Cryptographic Cognition

Alex Stevovich's portrait
By Alex Stevovich

A dear friend of mine is a medical sonographer (ultrasound performer). Over the years he's mentioned to me countless times that yet another patient said the joke:

So, is it a boy or a girl?

The overwhelming majority of his patients are not expecting parents. Ultrasounds are used for all kinds of injuries and medical investigations, yet an uncanny number of people crack that joke. They usually deliver it with a clever grin, as if the thought had just occurred to them. It's so common that he often hears it multiple times in a single day.

From this vantage point, it's not a joke. It is a reflex to stimulus. Each person believes they've arrived at the idea independently, yet the person standing beside the machine has heard the exact same words, delivered with almost the same cadence, hundreds of times before.

Humans are pattern generating machines who believe they are randomness generating machines. That gap, between perceived novelty and actual predictability, isn't just a quirk of small talk. It's one of the oldest and most persistent vulnerabilities in applied cryptography.

Whenever a cryptographic system depends on a human to supply unpredictability (a passphrase, a PIN, an answer to a "security question," even the physical jiggling of a mouse used to seed a random number generator) it inherits the same flaw as the ultrasound room. The human doesn't generate randomness. The human generates the same joke everyone else tells, convinced it's original.

Heuristics

Heuristic is a word that's thrown around constantly in technology. It's surprisingly broad and difficult to pin down. Succinctly, heuristics mean pragmatically but not perfectly solving a problem: a clever trick or shortcut that sometimes solves a problem without taking the long, perfect way. It is also commonly used in software to describe practical strategies for problems where an exhaustive or perfect solution is computationally impractical or simply unknown.

In the context of passwords we are heuristically guessing how humans make passwords. Just like the joke humans have a fundamental weakness of making passwords that they think are clever, but are instead heuristically vulnerable.

Real-world password cracking tools analyze massive collections of leaked passwords, identify recurring patterns, and encode them into algorithms capable of generating vast numbers of likely password candidates. Machine learning and AI have only accelerated this process. These systems allow attackers to efficiently exhaust the low-hanging fruit. Exactly what constitutes low-hanging fruit depends entirely on the sophistication, computational resources, and objectives of the attacker.

Perspective

Before beginning, a brief note on perspective.

I work in software engineering and systems development, where security and cryptographic practices are part of the job. I'm not writing from inside high-stakes cryptographic research — this is systems theory and human cognition applied to a specific problem, which is where my thinking tends to live regardless of domain.

What follows was reasoned out independently, not drawn from the cryptographic literature. Where it overlaps with existing research, I'll note it as it comes up.

These are working notes on a subject I find genuinely interesting — not a proposed standard, not professional guidance.

Glossary

  • Algorithm: A defined sequence of steps used to solve a problem or produce a result.
  • Brute Force: Attempting every possible password until the correct one is found. On average, this takes roughly half the total keyspace in attempts.
  • Heuristic: A pragmatic but not perfect solution to a problem. An easy shortcut that works sometimes but not everytime, or works well enough but not perfectly.
  • Entropy: A measure of how unpredictable a password is, typically calculated from how many possible characters it could contain and how long it is. Higher entropy is generally assumed to mean greater resistance to guessing.
  • LLM (Large Language Model): An artificial intelligence system trained to understand and generate human language.
  • String: Programming jargon for any text. A string might be one letter, a word, a sentence, or thousands of pages.

The Challenge

This paper is a thought experiment into cryptographic cognition: the intersection between cryptography and human thought. While many of the ideas explored throughout are broader than passwords alone, the central challenge motivating this work is a practical one. Can a human reliably remember a password that is genuinely secure against a sufficiently capable attacker?

Modern authentication systems do an excellent job of moving cryptographic burden away from human memory. Password managers, passkeys, hardware security keys, and other technologies exist precisely because they allow machines to generate, store, and manage secrets that people could never remember themselves. Yet every one of these systems ultimately depends on a final point of trust: a master password, recovery phrase, emergency PIN, or some equivalent credential. Somewhere, the chain has to terminate in something a human being can actually remember.

And that is the challenge.

The human mind cannot reliably store a truly high-entropy password, one long and random enough to resist brute force, in a form it can consistently recall on demand. Random strings of sufficient length are, for almost everyone, simply not memorable. If the theoretical ideal of password security lies beyond the practical limits of human cognition, then perhaps the problem itself deserves to be reconsidered. Rather than asking how close human memory can come to maximum entropy, this paper asks whether there exist other cognitive strategies that remain practical for people while still presenting formidable obstacles to an attacker.

Lock Out

An attacker is not the only threat a password has to survive. A second, threat is self-lockout. A password or system so complex the user forgets it. A password assembled from some external reference, a phrase, a pattern, or a source that is later lost or destroyed, taking the password with it. A password that is theoretically perfect but practically irrecoverable has still failed. Nothing was stolen. Nothing was breached. The information is simply gone, encrypted into oblivion by the very credential that was meant to protect it.

Public and Private References

Many of the ideas explored throughout this paper rely on remembering a simple concept rather than the password itself. A password may be derived from a document, a phrase, an image, a piece of source code, or some other reference. This introduces an important tradeoff.

Private references are generally more difficult for an attacker to discover because they exist only within the user's own environment. The disadvantage is that they must also be preserved. If the final copy is lost, the password may be lost with it.

