Over the last few months I have had to enter WiFi passwords into smart phones, TVs, printers, etc. None of these have real keyboard and they make it hard to enter long passwords or passwords that constrain symbols etc. Therefore all the normal rules about choosing good passwords seem to be out of date…
(It took ages on the phone for me to explain to someone how to enter their password into a “TV stick” due to these issues and not having the same “TV stick” to try it out on myself.)
Most good password advice (suggesting long passwords with characters randomly selected from a large character pool) will not ever go "out of date", except perhaps with regards to "minimum length" recommendations. (Used to be 8, then 12. Soon enough, if not already, 12 will be too short too. I recommend 15, preferably 20+.)
The problem you have is one that cannot be worked around without weakening the strength of your password, because strong passwords will never be very human-usable regardless of what interface you're using to enter them. The really strong passwords aren't even fun to enter on a full QWERTY desktop keyboard, let alone any of the more limited UIs available on "smart" devices of any sort. The best passwords aren't even human-memorable.
Unfortunately, that's just the nature of the beast. You can have a strong password, or you can have one that's easy to use and remember. Intersecting the two is nigh-impossible.
Some suggestions for your WiFi network:
This was suggested in a comment but isn't an answer yet for some reason.
I suggest using the concept used by diceware and made popular by a certain ubiquitous XKCD comic.
That is, get a word list of a few thousand words, and randomly (i.e. using dice or numbers from random.org or a high-quality PRNG) choose some words from the list. This set of words is your password.
For WiFi passwords I recommend you don't use the standard Diceware list, because it includes a bunch of punctuation and the like which you want to avoid on smartphone keyboards or other places this is hard to enter.
Instead use something like the 5000-word sample list from the Corpus of Contemporary American English or the New General Service List (2000-3000 words) for your source of words.
This should let you choose a WiFi password that's easy to type in since it is all common words which you probably know how to spell, with no punctuation, yet is completely random. Since it's a WiFi password you're probably going to write it down somewhere so generate as many words as you need for the level of security you want. 5-8 words should be plenty, and much easier to tell somebody one word at a time than painstakingly typing one character at a time while switching keyboards back and forth for the usual type of password.
Try a passphrase (this method is also recommended by Snowden. If you do a search on youtube you'll find a few of his related videos). This method allows your password to be extremely long and very easy to remember.
Example:
- Create a phrase such as "thinkingoutloudonasundaymorningat110dbwith4beersinthefridge"
- Swap a few characters with numbers, capitalise some letters, get a bit creative.
This is just a starting point and you can make your key much more complex by adding words from different languages, making your passphrase more illogical, or even making up words. Using your imagination is key here.
If you want security with ease of use, it may be easiest to just randomly generate a long password of nothing but lowercase letters (or numbers if you are using flip phones). The basic point of password security (I'm oversimplifying here) lies in the concept of entropy which in this context means the difficulty in guessing. So what this means for you is that out of x number of possible password combinations, how long would it take an attacker to 'guess' the correct one? The answer is a function of how many guesses the attacker can possibly make and how many guesses the attacker does actually make.
For instance, if you have a 4 digit long password and allow only digits 0-9, you would have 4^10 possible password combinations, this may seem like a high number but consider that an attacker could potentially 'guess' really quickly (depends on the resources thrown at the guessing algorithm).
The bottom line is that if you limit your pool of unique characters (IE just use lowercase letters or digits) then you would need to increase the minimum password length.
For one of the business I work with, they need to allow employee access to their network, as well as various devices that report data back to a central server.
With a key rotation requirement in place, entering a wifi key into every device was pretty time consuming. One of the requirements I imposed was the key had approx 64-bits of entropy, which for a password is quite a bit, but was designed to eliminate brute force attacks within the key rotation schedule.
The key needed to be fairly easy to enter on both a keyboard and a mobile device, and not be unnecessarily large or insecurely small. The solution I came up with is to use groups of lower case letters and numbers, or just a long random number.
anu629brq763pfr = 62.2 bits
5167053194830046378 = 63.1 bits
Obviously, neither of these are very memorable, and they did not need to be because of the environment they are used in, but the grouped method did allow someone to remember it while entering it into half a dozen devices (me). Usually I would make a typing mistake at least once when entering a complex password a bunch of times, but by separation of letters and numbers, I did not mistake an l for a 1 or an O for a 0. Grouping can keep the error rate very low during entry, in fact I did not make any mistakes, every device connected the first time, and that is not typical for me.
The additional advantage to generating the codes in this way is they are very easy to enter on things like mobile phones and television remotes, and contain no spaces, capitalization, or punctuation, but they do need to be long to compensate. Since they are essentially random (within constraints), they do not need to be as long as a password with guessable words or phrases.
I this situation we had a business grade router with the ability to use multiple SSIDs on the same frequency each with separate encryption keys, and could isolate employee access from other devices for security purposes, but for most people this is not necessary, although I would not trust a smart TV to be on the same network as the rest of my devices...
You were right at the beginning. This is a password for a Wifi network. It has some different properties than something for, say, your bank or your company. For one thing, you'll be entering it on a zillion different devices—many of which have terrible user interfaces. (TVs, PS4, printers, mobile phones, etc.) So if you do the usual advice and put in all sorts of symbols and things, you're dooming yourself to a life of misery with these interfaces. I think it is safe to say "longer is stronger". And if you can manage to think of a long phrase that makes sense, just type the whole thing. Remember also that spaces are completely legit in WiFi passwords (though, again, you may find some devices don't do it well).
So a password like "this is a secure network" is perfectly good enough for a WiFi network and is simple enough to type. The password strength estimator zxcvbn is really good. https://dl.dropboxusercontent.com/u/209/zxcvbn/test/index.html
You need to have a long password but you also need to use as many character types as you can and as randomly as possible. The less random you are the weaker you are.
But let's compromise so that security is convenient because we can do good things here still and meet in the middle.
Dispite how it looks this is a very strong password "AAAA 9999 ???? aaaa 0000 !!!!"
You get some subtraction of security from repeated characters and consecutive characters and consecutive types like uppercase or numbers but in a brute force scenario it would take an octillion years because the only way they would crack you is by using lower, upper, number, and symbols on the above 29 character password.
Now the attacker could create dictionaries to help them with this sort of password schema the reason why is it's a pattern and then it would be less good but it only helps the attacker if this pattern was very common and got good success rates which it does not at this time. An attacker wants to crack you very quickly you just need to make him tired of trying before he wins.
But that 29 character password is easy to remember so why not make it a little longer.
"AAAA 9999 ???? aaaa 0000 !!!! zzzz 7777 .... ZZZZ 5555 @@@@"
If you want to take this up a level do mixed characters together instead of repeating the pattern.
"ABCD 9876 .,?! wxyz 1234 '@&$"
Which of the last 2 is harder? Well AAAA is longer but ABCD has a more complex pattern
The answer is ABCD because it is more random If you did AbCd 9$8&7@6' wXyZ that would be even more secure and the pattern harder notice I alternated character's case and numbers and symbols. I also changed the pattern between the spaces etc. so I now have a more random and long password that would be near impossible to both brute force and dictionary attack.
Just make one like that last one that is random but easy to remember and type for your devices and you're good. Also note that length is good but length without complexity could be a risk. Try to make it to about 30+ characters for wifi.
Hope this helps.
