Passphrases That You Can Memorize — But That Even the NSA Can’t Guess

Discussion in 'privacy general' started by lotuseclat79, Mar 27, 2015.

  1. 142395

    142395 Guest

    Maybe I have to apologize, I said that only because your scheme separates each char category, i.e. symbols|small letters|numbers|large letters. Now that I see your scheme, it will be even more random than mine as it uses real (pseudo-)random while mine is deterministic. Your logic is solid; the only possible problem will be, same as Diceware, that you need a pwdmgr or encrypted text (or even a paper in a strongbox) if you want to save many passwords.
     
  2. deBoetie

    deBoetie Registered Member

    Joined: Aug 7, 2013 | Posts: 1,832 | Location: UK
    @142395 - thanks, I understand what you mean by root password. I think the only thing that would bother me about that is if the root was exposed, for example because of KSL on a weaker device. That then leaves the other derivatives weakened.

    As with any security measure, it's what you actually use consistently that matters!
     
  3. 142395

    142395 Guest

    That is why I recommend making more than 1 root password for different purposes, as well as complex decoration. I actually care about the case where many of my passwords are stolen and an adversary may guess the rule behind them.
    I even sometimes (when I have enough time) change some password logic (especially important ones) completely.

    Completely agreed!:thumb:
    Strong but unusable technique makes no sense.
     
  4. RockLobster

    RockLobster Registered Member

    Joined: Nov 8, 2007 | Posts: 1,812
    A friend of mine told me he wrote his hard-to-remember root password on a wall, slightly obfuscated, and took a picture of his dog so the wall was somewhere in the background; you had to zoom in on the wall to read it ...
     
  5. deBoetie

    deBoetie Registered Member

    Joined: Aug 7, 2013 | Posts: 1,832 | Location: UK
    Brilliant! A form of steganography where a machine (hopefully) couldn't read it, and a human would rather read Vogon poetry. Pictures of the kiddies would do as well....!
     
  6. StillBorn

    StillBorn Registered Member

    Joined: Nov 19, 2014 | Posts: 297
    I swear by the gods that if I ever move to the UK you should drop me via PM the name of that private school you went to for my kiddies to attend. And I mean that in the sincerest of compliments. Both you and the other UK poster "pegr" should be published already. "That which we call a rose..."
     
  7. deBoetie

    deBoetie Registered Member

    Joined: Aug 7, 2013 | Posts: 1,832 | Location: UK
    @StillBorn - dashed good show that an expensive classical eddication has not come to naught - you'd be welcome!
     
  8. Pryvate

    Pryvate Registered Member

    Joined: Jun 24, 2011 | Posts: 56

    This is important for Newbies.

    I invite Wroll (and anyone who read your post) to please type into the Google search box the following 2 words:- we will

    *3 "l"s* at the end of "will", just as in your "very secure" passphrase.

    Please note that the results result in displaying the words:- we will rock you

    Everyone should note that Google is a web search engine, not a password Deep-Cracker.
    Yet Google, a mere search engine, can "crack" your "very secure" passphrase effortlessly, and instantaneously.
    Google serves up this result instantaneously, without even trying to crack passphrases.

    Newbies, please note this; don't be lulled into a false sense of security into thinking that you can just "tweak" common phrases or words in order to gain iron-clad secuuuuuuuuuuurity. (sic)

    "D33P Cr@ck" (Deep Crack) style software on "pisswurd-Kraking mashines" will NO AWL the trixx....will have the 1st part of this sentence translated to English before you can blink.

    Wroll, what you say matches what my IT Department recommended years ago, and while your trick does vastly increase the password strength, and while it will offer good protection against your granny or your 6 year old cousin, or a weak hacker,......some Newbies will need a lot more.....

    Newbies please note, if you can remember a 7 digit phone number, then, really, you will have similar (minor) difficulty in remembering a randomly-generated password by Lastpass or Keepass, say, O4*rVMe, and adding that to the end of, or in the middle of, or at the start of, a mangled passphrase like "To HoneyBee or not to Wasp, Swat is the question".
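
Added example, not part of Pryvate's post or the thread: a password-policy check that rejects a passphrase which is only a character-level tweak (extra letters, leet swaps, punctuation) of a well-known phrase, the weakness the post above describes. The phrase list, the substitution table and the function names are constructed for illustration.

```python
import re

# Constructed sample list; a real deployment would load a large corpus of
# quotes, lyrics and previously breached passphrases.
COMMON_PHRASES = [
    "we will rock you",
    "to be or not to be that is the question",
    "deep crack",
]

# Common character substitutions, undone before comparison (assumed table).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def normalise(text: str) -> str:
    """Lowercase, undo leet swaps, drop non-letters, collapse repeated letters."""
    text = text.lower().translate(LEET)
    text = re.sub(r"[^a-z]", "", text)
    return re.sub(r"(.)\1+", r"\1", text)


# Phrases are normalised the same way, so "will" and "willl" compare equal.
NORMALISED_PHRASES = {normalise(p): p for p in COMMON_PHRASES}


def matched_phrase(candidate: str):
    """Return the common phrase hidden inside candidate, or None."""
    norm = normalise(candidate)
    for key, phrase in NORMALISED_PHRASES.items():
        if key in norm:
            return phrase
    return None


if __name__ == "__main__":
    for pw in ["we willl rock you", "D33P Cr@ck", "O4*rVMe"]:
        print(repr(pw), "->", matched_phrase(pw))
```

Matching on the normalised form only catches character-level tweaks; a phrase with whole words swapped out needs a fuzzy comparison on top of this.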
     
  9. Pryvate

    Pryvate Registered Member

    Joined: Jun 24, 2011 | Posts: 56
    I am probably not making what I mean to say clear enough.

    What I wish to do is give confidence to people, especially Newbies, who feel "I could never memorise a random password like, say "y!sG6YK".

    If you can memorise 3 or 4 people's telephone numbers, then you should be able to memorise 3 or 4 seven digit random character strings.

    A 21 or 28 character random password looks far more daunting than it actually is.

    Have confidence! :)
     
  10. Wroll

    Wroll Registered Member

    Joined: Nov 29, 2011 | Posts: 549 | Location: Italy
    Yeah, you give them confidence, until they find that it was all useless because some idiot was keeping the password in plain text or unsalted. So many brute/dictionary attacks in the last decade, I've lost count of them.
     