Public references have the opposite properties. They are far easier to recover because they exist independently of the user. If the reference is forgotten or misplaced, it can usually be obtained again from reality. However, this also makes it more knowable to an attacker, increasing the likelihood that it eventually becomes part of a sufficiently sophisticated attack corpus.

Neither approach is universally better. One prioritizes obscurity, the other recoverability. Throughout this paper I treat them as two ends of the same design spectrum.

Bootstraps

Throughout this paper I assume the password being discussed is itself a foundational credential, such as the master password to a password manager or the credential protecting a user's most important encrypted data.

For that reason, suggestions such as storing the reference in an email account, cloud storage, or another password-protected service do not solve the problem. Accessing those services already depends upon credentials that ultimately derive from the very password we are attempting to remember. The chain must terminate somewhere. The challenge explored here is discovering a password that can stand at the root of that chain without depending upon another protected account for its own recovery.

Environmental Assumptions

This thought experiment also assumes the password should survive the loss of the user's local environment. I intentionally do not rely upon physical reminders such as notebooks, printed papers, books on a shelf, labels, safes, safety deposit boxes, or any other object whose survival depends upon continued physical access.

Instead, I assume extreme but plausible failures: regional displacement, fire, flood, tornado, earthquake, electromagnetic disruption, theft, or any other event capable of separating a person from their possessions. Any service provider is considered temporary. The password should ideally remain recoverable through memory, or through references that exist independently of the user's personal environment.

Entropy

Entropy is the standard way cryptography estimates the unpredictability of a password. At its simplest, it is usually discussed in terms of the password field itself: how many different characters each position may contain, and how many positions there are.

Total Passwords = Character Set ^ Password Length

For example, if a password is 10 characters long and each position may contain one of 94 printable keyboard characters, the total search space is:

94¹⁰ = 53,861,611,201,495,341,056 possible passwords

Entropy Bits

Entropy is commonly expressed in bits by using this formula:

Entropy (bits) = log₂(total possible passwords)

Every additional entropy bit doubles the number of passwords an attacker must search.

Entropy of the Generative Process

From here the subject branches into several related ideas about entropy. Those distinctions are important academically, but they are not necessary for the purpose of this paper. What matters is understanding that there is a difference between the entropy of a password space and the entropy implied by the process that generated a particular password.

Imagine a perfectly random password generator producing two eight-character passwords:

R7@k!2Qm

AAAAAAAA

Both passwords came from exactly the same random process. The generator itself is expressing maximum entropy because no human preference, memory, or heuristic influenced the result. The second password simply happened to be an extremely unlikely outcome of that random process.

Entropic Purity

I will briefly step outside established terminology and coin my own term: Entropic Purity.

This represents a real but epistemically inaccessible grading of how closely an output appears to resemble the product of perfect randomness.

For example, imagine a generator producing two passwords:

Q7@mL2#vX9!c

tifalockhart

The prior, tifalockhart, appears to exhibit obvious human structure despite arriving there purely by chance. I would therefore describe tifalockhart as having lower Entropic Purity, even though the entropy of the generating process was identical.

This is an attempt to describe that the entropy of the generative process cannot be inferred from the output alone. I find this to be one of the more bizarre, perhaps even paradoxical, aspects of cryptography.

Attack Contexts

Offline Attack

An offline attack means the attacker has already obtained the password hash (or encrypted data) and can test guesses locally without interacting with a server, there are no ways to throttle it and the attacker can try as rapidly as possible. The cost of each attempt is simply the time required to compute the password verification algorithm. Depending on how the password is stored, this may be extremely fast or intentionally slowed using algorithms designed to resist brute-force attacks.

This would be equivalent to attacking an encrypted ZIP archive, password manager database, or any other encrypted file that can be copied and tested locally.

Online Attack

An online attack is interacting with a designed access point like a login form on a website. The site itself has the ability to throttle your attempts as much as it wants, introduce time delays, make you do captchas, or even ban your IP and other countermeasures if you do suspicious things.

Entropy as Time

The crack times quoted throughout this paper are only rough illustrations. There is no single answer to how long a brute-force attack takes because it depends on how much computing power an attacker is willing to devote to the search. One computer may take years, while a thousand similar computers could complete the same search dramatically faster by dividing the work between them. The examples in this paper should therefore be understood as representing a modern, high-performance attack rather than a fixed or universal measure of time. Given enough motivation, budget, and hardware, these times can be reduced substantially.

The times below are rough estimates assuming an offline attack using a general idea of what a modern system computing these tasks would be able to do.

  • 32 bits: Cracked in a fraction of a second.
  • 64 bits: Months in a fast offline attack.
  • 128 bits: Millions of times longer than the age of the universe
  • 256 bits: Incomprehensibly beyond any practical timescale; vastly longer than the remaining lifetime of the universe.

Metis

I propose the term metis (From Mētis Greek:Μῆτις) as a subjective score representing the intrinsic heuristic uniqueness of an idea.

Metis is not entropy. It is not measurable, calculable, or objectively comparable. Instead, it attempts to describe the intrinsic resistance of an idea to heuristic discovery. A metis score of 0 represents an idea that is immediately obvious and almost certain to be included in conventional attacks. A score approaching 1 represents an idea so uniquely conceived that no practical heuristic would ever be expected to discover it.

