This Welsh password generator might keep you safe from hackers, but definitely from dragons

Originally published at: https://boingboing.net/2019/12/02/this-welsh-password-generator.html

3 Likes

I not see a “not” at the top.

4 Likes

You think the Welsh are going to save you from dragons?

6 Likes

Fun fact:
Llanfairpwllgwyngyllgogerychwyrndrobwllllantysiliogogogoch means “correct dragon battery staple”, and is the most commonly used password in Wales.

30 Likes

What about taking a bunch of random words and plugging them into google translate, using a different language for each word? Even better if you choose a little known language.

8 Likes

Awesome! I can’t wait to instantly forget my new Welsh password!

16 Likes

Shit, was that three Ls or nine?

16 Likes

I prefer a Jabberwocky password. 4 or 5 things that look and sound like English words, but aren’t in the dictionary, especially if they are emotionally evocative. Passwords like that are much easier for me to remember than traditional single word with junk added/substituted passwords.

I have two rules for good passwords:

  1. If a computer built in my lifetime could guess it within an eon it’s a bad password.
  2. If I make the password and then leave it for a month before I use it and can’t remember it that is a bad password. In this case a single word hint is acceptable.

These sound really stringent, but if you choose your passwords wisely and don’t mind typing ~20 characters for each login it’s much easier to achieve than you’d think. I’ve built machines for people and had them come back 6 months later with some issue and remembered the unique admin password I set on their system, and my memory isn’t awesome. Sometimes I can’t remember their name, but I can remember their password. The only downside is that sometimes there are additional password requirements that mess you up, like ones where you can’t put more than 2 characters of the same class together and have to have all 4 classes represented in the password. In cases like this it is effectively impossible to create a good password so your security will suffer.

7 Likes

Another good system is to use a language that has its own alphabet, but transliterate it into the Roman alphabet with phonetic spelling.

3 Likes

“Never ask for directions in Erebor, Baldrick. You’ll be washing dragon spit out of your hair for a fortnight.”

10 Likes

FTFY. 😜

8 Likes

Note to self: Add Welsh dictionary to my password cracking word database.

2 Likes

Ahh, Welsh. A friend of mine is Hakka Chinese, and a smart and funny guy. He joked once that he was tired of all these whiteboy anime nerd types choosing Asian words for online handles, so he actually backed up his gag by choosing all Welsh online usernames from then on.

I’d share a few, but I can promise I would spell them completely wrong.

3 Likes

Welsh speaker here and I can assure you the Welsh passphrases in the article are as meaningless as the English ones. With the added complication that Welsh words actually change at both the end and the start depending on grammar. So to make them into a grammatically whole sentence would mean they need to be changed a little, unlike English where you can throw most words next to each other and they pretty much make sense. Having used Google Translate to check things a few times in the past I can tell you that they aren’t wasting their best and brightest talent on getting this part of Translate to work properly.

Having said that… AAAAAAAAAAAAAAAAAAAAAHHHHHHHH!!! I have been using Welsh words and phrases as passwords for years assuming nobody would ever even think to look. This article just blew up my whole system. Goodbye bank accounts.

^burner account used for obvious reasons.

8 Likes

And? As long as the algorithm is secure and the wordlist is long enough, that doesn’t really matter. Looking at the source, the wordlist is more than long enough (114,698 words). The algorithm, however, is not secure. Change the generator to use secure random numbers and you’d be good. I may play around with this and do a pull request.
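
The fix suggested in the post above, sketched as an added example that is not part of the thread or the generator's own code: words are drawn with Python's `secrets` module (backed by the OS CSPRNG), and the per-word entropy follows from the 114,698-word list size quoted in the post. The eight-word sample list and all function names are constructed for illustration.

```python
import math
import secrets

WORDLIST_SIZE = 114_698  # list length quoted in the post above

# Constructed sample list (a real generator would load its full wordlist).
SAMPLE_WORDS = ["draig", "cath", "mynydd", "afon",
                "llyfr", "coeden", "haul", "glaw"]


def bits_per_word(list_size: int) -> float:
    """Entropy of one word drawn uniformly at random from the list."""
    if list_size < 2:
        raise ValueError("a list of fewer than two words adds no entropy")
    return math.log2(list_size)


def words_needed(target_bits: float, list_size: int) -> int:
    """Smallest word count whose combined entropy reaches target_bits."""
    return math.ceil(target_bits / bits_per_word(list_size))


def generate_passphrase(wordlist, n_words: int, sep: str = "-") -> str:
    """Draw n_words independently and uniformly using the OS CSPRNG."""
    if n_words < 1:
        raise ValueError("n_words must be at least 1")
    if len(set(wordlist)) != len(wordlist):
        # Duplicates skew the distribution, so the log2 estimate overstates.
        raise ValueError("wordlist contains duplicate entries")
    # secrets.choice never uses the seedable, predictable `random` generator.
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


if __name__ == "__main__":
    per_word = bits_per_word(WORDLIST_SIZE)
    print(f"{per_word:.2f} bits per word from {WORDLIST_SIZE} words")
    for target in (64, 80, 128):
        print(f"{target} bits -> {words_needed(target, WORDLIST_SIZE)} words")
    # The sample list has only 8 words (3 bits each); format demo only.
    print(generate_passphrase(SAMPLE_WORDS, 5))
```

The entropy figure holds even when the attacker has the exact wordlist, which is why adding a Welsh dictionary to a cracking database does not weaken a passphrase chosen this way.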

Yeah I’m an amateur/non-native Gaeilgeoir myself, and I’ve definitely seen the same problems crop up with Google Translate. It can be a decent guide when I’m trying to figure some stuff out, but it’s definitely not reliable, thanks to those … I think they’re called prefix mutations? Something like that? (Irish has a specific name for them that I always forget, too, oops)

This sounds like a really good system. Can you give an example of how it works, or should I just search for “Jabberwocky password”?

I made the term up, but someone else may have thought of it as well. It’s obviously a reference to the Lewis Carroll poem where he made up most of the nouns but still left it readable.

I like to make a scene in my head and then describe it. So maybe an angry cat scuba diving to get something like:

Hissteau h8s Airoface!

This is an example of one that includes enough other junk to pass most password checkers while not being too hard to remember or type. A human looking at it might think it’s too easy because it looks so simple, but this is the kind of password that’s really hard for computers to guess. Your hint could be “Jacques”. It’s similar to the system that uses 4 or 5 dictionary words, but greatly increases the search space by using words that don’t actually appear in the dictionary.

Yeah we just call them treigladau (mutations). There are a bunch of different ones but I think they are similar to how you guys do it (based on how my Irish friends’ names are pronounced vs how they’re spelled).

1 Like

According to https://howsecureismypassword.net/ (The site you used), the password “passwordpassword” would take 35,000 years to crack, and the password “boingboing.net” would take 111,000 years.

Do you honestly think either of those passwords are even remotely secure?