Opinions on Generating Problematic Passwords


For the security-aware (or “paranoid”) there are two types of passwords which are problematic.

High Risk

These are passwords for important services, such as a bank, that do not offer strong two-factor authentication and where a compromise would be very expensive or inconvenient, but which you normally log in to when your password manager is available.

To protect against the small risk of the password manager being compromised (through a design flaw or mistake by the provider, or because your phone or computer is compromised or stolen), generate random passwords in the normal way and save them in your password manager. Then choose a short extra password, append it to the saved password, and always enter it manually after the password manager has auto-filled the random portion. If you have several services like this it is probably safe to use the same extra password for all of them.

Because the extra portion is never stored in the manager, it gives you enough time to change your passwords after a compromise.

Must Be Typed

These are entered when your password manager is not available: for example, the master password for the password manager itself, or the password to log in to your computer or phone. You want a password that is hard to crack with automated guessing tools but easy to remember and not too hard to type.

I suggest three elements:

  • some random words (perhaps chosen using Diceware)
  • a word mangling rule
  • a padding rule (based on Steve Gibson’s password haystacks idea)

Don’t waste time capitalizing passwords.

Choosing Words

The words could be any number of preferably random words (ideally at least three), but for the examples below we’ll use one, two and three.

Word Mangling Rules

The mangling rule changes the letter order or spacing of the words. Examples could be:

  • reverse every second word: one owt three
  • split words in the middle, rounding left: on e tw o thr ee
  • sort the letters: eno otw eehrt
  • if a word has an even number of vowels, reverse it, for example: enotwoeerht

Padding Rules

The padding rule puts characters around each of the words, possibly based on the words themselves. Examples could be:

  • pad and separate the words with some random character repeated a fixed number of times; for example, using = twice each time: ==one==two==three==
  • prefix or suffix each word with its initial letter, so that the number of initial letters (counting the word’s own first letter) equals the length of the word; for example we’d get ooonetttwottttthree
  • based on each word length add that number of extra letters after each word, each one the next one in alphabetical order: onefghtwopqrthreefghij
  • similar but use digits, starting with the length of the word: one345two345three56789

Putting It All Together

There are many other possible rules: just pick some rules you’ll remember, and don’t use any of the rules mentioned here (or double-bluff the attackers and use them anyway). For example, combining the first example of each rule type above gives ==one==owt==three==. Combining the last of each gives eno345two345eerht56789.
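The rules above are easy to implement, and doing so is a good way to check that a chosen rule is applied consistently. The following Python is an added example, not code from the original post: it implements the four mangling rules and the four padding rules exactly as described, composes them the way the previous paragraph does, and picks the random words with a CSPRNG as Diceware would. The eight-word list and the entropy helper are constructed additions for illustration; a real Diceware list has 7776 words. Where the post does not say what happens past the letter z or the digit 9, the code wraps around, which is an assumption.

```python
import math
import secrets

# Constructed sample word list (a real Diceware list has 7776 entries).
SAMPLE_WORDLIST = ["one", "two", "three", "four", "five", "six", "seven", "eight"]
VOWELS = set("aeiou")


def choose_words(n, wordlist=SAMPLE_WORDLIST):
    """Pick n words uniformly at random using the secrets CSPRNG, as dice would."""
    return [secrets.choice(wordlist) for _ in range(n)]


def entropy_bits(n, wordlist=SAMPLE_WORDLIST):
    """Guessing-resistance of the random-word portion alone, in bits."""
    return n * math.log2(len(wordlist))


# --- Word mangling rules: list of words in, list of tokens out ---

def reverse_every_second(words):
    return [w[::-1] if i % 2 == 1 else w for i, w in enumerate(words)]


def split_middle_round_left(words):
    out = []
    for w in words:
        cut = (len(w) + 1) // 2          # rounding left: the longer piece comes first
        out.extend([w[:cut], w[cut:]])
    return out


def sort_letters(words):
    return ["".join(sorted(w)) for w in words]


def reverse_if_even_vowels(words):
    return [w[::-1] if sum(c in VOWELS for c in w) % 2 == 0 else w for w in words]


# --- Padding rules: list of tokens in, final password string out ---

def pad_with_char(words, ch="=", count=2):
    sep = ch * count
    return sep + sep.join(words) + sep


def pad_with_initial(words):
    # The word's own first letter counts, so prefix len(word) - 1 extra copies.
    return "".join(w[0] * (len(w) - 1) + w for w in words)


def pad_with_next_letters(words):
    # Append len(word) letters following the last letter; wraps past 'z' (assumption).
    out = []
    for w in words:
        base = ord(w[-1]) - ord("a")
        out.append(w + "".join(chr(ord("a") + (base + i) % 26) for i in range(1, len(w) + 1)))
    return "".join(out)


def pad_with_digits(words):
    # Append len(word) digits starting at the word length; wraps past 9 (assumption).
    out = []
    for w in words:
        n = len(w)
        out.append(w + "".join(str((n + i) % 10) for i in range(n)))
    return "".join(out)


def build_password(words, mangle, pad):
    """Apply one mangling rule, then one padding rule."""
    return pad(mangle(words))


if __name__ == "__main__":
    words = ["one", "two", "three"]
    print(build_password(words, reverse_every_second, pad_with_char))      # ==one==owt==three==
    print(build_password(words, reverse_if_even_vowels, pad_with_digits))  # eno345two345eerht56789
    random_words = choose_words(3)
    print(" ".join(random_words), f"({entropy_bits(3):.1f} bits from the words alone)")
```

Keeping mangling and padding as separate functions that pass a list of tokens between them is what makes the two stages composable; it also makes clear that the padding rule is applied to the mangled words (eno, two, eerht) rather than the originals, which is how the post arrives at eno345two345eerht56789.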

See also