Password generators suck

For a book project I had to review the current state of password generators, including the Schneier vs. GRC vs. XKCD/diceware wars.

Bah. Humbug. The memorable vs. random debate is obsolete. The real criterion is tappable. A password needs to be tappable on a twee iPhone virtual keyboard that shows only one character at a time (Yes, I use 1Password. I still find lots of times I have to type and tap.) I can’t tap a long random string. I even have a hard time tapping an 8 word string — and I don’t have the patience for it.

I think the obscure and much maligned Apple keychain ‘Memorable’ password generator strikes the right balance. A mixture of (pseudo) randomly (I hope) selected pronounceable strings with some extra characters. I usually tweak the words to be less English (but still memorable) and I toss in “extra characters” that don’t require too much keyboard shift/swap. I generally stop at around 16 characters.
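As an added example (my own sketch, not the post's code and not Apple's "Memorable" generator), here is the same recipe in Python: CSPRNG-chosen consonant-vowel syllables, a couple of "extra" characters dropped in at syllable boundaries, plus two checks a practitioner would want on any such password: a conservative entropy estimate, and a tap-cost estimate that counts keyboard layer switches and Shift presses. The syllable alphabet and the iOS layout model (letters on the main layer, digits and punctuation on the "123" layer, one tap to switch each way) are assumptions.

```python
import math
import secrets

# Constructed syllable alphabet: an assumption for this example, not Apple's
# word list. Consonant + vowel pairs are pronounceable, and every letter sits
# on the phone keyboard's primary (letter) layer, so they cost one tap each.
CONSONANTS = "bcdfghjklmnprstvwz"
VOWELS = "aeiou"
# "Extra characters" assumed to live on the iOS "123" layer: each run of them
# costs one layer switch in and one back out (assumption about the layout).
EXTRAS = "0123456789-/:;()$&@.,?!'"


def generate(syllables=7, extras=2, rng=None):
    """Return a password of <syllables> CV pairs with <extras> layer-switch
    characters inserted at syllable boundaries. rng needs only .choice(seq);
    the default is the OS CSPRNG (never random.Random for real passwords)."""
    rng = rng or secrets.SystemRandom()
    parts = [rng.choice(CONSONANTS) + rng.choice(VOWELS) for _ in range(syllables)]
    for _ in range(extras):
        parts.insert(rng.choice(range(len(parts) + 1)), rng.choice(EXTRAS))
    return "".join(parts)


def entropy_bits(syllables=7, extras=2):
    """Guessing entropy of the character draws alone, i.e. assuming the
    attacker already knows the structure and where the extras were placed."""
    return (syllables * math.log2(len(CONSONANTS) * len(VOWELS))
            + extras * math.log2(len(EXTRAS)))


def tap_cost(password):
    """Estimated taps on a one-character-at-a-time phone keyboard: one per
    character, one per switch between the letter and "123" layers, and one
    Shift per uppercase letter (assumed layout)."""
    taps, on_letters = 0, True
    for ch in password:
        wants_letters = ch.isalpha()
        if wants_letters != on_letters:
            taps += 1          # tap "123" or "ABC" to change layer
            on_letters = wants_letters
        if ch.isupper():
            taps += 1          # Shift before an uppercase letter
        taps += 1
    return taps


if __name__ == "__main__":
    pw = generate()
    print(f"{pw}  ~{entropy_bits():.1f} bits  {tap_cost(pw)} taps")
```

With the defaults this yields 16 characters at roughly 55 bits of draw entropy and at most 20 taps; bumping `extras` buys little entropy per tap compared with one more syllable.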

It’s too bad Apple’s password generator is so hard to access. On OS X I use an ancient and now vanished app called “Password Assistant” (2006, codepoetry – don’t try the domain, it was lost long ago) that invokes it. I can’t believe nobody has put something like this on the Mac App store. On iOS there’s no easy way to access it, you only see it when entering a password on a web form (again, why no app to invoke it? Too bad Siri can’t access it.)

Sure, the NSA could crack these too short and too englishy passwords in a few hours. But if a serious hacker team wants my stuff, never mind US border security, I’m screwed anyway. For most criminals I just need to have something well above average. That’s not hard …

PS. I think Atwood came close to me in his 2015 essay: “passphrases … are exceptionally painful to enter via touchscreen in our brave new world of mobile – and that is an increasingly critical flaw.” Alas, he seems to have forgotten this in his 2017 essay.