Should dictionary words be used in passwords?

It is commonly advised that dictionary words should not be used when forming passwords. We would like to make the case that dictionary words can be used as long as the words are randomly chosen. This post illustrates how this may be done.

We pick 5 words at random from the following dictionary.

The idea is to choose 5 pages at random. Then choose a word at random from each page. There are 1,317 pages. We calculate the Excel function =RANDBETWEEN(1, 1317) 5 times to generate the following random numbers, each of which is considered a page number in the dictionary.

    562, 1292, 397, 857, 1171

Assuming that there are around 50 words in a page, calculate the Excel function =RANDBETWEEN(1, 50) and generate the following random numbers.

    40, 8, 19, 13, 29

Thus the first random word is the 40th word in the 562nd page in the dictionary, the second word is the 8th word in the 1292nd page in the dictionary and so on. The 5 random words are:

    idiotic, wideopen, evulsion, pinhead, theodolite

Putting these 5 words in a string produces the following password, which is 41-character long.


How secure is this password? The 5 words are selected at random from a fairly large dictionary. It has 1317 pages. Assuming 50 words per page, the dictionary would have around 65,000 words. According to the multiplication principle, there would be 65000^5=1.16 \times 10^{24} many ways to choose 5 words from this dictionary. This is 1 followed by 24 zeros, which is 1 septillion. When 1 is followed by 12 zeros, the result is 1 trillion. So 1 followed by 24 zeros is the same as 1 trillion times 1 trillion.

So a brute force dictionary attack would have to cover the universe of these 1 septillion 5-word strings. To get a sense of how big 1 septillion is, try this scenario. For a computer than can check 1,000 5-word strings per second, it will take over 1 million years to exhaust all the 1 septillion 5-word strings. Such a brute force attack may be more suitable for a parallel computing project that involves a massive number of computers than for a cyber criminal who has only a limited number of computers. Examples of parallel computing projects include the ones for searching for the largest known prime number (one example is GIMPS – Great Internet Mersenne Prime Search).

The words have to be chosen at random for this approach to work. If the words are based on movie titles, sport team names, names of celebrities and other types of familiar proper nouns as well as idiomatic phrases, then the universe of the word strings would be much smaller, maybe 20,00 or 30,000. In relation 1 septillion, 30,000 is in effect zero. The word strings from this tiny universe would be vulnerable to brute force attack.

Of course, the security of the random 5-word strings can be further enhanced. Use more random words, for example. Another possibility is to make them case sensitive. The above 41-character string can become the following:


Another possibility is to add numeric characters and special characters ($, *, # etc).

Of course, the password will be harder to remember if it is made case sensitive (especially if the upper cases letters are chosen at random). So a possible compromise is to make the first letter of a word upper case just to satisfy the case sensitivity requirement of many systems and websites along with throwing in some numbers and special characters. Simply add more random words for enhanced security.

In general, the approach of using multi-word phrase should be taken with care. The 5-word string that is demonstrated above requires some effort to produce – randomly selecting pages in the dictionary and randomly selecting one word from each selected page. I actually use a function in Excel to generate the random numbers to locate the pages. Instead, I can randomly flip through the pages. For some, that may still be too much effort. The danger is that someone may get lazy and simply use familiar proper nouns like favorite movies and sport teams such as the following:


Instead, the following is a better alternative.


The above string is taken from the first letters of the sentence “My favorite movie is Pirate of the Caribbean and I am a die hard LA Lakers fan”. It is an 18-character password that is taken from a memorable phrase. The resulting password is definitely much more secure than stringing the movie title and the basket team name together. See here for information on the approach of using a memorable phrase or several phrases.

\text{ }

\text{ }

\text{ }

Dan Ma math
Daniel Ma math

Dan Ma mathematics
Daniel Ma mathematics

\copyright 2017 – Dan Ma