Best way to make an uncrackable passphrase, using What3words

km1500

using three random.words is secure, but not as secure as you might think...

https://www.pentestpartners.com/security-blog/three-word-passwords/

400ixl

theoldmiser said:

Why not just use my simple method, and write the passwords in a password book that you keep on your desk? The ones you use every day, you will soon learn off by heart. (I have about five I use every day, and they're all really long, but easy to remember after I've typed them in about twenty times.)

Because it is impractical unless you only ever want to access from home. Otherwise you have to take the password book with you and it is vulnerable to loss or theft and it is then an unencrypted list of all your usernames and passwords.

I assume you are using a unique email address as well as unique passwords for every site.

Using a secure encrypted password manager like Bitwarden is far more of a solution. You can still use your three word approach if you so wish (it isn't a bad solution, but there are better) within the password manager.

If you only ever stay at home and your password book never has to leave the home then there it is better than nothing. provided you never get burgled.

You are finding a solution for a problem the world solved without you in a better way.

bob2302

IMO the only merit in using W3W is that it allows you to use the place as a way to regenerate the password. If you pick some featureless point in the sea it's just a low-quality random word generator, using a relatively small set of words.

theoldmiser

Yes, bob2302, the "only" merit in using What3words.com is that it makes it incredibly easy to find a far more secure password than 99% of people currently use. LOL.

theoldmiser

400ixl said:

theoldmiser said:

Why not just use my simple method, and write the passwords in a password book that you keep on your desk? The ones you use every day, you will soon learn off by heart. (I have about five I use every day, and they're all really long, but easy to remember after I've typed them in about twenty times.)

Because it is impractical unless you only ever want to access from home. Otherwise you have to take the password book with you and it is vulnerable to loss or theft and it is then an unencrypted list of all your usernames and passwords.

I assume you are using a unique email address as well as unique passwords for every site.

Using a secure encrypted password manager like Bitwarden is far more of a solution. You can still use your three word approach if you so wish (it isn't a bad solution, but there are better) within the password manager.

If you only ever stay at home and your password book never has to leave the home then there it is better than nothing. provided you never get burgled.

You are finding a solution for a problem the world solved without you in a better way.

"Provided you never get burgled." Show me ONE case of a burglar stealing a password book and using it to defraud the owner. It's never happened. Or it's happened so rarely that you can't find any reference to it on the entire internet.

Secondly, you don't need to take passwords for one hundred websites with you, out of your house. Obviously nobody is using 100 different websites at work for their job. You can easily write the passwords down on a card and keep it in your wallet (which I presume you take great care of anyway) and after time you will easily memorise the passwords. I have very secure passwords for my email account, my Ebay account, and two or three other websites which I use on a daily basis, which I have memorised. 

Didn't it occur to you that you could just COPY the three or four passwords you need to take away from home, onto a card? Or are you just trying anything to tell people that my idea is simply 'wrong', because the geniuses who give out password advice from businesses keep telling you "Don't write your password down", without even understanding WHY they are giving that 'advice'? They are telling you to do that because they read it somewhere else and blindly copied it. 

Unlike them, I've actually thought through everything I suggest. I proved, with numerous password checker websites, how secure my password methods are, yet there were still endless people telling me I was wrong.

theoldmiser

And to top it all, here is the advice from my bank in an email I received from them today, about how to avoid being scammed:

"Never do these 4 things on social media:

Use weak passwords

Mix letters, numbers and symbols for strength."

You literally couldn't make it up. How incredibly unhelpful that 'advice' is, isn't it, and that's why the average person hasn't got a clue how to make a secure passphrase.  No mention of the LENGTH of the password. No mention of how to memorise your useless password which has numbers and symbols mixed into it.

There is another easy way to make a secure passphrase, but it's beyond the intelligence of a lot of people - make up new words from old words.

For example, let's take three simple words:

Truck  Marmalade  Jelly

Change them to:

PruckBarmaladeFelly

Then add a chosen number to the end, just to make it longer. The longer it is, the more secure it is.

PruckBarmaladeFelly556

None of those words are dictionary words. 

When I put it into https://delinea.com/resources/password-strength-checker

It says "It would take a computer

9 sextillion years

to crack this password."

But it also says: 

"Possibly a Word and a NumberYour password looks like it might just be a word and a few digits. This is a very common pattern and would be cracked very quickly.Length: LongYour password is over sixteen characters long.Character Variety: No SymbolsYour password only contains numbers and letters. Adding a symbol can make your password more secure. Don't forget you can often use spaces in passwords."

So, despite the fact that their own system says it is uncrackable, they just HAVE to include the ludicrous advice to add 'symbols' and says "would be cracked very quickly", because they are blindly adhering to 'what somebody else said'.

Or put the password into here:

https://arsen.co/en/resources/password-strength-checker

It says it will take centuries to crack the password.

Still, all of that won't convince half of the people here, because until the TV tells them what to do, they will just blindly carry on doing what they are doing. Which is why so many huge companies get hacked and then held to ransom and lose hundreds of millions of pounds, because their I.T. people don't have a clue what a secure password is either...

flaneurs_lobster

theoldmiser said:

There is another easy way to make a secure passphrase, but it's beyond the intelligence of a lot of people - make up new words from old words.

I stopped reading there because I'm really too stupid to understand all this clever stuff.

 And I've read it all before in the preceding six pages - over, and over, and over again.

 PS You haven't shilled for What3Words for almost two posts.......

RumRat

Not sure what the fuss is about...My password manager dishes out random passwords for new sites and I use Passkeys on the sites supporting them.
Passwords are a necessary evil and no one remembers all their passwords, regardless of how they formed them.
Whichever method people feel safe with is probably the best for them. Even if it's not really the best overall.

JSmithy45AD

There's only 1 way to create a really secure password (spoiler alert: it isn't What3Words):- 

bob2302

https://forums.moneysavingexpert.com/discussion/comment/81855502#Comment_81855502

It's still produces a weaker password than just thinking of three words. In any case few sites will accept three words alone.