Salt Your Passphrase


  • Passphrase length is greatest contributor to strength, with memorability is preferable to complexity, but predictability is greatest detractor to strength.
  • Dictionary-based attacks use whole words to reduce cycles needed for brute force attacks.
  • Add punctuation to turn words into non-words (eg salting) to vault your passphrase to the next level.


We have seen that Cloud-backed Password Vaults such as 1Password , LastPass, Dashlane, etc make it easy to store all of our passwords in a single, secure, wallet that is automatically synchronized across all your devices. With these tools we have a method to keep all our passwords in a single place that is secure. The very definition of a High Value Target. Something we must be very diligent in protecting. Where 1Password, et al allow us to use non-predictable, unique, long, and complex passwords in our everyday lives by removing the memorable requirement, the master password for the wallet itself must be memorable.

Let’s review what makes a good master password for your password wallet.

  1. It must be memorable so we don’t have to write it down for daily use.
  2. It must be easy to type, since keyboards on mobile devices are harder to use.
  3. It must be long so that it takes a very, very, very, long time to crack.
  4. It must be non-predictable so a lucky guess can’t undo all of our hard work.

My own password for my password vault is not a password at all, but an 8-word phrase. It measures between 45 and 60 characters long (I won’t tell you the actual length of course), it is very memorable to me (something I memorized during my elementary school age) so I will never have to write it down.  By some measures it’ll take more than one hundred thousand trillion trillion trillion trillion trillion trillion centuries to crack my passphrase. This is all before I applied the technique that I will cover in this blog.


For teaching this technique of salting your passwords, and observe its benefits I will use the cracking algorithm that the site uses to estimate password strength. When I visited their site, they suggested 4 simple words chosen at random; shaw outlet fence butler. I suggest that you use more than just 4 words for your master passphrase, but let’s step through this simpler phrase.

Our baseline is thus a 4-word passphrase, with spaces, totaling 24 characters in length which is estimated to require 664 centuries to crack. That’s no slouch.


Let’s see what happens if we add a bit of complexity, just a bit. Can we get outsize returns? If we add a capital letter we increase Crack Time by 6x to about 3,900 centuries. Nice.


Okay this is fun. Let’s play with it a bit. What if we swap in a special character?


We get 3.1 million centuries, or 4,674x increase. Awwright! We are starting to get someplace. But maybe we’re getting too carried away. It is harder to crack but not very memorable, so let’s take a step back. Our primary goal for the master password is that it be memorable first, non-predictable and long.

Let’s choose to put the special character at the end.  Remembering add a dash at the end can’t be too hard to remember. Does it do anything for us?


That’s not bad return for a single character. From 664 to 39,230 centuries is a 59x increase in entropy. But moving the special character around doesn’t yield any more entropy gains, as we can easily see below.


That is until we make one of these words, NOT BE A WORD anymore.


Breaking up the word gives you 66 million centuries or 99460x added entropy over the original length or 1683x over the longer phrase. BINGO! I think we might be onto something.  What if make the word into a non-word by deliberate misspelling?


Even if you take back the dash, which reduces both the length and number of dictionaries needed to include in the cracking algorithm but preserve the not a word feature in your passphrase you still get significantly added entropy. 5.2 BILLION centuries or 7,868,692x added entropy on top of passphrase that is considered somewhat strong to begin with.


In short, use words for your memorable passphrases, but if you want to be super-duper extra mega, you will salt your password by throwing a mispelling [sic] in for good measure. The passphrase you would remember is shaw misspelled outlet fence and butler which is not all that much more to remember for a ciritical [sic] password as the password for all the others

When Marketing and Techies don’t speak

Time and again …

And so it goes that people talk past each other and they don’t even realize it. In my view this is what happened to Lumber 84 during their SuperBowl LI’s campaign. They drove traffic to a website that was ill equipped to handle the influx.

It takes a certain design to survive a flash mob’s interest. Ever wondered why the bathrooms at the stadium or the theater are significantly larger than those of in a train station, say Grand Central? Both facilities are design to handle lots and lots of people. The hallways are spacious, the materials used are hard/durable materials. So why would the bathrooms be so different? In two words, arrival rate. The arrival rate is what drives the design.

Simply put processing 100 widgets that arrive in a trickle means one or two processors would likely be sufficient. In contrast if those 100 widgets show up at once, the last widget processed will necessarily have a long wait time while all the previous 99 widgets are processed. For every one second of additional processing time, the 100th widget will spend an additional 99 seconds in queue, assuming only one processor. Open a second processor and the wait and delay are halved.


The site was not designed like a stadium or a theater, to handle a timed event, instead it was designed like a regular site. Consequently it is not surprising that when a flash mob showed up, it failed. Let’s take a look at this transaction below.

> GET / HTTP/1.1
> User-Agent: curl/7.35.0
> Host:
> Accept: */*
< HTTP/1.1 200 OK
< Cache-Control: private
< Content-Length: 20263
< Content-Type: text/html; charset=utf-8
< Server: Microsoft-IIS/8.0
< X-AspNetMvc-Version: 5.2
< X-AspNet-Version: 4.0.30319
< X-Powered-By: ASP.NET
< Set-Cookie: ARRAffinity=e1c140a4aab77c745107aadc5e7989608b845ae8bef3dccacc8aa1d26a8caebe;Path=/;
< Date: Mon, 06 Feb 2017 01:40:56 GMT

Cache-Control: private

The server is saying that the home page for the website should not be cached by so-called public proxies. Only end-browsers should cache the page. The server is saying only I can give the page to the browser. Helpful proxies need not apply. Consequently all browser’s request will come to the server.

Set-Cookie: ARRAffinity

The Azure Request Router Affinity cookie is enabled. Why would you do that? What is so special about this particular website that requires session affinity to the server? This feature should have been disabled.

In the end…

…the result was easily predictable and what most people saw was this


Hardly a compelling marketing campaign.