Unlike entropy, metis cannot be computed. The scores assigned throughout this paper are subjective human judgments rather than mathematical quantities. My intuition, however, is that a true metis value objectively exists, even if it is forever beyond our ability to calculate. In other words, I believe it is epistemically inaccessible rather than fundamentally undefined.

Different people may naturally possess different abilities to invent ideas with high metis scores, just as they differ in creativity, abstraction, or pattern recognition. Whether such a quality truly exists is one of the central questions explored throughout this paper.

Ideas & Hypotheses

In this paper I distinguish between two opposing concepts: Ideas and Hypotheses.

An Idea is the mental construction a person invents to produce a password. It is not necessarily the password itself, but rather the concept, rule, memory, or process from which the password is derived.

A Hypothesis is the attacker's attempt to discover that Idea. Rather than guessing passwords blindly, a sophisticated attacker attempts to formulate hypotheses about how people think. "My mom's name plus my dad's birth year" is an example of such a hypothesis. It is not a password yet, but a rule capable of generating one. The attacker's task is to invent the correct hypothesis; the defender's task is to invent an Idea that resists being hypothesized.

Idea SeeDs

Ideas that humans remember often are anchored by what I call an Idea Seed: a small concept so deeply emblazoned in memory that it can reliably regenerate a much larger chain of thought.

For example, my own Idea Seed is Tifa Lockhart. She's my ultimate waifu, so she's easy for me to remember, and only I know that.

You'll notice I use her name throughout various examples in this paper. The seed itself is not the password; it is simply something I know I can never forget. From that seed I can build increasingly complex ideas through transformations and associations. Not every password construction requires an explicit seed, but I believe human memory naturally works this way. Even complex memories often reduce to a handful of simple anchors from which the rest can be reconstructed.

Idea Transforms

An Idea is not limited to plain values like names or dates. It can also consist of a transform, something closer to an operator than a value, similar in spirit to arithmetic operations like addition or multiplication. A transform takes an input and systematically turns it into something else.

As an example, imagine a calculator that takes a string, converts each letter into a corresponding number, and then exponentiates a running total by each successive letter's numeric value. Typing in a name like TIFA LOCKHART through this process produces an enormous number, far larger than anything a person could generate by typing digits directly. That process is a transform, and the transform itself becomes part of the Idea. Now I can remember an unfathomably large number. This matters because a person doesn't have to remember the output; they only have to remember the transform and its input.

Idea Symbols

An Idea can also act as a placeholder for a large body of content the person doesn't actually memorize, only references. For example, someone could set their password to the full copy-pasted text of their 2011 tax return PDF. No one could recite that text from memory, but they could easily remember "my 2011 tax return PDF, pasted in full" as the instruction for producing it.

These pieces can also be chained. A password could be defined as: take the full text of my 2011 tax return, apply the alphanumeric string exponentializer to it, then reverse the resulting string. Each step is a transform, and the chain of transforms—not any specific value—is what the person actually holds in memory.

Spaces

Keyspace

Keyspace is the complete set of every password a system can technically accept. It is determined entirely by the rules of the password field: the allowed characters, the minimum and maximum length, and any other input restrictions. Keyspace makes no assumptions about what a human would actually choose. It simply represents every value that could exist.

Search Space

Search space is the total set of password candidates an attacker actually evaluates during a specific attack. Unlike keyspace, which is fixed by the system, search space depends entirely on the attack strategy. A brute force attack attempts to make its search space equal to the entire keyspace. A heuristic attack deliberately searches only selected regions of that keyspace where human-generated passwords are believed to be concentrated.

Hypothesis Space

Hypothesis space is the full range of guesses an attacker might reasonably try, based on patterns, rules, and human behavior — as opposed to keyspace, which is the full range of values something could technically be. In terms of ideas an attacker could pursue, hypothesis space is effectively infinite; there's no limit to the number of theories or angles someone could chase. Keyspace, by contrast, is often small. Take a single digit password: a number from 0 to 9. An attacker could dream up endless theories about what that number "means" — birthdays, lucky numbers, favorite jerseys — but the number of possible answers is exactly ten. Chasing clever theories about what the number represents is almost always a worse strategy than just trying all ten directly.

Idea Space

Idea space is the counterpart to hypothesis space, seen from the other side of the password: it's the boundless range of ways a person can dream up a secret in the first place — a memory, a transform, a reference, a chain of both. Where hypothesis space is what an attacker searches, idea space is what a creator draws from. And unlike hypothesis space, which collapses under cost the moment it gets expensive to explore, idea space has no such ceiling. A person can always go one layer more abstract, one more transform deep, one more obscure reference — there's no threshold where generating a new idea becomes "not worth it" the way there is for guessing one.

Idea Space Theories

This section proposes a theoretical model for understanding the relationship between Hypothesis Space, Idea Space, and classical brute force.

Expense

The expense of a heuristic attack is the total number of attempts required to generate every permutation of every hypothesis the attacker chooses to execute. Every hypothesis contributes some number of candidate passwords, and the total expense is simply the sum of all of those attempts.

The Threshold

At some point, the cumulative expense of a hypothesis-driven attack exceeds the total number of attempts required to brute force the remaining keyspace. I call this the Threshold.

