Most people rely on passwords that are unsafe, easily guessable and just plain lazy — but it doesn't have to be this way. Generating a secure password to hide your life behind is so simple, even a child can do it.
Scratch that: A child is doing it, and getting paid while she's at it.
Meet Mira Modi, the 11-year-old daughter of ProPublica journalist Julia Angwin. The New York City-based sixth grader started an online business generating cryptographically secure passwords by hand and mailing the only existing copies via U.S. postage. Each password costs $2.
"People are worried that I will take your passwords, but in reality I won't be able to remember them," Modi told Ars Technica. "But I don't store them on any computer anywhere. As far as I know there is only one copy of your password."
Modi opened for business after selling passwords in person at her mother's book events and speaking engagements, where sales were low. "This is my first business (other than occasional lemonade stands!)" she writes on her site's About page.
Modi is using a system called "Diceware." Many people think that adding chaotic punctuation and off-beat spelling, as is often required for creating new passwords, creates a password that's difficult to guess. But many hackers use brute-force software that simply tries thousands of candidate passwords every second.
With Diceware, however, a password has so many characters and so much entropy that even if a hacker is using software to guess trillions of passwords every second, it would take tens of millions of years to guess yours.
Each password is made up of six words, and each word is generated by rolling a six-sided die six times. The result is a string of random words drawn from an established list, making a password like "joule winter grave chide chief range."
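The roll-and-look-up procedure, sketched as an added example (not code from Modi's site or the Diceware project), with the operating system's secure random generator standing in for physical dice. It assumes the standard Diceware list layout of 7,776 words keyed by five-digit roll values; `SAMPLE_LINES` is a constructed placeholder list, and the function names are illustrative.

```python
import itertools
import math
import secrets

ROLLS_PER_WORD = 5     # assumption: standard Diceware list, keys "11111".."66666"
WORDS_PER_PHRASE = 6   # six words per password, as in the article


def load_wordlist(lines, rolls=ROLLS_PER_WORD):
    """Parse 'KEY<whitespace>WORD' lines and verify the list is complete."""
    table = {}
    for line in lines:
        if line.strip():
            key, word = line.split()
            table[key] = word
    expected = {"".join(k) for k in itertools.product("123456", repeat=rolls)}
    if set(table) != expected:
        raise ValueError("word list keys do not cover every possible roll")
    if len(set(table.values())) != len(table):
        raise ValueError("duplicate words shrink the real search space")
    return table


def roll_key(rolls=ROLLS_PER_WORD):
    """Simulate fair die rolls with the OS CSPRNG via the secrets module."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(rolls))


def generate(table, words=WORDS_PER_PHRASE):
    """Look up one word per group of rolls, like reading the printed list."""
    rolls = len(next(iter(table)))
    return " ".join(table[roll_key(rolls)] for _ in range(words))


def entropy_bits(table, words=WORDS_PER_PHRASE):
    """Entropy when every word is chosen uniformly and independently."""
    return words * math.log2(len(table))


# Constructed placeholder list: one unique token per key, NOT a real word list.
SAMPLE_LINES = [
    f"{''.join(k)}\tw{''.join(k)}"
    for k in itertools.product("123456", repeat=ROLLS_PER_WORD)
]

if __name__ == "__main__":
    table = load_wordlist(SAMPLE_LINES)
    print(generate(table), f"({entropy_bits(table):.1f} bits)")
```

The completeness and duplicate checks matter because a truncated or repeated word list silently lowers the entropy of every password generated from it.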
"Using physical dice will give you a much stronger guarantee that nothing went wrong," Micah Lee writes in the Intercept. "But it's time-consuming and tedious, and using a computer to generate these random numbers is almost always good enough."
What not to do when you create a password for yourself: However you design a password, avoid a string of numbers like "123456123456." Ditto the name of your favorite sports team or an easy mash of characters like "asdfjkl." Sounds obvious, right? You'd be amazed how many people are breaking these rules.