Passwords are easy to generate, easy to record.. but still nobody likes 45-character passwords!
I like to use diceware to generate legible, secure passwords. Generally, each word (out of 7,776) adds about 12 to 13 bits of entropy. This requires 5 six-sided dice to be rolled for each word.
6 words is plenty, good enough for just about anything. 4 words is enough for maybe your Netflix password[^1].
I’ll use hand-rolled examples to show how weird the words can be. Base64 sprinkled in liberally. Don’t use these passwords, obviously[^2].
| Pattern | equation | bits of entropy |
|---|---|---|
| 2 words + 3 bytes base64 | 2·log₂(6⁵) + 3·8 | 49.85 bits |
| 4 words | 4·log₂(6⁵) | 51.70 bits |
| 3 words + 3 bytes base64 | 3·log₂(6⁵) + 3·8 | 62.77 bits |
| 5 words | 5·log₂(6⁵) | 64.62 bits |
| 2 words + 6 bytes base64 | 2·log₂(6⁵) + 6·8 | 73.85 bits |
| 4 words + 3 bytes base64 | 4·log₂(6⁵) + 3·8 | 75.70 bits |
| 6 words | 6·log₂(6⁵) | 77.55 bits |
| 3 words + 6 bytes base64 | 3·log₂(6⁵) + 6·8 | 86.77 bits |
| 3 words + 9 bytes base64[^3] | 3·log₂(6⁵) + 9·8 | 110.77 bits |
So a little base64 goes a long way. Too bad it’s hard to write down accurately, let alone remember.
Some more common styles of passwords, for comparison (in increasing entropy):
|Pattern||equation||bits of entropy|
64 bits indeed seems “long”.
A lot of bad password policies (6 chars only, 8 chars only..) keep you around 30-40 bits.
I like MotocrossVarietyGaveScroll-jj+G (75.70 bits) for long passwords, and MotocrossVariety-jj+G (49.85 bits) for shorter ones. I like to be able to write them down more than I like them super short.
Generating these requires 2-4 dice rolls (& a diceware textfile lookup) and a quick `openssl rand -base64 3`.
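The arithmetic behind the table and the "words plus a base64 tail" recipe, as an added example (not the author's code). It uses Python's `secrets` in place of physical dice and `openssl`, and the word list and `roll_to_index` ordering are assumptions: any 7,776-line diceware list in 11111..66666 order works.

```python
import base64
import math
import secrets

# Diceware: five six-sided dice select one of 6^5 = 7776 words.
WORDLIST_SIZE = 6 ** 5
BITS_PER_WORD = math.log2(WORDLIST_SIZE)  # ~12.925 bits per word


def entropy_bits(words: int, raw_bytes: int = 0) -> float:
    """Entropy of `words` diceware words followed by `raw_bytes` random
    bytes shown as base64. Base64 is only an encoding: the tail carries
    8 bits per *byte*, not per character."""
    return words * BITS_PER_WORD + raw_bytes * 8


def base64_length(raw_bytes: int) -> int:
    """Characters produced by `openssl rand -base64 N` (padding included)."""
    return len(base64.b64encode(bytes(raw_bytes)))


def roll_to_index(rolls: list[int]) -> int:
    """Map five dice (each 1..6) to a 0-based line number, assuming the
    list is sorted by its 11111..66666 roll keys (constructed assumption)."""
    if len(rolls) != 5 or any(r not in range(1, 7) for r in rolls):
        raise ValueError("need exactly five values in 1..6")
    index = 0
    for r in rolls:
        index = index * 6 + (r - 1)
    return index


def roll_word(wordlist: list[str]) -> str:
    """Pick a word with a CSPRNG standing in for the physical dice."""
    if len(wordlist) != WORDLIST_SIZE:
        raise ValueError("a diceware list has exactly 7776 words")
    return wordlist[roll_to_index([secrets.randbelow(6) + 1 for _ in range(5)])]


def build_password(words: list[str], raw_bytes: int, sep: str = "-") -> str:
    """Join capitalised words, then append base64 of fresh random bytes,
    e.g. two words + 3 bytes gives the MotocrossVariety-jj+G shape."""
    body = "".join(w.capitalize() for w in words)
    if raw_bytes:
        body += sep + base64.b64encode(secrets.token_bytes(raw_bytes)).decode()
    return body
```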
64 bits is IMO “pretty good”. If you need 256 bits, you’re not really talking about a password any more, but a key. You can simply ask openssl for many more bytes, if that’s what you’re after:
```
$ openssl rand -base64 32
bIxkkyQAh3GCxbiWurRpV5DsMdvcTTiTyMBWk2lpGcE=
```
I don’t use a lot of long passwords, but looking back: MotocrossVarietyGaveScroll-jj+G (75.70 bits) is just super long. 31 characters!? I wouldn’t even try to remember those.
Why not go straight base64 at that point? 21 bytes gets you 28 characters. 18 bytes gets you 24 characters. That’s 144-168 bits of entropy. Way beyond normal stuff. Here’s a better “long” password:
If you can use a 20-character password, use 15 random bytes (120 bits):

```
$ openssl rand -base64 15
aT7bubJTM4w2RoyeNPsQ # results should vary..
```
This is way overkill, but a 20-character password is quite long and might as well be used.
You might need to add a special character (pick your favorite..) and maybe a number. I guess, technically, you might land all 1s or something crazy, so maybe append an `Az1!` or something to fulfill all those nice password requirements. You may have to trim some bits to make it fit, if 24 characters is too many.