So, They’re Making You Change Your Password?
Some of you might be coming up to mandatory password change time for one of the very few passwords you have to remember – for example your Windows domain password at work.
Unlike for all your other passwords, which should be long random nonsense made by your password manager, your Windows domain password (the one you use to login at work each day) is one of the handful of passwords you will need to remember and type out almost every day.
5 or More Random Words
Assuming your organization doesn’t have additional silly complexity rules like “passwords must contain 2 emojis and at least one gif of a kitten”, I suggest using 5 or more random words for these passwords that are easy for you to remember and type. See the Diceware and Passphrases section near the end of my Password Complexity for Non-Technical Consumers article if you want to know more about why I recommend this approach. Even if your organization requires additional complexity, you can start from the 5 random words and change a few places to meet the arbitrary rules – add a capital letter, add a number, add a symbol.
Let me talk for a second to the security people who are maybe squinting at me sideways for all the bad words I have for mandatory password changes and silly password complexity requirements. These policies are often driven by outdated certification requirements, certifications that are often required for business reasons rather than for security reasons. Outdated? See for example the NIST Digital Identity Guidelines from June 2017:
Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets. Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.
Yes, if people really did make a new complex password from their password manager each time we asked them to change their password, and memorize it, it would be better than what I’m recommending here. Yet we all know that is a fantasy and our job in cyber security is to deal with the world as it is, and with people as they are. If we make people change their passwords too much, and add in complexity requirements, we all know the result: it’s seeing lots of “MyPassword2022!” and similar in every new breach. This is not serving security, this is not serving our organizations, and it is not serving the poor put-upon humans we are supposed to be protecting.
Choosing Random Words
Ok, back to talking to the “normal people”.
In my password complexity article above, I explained how to choose random words using dice, the “diceware” method. That way is a lot of work and not practical unless you are a rare person who is lucky enough to enjoy that kind of tedious exercise. So how can everyone else do this? Here’s one simple way.
First download a list of words in your native language. The words_alpha.txt file here is one big list of words for English. You can find similar lists in other languages by using your favourite search engine with queries like, “French word list text file”. You can search in your own language of course, although often searching in English can weirdly give you more results.
Note that if your language uses accents or non-Latin characters, you will be safest transliterating the words you choose into Latin script (for example “koshka” instead of “кошка”), because unfortunately many software systems have been designed assuming only English-speaking Americans will ever use them. A password using your native characters can often result in things breaking.
With this wordlist, you can open it in Notepad++, Excel, or any similar program for looking at text files that shows you the line numbers.
Now go to your favourite search engine again and search for “random number”. Often the search engine is clever enough to give you an example you can use. For example DuckDuckGo gives me this right at the top before the search results:
0.417315204468653
Random number between 0 – 1
I can take those first 5 numbers 41731 and look for that line in the file and I have a word: “brujo”. Refresh the search page and I have another number and another word.
This Is Still Too Hard !
While this is certainly less tedious than rolling lots of dice to look up words, it’s still a lot of not particular fun work. We can do better!
One of the simplest ways is to use Excel – copy this formula into one of the cells:
=RAND() * 370103
This gives you a random number between 0 and 1 multiplied by the number of lines in the example word list file above. You can change the number in the formula to match your word list’s length. Then copy this formula to more cells to get more random numbers.
Easy, right?
By the way, if you want to, you can deliberately misspell some of the words – it makes it just a bit harder for someone who knows you do this to try every possible set of words from your list.
Why Do I Have Look Up Everything Myself ?
This way with Excel is definitely easier. And still it’s lots of tedious searching for rows to find the words. What if I want to just press a button and have my words already done for me?
If that’s the kind of question you have, you are going to love programming! Please don’t run away, I promise this is going to be super easy. 😂 We’re going to learn a tiny tiny bit of Python programming!
Python is a brilliantly accessible programming language, especially for beginners. And it is used everywhere people are playing with lots of data.
To get started, we need to install Python on our computer. By far the easiest way to get started is by downloading and installing the Anaconda distribution. I’m assuming Windows people here – if you have a Mac or Linux, you already have Python installed by default, and you probably know where to find things already.
Anaconda included absolutely everything you need for Python and data science. It’s like any other program, you download and run the simple installer. Done that? Great!
As part of Anaconda, you now have what’s called an Integrated Development Environment (IDE) called Spyder. Search your start bar and run Spyder. You’ll see, it is a super easy program that makes doing Python child’s play:
That big area on the right is where you put the Python code. The green play button on the top bar is where you run you code. And the Console area at the bottom left is where the results appear.
Your First Python Script !
Copy this code to replace what’s in the code area:
import pandas import random iWordsNeeded = 5 dfWords = pandas.read_csv( filepath_or_buffer='.\words_alpha.txt' ) iWords = len(dfWords) lstWords = [] for iPassCount in range(iWordsNeeded) : iRandomRow = random.randint(0, iWords - 1) lstWords.append(dfWords.iloc[iRandomRow, 0]) print(lstWords)
Some of those lines (7, 8, 14, and 15) are indented with the tab key – it’s important, without the indents, Python won’t understand. Add the tabs so the script looks like this in Spyder:
And Save the file with a name like random_words.py in the same place you saved the word list above.
Now press the green play button and watch the console. Do it again. Did you see something like this?
['unpardonable', 'sideboard', 'homunculi', 'ripperman', 'uncatholic'] ['yamaskite', 'inturned', 'reggie', 'stereotypical', 'sacramentally']
Just press a button and you have 5 random words.