Past this point, heuristics cease to provide any computational advantage over exhaustive search. An attacker may still continue generating hypotheses, but from a computational perspective they have already spent more effort than brute force would have required.

Beyond the Threshold still exists an effectively infinite Idea Space capable of expressing passwords within the finite keyspace. Human creativity does not terminate simply because brute force has become the cheaper strategy. There always remain further ideas, transformations, abstractions, and constructions capable of producing passwords that lie somewhere within the same finite password space.

The Crossover Point

This Threshold resembles the goal of guessing-number research, which seeks to identify the point at which heuristic attacks cease being cheaper than exhaustive search. I arrive at the same destination from a different direction: by considering the relationship between a finite keyspace and an effectively unbounded Idea Space.

The exact location of this threshold could, in principle, be determined only in hindsight, once every hypothesis had either been executed or discarded. In that sense, an all-knowing observer—call it God, for lack of a better term—could assign the exact Threshold for any password against any attack.

As with many qualities proposed throughout this paper, I consider this threshold to be objectively real but epistemically inaccessible.

Algorithmic Expressibility

Not every password construction is equally likely to become an attack rule. Some ideas are simple to express algorithmically, while others become increasingly difficult to describe without introducing so many variables that the rule itself ceases to be practical.

Expressibility

I will refer to this quality as Algorithmic Expressibility: the degree to which a password construction can be cleanly expressed as an algorithm.

This is not simply a question of whether a rule can exist. Given enough effort, any specific password could be described by an exact rule that generates only that password. Such a rule is meaningless because it solves nothing beyond the password it already knows.

Instead, useful rules are those that generate many plausible passwords while requiring relatively few total attempts. A good rule compresses a large amount of human behaviour into a compact algorithm.

Brute Force

Brute force is the simplest rule imaginable. It generates every possible password, but it also generates the entire keyspace, making it computationally expensive. Heuristic rules exist because they attempt to express a much smaller collection of likely passwords for far fewer attempts.

As additional variables are introduced, however, a rule gradually loses its advantage. Eventually it becomes surrounded by so many equally plausible neighbouring rules that no single rule can reasonably be preferred. At that point the attack begins to resemble brute force in another form: not by exhausting the keyspace directly, but by exhausting an ever-growing space of possible algorithms.

This suggests there exists a practical boundary beyond which some ideas are simply no longer worth expressing as attack rules. They may still be perfectly describable, but the computational cost of expressing and executing the rule outweighs any advantage it provides over brute force.

Folding Spaces

Many constructions within Idea Space appear, at first glance, to dramatically reduce the search space. They seem to offer a compact algorithm capable of expressing a vast family of passwords.

Yet repeated examination often reveals an interesting pattern. As additional variables are introduced to make the rule expressive enough to capture increasingly complex ideas, the rule itself begins to unfold into a search space approaching the size of the password space it was intended to replace. The apparent compression gradually disappears.

This reminds me of mathematical objects that contain smaller versions of themselves, or the thought experiment of a library containing every possible book, where removing a page still leaves another library containing every possible remaining book. The space appears to fold back into itself.

I suspect many heuristic attacks possess this property. A hypothesis may initially appear concise and powerful, but once all of the parameters, transforms, exceptions, and neighbouring possibilities are accounted for, expressing the hypothesis begins to require exploring a space comparable to the one it was attempting to avoid. At that point, the distinction between searching hypotheses and searching the password space itself begins to blur.

War Games

A favorite pastime of mine is to subject passwords to a fictional scenario: What percentage chance would the NSA have of cracking this password if it possessed 100,000 years, technology one hundred years beyond today, and unlimited motivation? The exercise is intentionally unrealistic. It is pure guesswork about a scenario we cannot truly know, so throughout this section I will simply speculate rather than continually qualifying every statement with disclaimers.

Modern discussion naturally favors classical entropy models because they are quantifiable. Yet there is another value that we cannot presently quantify: the size and structure of idea space. The following examples are simply an exploration of what that unknown might mean in practice.

These are exploring ideas that humans could easily hold in their memory.

1. Word Repetition

The word password repeated 230 times.

passwordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpasswordpassword

If this hypothesis were guessed and prioritized early, the broader rule would provide only around 24.5–26 bits of security, which is extremely weak. This figure assumes a dictionary of roughly 100,000–300,000 words, with every word tested at repetition counts from one through 230. Once programmed, the NSA could exhaust that entire rule in a fraction of a seconds.

A more obscure word might provide slightly more practical protection because some attacks use smaller dictionaries, but it would not meaningfully strengthen the rule against an attacker willing to test a complete one.

Within the fictional 100,000-year timeframe, I would speculate that this rule would be attempted within days. Is there a repetition count so extreme that it would fall beyond the range anyone thought worth testing. (I capped the entry exactly at 230 attempts but what if we did 2300).

Exploring the rule more fully would also require variations such as leetspeak, capitalization, camel case, common substitutions, misspellings, separators, and other transformations. These would greatly expand the number of attempts, although the basic repeated-word rule would remain cheap to test.

The inclusion of even a single wildcard could greatly improve the password's chances by creating uncertainty beyond the repetition rule itself. An unusual misspelling could do the same if it were absent from both the attacker's extended dictionary and its collection of common misspellings. If the altered word were already present in either set, however, the repeated-word rule would remain trivial to test.

2. Wild Card

The number "1" 320 times with the 270th spot switch to "^".

