In late 2020 AgileBits, the folks behind 1Password, published a blog post entitled Randomness (or things humans do poorly). It’s a fascinating article on randomness in computers, but near the beginning is this paragraph.
As I’ve alluded to with the title of this post, humans are notoriously terrible at creating randomness.
You’ll doubtless have heard this concept before. Indeed Allison mentioned it in her recent, and excellent, rundown of everything a password manager can do for you. But… while we are naturally poor at randomness, we can learn!
Many years ago I was visiting a company office in another city when the manager, Denis, called me into his office. These were the days of dumb terminals connected to a central, large computer. That large computer was my area of responsibility, and he was trying to log in but could not remember his password. The passwords on this system were short – between six and ten characters – but did require the use of at least one digit.
It was at this time I developed a simple method of coming up with new passwords I would be able to remember, as we had to change them every 60 days. Think of a topical word, between six and ten characters in length, that has at least one letter ‘i’ or ‘o’ in it. Your password would be that word with any ‘i’s replaced with ones and ‘o’s replaced with zeroes. An example might be “h0sp1tal” if you’d recently had the misfortune to visit one, or “h0l1day” if you were looking forward to one. I had taught this approach to Denis on a previous visit and had suggested he look around his office for inspiration. I asked him if he had followed my advice last time he changed it and he confirmed he had, so I told him to look around the room and see if he could spot what it was. It was then he told me that the source of his randomness had been a truck driving past his window!
Coming forward to today, ten character passwords are not good enough, but memorable passwords are still a good idea and can be very secure. I’ve been a long-time user of Bart’s XKPasswd.net web site and even built automated actions so I could generate new passwords right on my Mac with my favourite recipes. If you can’t access XKPasswd you can likely use your password manager to generate memorable passwords, and hopefully it’s on your phone, which you always have with you. But sometimes you might not have access to a suitable generator, or, like me, you prefer the XKPasswd recipes and your password manager can’t produce them. For most use cases, any password will do, but there are some places I know I will log in to a lot from different places, and I would like it to be super easy for me to remember the password. At times like these, I generate them in my head.
Let’s do this as an exercise. I’m going to help you generate a suitably random password that would be difficult for anyone to guess. A quick note here that this process does require that you be sighted, though I imagine folks with vision impairment could come up with a variation that works for them.
Look around the room you are in. It helps a lot if you are an untidy person like me. Look for an interesting word that is printed on some object. When I say interesting, I mean don’t settle on things like “the” or “this”. Also, try to avoid words you’d expect to see often like “Apple” or any word on your keyboard. Looking around me right now I can see the following things.
- A packet of photo prints for “New Zealand’s Leading Photostores” – the word leading is great.
- A mug with a cute message “You are my otter half” – the word otter is great.
- A membership card for a society, which has several good candidates including treasurer.
That last one shows where you can apply an additional technique. If the word is too long or too short, adapt it to another form, such as treasure in this case. Continuing on…
- A package with a label saying “accepted” – I’d go with accept.
- A letter from an optometrist has plenty but I’d choose regular.
- A (sadly empty) chocolate box that gives me ginger.
I could go on. The trick is to look and choose the words quickly, to avoid bringing in biases, but also to spend enough time to eliminate the obvious and, ideally, to avoid anything permanent or semi-permanent in your environment. Let’s look at the words we gleaned.
leading, otter, treasure, accept, regular, ginger
If you were in my study today you might have some success at guessing these words, but it’s still a very hard problem to solve. Now let’s take a similar approach to get some numbers. I’m going to make sure I use different objects to further randomise, and again avoid obvious numbers like dates and round numbers.
- A kitset box shows 260 pieces
- A battery charger has a product code of 185
- An invoice number is 1075
You get the idea. So now we have six words and three numbers; let’s pick a separator. I tend to stick to one of a handful of easy-to-type separators rather than trying to use my environment to randomise, but you could look around for inspiration even for that. I’m going to choose a comma this time, and then I will choose three words and two numbers. I will make sure the words don’t “make sense” together, for example avoiding “ginger otter”. I will also avoid gravitating to the shortest words, to keep the total length reasonable.
You may notice that I’ve arranged the words in a ‘sentence-like’ order so they are easier to remember, but the sentence is completely nonsensical. So there you have it. A 100% human generated, random, secure, and memorable password.
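The recipe above, as an added worked example that is not part of the original post: it draws three distinct words and two distinct numbers from the pool gleaned from the room, joins them with the comma separator, and counts how many passwords the recipe can produce from a pool of a given size (the guess space in the worst case, where an attacker knows the pool exactly). The word and number lists are the ones listed in the post; the function names are my own.

```python
import math
import secrets

# Constructed pool: the six words and three numbers the post gleaned from the room.
WORDS = ["leading", "otter", "treasure", "accept", "regular", "ginger"]
NUMBERS = ["260", "185", "1075"]

# Use the OS CSPRNG for the selection step, since that is the step humans do poorly.
_RNG = secrets.SystemRandom()


def draw(pool, count):
    """Return `count` distinct items from `pool` in a random order."""
    return _RNG.sample(pool, count)


def assemble(words, numbers, separator=","):
    """Interleave words and numbers XKPasswd-style: w,n,w,n,w.

    Requires one more word than number so the password starts and ends
    with a word, as in the post's "three words and two numbers" recipe.
    """
    if len(words) != len(numbers) + 1:
        raise ValueError("expected one more word than number")
    parts = []
    for i, word in enumerate(words):
        parts.append(word)
        if i < len(numbers):
            parts.append(numbers[i])
    return separator.join(parts)


def generate(separator=",", n_words=3, n_numbers=2):
    """Generate one password from the room pool using the recipe."""
    return assemble(draw(WORDS, n_words), draw(NUMBERS, n_numbers), separator)


def candidate_count(word_pool, n_words, number_pool, n_numbers):
    """Number of ordered selections the recipe can produce from a pool.

    If an attacker knows the pool (they have seen the room), this is the
    size of the space they must search; the security of the recipe comes
    from the pool being unknown, not from the selection itself.
    """
    return math.perm(word_pool, n_words) * math.perm(number_pool, n_numbers)


def entropy_bits(word_pool, n_words, number_pool, n_numbers):
    """log2 of candidate_count: bits of uncertainty for that pool size."""
    return math.log2(candidate_count(word_pool, n_words, number_pool, n_numbers))
```

With the pool fully known (six words, three numbers) the recipe yields only 720 candidates, which is why the post stresses choosing from things that are not permanent in your environment; the same arithmetic with a pool of thousands of words an attacker cannot enumerate gives a far larger space.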
However, just because you cleverly devised your password without the aid of technology, don’t think that it is so memorable that you needn’t store it in your password manager! If you don’t have access to that at the time you create the password, write it on a piece of paper and put it somewhere safe until you can record it properly, then destroy the paper. Note that you shouldn’t write the name of the site or service on the paper, just in case.
I’ve used this technique probably half a dozen times and usually I will continue my hunt for words until I find some that particularly appeal to me, especially if I know I will use the password often without recourse to a password manager. I can even now imagine random passwords without referencing my environment based on making short, nonsense sentences like squishy-purple-delivery, but that requires a LOT more concentration to avoid obviousness.