Correct Horse Battery Staple

The EFF is on a campaign to get everyone to use better passphrases.  The best passphrases are unique for every site and unguessable, because they look like this:


Ideally, we'd all enroll in something like LastPass or 1Password, or we would start using KeePass or similar.  Then we'd all have a different passphrase, on the model you see above, one for every site.  All brute-force and rainbow-table attacks would be useless.  But we know, for a lot of people, it's a big adjustment to make.

A simpler approach than converting all logins to the use of a password manager is, making it a practice to build strong memorable passphrases out of a handful of common words.  This was made famous by an xkcd cartoon:

Correct Horse Battery Staple
xkcd August 10, 2011

So famous, in fact, that if you try to register "CorrectHorseBatteryStaple" as a new password on DropBox, you will get an error message telling you not to get your passphrases from webcomics.

The EFF Dice campaign advocates this type of strategy, using actual physical dice and a selection of word lists you can take as the source.  You look up the dice rolls in those lists to select the component words.  The advantage of physical dice and manual lookup is, you are protected in case the computer where you select the passphrase has already been compromised.

But I have some questions for those who insist on this level of isolation for the selection process of a new passphrase:

  1. If my computer is compromised and I know it, I'm not going to engage in setting a sensitive passphrase from it anyway.  So I can generate a passphrase using offline methods but I still need to get to a clean machine to install it.
  2. If my computer is compromised but I don't know it, I'm going to install the new passphrase from it.  Then I'm pwned, anyway.  So I lose nothing by generating the passphrase on it as well.  (I suppose if I am going to generate a passphrase from one machine and install it on another, I'm doubling the risk of being pwned if either machine is compromised.)
  3. If my computer is clean, using it to generate and install the passphrase is a negligible incremental risk from just using it to install the passphrase.

I get that the EFF is making an important point about randomness and about taking care of the entire chain of custody for high-stakes passphrases and keys.  I love the EFF, and I sent them a few bucks to support this campaign, and I got a cute T-shirt and set of dice in return.  But just for the convenience, I make my passphrases on a computer that I reasonably believe to be clean.

A while back, I scraped several overlapping online lists of the body of words known as SOWPODS, and put it in the back end of a simple spreadsheet tool that I share with you below.  Look at the grid that comes up and mentally select at least four words.  If you don't like the 25 you have to choose from at first, refresh for 25 more.

Finally: these multi-word passphrases are a great improvement over "Tr0ub4dor&3".  But are you really going to memorize 100 of them?  Or even 25?  No you most certainly are not.

So go get a f*ing password manager and then make yourself a good six-word passphrase!  Let THAT be the only passphrase you have to remember, forever more!

This article was updated on May 9, 2023

David F