More and more we are being told to make our passwords secure. I work at a bank where I am required to have a password over a certain length and to change it regularly. That makes coming up with a secure, easy to remember password becomes a task.
Well, I wouldn’t be a decent hacker if I didn’t come up with a way of solving that problem. Xkcd tells us that four common random words would qualify as secure and easy to remember. That means we just have to generate them.
Did you know your Mac has a list of over 200,000 English words and names?
/usr/share/dict/words is the complete ‘Webster’s Second International Dictionary`. Published in 1934, the copyright has lapsed so it became part of FreeBSD and then macOS.
So we just need to randomly pick four words from the list. This shouldn’t be hard.
cat /usr/share/dict/words | sort -R | tail -4 would do the job. Give it a try.
OK, I see a problem here. Some of those words are far from common. I ran it twice and among my eight words were ‘impositional’, ‘histographical’, and ‘Cagayan’. I even tried changing it to
tail -10 to see if that gave me four “common” words in the list but that failed most of the time.
Most of those uncommon words are long. What if we extracted the long words before picking ten?
cat /usr/share/dict/words | grep -v '^……*' | sort -R | tail -10 will do the job. That gives me a better result but it still sucks for usability. We really do need a list of common words.
I easily found one online. A search for “common english words list” in DuckDuckGo (my favourite search engine) quickly did it – 3000 most common words in English. I then copied and pasted the list of several thousand common words in a file as
/usr/local/share/dict/common. I could then go back to
sort -R /usr/local/share/dict/common | tail -4 to get a list.
Now I just added the alias
alias passphrase='sort -R /usr/local/share/dict/common | tail -4' to the bottom of my
.zshrc file and generating a safe secure password is trivial.
If we are to believe The Diceware Passphrase FAQ then four words isn’t really enough, “four words only provide 51.6 bits, about the same as an 8 character password made up of random ASCII characters. Both are breakable in less than a day with two dozen graphics processors” so feel free to change that ‘4’ to a larger number according to your level of paranoia. Note that the Diceware calculations are based on someone knowing your passphrase is a number of words. If they don’t know that then it becomes much harder. If the cracker knows you are using the 3000 word list then there is about 11.5 bits of entropy per word in your phrase. On the other hand, if they only know it is random, lower case letters it is around 4.7 bits per letter – if we average six letters per word that’s 28.2 bits per word. Diceware recommend over 100 bits of entropy so that would require a five word phrase.
Diceware also recommend inserting a space between each word. So my current passphrase is ‘rain bone conflict stone mind’. Not really, but that’s what I just generated.
So you can easily make your passwords secure.