Now try changing that “iWordsNeeded = 5” at the top to 7, and play again:
['hematogenous', 'sanjay', 'shirtdress', 'biblism', 'importing', 'ferrohydrocyanic', 'chlordane']
Yes, it’s really that easy to start doing something sort of useful with Python! ✨💫
And don’t worry if you can’t fully read that script yet – this is exactly how most programmers start. We copy something from a book or course or tutorial, get something that works, and then gradually learn what it means. And then learn how to adapt the program and find and fix problems. Then learn how to build new things from all the tiny pieces we’ve learnt.
Step by step – we don’t need to know everything immediately.
Those Words Are Hard !
The word list we have here includes a lot of very rare words which are probably not the easiest to remember, unless you are philologist (one of those rare words for someone who loves and/or studies words). No problem, we can find another shorter list. Try searches like “simple English wordlist text file”, there are many many lists out there in many languages.
There is also the EFF diceware list referenced in my password complexity article above.
When you get your new list, you will have to adapt the script to use it. The name of the file will be different. Maybe there are more columns or a different format.
For example, the EFF list has 2 columns separated by a tab, so you will have to learn some more syntax to modify my Python script above to import both columns and select the random words from the 2nd column only.
Don’t worry, this is just like when we don’t remember the right formula in Excel or the right setting in Powerpoint, we can search. You see that pandas.read_csv in the script? That’s the magic that’s bringing the text file into the script to do things to it.
So let’s search for: “pandas search column” and “pandas read_csv change separator”, and see what we get. Click some of the results and try to understand a little piece. Test it out on the code. Searching like this takes practice and experience, you will get lots of errors in the console. Don’t worry, that’s normal. You can use the errors you see in the console to search for help to try to fix the mistakes.
As you get more experience, your searches will become more precise, because you learn the right magic words, like “pandas”, to include. Try things, you’ll get there! 💫
You can also search things like “pandas beginner tutorial”. You will have examples, both articles and videos, explaining how different things work in more detail, especially aimed at beginners. Take any tutorial you like the look of. You can then try to adapt the examples they give to your case. When you get stuck, search some more, and try different ideas until you understand what works.
Your 2nd Python Script !
Here’s a tiny bit more sophisticated version of my script above, to allow you change between different word lists whenever you want. You can copy this into a new file in Spyder, or just copy over the old file contents:
import pandas import random iWordsNeeded = 7 strListToUse = 'eff large en' dctAllowedLists = { 'alpha en': { 'path': '.\words_alpha.txt', 'column': 1, 'separator': ',' }, 'eff large en': { 'path': '.\eff_large_wordlist.txt', 'column': 2, 'separator': '\t' } } dfWords = pandas.read_csv( filepath_or_buffer=dctAllowedLists[strListToUse]['path'], sep=dctAllowedLists[strListToUse]['separator'] ) iWords = len(dfWords) lstWords = [] for iPassCount in range(iWordsNeeded) : iRandomRow = random.randint(0, iWords - 1) lstWords.append(dfWords.iloc[ iRandomRow, (dctAllowedLists[strListToUse]['column'] - 1) ]) print(lstWords)
Like before, you will need to add the indents to match the image: 1 tab indent on lines 8, 13, 18, 21, 22, 23, 29, and 30; and 2 tab indents on lines 9, 10, 11, 12, 14, 15, 16, 17, 31, 32, and 33.
Now if you hit play again, you will get some simpler words like this:
['dinghy', 'kabob', 'opt', 'frivolous', 'vicinity', 'impound', 'backlash']
You can change back to the big list by changing the list name at the top in the string variable (“string” and “variable” are another two of those common magic programming keywords to search for) strListToUse.
You can try to add a new file to that dictionary dctAllowedLists for example a French words list you found. “Dictionary” was another of those magic keywords in Python that will help you better search for how to do things. For example, try searching for “python dictionary tutorial”, or “python dictionary examples”, or even “python dictionary syntax”, and see what you find.
This Was Really An Introduction To Python
Confession time – this article grew out of me still procratinating from writing and recording a “Data Analysis With Python” beginner’s training video series that’s been writing itself in my head for a couple of years now. 🙃
Are you hooked on playing with Python yet? Do you want to try some more and become a minor magician, a part-time computer-whisperer?
The scripts above are of course not the only way to do any of this. Part of the fun of programming is finding your own way, and if you’re lucky, finding a way that tickles your brain’s “ooo isn’t this nice?” buzzer. ✨
Another part of learning to do this kind of thing is looking at simple bits of code from other people and trying to understand how they work. That will often involve more searching like above.
Maybe you will see funny looking commands happening in someone’s code which you don’t know at all, and you try to search for them: “iloc”, “python iloc”, “pandas iloc” (this last is the one that’s going to get the best results), until you find an explanation that works for you.
Then maybe you will wonder why it has “-1” in different places in the code, and you will learn about how “indexing” works in most programming languages – we start counting from 0, not from 1, because that makes certain computer things easier.
And maybe you’ll see in the configuration for the big list that the separator is a comma, even though when you look in the text file there are no commas. And you wonder why. So you try removing it, or putting an empty separator there, or maybe some other things, and you see what happens when you run the script.
Congratulations, you just learnt about using default or placeholder values to avoid your scripts dying from “error computer too silly to understand what you mean”. ✨💫 By the way, if you want an example of how absolutely absurdly silly computers are, take a look at my article explaining Spectre & Meltdown for non-computer people.
Now you are familiar with a few basic ideas, know how to run a python script, and you are even starting to be able to understand the code, what do you want the computer to do now? Give it a go!
Categories