The other day, Bruce Schneier posted a note about “Recent Developments in Password Cracking.” At the end, he mentioned: “Finally, there are two basic schemes for choosing secure passwords: the Schneier scheme and the XKCD scheme.” The xkcd scheme, as some of you will recall, is laid out in this cartoon:
Much of the discussion on Bruce Schneier’s blog has included expressions of doubt that many users of the xkcd scheme are actually choosing the words randomly.
I use the xkcd scheme sometimes. Here’s how I try to ensure that I’m picking the words randomly. I have a telephone directory; fortunately, they still print those where I live. I go to Wordcount.org, a site which indexes the 86,800 most common words in the British National Corpus in numerical order by frequency. I close my eyes, open the telephone directory, and put my finger down on the page. I open my eyes and see the last four digits of the number nearest my finger. I put that number into Wordcount’s “by rank” search box and find the corresponding word. I repeat the process to come up with four random words.
So, for example, the number sequence 6841, 1131, 4508, 1967, yields this word sequence in Wordcount:
hatred interested lecture beneath
Say the word “hatred” makes me uncomfortable. Sometimes you will come up with a word you dislike, such as a curse word or an ethnic slur, or with a word that is too long, or one that is difficult to remember. Well, there are more numbers in the telephone directory; repeating the process, I come up with 4300. The 4300th most common word in the British National Corpus is “bench.” So, the password can be either:
bench interested lecture beneath
interested lecture beneath bench
My usual practice when one of the first four words is problematic in some way is to put its replacement at the end, but since “interested lecture beneath bench” sounds like a series of words that might possibly appear in some bit of writing somewhere, I would choose “benchinterestedlecturebeneath.”
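The selection and replacement rule above, written out as an added example that is not the post's own code: the Wordcount lookup is stood in for by a constructed table holding only the five ranks the post uses, and the phrase builder skips a draw of 0000 because no word has rank 0 (my assumption about how to handle it). It also reports the entropy, which is bounded by the 9,999 ranks a four-digit draw can reach rather than the full 86,800-word index.

```python
import math
from typing import Callable, Iterable, Iterator

# Constructed stand-in for Wordcount.org's "by rank" lookup: only the ranks
# mentioned in the post are present; a real run would consult the full index.
SAMPLE_RANKS = {
    6841: "hatred", 1131: "interested", 4508: "lecture",
    1967: "beneath", 4300: "bench",
}

RANK_RANGE = 9999  # the last four digits of a phone number reach ranks 1..9999


def xkcd_phrase(draws: Iterable[int], lookup: Callable[[int], str],
                reject: Callable[[str], bool], n_words: int = 4) -> list[str]:
    """Build an n-word passphrase from four-digit draws.

    Each draw is the last four digits of a phone number. Draws outside
    1..RANK_RANGE (e.g. 0000) are skipped since no word has that rank
    (assumption). A word that fails the acceptability test is dropped and
    its replacement lands after the words already kept, as the post does.
    """
    it: Iterator[int] = iter(draws)
    words: list[str] = []
    for draw in it:
        if not 1 <= draw <= RANK_RANGE:
            continue  # no such rank; take the next number
        word = lookup(draw)
        if reject(word):
            continue  # disliked word; the next acceptable word goes on the end
        words.append(word)
        if len(words) == n_words:
            return words
    raise ValueError("ran out of draws before reaching %d words" % n_words)


def entropy_bits(n_words: int = 4, pool: int = RANK_RANGE) -> float:
    """Entropy of n words drawn uniformly from `pool` ranks, ignoring rejections."""
    return n_words * math.log2(pool)


if __name__ == "__main__":
    draws = [6841, 1131, 4508, 1967, 4300]  # the post's five numbers
    words = xkcd_phrase(draws, SAMPLE_RANKS.__getitem__, lambda w: w == "hatred")
    print(" ".join(words), "->", "".join(words))
    print("%.1f bits from a 4-digit draw, %.1f bits if all 86,800 ranks were reachable"
          % (entropy_bits(), entropy_bits(pool=86800)))
```

Rejecting disliked words shrinks the effective pool slightly below 9,999, so the reported figure is an upper bound for this sampling method.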
There are other ways to have fun with Wordcount.org. You can look for little bits of unintended poetry in the sequencing. One of my favorites is the sequence of words from #5595 to #5598, “touching shallow charming fuck.” That tells the whole story of a bittersweet romance. Or #44631 to #44634, “uneaten reticulum, oxidative fungicide.” I can’t say that sounds like an appealing meal. Or #5844 to #5848, “publish solar petitions hurried Gabriel.” Or #50 through #56, “so no said who more about up.” Punctuate it as “‘So, no,’ said who? More about up!” A familiar story is told succinctly from #85 to #88: “See first! Well, after.” Punctuation can make a great deal of #100 through #164: “Got much? Think, work- between go years; er- many, being those before right, because through- yeah? Good- three make us such. Still, year must last, even take own, too. Off here come both- does say ‘Oh, used, going “‘Erm- use government day, man!'” Might same, under ‘yes,’ however, put world another want? Thought, while life again, against Never, need old look home. Something, Mr Long.” I grant you, it doesn’t make sense, but it keeps sounding like it is about to mean something. And several of the sub-sequences in there sound so good that it really is a shame they are gibberish.