1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111^111111111111111111111111111111111111111111111111111

The hypothesis required to catch this would be: repeat any character up to 320 times and replace one occurrence with a different character from the same set. Using the roughly 94 printable characters found on a standard keyboard, the complete rule provides around 29 bits of entropy. Expanding the search to roughly 100,000 Unicode characters, including large Chinese, Japanese, and Korean character sets, raises it to around 49 bits. Searching the entire Unicode code-point range would raise it to roughly 56 bits.

Even the broadest version could be exhausted in hours by the fictional NSA once the rule had been programmed, making this a reasonably attractive rule to include.

My hunch is that this password would be discovered within the first year. It would need several additional twists to have a serious chance of surviving.

龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘㐂龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘龘

This version suggests a much more expansive character set, but even searching the entire Unicode range would remain feasible within hours once the rule was known.

A key insight is that the length and wildcard position contribute relatively little to the rule's complexity. Each adds only about eight bits at a maximum of 320 possibilities. Most of the entropy comes from selecting the repeated character and the replacement character. A much shorter version of the password would therefore offer nearly the same protection.

3. Human Twists

A popular Beatles lyric divided into two halves. The first half is repeated nine times and suffixed with !, while the second half is repeated eleven times and suffixed with #.

iwantto!iwantto!iwantto!iwantto!iwantto!iwantto!iwantto!iwantto!iwantto!holdyourhand#holdyourhand#holdyourhand#holdyourhand#holdyourhand#holdyourhand#holdyourhand#holdyourhand#holdyourhand#holdyourhand#holdyourhand#

This is where I begin to lose confidence in my intuition.

Unlike the previous examples, the attacker is no longer searching for a simple structural rule. The password is built from several independent human decisions: selecting a particular lyric, deciding where to divide it, repeating each half a different number of times, choosing punctuation to separate the repetitions, and finally concatenating the result into a single password.

None of these decisions are individually difficult to search once they have been hypothesized. The challenge is deciding that this family of constructions deserves to be searched at all. A rule capable of finding this password would likely need to explore not only song lyrics, but quotations, poems, books, sayings, nursery rhymes, and countless other forms of remembered language. It would then need to consider arbitrary split points, unequal repetition counts, punctuation, capitalization, substitutions, and other transformations. Each new possibility is inexpensive to execute, yet collectively they create an enormous number of plausible hypotheses.

My speculation is that this is approaching the point where idea space begins to dominate classical search space. I can easily imagine an attacker writing a rule that would discover this password, yet I can also imagine an effectively endless supply of similarly plausible human constructions competing for attention.

Would the fictional NSA eventually discover this rule within one hundred thousand years? I genuinely do not know. My intuition places it somewhere near the boundary where the engineering effort required to invent and prioritize the hypothesis begins to outweigh the cost of executing it. If forced to assign a probability, I would estimate roughly a twenty-five percent chance that this password is ever discovered.

My intuition is that a single additional wildcard would likely push this beyond the point of discovery, if it has not already crossed that threshold.

4. Public Documents

This section explores using entire public documents as passwords. Candidates might include the complete text of the MIT License, the screenplay of The Notebook, a famous speech, a recipe from a cookbook, a software source file, or any other publicly available document reproduced verbatim.

What appeals to me about this approach is not necessarily its strength, but its recoverability. While such documents are far too large to memorize, they are also difficult to permanently lose. As long as the simple idea is remembered, the original document can usually be obtained again from reality.

Once the hypothesis is known, the rule itself is trivial: hash every document in a corpus and compare the result. The interesting question is whether such a corpus would ever become large enough. Should it include books, recipes, speeches, poems, song lyrics, software source code, legal documents, academic papers, technical standards, patents, or everything ever published? While the most famous documents might justify inclusion, I suspect a vast amount of human writing would never become worthwhile to search.

In my fictional scenario, I would estimate roughly a 95% chance that the complete MIT License would be discovered within one hundred thousand years. By contrast, I would place the screenplay of The Notebook at roughly 30%, simply because I am far less confident that a corpus of film scripts would ever become sufficiently complete to justify the effort. As the documents become increasingly obscure, my intuition is that the probability rapidly approaches zero.

5. Private Document

This section explores using an entire private document as a password. As an example, imagine using the complete text extracted verbatim from my 2011 tax return PDF.

Like public documents, this approach is attractive because it is easy to remember. I do not need to memorize the document itself, only the idea behind it. Unlike a public document, however, I am now responsible for preserving the source. If every copy is lost, then the password is lost forever. It cannot simply be obtained again from reality.

The more interesting question is whether an attacker would ever search this family of passwords. Would a sufficiently sophisticated attack begin enumerating every text file on a compromised computer and attempting each verbatim? If so, would it stop at plain text, or continue into PDFs, source code, spreadsheets, email archives, notes, chat logs, configuration files, and every other document it could extract? Would it then begin hashing binary files directly? Would it attempt to interpret images as raw pixel data, generated text through OCR, or metadata? Would it execute scripts and hash their output? Would it recursively transform every file into every plausible textual representation before testing it?

I genuinely have no intuition where such a search would end. Each individual hypothesis appears reasonable in isolation, yet together they form an almost boundless collection of possible representations. My speculation is that many transforms easy to program program would likely be attempted within one hundred thousand years, even into relatively obtuse trials but the complete space would never be exhausted. To survive I'd say it likely would need some exotic twist, or alteration, simply pruning, splicing, or cropping might not be enough.

