# How to choose a master password for LastPass

I like Troy Hunt’s site and I think he has lots of well-researched information on security matters, but on this matter he seems a little paranoid. Unless I’m missing something the logic seems to be:

- LogMeIn is bad because scammers sometimes use it, and also LogMeIn took away the free version that they said they wouldn’t.
- LogMeIn have bought LastPass.
- Therefore LastPass is probably unsafe to use now. Unlike 1-Password which is definitely, 100% safe, yessiree.

Or…Batter to duck a bee, then a rabbit.

Here’s some food for thought: Does your phone have a smart keyboard that lets you autocomplete words as you’re typing? Consider how few keystrokes it takes you to type in a typical phrase in a text. A passphrase is no more secure than a random password with that many characters. And probably a lot less, since even the good smart keyboards aren’t all that efficient.

It is the ‘that many characters’ part that is important. The possible permutations quickly become impossible to calculate before the heat death of the universe let alone any reasonable human scale.

Of course you shouldn’t use short but typical phrases as passwords, although there is no evidence of anyone cracking any of those at a large scale, but that also doesn’t mean that special characters or capitalization are that important either.

Here is a mathematical exercise for you if you want a challenge. Calculate how many permutations it would take to break that password by brute force. Now do it again for a pass phrase half as long and then a third as long with no special characters except underscores to string random words together. You are allowed 1 billion guesses per second. How long does it take assuming you have no idea what the general pattern or style is beforehand?

So how long would your word list have to be to include “Chronos”? Maybe 100,000? “is” and “the” are maybe 1 / 100 and the other words 1 / 10,000 so that’s 1 : 10^25. So that would take 10^16 seconds to try at a billion guesses per second = 10^11 days… Yes, you’d be safe.

Of course you’d be just as safe with a password that’s 12 random characters, and that’s only one third of the typing.

If you would just misspell one word (in a non-obvious way) you could add many, many zeros to the cracking time, or use half the length and be just as safe.

But memorability, and ease of entry on a typical device, are important factors in a password that you are going to enter manually, such as the master password for a password manager.

The six-random-words password planbavariaslowambervarycrush is, for me, a lot easier to remember, and somewhat easier to type since it consists entirely of lower-case letters, than the twelve-random-character &Sq\O0:Hw!s, which, as you have said, has roughly similar strength (assuming each element is chosen randomly with equal probability). Word-based passwords are more memorable because they take advantage of the mental associations that our imagination has already imbued the words with.

And by the way, six random words is overkill. Even if you choose from very common words only, that’s something like a 70-bit password. Three or four words is plenty, again assuming they’re randomly chosen.
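To put numbers on the comparison above (random words versus random printable characters at the thread's one billion guesses per second), here is a small calculator. It is an added example, not code from any poster; the word-list size (a Diceware-sized list of 6^5 = 7776 words) and the 95-character printable ASCII set are constructed assumptions, and the "years to exhaust" figure is the worst case of trying every candidate, not the expected time.

```python
import math

# Attacker speed the thread assumes: one billion guesses per second.
GUESSES_PER_SECOND = 1e9

def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for `length` elements each drawn uniformly from `alphabet_size`."""
    return length * math.log2(alphabet_size)

def seconds_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate of a `bits`-bit secret at `rate` guesses/s."""
    return 2.0 ** bits / rate

def compare_schemes(word_list_size: int = 7776, charset_size: int = 95) -> dict:
    """Entropy and exhaustive-search time for the schemes discussed in the thread.
    Defaults are constructed assumptions: a Diceware-sized word list (7776 words)
    and the 95 printable ASCII characters. Assumes uniformly random selection;
    a phrase you composed yourself (a sentence, a username) is far weaker."""
    schemes = {
        "3 random words": (word_list_size, 3),
        "4 random words": (word_list_size, 4),
        "6 random words": (word_list_size, 6),
        "12 random printable chars": (charset_size, 12),
    }
    result = {}
    for name, (size, length) in schemes.items():
        bits = entropy_bits(size, length)
        years = seconds_to_exhaust(bits) / (365.25 * 86400)
        result[name] = {"bits": round(bits, 1), "years": years}
    return result

if __name__ == "__main__":
    for name, r in compare_schemes().items():
        print(f"{name:26s} {r['bits']:6.1f} bits  ~{r['years']:.3g} years to exhaust")
```

Six words from a 4096-word list come out at exactly 72 bits, which is the "something like a 70-bit password" figure quoted above.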

That depends on the attack vector. If I’m using that password, then “Chronos” should be in even a very short dictionary, because it’s my username (and any reasonable attack scenario includes knowledge of usernames). And “is the” add nearly nothing at all, since they’re an extremely likely pair of words to follow a noun at the start of a sentence. Likewise “true” after “one”.

Which demonstrates that much of this debate hinges, as the stackoverflow guys said, on the user guessing how smart the attackers’ algorithms are.

If their dictionary attack is just that with no additional smarts, “is” and “the” are as good as two fairly obscure Scrabble words of the same length. If, OTOH, the attack process uses Bayesian prediction over the English language, like a smart keyboard does, then “<noun> is the [<adjective> …] <noun>” will be a canned attack pattern.

That’s pretty much what I got out of it. LastPass works great for me and I still see no compelling reason to switch to something else at this time. I have and will continue to regularly check up on any news regarding LastPass, but I’d do that no matter what password manager I was using.

As one of the commenters on that article put it:

“Is the sky falling? No, but keep looking up just in case.”

Now that it has appeared in public, it is compromised, but any silly phrase you won’t forget is a good idea.

I did

Street I grew up on
+
1st College Dorm
+
Father’s birth year