The weakest link in IT security is usually users. Their biggest weak spot is passwords. Users want passwords that are easy to remember – which means easy to figure out. The solution is something that’s easy to remember and hard to crack.
Thanks to a site called Diceware the solution is also free.
What Diceware does is replace passwords with passphrases. The reason this is better for both users and security is elegantly explained by XKCD.
Cartoon courtesy of xkcd
In short, most human generated passwords don’t contain enough entropy (uncertainty, for us lay folks). The more uncertainty involved in the password the better. Diceware takes care of that.
It is a simple, free system created by Arnold Reinhold, who has written books for Wiley and on cryptography. The system only requires you know how to read and have access to a plain old six-sided die. (So there might be one expense: A big box of dice.)
Roll the die five times and write down each result in order. That will give you a five digit number like 33152. Go to the Diceware Word List – which contains 7776 short English words, abbreviations and easy to remember groups of letters. Find the word that matches your number. Repeat three (or more) times.
Here’s what I got:
- 33152 = Hobbs
- 54336 = slave
- 34362 = Jason
- 34345 = jam
You can alter that in any way that makes it easier to remember. I would change jam to jams to make a complete sentence out of it: Hobbs slave Jason jams. You get the idea. Even better its so simple even the folks in marketing should be able to use it. Hopefully.
It doesn’t have to be four words, of course. Use more if you want to make it harder to crack. If you don’t want to use the Diceware list you are free to generate your own. The system is clearly adaptable.
Of course another free way to make your security even better is to have users change their catchphrases on a regular basis. Good luck on that.