I have not lost a password in decades. And I don’t use a password manager like LastPass. At $12 the price is not the problem. The problem is I don’t like the idea of trusting a third party with passwords.
My passwords are created with a unix utility called pwgen. With all the security issues in the last few years I’ve started making passwords for each particular site. Long ones made of 15 to 25 characters with the command “pwgen -Bsy 15 1”. However entering these on the android is difficult. Finding special characters, numbers, even mixed case, is difficult. So I started thinking about using only the letters that are visible from the main input window on the phone. Basically the 26 letters a-z in lower case. Versus a-z, A-Z, 0-9, and about 33 strange looking characters for a total of about 95.
So putting it into a spreadsheet I see that 95**5 is roughly equal to 26**7. Meaning to brute force bust a 5 character password where each char could be 1 of 95 is the same as cracking a 7 character password of lower case letters. So now I do something like “pwgen -0AB 21 1”.
Entering in six more characters may seem like more work but in reality it is less. Keep in mind you have to make modal switches requiring one or two additional key strokes to get to the next character. So entering five characters from the pool of 95 or so takes about 10 keystrokes. So as many as 45 keystrokes for a 15 alpha-numeric random password versus a constant 21 keystrokes for an equally hard to break password consisting of only lowercase letters. Averaging that out to 1 extra modal switch results in 30 keystrokes versus 21 for only a-z. So my passwords are all of one particular case now.
Another way to look at it is via typing speed. My hunt and peck speed for special characters is slow. Frightfully slow.
Ivor O'Connor 
Leave a comment