary, it’s just cruel, like the way we used to put strings in mail headers that were toxic to Microsoft Outlook users and didn’t bother anyone else.


The good news is that you don’t have to worry about trillion-guess/second attempts on your passwords for the services you use, like Gmail, because the services themselves …

…pass your data directly to the NSA.


Well, sure, but typically passwords are still involved at some stage to secure (or generate) the keys.

And even if you assume that the NSA has backdoored every service, unfortunately they are far from the only enemy.


So how do you pick your passwords?


The technique described in the article is not that “NSA proof”. Passwords using strings of known words are vulnerable to creative dictionary attacks. They may offer more “entropy” in the number of characters passwords end up with, but the sequences of characters that are stringed together are utterly predictable.

If a hacker or the NSA gets hold of a database with hashed passwords, the most likely way to retrieve passwords from it is to generate a “rainbow table” of hash results made with stringed together words and known often used combinations than to brute force it. Most people don’t use completely random passwords but (multiple) simple words, predictable character substitutions etc.

Also read: https://nakedsecurity.sophos.com/2012/03/19/multi-word-passphrases/

1 Like

Mmm. The advice is good, but there’s not a great deal in the article that’s not also on the Diceware site it links to, including the importance of using real dice and the figures on bits-of-entropy per word. So I’m not clear why they don’t just say “hey, use Diceware, read all about it at its site here, it’ll tell you everything you need to know”.

The article doesn’t goes as far as to imply its author came up with Diceware, but an explicit credit to its actual creator (Arnold Reinhold) would have been nice.

1 Like

Which is more secure: a seven-word passphrase chosen using the method described in the Intercept article, or a 13-character password chosen at random from the 95 printable ASCII characters (including space)?

[EDIT: s/chosed/chosen/]


The great strength of Diceware and similar methods is that they establish a rock solid minimum entropy transparently. That’s more than can be said of most other methods.

For example, what is the actual entropy of the initial letters of the words in a made-up ten word English sentence? Made up how exactly? Have fun finding solid numbers.

(The entropy per character is pretty crappy though. Of course you could generate strings of characters with the same method to change that, but those are hard to remember. Personally I think phonotactically plausible syllables seem like a promising compromise.)


(post must be > 6 characters)

The key to security is to change the “o” to a zero and make your password “passw0rd.”

You’re welcome.


I was so completely on board with this. Then, I thought: Well, most sites limit password length to 8-20 characters. Maybe this would work for Last Pass or something. And most sites require at least 3 of the following: upper, lower, number, symbol.

So, can someone give a real life usage example?


Most sites are just insecure. Good communications software or secure storage should be able to handle much longer passwords.