Despite many known weaknesses and problems, passwords are ubiquitous. A new service, normally intended for geo-addressing, can be used to generate (reasonable) secure, easy to remember passwords. This article covers the mathematical basics as well as the pros and cons of this approach.
The new service What3Words assigns every 3 by 3 meter square on earth a unique three word “address”. For example, our Oneconsult office address translates to “boater.fund.trooper”. The wordlists to generate these “addresses” have been designed to be easy to remember and are available in different languages. Both properties make them interesting choices for password phrases. Additionally, the phrase is tight to a location, which can be used as a basis for remembering or recreating the passphrase.
But first let’s take a look at the strength of the passwords, which are generated this way. Password strength is best measured by the effort it takes to break them, which it tightly bound to the number of possible combinations. For example:
The wordlist to cover the entire globe consists of 40’000 unique words. Taking three of these gives 40’000^3 = 64’000’000’000’000 (64 trillion) possible combinations, of which only 57 trillion are used for addressing. For easier comparison we calculate how many bits would be required to store a unique number for each combination: log2(57 trillion) = about 46 bits.
For comparison let’s take a look at an eight character randomly chosen alpha-numeric password (26 lower case letters + 26 upper case letters + 10 numbers): log2(62^8) = about 48 bits.
So, a plain What3Words address is almost as strong as an 8 character random password. But, to be realistic most places will be on land and 8 characters length is not really that strong for a password.
The What3Words wordlists for other languages only contain 25’000 words to cover most of the land surface of the earth, so we can use this as an estimate how many combinations there are for places on land: 25’000^3 = 15’625’000’000’000 (15,6 trillion). That gives us only about 44 bits of security.
In order to increase the number of possible combinations there are some easy tricks, which can be used: Vary the casing of the words (e.g. “boat” -> “Boat”) and replace the dots with other special characters (at least 16 should be available) or numbers. This gives log2((25’000 + 25’000)^3*(16+10)^2) = about 56 bits of security, which is more than a random nine character alpha-numeric password (54 bits).
For comparison, what would you rather like to remember: “vkd6Dw1HT” or “boater-Fund7trooper”?
In short, the passphrases created from slightly varied What3Words “addresses” should be sufficient for most day-to-day purposes. Of course if an attacker expects you are using this scheme and use a favourite spot from your last holyday (of which a geo-tagged image is posted on Facebook), this scheme breaks down as any other.
How-to
Guidelines for creating passwords from places:
- Use a place, which is not easily tied to you (e.g. your home or work place)
- If possible choose a remote place, you can relate to or just scroll around until you find an “address” you like
- Vary the casing of the three words
- Replace the dots with other symbols or numbers
- Don’t tell anyone which password scheme you are using
For advanced usage and even stronger passwords you can additionally:
- Use a place on water, which is not covered by the 25’000 land wordlists
- Replace characters in the words with symbols or numbers (e.g. leetspeak)
- Add other words or numbers
- Choose a place to start and take a “walk” from there. Only taking one word from the “addresses” you cross
About Oneconsult
Jan Alsenz is Chief Research Officer at Oneconsult AG.
Oneconsult AG is a renowned Swiss cybersecurity consulting company with approx. 25 employees, offices in Switzerland and Germany, a customer base of 300+ organizations and 1100+ completed security projects worldwide. We are your trustworthy partner for a holistic cybersecurity approach against external and internal threats such as APT, hacker attacks, malware infection, digital fraud and data leakage. Our core services are penetration tests, ISO 27001 security audits and IT forensics. To protect your organization and mitigate specific information security risks, Oneconsult also offers practical security consulting, security training and virtual security officer services. Dedicated IT security researchers and a large team of certified penetration testers (OPST, OSCP, etc.), digital forensics experts (GCFE, GREM) and ISO security auditors (ISO 27001 Lead Auditor) are at your service.