6. Love Letters

A hand-authored piece of prose of sufficient length.

This example explores using original prose as a password. A love letter is simply one illustration of the broader category, which could equally include a short story, an essay, a journal entry, a speech, or any other piece of writing authored by the user. At this length the password is approaching the practical limits of human memory, although I believe it could still be memorized with modest effort through repetition.

Dear Tifa Lockhart,

How does one capture in mere ink the devotion I hold for you, who stood unshaken as the Guard Scorpion's tail cracked like thunder in that first reactor? You break all limits of the magnitudes that I have loved. You are my final heaven. I vow to love you through every triumph and tempest life dares to throw your way. Would you like to get a coffee with me?

Forever yours, Alex

This thought experiment asks a different question from the previous examples. Rather than searching a finite dictionary or applying a deterministic transformation, the attacker would need to decide whether to generate original human prose itself. Could future language models realistically enumerate every plausible love letter? Every plausible speech? Every short paragraph a person might naturally write? If they could, how would those generations be prioritized among the effectively limitless space of possible human expression?

My wager is that this construction has a high probability of surviving the fictional one hundred thousand year NSA scenario. I would estimate only around a 10–25% chance that the exact passage is eventually generated. This is another examples where I believe idea space might begin to dominate classical entropy. The challenge is no longer simply searching a known space efficiently, but deciding which of the countless forms of human thought are worth generating in the first place.

7. This Entire Article

{Insert this entire article copy pasted verbatim.}

This construction explores using an entire original work of prose as a password. Unlike public documents, the article itself is a personal chain of reasoning, reflecting my own writing style, vocabulary, structure, and thought process. That individuality may simultaneously strengthen and weaken it. It is far less likely to appear in generic heuristic attacks, yet a sufficiently sophisticated attacker with extensive access to my personal writings may begin constructing increasingly accurate models of how I think and write.

Whether a deeply personal document is ultimately more secure than an impersonal one is difficult to answer. Personal writing benefits from uniqueness but is also vulnerable to profiling. Impersonal works are more broadly known but may receive less targeted attention. I cannot confidently say which property dominates.

Its sheer length alone places it well beyond anything I would expect conventional attacks to reproduce. I would speculate it would require some novel form of highly accurate behavioral prediction: an intelligence capable of modelling a person's thought processes by analyzing vast amounts of historical data through time. Such a system would likely require an almost universal understanding of the variables that shape human behavior.

All of that remained true—right up until I typed this section.

From here, the question becomes less about password construction and more about the effect disclosure itself has on security.

Diceware (Memorable Entropy)

Diceware represents one of the strongest practical solutions to the human memory problem. Rather than remembering an arbitrary string of characters, the user memorizes a sequence of randomly selected words. Because each word is chosen independently, every additional word exponentially increases the search space while remaining comparatively easy for a human to recall.

The point of Diceware is that the words are chosen by chance, not by the user. If a human chooses the words themselves, they immediately reintroduce personal patterns and associations that Diceware was specifically designed to eliminate.

Approximate entropy using the standard Diceware word list:

  • 3 words: ~39 bits
  • 4 words: ~52 bits
  • 5 words: ~65 bits
  • 6 words: ~78 bits
  • 7 words: ~90 bits
  • 8 words: ~103 bits

Practical Security

One of Diceware's greatest strengths is that it largely bypasses ordinary human heuristics. Attackers cannot exploit grammar, sentence structure, or meaningful associations because the words are selected independently and at random. Once generated, the password is simply another point in a very large search space.

Its practical limitation is human memory. Four words are generally manageable. Beyond that, recall becomes progressively more difficult, particularly if the password is used infrequently. A password that has not been entered for several years is, in my opinion, increasingly likely to be forgotten. This illustrates the tension explored throughout this paper: every additional word improves security, yet also increases the probability of self-lockout.

Sophisticated Attacks on Diceware

I would speculate at extreme levels of motivation and sophistication Diceware would have some weaknesses. I would wager the following in my hypothetical one hundred thousand year NSA scenario:

  • A dedicated Diceware attack is one of the first attack families written and it is run continuously exhausting as much of the diceware space as it can.
  • The algorithm is trivial to engineer.
  • The hypothesis is immediately recognizable.
  • The search space is completely defined.
  • The rule can be expanded continuously as computation allows.

Within the fictional one hundred thousand year NSA scenario explored throughout this paper, I do not believe conventional Diceware recommendations would survive indefinitely. Diceware is a well-known best practice with a fixed public word list and an obvious attack strategy. The hypothesis is immediate: enumerate one word, then two, then three, and continue increasing the word count until the computational cost becomes prohibitive.

My intuition is that passwords in the practical range of three to five Diceware words remain excellent protection for ordinary people over ordinary human timescales. They are exactly the kind of passwords I would recommend for protecting the vast majority of personal information. However, they are also the kind of passwords I would expect a sufficiently capable attacker to prioritize because the attack rule is so obvious.

My speculative intuition is that somewhere around seven words the search space begins to exceed what even the fictional NSA could reasonably exhaust within one hundred thousand years. The exact threshold is unknowable because it depends entirely upon assumptions about future computation, but it illustrates the direction of travel: surviving the thought experiment requires progressively more words until the password itself becomes increasingly impractical for human memory.

