4

I'm looking to generate some new passwords for myself that are easy to remember, but hard to crack. By choosing a generation algorithm and generating one random password with it, I can be relatively confident of how hard to crack my password is. (I can calculate its entropy.)

If, instead, I keep generating passwords until I see one I like, the security of my password is (significantly?) less. Worse, because I can't analyze my own mind like I could analyze an algorithm, I don't even know how insecure my password might be. It should be better (in terms of security) to control myself and say, before the password is generated, "whatever password is generated is the one I will use". But it might not be as easy a password to remember as "correct horse battery staple". It's hard to predict what will be easy/hard to memorize, and it can vary a lot from person to person.

What about a happy medium, where I decide that I will generate exactly N (for example, 10) random passwords, and choose one of them? Would this be any worse than "1/N times" secure?

Dan Getz
  • 449
  • 3
  • 10
  • This depends on your selection criteria - if for example you pick something that you can type with only your left hand (quite a common choice), it could significantly reduce the strength of a password. For your "happy medium" suggestion, I think your reasoning is correct **on average**, however there could be some significantly less than average passwords chosen like that as well – user2813274 Jul 16 '14 at 19:12
  • True, if I'm generating series of words, and for example a grammatically correct phrase shows up and I choose it, I'm hurting yourself. On the other hand, if I decided on choosing the first password to show up and *it* was grammatically correct, isn't it a similar problem? And pretty unlikely? And in some cases, by generating more than one password, I could *avoid* some obviously insecure passwords in the rare chance that they show up. – Dan Getz Jul 16 '14 at 19:33

1 Answers1

9

one I like

That is the bane of precise entropy calculations: human psychology. It is hard to quantify precisely how much the attacker can model your aesthetic choice. There are two extremes:

  • The attacker may totally fail to guess what kind of password you like or don't like. In that case, your selection cannot be exploited by the attacker, and the entropy computation for the password generator is unchanged.

  • The attacker may have an accurate model of your brain, and precisely know what is a "likable" and an "unlikable". In that case, the attacker will try the most likable passwords first. In that case, the entropy, from the attacker's point of view, will be divided by at most N (if you express entropy as "bits", as is customary, then you will lose log N bits).

The reality will be somewhere between these two extremes. The cautious stance is to assume the worst. Thus, if you generate N = 16 passwords and allow the user the select one, then consider that you just lost 4 bits of entropy (because 16 = 24); in the "correct horse" method with four words from a list of 2048 words, hence 44 bits of entropy, you drop to 40 bits -- which is weaker but still quite decent, as passwords go.

At least it can be mathematically demonstrated that allowing a choice among N random passwords cannot reduce the entropy by more than a factor of N (i.e. you cannot lose more than log N bits that way).

Tom Leek
  • 170,038
  • 29
  • 342
  • 480