How to create a strong,memorable master password

[Deleted User]
[Deleted User]
Community Member

Hi everyone,

I was just wondering if you guys could give me any tips on how to create a stronger,memorable master password.

Thanks!


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • I used the 'words' option in the 1Password password generator to generate my Master Password, but if you don't have a vault created yet you can use something like diceware to achieve a similar effect:

    http://world.std.com/~reinhold/diceware.html

    I hope that helps. Should you have any other questions or concerns, please feel free to ask.

    Ben

  • rlh
    rlh
    Community Member

    Since I like to type fewer characters, I go with the "acronym" approach. Pick a favorite quote, line from a movie, refrain from a song, etc. and then use the first letter from each word. Assuming you pick a long enough quote you can easily get 10-12 characters. Be sure to mix some capitalization (easy if the quote has any proper nouns), some punctuation, and if you are lucky use '2' or '4' instead of 't' or 'f' for the words "to" or "for" in your quote. Bonus points if your quote has the words "at", "dollar", "and", or "star" where you can use the top row of the keyboard as substitutions. Example,

    A horse, a horse! My kingdom for a horse!

    becomes

    Ah,ah!Mk4ah!

    If you use an iPhone, watch out on the special characters such as '*' or '+' which are buried deep on the screen keyboard.

    Whatever you do, don't pick an ear-worm like "T!T!Ilyt!Yaada" Unless you really love the song. :)

    Robert

  • I'd suggest adding some true randomization to that. Roll a die and add the number in there somewhere. :+1:

    Ben

  • [Deleted User]
    [Deleted User]
    Community Member

    Thanks guys for the great advice, really appreciate it.

  • No problem. :)

    Ben

  • [Deleted User]
    [Deleted User]
    Community Member

    @Ben Appreciate all the work you and the team do to make 1Password amazing.

  • Thanks for saying so. 😁

    Ben

  • [Deleted User]
    [Deleted User]
    Community Member

    Anytime Ben. How often does everyone change your passwords/master password?

  • Almost never. Pick a good (unique, random, long) one and stick with it unless there is reason to believe it is compromised. :+1: Much of the reason companies require password changes periodically is due to recommendations NIST made quite some time ago. They've since reversed that recommendation. There is really little or no merit to changing passwords unless you're going from a weak(er) or compromised one to a strong not compromised one.

    "Change a weak Master Password, otherwise leave it be"

    Ben

  • [Deleted User]
    [Deleted User]
    Community Member

    @ben Yes I agree, although for things that I use a lot like my banks, I tend to change the passwords frequently, which 1Password makes so easy to do and not even have to remember what 1Password, generated for me.

  • although for things that I use a lot like my banks, I tend to change the passwords frequently

    What is the reasoning behind that? Do the banks you use mandate it?

    which 1Password makes so easy to do and not even have to remember what 1Password, generated for me.

    Glad to hear it. :)

    Ben

  • [Deleted User]
    [Deleted User]
    Community Member

    Yes one of my banks requires me to change it every six months. I just change the other ones to follow suit. Yes absolutely, that's why I don't mind changing the passwords, because the password generator is such an amazing tool.

  • :+1:

    Ben

  • [Deleted User]
    [Deleted User]
    Community Member

    @Ben Was just curious, how'd you get started with 1Password/ wanting to work with the company?

  • jpgoldberg
    jpgoldberg
    1Password Alumni

    Hi @Tomatoshadow2,

    I very strongly recommend that you read an old1 blog post: Toward Better Master Passwords. It shows how "clever schemes" often create weaker passwords. The goal is not to have letters, digits, symbols, and mixed case. The goal is to create a password that is hard to guess particularly by people who have a very good understanding of how people create passwords.

    People are terrible at being random, and they are particularly bad at it when they are trying to be random. So please take a look at that article, and just use our word list generator.

    xkcd comic: I'm so random
    Source: https://xkcd.com/1210/


    1. It was revised a bit this past year, but the bulk of it was written in 2011. ↩︎

  • [Deleted User]
    [Deleted User]
    Community Member

    @jpgoldberg Yes I did, thanks for the link to this very informative article.

  • @Ben Was just curious, how'd you get started with 1Password/ wanting to work with the company?

