Apparently, the first Thursday in May is World Password Day. I'm not sure how I missed it as arbitrary holidays have been somewhat of a hot topic on my team of late. It's one way to pass the time in our collective quarantine.
But if we're being honest, every day should be World Password Day! Practicing password hygiene is a worthy endeavor indeed. This is especially true as more of our lives are being lived online during the COVID-19 crisis. Reusing passwords is an especially risky, though widely used practice that makes you susceptible to breaches. When's the last time you checked to see if you'd been Pwned? If your guard wasn't already up, there's no time like the present to start taking your passwords more seriously.
This post is for people who want to secure their personal identities. Companies should help keep their customers secure by offering 2FA and creating sensible password policies. I am especially passionate about strong password practices because it's one of the easiest ways to defend your digital identity.
So, what makes a good password? There are many factors to consider but, for the average individual, focusing on using a unique password of a certain length is a great place to start. Password managers are of course a useful tool to help solve this problem.
I presented the following idea as a poster topic at PyCon 2018: a password management system (which I am by no means endorsing, as there are plenty of good ones on the market) that generates strong passwords using a technique called Diceware and uses Twilio SMS to send and receive data.
Python for Riddikulus Passwords
Thanks to a mild Harry Potter obsession and a designer at my disposal, I explored the topic of passwords through a literary lens before digging into the science and math. I was surprised to find the extensive and important role that passwords played in the harrowing adventures of our favorite young wizards against certain evil forces.
I studied the general password practices displayed by each of the four Hogwarts houses throughout the series. I am particularly proud that my own house, Hufflepuff, uses a physical gesture rather than the same unbelievably simple password used by Slytherin.
As it turns out, we "Muggles" are not as random as we think. The ways in which we've often been told to create passwords make them fairly predictable and even harder to remember. All of those capital letters, numbers, and special characters are not actually making your passwords as strong as you think.
Take the following password for example. Was it diagonally? No, Diagon Alley. But substitute a one and zero. And there was a symbol...at the beginning or the end? Was it before or after the number? Admit that you've made similar substitutions to make your passwords more "secure".
I set out to solve the problem of our lack of creative, secure passwords with a little help from the Diceware method for generating passwords and Python. You can learn more about the Diceware method from this website, but it is described as:
A method for picking passphrases that uses ordinary dice to select words at random from a special list called the Diceware Word List. Each word in the list is preceded by a five digit number. All the digits are between one and six, allowing you to use the outcomes of five dice rolls to select a word from the list.
There's a lot of discussion around what makes this effective, and if you're interested, I suggest you dig into the research. For our purposes, it is enough to know that dice rolls are non-deterministic and considered random, so they deliver a result that nobody could have guessed. Entropy is a measure (in bits) of the uncertainty or randomness within a system, and with the Diceware method it increases with every additional word we add to our passphrase. Cracking hardware keeps getting faster, of course, so this chart suggests an Ordinary Wizarding Level or O.W.L. score for passwords of varying lengths. Seven words, for example, have approximately 90 bits of entropy and are considered to be "unbreakable with any known technology, but may be within the range of large organizations by around 2030."
There's a popular meme in the security and programming community where the resulting passphrase is "correct horse battery staple". Because of its infamy, it would now be a terrible passphrase despite its reasonable length, given its ubiquity. But the point is to emphasize how easily one can visualize a passphrase in order to remember it. I reimagined this within the context of The Boy Who Lived performing the Riddikulus charm against Boggarts in his Defense Against the Dark Arts class. Too much? Anyway, I came up with "impossible skate spider moon balloon box clown"!
Are you ready to cast the spell?
Dedicated witches and wizards with some dice on hand can send their rolls in groups of 5 (e.g. 52621) and let the magic look up and return a passphrase. The more rolls (e.g. 52621 16326 14443 62226 13431), the more secure your passphrase will be.
You may find that this is impractical for every single password you need, but it is often suggested to follow this stringent method of physically rolling the dice for those "keys to the castle" scenarios, such as the password to your password manager or your computer.
The lazy among us may instead send the word "riddikulus" and let the pseudo-random magic of the Python Diceware Library generate an amusing passphrase.
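As an added example (not the code from the poster project or the Python Diceware library), here is the core of both flows described above: turning a string of five-dice rolls into a passphrase against a Diceware-style word list, generating rolls from the operating system's CSPRNG for the lazy path, and computing the entropy figures from the O.W.L. chart. The word list is a constructed five-entry sample keyed by the rolls in this post; the real list has 7776 entries.

```python
import math
import re
import secrets

# Constructed sample of a Diceware-style list. The real list has 6**5 = 7776
# entries, each keyed by five digits in 1-6. The keys are the rolls quoted in
# the post; the words are made up for this example, not the real entries.
SAMPLE_WORDLIST = {
    "52621": "impossible",
    "16326": "skate",
    "14443": "spider",
    "62226": "moon",
    "13431": "balloon",
}

ROLL_RE = re.compile(r"^[1-6]{5}$")
BITS_PER_WORD = math.log2(6 ** 5)  # about 12.92 bits per uniformly chosen word


def entropy_bits(num_words: int) -> float:
    """Entropy of a passphrase of num_words words drawn uniformly from 7776."""
    return num_words * BITS_PER_WORD


def lookup_rolls(rolls: str, wordlist=SAMPLE_WORDLIST) -> str:
    """Map whitespace-separated five-dice rolls (e.g. '52621 16326') to words.

    Rejects any group that is not exactly five digits in 1-6, so a mistyped
    SMS cannot silently yield a shorter (weaker) passphrase.
    """
    words = []
    for group in rolls.split():
        if not ROLL_RE.match(group):
            raise ValueError(f"bad roll {group!r}: need five digits 1-6")
        if group not in wordlist:
            raise ValueError(f"roll {group} not in word list")
        words.append(wordlist[group])
    return " ".join(words)


def roll_five_dice() -> str:
    """Five dice rolls from the OS CSPRNG (secrets), never random.random()."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(5))


def generate_rolls(num_words: int) -> str:
    """Rolls for the 'riddikulus' path; look them up against the full list."""
    return " ".join(roll_five_dice() for _ in range(num_words))


if __name__ == "__main__":
    print(lookup_rolls("52621 16326 14443 62226 13431"), f"~{entropy_bits(5):.1f} bits")
```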
Text (216) 208-5958 yourself to try it out!
Go ahead, roll the dice.
Questions about making the magic happen? Feel free to leave comments and issues on the Github repo or find me on Twitter.
Questions about Twilio? Sign up for an account to build for yourself!
Top comments (4)
the better thing would be to get rid of passwords over the wire altogether, lousy or otherwise. with webauthn for using crypto dongles, and webcrypto when not using them, we can use public key cryptography to enroll our devices and use a very small number of really good, strong passwords to unlock credential stores, etc. best of all those passwords would be free from corporate security theater with respect to password expiration which has been shown to actually decrease security.
i have open source running code that does exactly this, and was surprised at how easy it was to get it up and running using webcrypto and the server backend.
"corporate security theater" - love that phrase. Never suggesting this is the best or most secure solution, I just think it is one that makes talking about it fun when you are trying to convince older parents for example, about why it matters.
that's the thing though: it's a failure of engineering that they need to care, not grandma's. it's on us that we put out this notion that people should use good passwords for every site and not reuse them. that is physically impossible unless you just use one or two sites. we have the ability to make this a lot better nowadays yet nobody seems to be talking about it as if it were as inevitable as death and taxes.
Totally agreed on the failure of engineering that they need to care.