The Password Poem has no Clues…

…if telling tales of kangaroos.

This nearly senseless verse is an example of a good password or passphrase, at least if you follow Marjan Ghazvininejad and Kevin Knight of the University of Southern California (USC).

In How to Memorize a Random 60-Bit String they lay out a quite creative method to overcome the classic password paradox: passwords are either secure or easy to remember, but never both at once.

The core idea for cutting this knot is that a rhyming couplet in iambic tetrameter, like the one above, is long enough (length matters for security) and yet relatively easy to remember, even if it makes little or no sense at all. Note where the randomness comes from: the generator starts with a random 60-bit string and turns it into a verse, so the poem is merely a memorable spelling of those 60 bits, not a source of secrecy in itself.

Here are two other examples of the type of passphrases recommended in the article:

Sophisticated potentates
misrepresenting Emirates.

and

Afghanistan, Afghanistan,
Afghanistan and Pakistan.

Close to senseless, right? But if you are looking for the one super-secret phrase that seals your password-management software, this type of passphrase promises to do the job.

The specific ones quoted here, however, should not be used: they are “out in the world”. For the real-life struggle in the jungle out there, the two scientists provide two online generators:

  • one for demo purposes. It serves up plenty of passphrases to give you an idea of the kind of semi-rubbish the method produces. These examples must not be used either: they are “out in the world” too, like any dictionary.
  • one for direct use in real life. The phrases generated by this machine are all promised to be shiny and new, never shown to anyone before. Due to the site’s current high traffic load, the response time may be close to 10 days, though.

How can one be sure that the “good passphrases” generated by the big machine are really new and secure? The number of rhyming verses of the pattern in question must be somewhat limited, mustn’t it?

Well, you should read at least parts of the paper. You will soon realize that serious math underlies the whole theory. And from a math point of view the answer is: a limited number of verses? Of course the number is limited; it cannot be infinite.

But the limit is quite high, namely 2^79.

For calibration: 2^79 is roughly 6 × 10^23, about Avogadro’s number, the number of atoms in 12 grams of carbon. (It is nowhere near the number of atoms in the observable universe, which is around 10^80, i.e. about 2^266.) It is large enough that the passphrase generator can keep only the better poems among billions of candidates and still offer 2^60 distinct passphrases, one for every 60-bit string. Whether 2^60 is beyond brute force depends entirely on what stands in front of the secret: against a fast, unsalted hash, a GPU cluster trying 10^12 guesses per second needs on average only about a week, whereas behind a password manager’s deliberately slow key derivation (say 10^5 guesses per second) the same search takes roughly 180,000 years. So yes: used as the master passphrase of a password manager, these passphrases are safe, and the safety lives in the 60 random bits, not in the poetry.
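The two points above, that the poem is only a memorable spelling of 60 random bits and that those bits are what a brute-force attacker has to search, can be made concrete without any poetry. The following is an added example, not code from the paper or its authors: it encodes a 60-bit string as words from a constructed 16-word toy list (the paper’s generator maps the same bits to a rhyming couplet instead, which is not modelled here), decodes it back, and works out the expected brute-force time at two assumed guess rates. The word list, the guess rates and all function names are assumptions for illustration.

```python
"""Added example (not the authors' code): the principle behind
memorizing a random 60-bit string as a passphrase, minus the poetry.

The entropy of such a passphrase is exactly the entropy of the random
bits it encodes. Here the bits are spelled out as words from a list of
2**k entries (k bits per word); the paper's generator instead maps the
same 60 bits to a rhyming couplet in iambic tetrameter, but the bit
budget, and hence the brute-force cost, is identical.
"""
import math
import secrets

# Constructed 16-word toy list (4 bits per word), purely for illustration.
# A real list would hold 2**15 words so that 60 bits fit in four of them.
TOY_WORDLIST = [
    "apple", "bridge", "candle", "dragon", "ember", "falcon", "garden",
    "harbor", "island", "jungle", "kettle", "lantern", "meadow", "nickel",
    "orbit", "pepper",
]


def bits_per_word(wordlist):
    """Number of bits one word carries; the list size must be a power of two."""
    k = len(wordlist).bit_length() - 1
    if len(wordlist) != 1 << k:
        raise ValueError("word list size must be a power of two")
    return k


def encode(value, nbits, wordlist):
    """Spell an nbits-wide integer as words, most significant word first.
    If nbits is not a multiple of k, the first word simply carries fewer bits."""
    k = bits_per_word(wordlist)
    if not 0 <= value < (1 << nbits):
        raise ValueError("value does not fit in nbits")
    nwords = math.ceil(nbits / k)
    mask = (1 << k) - 1
    return [wordlist[(value >> (k * (nwords - 1 - i))) & mask]
            for i in range(nwords)]


def decode(words, wordlist):
    """Inverse of encode: recover the integer from the word sequence."""
    k = bits_per_word(wordlist)
    index = {w: i for i, w in enumerate(wordlist)}
    value = 0
    for w in words:
        value = (value << k) | index[w]
    return value


def new_passphrase(nbits=60, wordlist=TOY_WORDLIST):
    """Draw nbits from the OS CSPRNG (never from random.random) and encode them."""
    return encode(secrets.randbits(nbits), nbits, wordlist)


def brute_force_seconds(nbits, guesses_per_second):
    """Expected time to find the secret: on average half the space is searched."""
    return 2 ** (nbits - 1) / guesses_per_second


def brute_force_years(nbits, guesses_per_second):
    return brute_force_seconds(nbits, guesses_per_second) / (365.25 * 86400)


if __name__ == "__main__":
    phrase = new_passphrase()
    assert decode(phrase, TOY_WORDLIST) < 2 ** 60
    print(" ".join(phrase))
    # What 60 bits buy you depends on the hash in front of them:
    # a fast unsalted hash on a GPU cluster vs. a slow, tuned KDF.
    # Both rates are assumed figures for illustration.
    for label, rate in [("fast hash, GPU cluster", 1e12),
                        ("password-manager KDF", 1e5)]:
        print(f"{label:24s} {rate:8.0e}/s: "
              f"{brute_force_years(60, rate):14.2f} years")
```

With the toy list a 60-bit phrase is 15 words long; swapping in a 2^15-word list gives the familiar four-word phrase, and a poem generator changes only the spelling, not the 2^60 search space. The brute-force figures show why the same 60 bits are adequate behind a slow key-derivation function and marginal behind a fast hash.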

That was the goal of the two scientists: to generate secure, easy-to-remember 60-bit passwords. It seems they have accomplished their mission.