    I converted from Windows to Mac in/about 2007. On Windows I was using Keepass or a derivative and when I switched to Mac I really wasn't satisfied with the solution available on that platform. When I started looking for alternatives 1Password (which was called 1Passwd at the time) looked like the most polished solution. I started asking and answering some questions in this forum. My posts caught Dave's eye and he reached out to see if I would be interested in getting paid to help out. Because I was just starting college at the time I told him I would only be able to help on a "very" part-time basis. My involvement slowly grew over time and when I graduated college I had a full time offer waiting for me here.

    Ben

  • I have done some preliminary work on a system for creating diceware-type passwords that should be easier to remember. My idea is to use different word lists for different parts of speech, rather than a single word list. In other words, I would use one list of nouns, one for verbs, one for adjectives, et cetera. This would allow me to create entirely random passwords that have the same structure as a natural phrase, which should be far easier to memorize than a random list of words.

    Thus, the template:

    adjective adjective noun verb adverb
    

    …would result in passwords like "colorless green ideas sleep furiously" — nonsensical, but very easy to remember.

    These word lists would be (I'm pretty sure) shorter than the ~18,000 items on the current 1Password word list, so the resulting passphrases would need to be longer to encode the same number of bits The tradeoff is the same as that between character-based and word-based passwords, but on a smaller scale.

  • AGAlumB
    AGAlumB
    1Password Alumni

    I'd have to run some numbers, since having a template like that would inherently have a negative impact on the entropy (you would not be putting an adverb in the other four spots). But that's an interesting idea. :)

  • The different word lists would not all be the same length. There are many more nouns than other types in English, for example. But as far as entropy goes, if all the word lists were the same length, it wouldn't matter if each word comes from a different list — even if those lists are chosen in advance, in a specified order. The total number of outcomes is still simply the total for each word's list multiplied together.

    If you did allow the lists to be ordered randomly, or chosen randomly, then you'd get more entropy, but that would defeat the purpose of using them to generate a passphrase with a memorable structure. On the other hand, one could first randomly choose from a list of structural templates to increase the entropy, but not all templates would produce the same amount of entropy (noun-heavy ones would have more, verb-heavy ones would have less).

  • AGAlumB
    AGAlumB
    1Password Alumni
    edited January 2019

    If you did allow the lists to be ordered randomly, or chosen randomly, then you'd get more entropy,

    Yeah, that's what I meant. With the "words" password generation we have now, entropy is maximized* because each position -- each word -- can be any of those in the Wordlist.

    *log2(18000) = 14.135709286 <- bits of entropy per word
    14.135709286(5) <- length of password (words)
    = 70.67854643 <- bits of entropy total
    (for a five-word password -- replace "(5)" with a different length to adjust; you'll get different results when specific positions are restricted to fewer words)

    but that would defeat the purpose of using them to generate a passphrase with a memorable structure

    Agreed. Just pointing out that it's a tradeoff. :)

    On the other hand, one could first randomly choose from a list of structural templates to increase the entropy, but not all templates would produce the same amount of entropy (noun-heavy ones would have more, verb-heavy ones would have less).

    Another interesting idea...but I would not want to be the one to try to calculate entropy for all of those. Cheers! :lol:

  • Another interesting idea...but I would not want to be the one to try to calculate entropy for all of those. Cheers! :lol:

    Well, there realistically wouldn't be that many templates to choose from, so it wouldn't add very much. Each one would be straightforward to calculate, but it would only make sense to use ones above a certain amount.

    The other key thing with these passwords (and random passwords in general), is that they're not completely random if the user picks and chooses which "random" passwords to accept. If I reject one, perhaps because it was difficult for me to memorize, how many others would I reject for the same reason? For passwords that must be memorized, it really helps to make that memorization as easy as possible, so that people won't reject the tricky ones.

  • AGAlumB
    AGAlumB
    1Password Alumni

    All really good points. :)

  • [Deleted User]
    [Deleted User]
    Community Member

    @Ben Great story indeed and an amazing journey with 1Password. What's your one favorite thing about the years you've been with the company? @gedankenexperimenter I prefer more complex passwords myself, everyone should. 1Password makes me never worry about making a strong password for any website, ever again. Also great points you covered.

  • What's your one favorite thing about the years you've been with the company?

    From an employment perspective... flexibility and empowerment. There are a lot of companies out there that don't empower their customer service folks to actually help customers. Rarely do I feel that decisions/policies made by AgileBits are preventing me from helping.

    Ben

  • [Deleted User]
    [Deleted User]
    Community Member

    @Ben Very nice answer, I like your passion for the company and helping people.

  • :+1:

    Ben

This discussion has been closed.