Master Password security: 12 random lower-case letters vs. 4 random words
So I have a weird memory... :)
I find it easier to remember and type 12 random lower-case letters than 4 (more or less obscure) words chosen by the 1P password generator.
But is the security of a password consisting of 12 lower-case letters chosen at random equivalent to that of 4 words chosen at random out of 18,000?
My math goes like this:
Entropy of 12 random lower-case letters: log(26^12)/log(2) = 56 bits
Entropy of 4 random words chosen from a list of 18,000: log(18,000^4)/log(2) = 56 bits
So a password like "anyz-wosz-ccau" should be as secure as "driven-aboard-midland-hound", or am I missing something?
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Comments
No rush--I'm just being curious. :)
0 -
@MerryBit - sorry for the wait. 18,000 words (our wordlist is slightly longer than that - around 18250 now, I think - but good enough for estimation's sake) works out to be 56.5 bits (OK, 56.5428, and more like 56.624 if you use 18,250 as the starting number of words, but close enough), and log2(26^12) for twelve random lower-case letters would work out to...yep, 56.4 bits. So if it's easier for you to remember 12 random letters than it is four real words, you're in very similar ballparks. And if you make it 13 letters, you'll be up in the 61.1-bit territory, which is obviously far stronger.
0 -
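To make the comparison in the question and the reply above concrete, here is a small calculator (an added example, not code from the original thread or from 1Password) that computes the entropy of both schemes with the same formula, log2(N^L) = L * log2(N), and works out how many random letters are needed to reach the entropy of a given passphrase. The `random_letters` and `random_passphrase` helpers use `secrets` rather than `random`, since the entropy figure only holds when every symbol is chosen uniformly by a CSPRNG; the hyphenated 4-letter chunks are display formatting only and add nothing to the entropy. `SAMPLE_WORDS` is a constructed stand-in for a real ~18,000-word list; the word-list sizes 18,000 and 18,250 are taken from the thread.

```python
import math
import secrets
import string

# Entropy in bits of a secret drawn uniformly from `symbols` possibilities per
# position, `length` positions long: log2(symbols ** length) = length * log2(symbols).
def entropy_bits(symbols: int, length: int) -> float:
    return length * math.log2(symbols)

# Smallest number of random letters (default alphabet: 26 lower-case) whose entropy
# is at least that of `n_words` words drawn uniformly from a `wordlist_size` list.
def letters_to_match(wordlist_size: int, n_words: int, alphabet: int = 26) -> int:
    target = entropy_bits(wordlist_size, n_words)
    return math.ceil(target / math.log2(alphabet))

# Random lower-case letters, grouped into hyphen-separated chunks for readability
# (like "anyz-wosz-ccau"). The hyphens are fixed and contribute no entropy.
def random_letters(length: int, chunk: int = 4) -> str:
    letters = "".join(secrets.choice(string.ascii_lowercase) for _ in range(length))
    return "-".join(letters[i:i + chunk] for i in range(0, length, chunk))

# Random passphrase: each word drawn independently and uniformly from `wordlist`.
def random_passphrase(wordlist, n_words: int) -> str:
    return "-".join(secrets.choice(wordlist) for _ in range(n_words))

# Constructed toy word list (assumption: a real generator list has ~18,000 entries).
SAMPLE_WORDS = ["driven", "aboard", "midland", "hound", "anvil", "cobalt", "meadow", "pixel"]

# The schemes discussed in the thread, side by side.
def compare_schemes() -> dict:
    return {
        "12 letters": entropy_bits(26, 12),
        "13 letters": entropy_bits(26, 13),
        "32 letters": entropy_bits(26, 32),
        "4 words / 18000": entropy_bits(18000, 4),
        "4 words / 18250": entropy_bits(18250, 4),
    }

if __name__ == "__main__":
    for name, bits in compare_schemes().items():
        print(f"{name:>16}: {bits:7.2f} bits")
    print("letters needed to match 4 words from 18,000:", letters_to_match(18000, 4))
    print("example letters:   ", random_letters(12))
    print("example passphrase:", random_passphrase(SAMPLE_WORDS, 4))
```

Running it reproduces the numbers in the reply (12 letters: 56.4 bits; 4 words of 18,000: 56.5 bits; 13 letters: 61.1 bits) and shows that 12 letters fall just short of 4 words, so 13 letters is the first length that is at least as strong. The caveat a practitioner should keep in mind is that these figures assume uniform random selection; a string a person "made up" to look random, or a memorable phrase, gets no such guarantee.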
Interestingly, the research on the memorability and usability of these things is mixed. When we first introduced the wordlist, there was no relevant research. (There was some research on much longer passwords using much shorter word lists.)
It now appears that there may be more people like @MerryBit than we'd initially imagined. There still isn't enough solid research to really base design choices on, but the memorability advantage of word lists is not as great as we'd initially thought.
0 -
Aw, and here I thought I was sooo special. 8-)
I can't fully explain why I find random strings of letters easier to memorize than random sequences of words. For a long time, I thought words would be easier to remember, but one day when I had to type in my Secret Key and realized I was able to remember half of it without even trying (and still struggling to remember my 4-word master password), the thought occurred to me that maybe random words weren't that easy to remember after all.
The only explanation I can think of is that it's easier for me to remember a jumbled 12-character alphabet because the individual parts (the letters) are so ingrained in my brain while a 4-word pass phrase is more difficult because the words (in a foreign language at that) are inherently more difficult to remember.
I never thought I'd end up with a Master Password consisting of 32 random lower-case letters, but after discovering that it's not that hard (for me) to remember if I just break it up into 4-letter chunks, that's what I have today. :)
0