Memorable Entropy vs Idea Space

I will use Diceware to champion an idea of an effective entropy that humans can memorize, it's likely the best example of this in a way that can be accurately audited. I will compare it here to Idea Space.

This is where I believe idea space begins to compete with classical entropy.

Consider the earlier Beatles example:

iwantto! repeated nine times, followed by holdyourhand# repeated eleven times.

I would personally bet on this construction over six or even seven Diceware words within the fictional NSA scenario. Not because I believe it possesses greater classical entropy—it almost certainly does not—but because it occupies a far less obvious hypothesis space.

Diceware presents the attacker with a single, well-defined family of rules whose magnitude can simply be increased as computation allows. The Beatles construction requires the attacker to first invent the rule itself by isolating specific parts of the human experience and combining them with arbitrary transforms. Once known, a narrow rule is inexpensive to execute. The uncertainty lies in whether it is ever prioritized among the effectively limitless number of plausible human cognitive constructions.

The attacker may eventually discover it. But if I were forced to choose between a password that relies purely on increasing entropy and one that also exploits uncertainty in human cognition, I would begin to favor the latter. That possibility is the central question this paper has been exploring.

Bias in Diceware

I will tangent here momentarily as an exploration around human influence even in systems like Diceware.

The theoretical security of Diceware assumes that every dice roll is accepted exactly as it appears from the first roll. In practice, I suspect many people would feel tempted to reroll words they dislike or continue rolling until they obtain a sequence that feels more memorable or aesthetically pleasing. Every such choice reintroduces human preference into a system specifically designed to eliminate it. Whether this meaningfully reduces security depends on the extent of the cherry-picking, but it does move the construction away from the ideal randomness that gives Diceware its theoretical strength.

Disclosing Information

If I were specifically targeted by a sufficiently sophisticated attacker, this paper would likely become part of the attack itself. The specific constructions discussed here would almost certainly become weaker. By publicly describing the transforms I consider, I may have disclosed not only candidate passwords, but entire families of hypotheses that a sufficiently sophisticated attacker could begin exploring.

If my writings or ideas somehow became widespread, or perhaps even if they remain nothing more than an obscure musing, would that still gradually diminish the security universally of everything I've discussed?

Disclosing Transforms

Screen shot of my Encode BaseN Stream Calculator Interface outputing TIFA LOCKHART encoded in BaseTIFA LOCKHART
  • Screen shot of my Encode BaseN Stream Calculator Interface outputing TIFA LOCKHART encoded in BaseTIFA LOCKHART

Above is a screenshot of one of my calculators encoding TIFA LOCKHART into BaseTIFA LOCKHART. Does this posting permanently make the outcome of that insecure forever? My website has an interface section where I provide a variety of calculators. Has this entire family of passwords become heuristically obvious simply because the transform is now public? Does this extend just to me or to all?

Disclosing Reality

Photograph of the dice pack I used for diceware rolls including the shipping packaging.
  • Photograph of the dice pack I used for diceware rolls including the shipping packaging.

Above is a photograph of the dice I rolled before generating the Diceware passphrase protecting my most valuable data. Does showing this image cause the entropy of that password todecreased, even if only by an immeasurably small amount? Could some future technology, perhaps an unimaginably advanced AI, analyze that single frozen moment in time and recover information about the outcome of the roll that today appears impossible to extract?

Down the Rabbit Hole

Following this line of thought to its extreme, would simply mentioning that I have a friend who performs ultrasounds slightly reduce the security of every project associated with me? Has every publicly observable action I have ever taken, no matter how ordinary, marginally reduced the uncertainty surrounding every future security project I might be involved with? To a sufficiently advanced attacker willing to model every detectable aspect of my life, does every piece of information become a small reduction in entropy? Is every action I take or make in a publicly detectable way a diminishing of the entropy of everything I'm associated with? Is every public action anyone makes diminishing the entropy of all future security in the universe? Is something with no public information still leaking information by having no information?

The M'aiq Problem

If I were to publish a highly sensitive encrypted file on a public forum, protected only by a password, how much would this paper diminish the security of that file? Could the existence of this paper ever improve its security by introducing so many competing ideas that it becomes more difficult for an attacker to determine which ones I actually used?

Suppose a criminal could anonymously submit unlimited evidence that was genuinely created by them but intentionally misleading. Every submission could consume investigative effort, yet each submission would also reveal something about the criminal's thinking. Does introducing false hypotheses ultimately make an investigation more difficult, or does every additional clue, even a deceptive one, increase the probability of eventually discovering the truth?

!E7vc9{e<8e{0b9k05vKe@vLvI#VBbN!T

Standardized Entropy

Ironically, even best practices may introduce heuristics of their own.

Modern password guidance encourages users toward a relatively small collection of approved generation methods. Password managers commonly omit problematic symbols to satisfy website compatibility. Many websites require at least one uppercase letter, one lowercase letter, one digit, and one symbol. Users also tend to select familiar lengths such as 20, 32, or 64 characters rather than arbitrary values.

Each of these conventions removes some portion of the theoretical keyspace. Individually the reductions are modest, but together they define a much smaller region that millions of users are encouraged to occupy. An attacker does not need to search the entire theoretical password space first, they can begin with the standardized region created by modern password guidance itself.

