The first step to making our passwords as strong as they can be is to leave the 'password' mentality behind. We need to create 'passphrases' instead. A passphrase is like a password but longer, using several words together. The longer the passphrase is, the better off we will be, although there is a point of diminishing returns in the length versus security trade-off.
In Edward Snowden's original email to the journalist, he said:
Please confirm that no one has ever had a copy of your private key and that it uses a strong passphrase. Assume your adversary is capable of one trillion guesses per second.
That is a lot of guesses per second! Granted, that journalist most likely had a much larger target on their back than we do, but this is still a great threshold for measuring how effective our passphrases are. If we only use a password that is five characters long, even if it is full of symbols, it will be guessed in minutes, not days.
We should always assume there is an attacker with enough incentive to run a trillion guesses per second against our accounts. By doing so we lower the likelihood of an attack against us succeeding.
The majority of people will choose a password from the culture around them. This is often a line from their favorite book, song, or movie. Once the quote is selected they then mess around with it by adding capitalization, numbers, and symbols that are easy for them to remember. Let's take a look at the following password from a classic Shakespearean work.
Even though we have more of a passphrase than a password here, there is a high probability that we were not the first to use this passphrase. By using a line from a work of art we place our accounts at more risk than we should. For all we know there is a computer program out there that takes popular phrases and tries variations of them until it finds a match.
The reason passwords and phrases like the one above are a poor choice is something called entropy. At a basic level, and in relation to passwords, entropy is a measure of how random a passphrase is in its final state. Unfortunately, we humans love patterns and are terrible at creating randomness.
What if we don't use a line from culture but instead just pick random words? Even when we do this it is still far from truly random. This is due to how ingrained our native language has become, and all languages are predictable. Our brains love using idioms and rules of grammar, both of which kill entropy.
Yes, dice. It is the best way to let the randomness of nature create a ton of entropy. First we need to grab a Diceware word list off the internet. The one linked here is from the Electronic Frontier Foundation and is an optimized version of previous word lists.
These word lists contain 7,776 words, or 37 PDF pages of words, for your passphrase-making pleasure. Next to each word is a five-digit number, each digit between one and six. Now we need our dice. Real dice are always better than a program because we cannot be one hundred percent certain the program is truly random.
Roll the dice until you have five numbers ranging between one and six. Write down the five numbers, in the order they appear, on a piece of paper. The five-digit number on the paper corresponds to a word on the list linked above. Congratulations, you have your first random word! Repeat this for each word, and once you are done you will end up with a passphrase that looks like the following.
acorn overstate ferris outlet mosaic laurel
We can then add capitalization, numbers, and symbols as we wish. However, the entropy comes from how many words we generate using the dice and word list. The longer the passphrase the more entropy we gain and the harder our passphrase will be to guess.
As mentioned, the strength of any password or phrase is determined by how many words we roll. If we only choose one word from the list, an attacker has a one in 7,776 chance of guessing our word. The attacker may guess it on the first attempt or the 7,776th attempt, with the average number of guesses being 3,888.
So what if we roll our dice for two words? The number of possibilities does not simply double: there are now 7,776² possible combinations, increasing the total possible phrases to 60,466,176! On average it will take 30 million tries to guess a two-word passphrase. Bump it up to five words and we get 14 quintillion tries! (That is with the attacker knowing that we used a word list, and which one.)
But how long will it take to guess these at one trillion guesses per second, as Edward Snowden says we should assume? This grows exponentially too. If we were to use five words it would take an average of 165 days to crack. At six words it jumps to 3,505 years, and seven words puts us at 27,256 millennia!
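The dice-to-word mapping described above and the guess-count arithmetic behind these figures, as an added example that is not part of the original post. It assumes a 7,776-entry list keyed '11111' through '66666' (as the EFF list is) and uses Python's `secrets` module in place of physical dice; a word list is passed in by the caller rather than downloaded.

```python
import math
import secrets

WORDS_IN_LIST = 7776            # 6**5 entries in a Diceware list (EFF large list)
GUESSES_PER_SECOND = 10**12     # the "one trillion guesses per second" threshold
SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365 * SECONDS_PER_DAY


def roll_word_key(rng=secrets.randbelow):
    """Roll five dice and return the key as printed on the list, e.g. '31462'.

    secrets.randbelow is a CSPRNG stand-in for the physical dice the post
    prefers; a real roll can be passed as a string to key_to_index() instead."""
    return "".join(str(rng(6) + 1) for _ in range(5))


def key_to_index(key):
    """Map a five-digit dice key (digits 1-6) to a 0-based list position.
    '11111' is the first word and '66666' the 7,776th (base-6 arithmetic)."""
    if len(key) != 5 or any(d not in "123456" for d in key):
        raise ValueError("a Diceware key is exactly five digits from 1 to 6")
    index = 0
    for d in key:
        index = index * 6 + (int(d) - 1)
    return index


def strength(n_words, list_size=WORDS_IN_LIST, rate=GUESSES_PER_SECOND):
    """Figures for an attacker who knows the list and the word count."""
    combinations = list_size ** n_words
    average_guesses = combinations // 2          # expected position of the hit
    average_seconds = average_guesses / rate
    return {
        "words": n_words,
        "combinations": combinations,
        "average_guesses": average_guesses,
        "entropy_bits": n_words * math.log2(list_size),
        "average_days": average_seconds / SECONDS_PER_DAY,
        "average_years": average_seconds / SECONDS_PER_YEAR,
    }


def diceware_passphrase(n_words, wordlist):
    """Build a passphrase from n_words rolls against a loaded word list
    (a list of 7,776 strings with the '11111' word first)."""
    return " ".join(wordlist[key_to_index(roll_word_key())] for _ in range(n_words))


if __name__ == "__main__":
    for n in range(1, 8):
        s = strength(n)
        print(f"{n} words: {s['entropy_bits']:.1f} bits, avg {s['average_days']:,.0f} days "
              f"({s['average_years']:,.0f} years) at a trillion guesses/s")
```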
I always recommend people use a service like Bitwarden for their online passwords. It will generate a random password for you and no two will be the same. This is very important to keep your accounts safe. There is no need to use a diceware passphrase on each site you sign up for since that would require us to memorize too many six- or seven-word strings.
The reason is that after we submit our password to a site, it has to travel to a server, which then sends back the result. It is not possible for an attacker to send a trillion requests to a web server without clogging its network. We are more likely to have our passwords stolen by a fake version of our favorite site, and in that event no level of entropy will help.
However, we must use a diceware passphrase for our Bitwarden master password and nowhere else! Every time we use the same passphrase on a different site we increase the chance of it getting stolen. This, in turn, kills the entropy we created with our dice.
Updated March 2020: Check out the password generator I'm working on at git.swab.dev/passgen... It has a passphrase generator built in.