{"id":52427,"date":"2017-04-09T21:44:22","date_gmt":"2017-04-10T02:44:22","guid":{"rendered":"http:\/\/www.kateva.org\/sh\/?p=52427"},"modified":"2017-04-09T22:07:12","modified_gmt":"2017-04-10T03:07:12","slug":"password-generators-suck","status":"publish","type":"post","link":"http:\/\/www.kateva.org\/sh\/?p=52427","title":{"rendered":"Password generators suck"},"content":{"rendered":"<p>For a book project I had to review the current state of password generators, including the <a href=\"https:\/\/www.schneier.com\/blog\/archives\/2014\/03\/choosing_secure_1.html\">Schneier<\/a> vs. <a href=\"https:\/\/www.grc.com\/passwords.htm\">GRC<\/a> vs. <a href=\"https:\/\/xkcd.com\/936\/\">XKCD<\/a>\/<a href=\"https:\/\/www.rempe.us\/diceware\">diceware<\/a> wars.<\/p>\n<p>Bah. Humbug. The memorable vs. random debate is obsolete. The real criterion is <strong>tappable<\/strong>. A password needs to be tappable on a twee iPhone virtual keyboard that shows only one character at a time (Yes, I use 1Password. I still find lots of times I have to type and tap.) I can&#8217;t tap a long random string. I even have a hard time tapping an 8 word string &#8212; and I don&#8217;t have the patience for it.<\/p>\n<p>I think the obscure and much maligned Apple keychain\u00a0&#8216;Memorable&#8217; password generator strikes the right balance. A mixture of (pseudo) randomly (I hope) selected pronounceable strings with some extra characters. I usually tweak the words to be less English (but still memorable) and I toss in &#8220;extra characters&#8221; that don&#8217;t require too much keyboard shift\/swap. I generally stop at around 16 characters.<\/p>\n<p>It&#8217;s too bad Apple&#8217;s password generator is so hard to access. On OS X I use an ancient and now vanished app called &#8220;Password Assistant&#8221; (2006, codepoetry &#8211; don&#8217;t try the domain, it was lost long ago) that invokes it. I can&#8217;t believe nobody has put something like this on the Mac App store. 
On iOS there&#8217;s no easy way to access it, you only see it when entering a password on a web form (again, why no app to invoke it? Too bad Siri can&#8217;t access it.)<\/p>\n<p>Sure, the NSA could crack these too short and too englishy passwords in a few hours. But if a serious hacker team wants my stuff, much less US border security, I&#8217;m screwed anyway. For most criminals I just need to have something well above average. That&#8217;s not hard &#8230;<\/p>\n<p>PS. I think Atwood came close to me in his <a href=\"https:\/\/blog.codinghorror.com\/your-password-is-too-damn-short\/\">2015 essay<\/a>: &#8220;passphrases &#8230; are exceptionally painful to enter via touchscreen in our brave new world of mobile \u2013 and that is an increasingly critical flaw.&#8221; Alas, he seemed to have forgotten this in his <a href=\"https:\/\/blog.codinghorror.com\/password-rules-are-bullshit\/\">2017 essay<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>For a book project I had to review the current state of password generators, including the Schneier vs. GRC vs. XKCD\/diceware wars. Bah. Humbug. The memorable vs. random debate is obsolete. The real criterion is tappable. 
A password needs to &hellip; <a href=\"http:\/\/www.kateva.org\/sh\/?p=52427\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[36],"tags":[],"class_list":["post-52427","post","type-post","status-publish","format-standard","hentry","category-t"],"_links":{"self":[{"href":"http:\/\/www.kateva.org\/sh\/index.php?rest_route=\/wp\/v2\/posts\/52427","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.kateva.org\/sh\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.kateva.org\/sh\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.kateva.org\/sh\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.kateva.org\/sh\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=52427"}],"version-history":[{"count":8,"href":"http:\/\/www.kateva.org\/sh\/index.php?rest_route=\/wp\/v2\/posts\/52427\/revisions"}],"predecessor-version":[{"id":52435,"href":"http:\/\/www.kateva.org\/sh\/index.php?rest_route=\/wp\/v2\/posts\/52427\/revisions\/52435"}],"wp:attachment":[{"href":"http:\/\/www.kateva.org\/sh\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=52427"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.kateva.org\/sh\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=52427"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.kateva.org\/sh\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=52427"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}