This is difficult to calculate precisely, so take this with a grain of salt. My intuition is that these conventions likely reduce the theoretical entropy by somewhere in the region of 2–4%. I do not consider that reduction trivial, but once a password already occupies an astronomically large search space, it simply becomes 2–4% less astronomical.

Future

LLM Requirements

One possible distinction between deterministic rules and natural language is the cost of generating candidates. A password consisting of coherent, personally authored prose, such as the love letter discussed earlier, may eventually be expressible by future language models, but today it appears to require substantially more than simple algorithmic transformations. Producing meaningful prose often involves a language model, potentially tuned to an individual's writing style, with every candidate carrying computational cost and inference time beyond that of conventional rule-based generation. Whether this distinction remains meaningful as language models improve is an open question, but today it represents a different class of attack than traditional deterministic heuristics.

Normative Evoluition and Adaptation

Human password behavior is unlikely to remain static. If conventional human-generated passwords continue to become easier to crack, society may gradually adopt more creative memory strategies out of necessity. Techniques that appear unusual today—extreme repetition, transform-based constructions, references to large documents, or other mnemonic systems—may eventually become standardized recommendations. Should that occur, today's unconventional ideas would become tomorrow's low-hanging fruit as attackers adapt their models to reflect evolving human behavior. In this sense, hypothesis space is not fixed. It evolves alongside culture, education, software, and accepted security practices.

Data Trails

Throughout this paper I assume an attacker of extraordinary sophistication. Under that assumption, discussing a password strategy with any system outside your direct control should be considered a potential disclosure.

It is easy to think only of information that is intentionally sent, but modern software often observes much more than that. Emails, web browsers, cloud services, search engines, large language models, collaborative editors, and countless other applications may retain logs for debugging, analytics, training, security, or legal purposes. In some cases even partial drafts, keystrokes, or text that is typed and later deleted before being sent may still have been sent and exists somewhere outside the user's awareness.

At the level of attacker considered throughout this paper, the user cannot confidently know where every piece of information ultimately resides, how long it persists, whether it is later leaked, purchased, subpoenaed, compromised, or intentionally collected. My practical conclusion is therefore conservative. If a password strategy is intended to protect information of exceptional importance, I would avoid discussing or experimenting with that strategy anywhere that is not entirely under my own control.

At this threat level I would not even muse it's strategy in a private room alone, in consideration of devices and who nows what else might be deployed to gather data. Perhaps this is futile, and leaks occur at the operating system level, or some vector we can't fathom, maybe we should simply have 0 confidence in any privacy.

Horizons

Every search rule possesses one or more magnitudes. A dictionary attack must decide how many words to include. A repetition rule must decide how many repetitions are worth testing. A wildcard rule must decide how many wildcards to allow. Every one of these choices can be expanded almost indefinitely, but never without cost.

As an example, suppose I can reliably memorize only six characters of maximum entropy:

X#7q!L

This represents approximately 39 bits of entropy. By itself, it is too short to resist serious brute-force attacks despite being generated by a genuinely high-entropy process.

Now consider it repeated 35 times.

X#7q!LX#7q!LX#7q!LX#7q!LX#7q!LX#7q!LX#7q!LX#7q!LX#7q!LX#7q!LX#7q!LX#7q!LX#7q!LX#7q!LX#7q!LX#7q!LX#7q!LX#7q!LX#7q!LX#7q!LX#7q!LX#7q!LX#7q!LX#7q!LX#7q!LX#7q!LX#7q!LX#7q!LX#7q!LX#7q!LX#7q!LX#7q!LX#7q!LX#7q!LX#7q!L

The memory burden has changed very little. I only have to remember a six-character random seed and the number 35. The attacker, however, now faces another magnitude to search. They must decide how many repetitions are worth attempting before abandoning the repetition rule and moving on to entirely different hypotheses.

At some point a repetition rule becomes too expensive to continue expanding. Every additional repetition multiplies the work required to exhaust the rule, and eventually the attacker must decide whether another repetition is more valuable than exploring a completely different hypothesis. That decision point is another horizon.

I suspect sophisticated attacks naturally organize these magnitudes into tiers. Cheap versions of many rules would be exhausted first, followed by progressively larger and more expensive versions only if justified. This resembles how modern computational systems often allocate finite resources: broad, inexpensive exploration first, increasingly costly refinement later.

Every magnitude therefore possesses a horizon: the point beyond which extending a rule becomes more expensive than exploring alternative hypotheses. That horizon is unknowable and likely shifts with available computation, new algorithms, and practical experience. I suspect it represents another important dimension of practical password security beyond classical entropy alone.

Perhaps typing password 100,000,000 times is an invincible password.

Closing

Thank you for reading.

Cryptography is a high-stakes, rigorous, and sensitive subject, and I am not an expert in the field. This essay is not intended as professional security guidance or as a recommendation for constructing passwords. It is simply an exploration of concepts, thought experiments, and hypotheses that emerged from my own attempts to reason about the relationship between human memory and practical security.

At times a joke suddenly falls into my mind as a conversation unfolds. I pause and ask myself whether I really want to say it. More often than not, I keep it to myself. Perhaps not every thought benefits from becoming information.

© 2024 Alex Stevovich

About the Author