Jeff Duntemann's Contrapositive Diary

June 25th, 2014:

Stapling the Correct Battery to a Dead Horse

In the wake of Heartbleed there’s a whole lotta password changin’ going on, reawakening the always-lively discussion of what constitutes a strong password. Xkcd has a legendary answer to that as well: Correct horse battery staple. In other words, four randomly chosen words beats g0B!deEG00kk. The information theory explanation is that there is more entropy in those four random words than in a quirky misspelling of “gobbledegook.” Xkcd reminds us that if you can picture a horse asking if that’s a battery staple, those four words are also hugely easier to remember.

Bruce Schneier disagrees, and (as always) he lays out a good case. His password-generation scheme is certainly harder to crack than choosing four shortish random words. However, some scorch spot in my genes makes it hard to use a mnemonic like that. Remembering passwords is key, since a password that’s miserably difficult to remember simply won’t be used. Nonetheless, if you can do it, it’s golden. There are traps, however. Some years ago, when I first had an account that allowed (almost) arbitrarily long passwords, I used a favorite line from Tennyson:

Down along the beach I wandered, cherishing a youth sublime

That was in fact an excellent passphrase for a couple of reasons, one of which was unintentional. (Can you guess? Answer below.) Using Bruce’s method combining the initials of this line and the one that follows gives us:

datbiw,cays-wtftosatlrot

I’ll bet that’s damned hard to crack. However, it took a lot of work to extract that from the text, given that I had to extract it every time I typed it in. I could actually type both lines in full twice in the time it took me to extract the initials once. So as password generators go, it’s not my favorite. Furthermore, I intuit that automating initial-extraction from passphrases findable online (like lines from famous poems) would be trivial.

Once I learned a little more about dictionary-driven password cracking, I stopped using lines memorized out of famous poems. Given the size of modern hard drives, and the boggling number of offline hashes that modern GPUs can calculate per second, having a dictionary of all lines from virtually all famous poems, plays, and novels would be a computational blip. (Text is small.)

That said, the passphrase above is actually stronger than you’d think, because, well…it’s wrong. That’s not how the line goes in Tennyson’s “Locksley Hall.” The correct line is:

Here about the beach I wander’d, nourishing a youth sublime
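An added example, not code from the original post: a password-change screen that rejects a passphrase if it matches a published line or the initials of one, which is the dictionary check described above. The one-line corpus and the function names are assumptions made for illustration. The misremembered line passes because an exact-match lookup has nothing to match it against.

```python
import re

# Constructed stand-in for a corpus of published lines (assumption: a real
# screen would load poems, plays and novels). The one entry is the line above.
PUBLIC_LINES = ["Here about the beach I wander'd, nourishing a youth sublime"]


def words(text):
    """Lowercase word tokens; curly apostrophes folded, punctuation dropped."""
    text = text.lower().replace("\u2019", "'")
    return re.findall(r"[a-z0-9]+(?:'[a-z0-9]+)*", text)


def compact(text):
    """All words run together, so spacing and punctuation cannot hide a match."""
    return "".join(words(text))


def initials(text):
    """First letter of each word: the mnemonic a line collapses to."""
    return "".join(w[0] for w in words(text))


def build_blocklist(lines):
    """Map every string derivable from the corpus to the reason it is guessable."""
    block = {}
    for line in lines:
        block[compact(line)] = "verbatim public line"
        block[initials(line)] = "initials of a public line"
    return block


BLOCKLIST = build_blocklist(PUBLIC_LINES)


def screen(candidate, blocklist=BLOCKLIST):
    """Return why the candidate is guessable from the corpus, or None."""
    return blocklist.get(compact(candidate))


if __name__ == "__main__":
    for pw in [
        "Here about the beach I wander\u2019d, nourishing a youth sublime",
        "hatbiw,nays",
        "Down along the beach I wandered, cherishing a youth sublime",
    ]:
        print(repr(pw), "->", screen(pw) or "not in corpus")
```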

Assuming I hadn’t spilled the beans here, I might actually have gone back to using it, because, having used it for a couple of years, it got pretty well set in my memory. Alas, consistent misremembrances of this quality are scarce. Poetry can work, however, since structures of rhyme and meter make poems easier to remember. It can work if you write the poems yourself. Your mileage will vary. I’m oddly good at both writing poetry (which doesn’t mean that it’s good poetry) and then remembering it. In fact, bad poetry is lots easier to remember. Just now, this line popped out of nowhere:

“Piffle!” said the Golmodox. “His niffled head is all but rocks.”

This is actually two reasonably strong passwords, or one if you’re paranoid. What makes them strong? Two of the words are made up. Words that don’t actually exist make cracking miserable. Poetry makes phrases easy to memorize. So sit yourself down, my writer friend, read some Lewis Carroll to get your brain revving in the right direction, and write a nonsense poem. Read it several times until you can recite it out loud without hesitation, and then encrypt it (strongly). Choose a line from the poem and make it a password. As you need passwords, choose other lines from the poem. When you run out of lines, write a new poem.

Nothing is uncrackable…but when you’re the highest fruit on the tree, you’re not going to get picked any time soon.