Why keyboard mashing isn't a great idea for password generation
Last edited by KogAdmin: added an aside about secure keys, dictionary qualifier. Mon, 19 Sep 2005 17:46 PDT
Many people have a funny idea: if you mash keys on your keyboard, you get a strong, random password. I suppose it might be stronger, but it won't be random (all arguments about random, pseudo-random and true randomness aside...), and it can probably be cracked by a dictionary attack. Think about it for a second.
Say that I mash the upper-left quadrant of a regular 104-key US keyboard (QWERTY layout, although I doubt Dvorak would be any better) and end up with a "random" stream of asdf, qwert, 1234 and maybe - if I'm cool - some zxcv. In total that gives you a password whose brute-force search space is at least 36^n, where n is the number of characters (as opposed to 62^n if you throw in upper-case letters). This is reasonably secure, in that it would take a long while to brute-force, but not against a dictionary attack* (it would, however, survive a trigram test, since it's phonetically nonsensical).
It would be plenty easy for someone to create a dictionary file that tests permutations of qwertyasdfgzxcvb12345 (narrowing the search space down to 20^n). Realistically, you could narrow the search further to asdfqwer, which is 8^n. I think it would be interesting for someone to go out and run a dictionary built this way... and see how many people have passwords they thought were completely "random" or somehow strong. People have watched too many movies: who is seriously going to try anniversary dates, birthdates, etc.? Probably your friends, but the average joe-schmo looking to set up a BNC on your box doesn't know you, and probably wouldn't think you were stupid enough to do that anyway. I somehow doubt that "god," "love," "sex" and "secret" are the top four passwords: but if yours is one of them... instead of mashing keys, go out and find makepasswd or something.
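The search-space argument above, worked through as an added example (not code from the original page): it computes the brute-force cost for the full 36/62-symbol alphabets versus the narrowed keyboard-region sets the text proposes, scores a candidate password by how many of its consecutive keys are physically adjacent on QWERTY (a cheap policy check for mashed passwords), and shows the makepasswd-style alternative using a CSPRNG. The QWERTY row model, the alphabet names and the scoring rule are my own assumptions.

```python
import math
import secrets
import string

# Constructed QWERTY model (US layout, letter and digit rows only); the row
# stagger is ignored, so "adjacent" below is an approximation.
QWERTY_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
KEY_POS = {ch: (r, c) for r, keys in enumerate(QWERTY_ROWS) for c, ch in enumerate(keys)}

# The 36/62-symbol sets a brute-forcer assumes versus the narrowed "mash"
# sets from the text that a tailored dictionary would use instead.
ALPHABETS = {
    "home-row cluster": "asdfqwer",                                  # 8 symbols
    "upper-left quadrant": "qwertyasdfgzxcvb12345",                 # 21 symbols
    "lower+digits": string.ascii_lowercase + string.digits,         # 36 symbols
    "mixed+digits": string.ascii_letters + string.digits,           # 62 symbols
    "printable ASCII": string.digits + string.ascii_letters + string.punctuation,  # 94
}

def search_space_bits(alphabet_size, length):
    """log2(alphabet_size ** length): brute-force work if each symbol is uniform."""
    return length * math.log2(alphabet_size)

def smallest_covering_alphabet(password):
    """Smallest listed alphabet containing every character: the dictionary an
    attacker who has guessed the mash region actually needs."""
    for name, symbols in sorted(ALPHABETS.items(), key=lambda kv: len(kv[1])):
        if all(c in symbols for c in password):
            return name, symbols
    return "unknown", None

def effective_bits(password):
    """Search-space bits once the password is known to live in its smallest alphabet."""
    _, symbols = smallest_covering_alphabet(password)
    return None if symbols is None else search_space_bits(len(symbols), len(password))

def mash_score(password):
    """Fraction of consecutive key pairs that sit next to each other on QWERTY:
    a hand rolling across the keyboard scores high, a uniform draw near 0."""
    pos = [KEY_POS.get(c.lower()) for c in password]
    pairs = [(a, b) for a, b in zip(pos, pos[1:]) if a and b]
    adjacent = sum(1 for a, b in pairs if abs(a[0] - b[0]) <= 1 and abs(a[1] - b[1]) <= 1)
    return adjacent / max(1, len(password) - 1)

def random_password(length=16, alphabet=ALPHABETS["printable ASCII"]):
    """What makepasswd-style tools do instead of mashing: one CSPRNG draw per symbol."""
    return "".join(secrets.choice(alphabet) for _ in range(length))
```

For an eight-character mash confined to asdfqwer the effective search space is 8^8, about 24 bits, against the 41 bits a brute-forcer assuming 36 symbols would expect.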
Notes
It can be the case that the person hits the upper-right quadrant, only the number pad, etc. It doesn't matter: it still narrows the search space and is still not particularly random (people mashing keys tend to repeat themselves... I have no scientific explanation, although I'm sure one exists). Further, even though most people are right-handed, it does appear that most keyboard mashers instinctively go for the home row on a QWERTY layout. Or so I rationalize why they always seem to gravitate to the left side...
My roommate pointed out that a good password should involve two hands. Personally, I wrote a generator that generates several passwords of different lengths in one go. Whatever works... However! Don't go and generate a 30-digit password if you're just going to write it on your whiteboard or on a sticky note on your monitor... Although, they make this cool digi-key that changes every 30 seconds and spits out different-length passwords on an LCD screen... I bet it wouldn't be too hard to make.
* Consider it an altered dictionary, built specifically to defeat pseudo-random keyboard mashes. Still a dictionary, but not strictly one of English (or any other natural language) grammar.
This page is CategorySecurity