Passwords are the greatest vulnerability in cyber security. We reuse them across websites, we never change them, and in many cases we do these things because a single password that passes a strength test is hard enough to remember, let alone a different one for every account we use.
Passphrases are typically better than passwords simply because of length. A passphrase is multiple words strung together, and it can be easier to memorize than a heavily altered word (which computers can still guess easily), as the well-known XKCD comic illustrates. If you continue with this Instructable I will show you my word list source, show how many combinations the word list gives, show how to increase entropy, and finally put it all in a spreadsheet to speed the process up.
Step 1: Supplies
I used the Electronic Frontier Foundation long word list (here). This list was written specifically for creating passphrases: each word averages 7 characters in length, is memorable, is not a homophone, is non-vulgar, and is relatively easy to spell.
To use it, roll 5 dice, read each face, concatenate the five digits, and look the resulting number up on the list. E.g., if I roll a 1, 5, 2, 1 and 6, I look up word 15216 and come up with "catchy". I then repeat for however many words I want.
Step 2: But the Word List Is Known...
How secure is it if the word list is known?
True, less secure; but still secure.
The EFF long word list is 7,776 words long. If we use three words that is 7,776 raised to the power of 3, or 7,776^3 = 470,184,984,576 combinations! This grows exponentially:
- 4 words = 3.66x10^15
- 5 words = 2.84x10^19
- 6 words = 2.21x10^23
- 10 words = 8.08x10^38
Step 3: Make It Even More Secure
Password/passphrase strength is measured in entropy. Character variety and length are the best ways to increase password/passphrase security.
Rather than substituting letters with other characters or choosing random letters to capitalize, I like to make mine follow a pattern. Within that pattern there is still room for randomness. For example: word one, four digits, word two, a special character, word three with its first letter capitalized. For longer passphrases I just extend that pattern: two words, then 2 characters, then 2 words with the first word capitalized. It has a pattern, but it means that having the word list alone is not enough to (eventually) break the password.
Step 4: Such a Slow Process
Rolling dice is fun for the first word.
But then we need a lot more words for security. I created a spreadsheet that uses the long word list and "rolls the dice", creating a line of up to ten words. Next to that I add special characters and capital letters, increasing the entropy.
I did NOT add macros, so you don't need to worry about invasive code. Just refresh in your preferred program and it will generate new passphrases. A note about the spreadsheet: I use VLOOKUP against a second sheet that only holds the word list. I then string the words together.
Note that the numbers are created pseudorandomly. A computer can only create a mostly random list; computers run algorithms (it is as simple as that). We humans are not very good at creating random information either (source).
Finally, random characters will be more secure than a passphrase, but also harder to type correctly and harder to remember.
Step 5: Create Your Own Spreadsheet
The DIY spreadsheet
I downloaded the list (provided earlier) and imported it into a spreadsheet in two columns.
I created another tab to serve as the front end of the program.
Using the randbetween function, I specified =randbetween(1,6)
- I use 1-6 because those are the faces of the die, matching the list's numbering
- If we did randbetween(1,7776) there would be numbers that do not appear in the list
- I then concatenate these with the & symbol to "roll 5 dice at a time"
- I then do that on 10 lines
I then use VLOOKUP so that I can see both the numbers and the words instead of one or the other. VLOOKUP "looks up" the word matching the 5-dice roll.
- VLOOKUP([rand string], [spreadsheet with wordlist], [column 2], false [for exact match])
- do not type what is in the brackets [ ]; they illustrate what to put on your sheet
I then use concatenation to join the words into a string.
- [vlookup-ed word]&[vlookup-ed word] etc
Next to the string I then add the same string with special characters inserted
- The PROPER() function converts whatever is inside the () to "proper" capitalization, i.e. first letter capitalized
- RANDBETWEEN(1,9999) creates a number of 4 digits, or possibly fewer
- You could also do randbetween(1,999999), or randbetween(1,9)&randbetween(0,9), etc.
- ASCII is the computer's character encoding; some of the special characters [ !@#$%^&*() ] (etc.) are numbered 33-47. Using randbetween you can pick one of these numbers and insert it between words using the CHAR() function.
Use any and all of these as you please.
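Added example (not the Instructable's spreadsheet, and not EFF code): a Python version of Steps 2, 3 and 5 that parses the EFF list's `dice-key<TAB>word` file format, rolls five dice per word from `secrets` (an OS CSPRNG, rather than a spreadsheet's statistical RANDBETWEEN), applies the word/digits/word/symbol/Word pattern, and counts the resulting entropy. The word-list excerpt and all function names are constructed for the demo; the only entry taken from the text is 15216 = catchy.

```python
import math
import secrets
from typing import Callable, Dict, List

# Constructed excerpt in the EFF long-list file format (five dice digits, TAB, word); only
# "15216 catchy" comes from the text, the other entries are stand-ins. Real file: 7,776 lines.
SAMPLE_WORDLIST = "11111\tabacus\n15216\tcatchy\n42345\tmosaic\n53124\tshrub\n66666\tzoom\n"
LIST_SIZE = 6 ** 5  # 7,776 words addressable by five six-sided dice

def parse_wordlist(text: str) -> Dict[str, str]:
    """Map each 5-dice key ('15216') to its word; reject keys a die could not produce."""
    words: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, word = line.split("\t", 1)
        if len(key) != 5 or any(d not in "123456" for d in key):
            raise ValueError(f"bad dice key: {key!r}")
        words[key] = word.strip()
    return words

def secure_die() -> int:
    """One fair d6 from the OS CSPRNG (randbelow is unbiased, unlike a spreadsheet PRNG)."""
    return secrets.randbelow(6) + 1

def roll_key(die: Callable[[], int] = secure_die) -> str:
    """Roll five dice and concatenate the faces, exactly as done by hand."""
    return "".join(str(die()) for _ in range(5))

def passphrase_words(words: Dict[str, str], n: int, die: Callable[[], int] = secure_die) -> List[str]:
    """The spreadsheet's VLOOKUP rows: roll n keys and look each one up."""
    return [words[roll_key(die)] for _ in range(n)]

def apply_pattern(ws: List[str], rng: Callable[[int], int] = secrets.randbelow) -> str:
    """Step 3 pattern: word, 4 digits, word, one ASCII 33-47 character, Capitalized word."""
    digits = f"{rng(10000):04d}"  # like RANDBETWEEN(1,9999), zero-padded to a fixed width
    special = chr(33 + rng(15))   # like CHAR(RANDBETWEEN(33,47))
    return f"{ws[0]}{digits}{ws[1]}{special}{ws[2].capitalize()}"

def combinations(n_words: int, list_size: int = LIST_SIZE) -> int:
    """Search space when the word list is public: list_size ** n_words (Step 2)."""
    return list_size ** n_words

def pattern_entropy_bits(n_words: int, list_size: int = LIST_SIZE) -> float:
    """Bits from the words plus the two random inserts; the fixed layout and fixed
    capital position add nothing, so knowing the pattern leaves only these to guess."""
    return n_words * math.log2(list_size) + math.log2(10000) + math.log2(15)
```

Three words with the pattern come to roughly 56 bits, of which the four digits contribute about 13 and the symbol about 4; adding a fourth word (about 13 bits) is worth as much as the digit block.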