20 Password strength: Generating a secure and memorable password


It’s not easy to create passwords that are both difficult to guess and easy to remember. An XKCD comic describes an algorithm that provides both security and recall by suggesting that a password be composed of “four random common words” (https://xkcd.com/936/). For instance, the comic suggests that the password composed of the words “correct,” “horse,” “battery,” and “staple” would provide “~44 bits of entropy” which would require around 550 years for a computer to guess, given 1,000 guesses per second.

We’re going to write a program called password.py that will create passwords by randomly combining words from some input files. Many computers have a file that lists thousands of English words, each on a separate line. On most of my systems, I can find this at /usr/share/dict/words, and it contains over 235,000 words! As the file can vary by system, I’ve added a version to the repo so that we can use the same file. This file is a little large, so I’ve compressed it to inputs/words.txt.zip. You should unzip it before using it:

$ unzip inputs/words.txt.zip

Now we should both have the same inputs/words.txt file so that this is reproducible for you:

$ ./password.py ../inputs/words.txt --seed 14
CrotalLeavesMeeredLogy
NatalBurrelTizzyOddman
UnbornSignerShodDehort
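As an added illustration of the approach this chapter describes (this is not the book's password.py and will not reproduce the output above), the following Python runs the steps the outline names over a small constructed word list and checks the comic's entropy arithmetic. SAMPLE_WORDS, the 2048-word pool size and every function name here are assumptions of the example.

```python
import math
import random
import re

# Constructed stand-in for inputs/words.txt (that file has one word per
# line; splitting on whitespace handles both). Includes punctuation, a
# capitalised duplicate and short words that the cleaning must drop.
SAMPLE_WORDS = """correct horse battery, staple Horse a the
crotal leaves meered logy natal burrel tizzy oddman
"""

def clean_words(text, min_len=4):
    """Unique lowercase alphabetic words of at least min_len letters, sorted."""
    words = set()
    for tok in text.split():
        w = re.sub(r"[^a-z]", "", tok.lower())  # drop punctuation and digits
        if len(w) >= min_len:
            words.add(w)
    return sorted(words)  # sorted so a given seed always picks the same words

def make_password(words, num_words=4, seed=None):
    """Join num_words distinct, titlecased words drawn at random."""
    rng = random.Random(seed)  # seed only for reproducible tests, like --seed above
    return "".join(w.title() for w in rng.sample(words, num_words))

def entropy_bits(pool_size, num_words):
    """Bits of entropy for num_words independent draws from pool_size words.

    Treats draws as independent; sampling without replacement is marginally lower.
    """
    return num_words * math.log2(pool_size)

def years_to_exhaust(bits, guesses_per_second=1000):
    """Years to try every possibility at guesses_per_second (the comic's rate)."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)

if __name__ == "__main__":
    vocab = clean_words(SAMPLE_WORDS)
    for _ in range(3):
        print(make_password(vocab))  # unseeded: real passwords must not be reproducible
    bits = entropy_bits(2048, 4)  # 4 draws from a 2048-word list: the comic's 44 bits
    print(f"{bits:.0f} bits, ~{years_to_exhaust(bits):.0f} years at 1,000 guesses/s")
```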

20.1 Writing password.py

20.1.1 Creating a unique list of words

20.1.2 Cleaning the text

20.1.3 Using a set

20.1.4 Filtering the words

20.1.5 Titlecasing the words

20.1.6 Sampling and making a password

20.1.7 l33t-ify

20.1.8 Putting it all together

20.2 Solution

20.3 Discussion

20.3.1 Cleaning the text

20.3.2 A king’s ransom

20.3.3 How to l33t()

20.3.4 Processing the files