Diceware Gives You Truly Random Yet Easy-to-Memorize Passwords
Passwords are everywhere. We use them to unlock phones, computers,
websites, encrypted disks, encrypted files... the list just goes on and
on. Savvy users will already have a password manager of some sort that
can generate a very strong password on a per site basis. However, these
password managers also require a password. Not only that, it has to be
something memorable.
So How Do You Keep Your Key Vault Secure?
In order for a password to be strong, it needs to be random and long.
Unfortunately, random passwords generated by a password manager are very
difficult for humans to memorize. Humans like simplicity and ease, and
that leads to very insecure passwords. So coming up with a strong yet
memorable password to secure your passwords remains difficult. We've all
been there, staring at the screen and wondering what to use as a password. We can't keep it in the password manager, so we have to come up with it ourselves, and we often don't do the best we could.
The answer to this problem isn't some hot new tech. It's old, it's analog, and it's called Diceware. This system, created by Arnold G. Reinhold,
has been around since 1995, and it works well. Plus, the underlying
concept is really simple: roll dice to create a memorable passphrase
based off a corresponding wordlist. The more words you roll up, the
safer the passphrase is.
When you roll up a passphrase, you can be
sure that it is truly random. A computer-generated password uses
algorithms to generate pseudo-random numbers. Since these algorithms are
deterministic, you will always get the same results given the same
seed. This means that if someone finds the seed, they find your
passwords.
How Long Should a Diceware Passphrase Be?
Diceware passphrases that use five words with spaces in-between them have an
entropy of at least 66.4 bits. That means it would take roughly 1,000 or
so high-end PCs to crack it. This is well within the reach of botnet
operators, so it's better to go higher.
A six-word passphrase is at least 77.5 bits, putting it into the realm of
potentially breakable by a well-funded government actor like the NSA.
Generating a seven-word passphrase using this method has at least 90.4 bits of
entropy, which is enough to be considered unbreakable by today's
standards. Reinhold does state that by 2030,
it's probable that a seven-word passphrase will be crackable, but let's
just hope that we've come up with a better authentication system by
then.
Getting Your Diceware Passphrase
Setting up a Diceware passphrase is a fairly simple process of downloading the wordlist
from Reinhold's website and opening it up in your favorite text editor.
You'll also need to raid your game cupboard for some six-sided dice.
Each word is generated from five 1d6 rolls. For example, if you rolled
62514, "utmost" would be your first word. Just keep rolling dice until
you have reached the level of entropy you need.
Many of you may be thinking, "That's great... if I know someone uses
Diceware, then I've got myself a wordlist for brute-forcing." Even if
you know an individual uses Diceware and download the wordlist, it'd be a
difficult passphrase to crack.
The Diceware list has 7,776 words. If you use a five-word passphrase, the
total number of possibilities is 7,776 to the 5th power. If you use a
seven-word passphrase, you're looking at a whopping
1,719,070,799,748,422,591,028,658,176 possibilities, which boils down to
about 90 bits of entropy. Of course, you could achieve this same amount
of entropy with a password generated by a password manager, but it would
be extremely difficult to remember. It would, however, be equally
difficult to crack.
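The roll-to-word lookup and the keyspace arithmetic from the two sections above, as an added Python example that is not from the article or from Reinhold's Diceware materials. The wordlist excerpt is constructed in the list's own "roll TAB word" format (only the 62514 entry comes from the article), and `secrets` stands in for physical dice where no dice are at hand.

```python
import math
import secrets
from itertools import product

# Constructed excerpt in the wordlist's own format: five-digit roll, tab, word.
# Reinhold's real list has all 7,776 combinations; only 62514 is from the article.
SAMPLE_WORDLIST = "11111\talpha\n11112\tbravo\n62514\tutmost\n66666\tzulu\n"

def all_rolls():
    """Every five-dice outcome in list order: 11111, 11112, ..., 66666."""
    return ("".join(d) for d in product("123456", repeat=5))

def parse_wordlist(text):
    """Map roll strings to words, rejecting keys that are not five digits 1-6."""
    table = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        roll, word = line.split("\t", 1)
        if len(roll) != 5 or any(d not in "123456" for d in roll):
            raise ValueError(f"bad roll key: {roll!r}")
        table[roll] = word
    return table

def roll_word(rolls, table):
    """Word for five 1d6 results given as ints, e.g. (6, 2, 5, 1, 4) -> 'utmost'."""
    return table["".join(str(r) for r in rolls)]

def keyspace(num_words, list_size=7776):
    """Number of distinct passphrases: list_size ** num_words."""
    return list_size ** num_words

def entropy_bits(num_words, list_size=7776):
    """Bits of entropy for a uniformly chosen passphrase: log2 of the keyspace."""
    return num_words * math.log2(list_size)

def generate_passphrase(num_words, table):
    """Stand-in for physical dice: secrets draws from the OS CSPRNG, so there
    is no user-visible seed to recover. Assumes table holds all 7,776 entries."""
    words = []
    for _ in range(num_words):
        rolls = [secrets.randbelow(6) + 1 for _ in range(5)]
        words.append(roll_word(rolls, table))
    return " ".join(words)

if __name__ == "__main__":
    table = parse_wordlist(SAMPLE_WORDLIST)
    print(roll_word((6, 2, 5, 1, 4), table))          # utmost
    print(keyspace(7), round(entropy_bits(7), 1))      # 1719070799748422591028658176 90.5
```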
Overall, this is a great solution for the chicken-and-egg problem of password
managers. During the first week of using it, you may need to have the
passphrase written down. After that, it's just muscle memory. It
couldn't be simpler. Aside from the extra security, making a Diceware
passphrase is also kind of fun; I rolled up the four-word passphrase
"man haley i'd cream" which gives me an entropy of 71 bits. Not bad,
definitely better than my old password "hunter2" which was only 24
bits... and probably on a list somewhere.