No Dice: Diceware Passphrase Creation System

Not long ago, I was browsing the Tor network and came across several doxing sites.  One of them in particular struck me because it was a list of social media accounts, including usernames and passwords.  The passwords were what stood out the most, because they often looked like this:

  • 123456
  • password
  • bob123456
  • 12345678
  • Letmein
  • batman

After seeing that, I thought, “No wonder people get their passwords stolen so easily!”  This was one of the things that led me to seek out a more secure password system, and one of the ones that I came across was the Diceware Passphrase System.

Diceware is a system for creating passphrases from rolls of physical dice.  Each word is selected by rolling a die five times (or five dice once); the five-digit result, in which every digit is 1 to 6, is looked up in a word list of 7776 (6^5) entries, where it stands for a single short word, number, or letter combination.  Here's an example:

21526 crab
32264 haley
52346 rst
12654 avail
54322 slake

The words in this example come from the official Diceware word list, which contains 7776 short words, abbreviations, and character strings that are meant to be easy to remember.  Alternate lists, such as the Beale word list, exist as well.  Note that switching or mixing lists does not make the result stronger: as long as a list has 7776 entries and the rolls are honest, every word adds the same log2(7776) ≈ 12.9 bits of entropy, so the only way to get a stronger passphrase is to roll more words (the Diceware FAQ recommends at least six).  Some lists are harder to memorize than others, so you may initially have to store your passphrase somewhere offline.  Eventually you'll memorize it!
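The lookup described above, as an added example in Python (this is not code from the original post or from the Diceware project).  It replaces physical dice with the operating system's CSPRNG via the `secrets` module, maps a five-roll group to a list index, parses a list in the `NNNNN<tab>word` layout of the official `diceware.wordlist.asc` file, and computes the entropy an attacker who knows the list has to search.  The word list it runs against is a constructed placeholder that contains only the entries quoted in this post; the rest are dummy words, since the real file is not embedded here.

```python
"""Added example: Diceware roll-to-word lookup with a CSPRNG standing in for dice."""
import math
import re
import secrets

SIDES = 6                               # a standard die
ROLLS_PER_WORD = 5
LIST_SIZE = SIDES ** ROLLS_PER_WORD     # 7776 entries in a Diceware list
ENTRY_RE = re.compile(r"^([1-6]{5})\s+(\S+)$")

# Entries quoted in the post (official list). Everything else in the list used
# below is a constructed placeholder so the example runs without the real file.
KNOWN_ENTRIES = {
    "21526": "crab", "32264": "haley", "52346": "rst", "12654": "avail",
    "54322": "slake", "13236": "baku", "53352": "sepoy", "42625": "rilly",
    "42662": "moyer", "53643": "shrug", "64134": "white", "53234": "scuba",
    "65152": "yodel",
}


def roll_dice(n: int) -> str:
    """n fair six-sided rolls as a digit string, e.g. '21526'.
    secrets.randbelow draws from the OS CSPRNG without modulo bias; it is the
    software stand-in for the physical dice the method is built around."""
    return "".join(str(secrets.randbelow(SIDES) + 1) for _ in range(n))


def rolls_to_index(rolls: str) -> int:
    """Map a five-digit roll to a 0-based index: each die is a base-6 digit
    (faces 1..6 -> 0..5), first roll most significant. '11111' -> 0, '66666' -> 7775."""
    if not re.fullmatch(r"[1-6]{5}", rolls):
        raise ValueError(f"expected five digits in 1..6, got {rolls!r}")
    index = 0
    for d in rolls:
        index = index * SIDES + (int(d) - 1)
    return index


def index_to_rolls(index: int) -> str:
    """Inverse of rolls_to_index; used here to label the placeholder list."""
    digits = []
    for _ in range(ROLLS_PER_WORD):
        index, face = divmod(index, SIDES)
        digits.append(str(face + 1))
    return "".join(reversed(digits))


def parse_wordlist(text: str) -> list:
    """Read 'NNNNN<whitespace>word' lines. The official file is PGP clear-signed
    text, so lines that are not entries (armor, headers) are skipped, and the
    entry count is checked so a truncated download is caught."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries[rolls_to_index(m.group(1))] = m.group(2)
    if len(entries) != LIST_SIZE:
        raise ValueError(f"expected {LIST_SIZE} entries, found {len(entries)}")
    return [entries[i] for i in range(LIST_SIZE)]


def placeholder_wordlist_text() -> str:
    """Constructed stand-in for diceware.wordlist.asc: every key gets a dummy
    word except the ones quoted in the post."""
    lines = ["-----BEGIN PGP SIGNED MESSAGE-----", ""]   # armor, to show it is skipped
    for i in range(LIST_SIZE):
        key = index_to_rolls(i)
        lines.append(f"{key}\t{KNOWN_ENTRIES.get(key, 'w' + key)}")
    return "\n".join(lines)


def entropy_bits(num_words: int, list_size: int = LIST_SIZE) -> float:
    """Entropy an attacker who knows the list must search. Only the list size
    and the number of words enter the formula, not which list was used."""
    return num_words * math.log2(list_size)


def make_passphrase(words: list, num_words: int = 6, sep: str = ".") -> tuple:
    """Roll five dice per word and join the selected words with sep."""
    rolls = [roll_dice(ROLLS_PER_WORD) for _ in range(num_words)]
    return sep.join(words[rolls_to_index(r)] for r in rolls), rolls


if __name__ == "__main__":
    words = parse_wordlist(placeholder_wordlist_text())
    for key in ("21526", "32264", "52346", "12654", "54322"):
        print(key, words[rolls_to_index(key)])
    phrase, rolls = make_passphrase(words, num_words=6)
    print(rolls, phrase, f"{entropy_bits(6):.1f} bits")
```

To use the real list, pass the contents of the downloaded file to `parse_wordlist` instead of the placeholder; the count check will reject a list that is not exactly 7776 entries long.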

Warning: online sites such as Entima.net: Diceware Passphrase Generator will produce a Diceware-style passphrase without the work of physically rolling dice, but they are significantly weaker than the offline method.  You are trusting a remote machine's random number generator that you cannot inspect, and the passphrase travels over the network and through a browser, where it can be logged.


The site itself displays this warning:  "This passphrase is too weak to resist an offline attack where the password hashes are available to the attacker."

Beyond the word lists, you can generate random characters with the same dice, either for a password or to append to a passphrase (although it takes a little longer and, therefore, more patience).  The last page of the official list carries a set of dice tables for this purpose.  A character drawn this way from the full printable set carries more entropy per character typed than a letter inside a dictionary word, at the cost of being far harder to memorize.

With the dice tables, you roll a die three times for each character: the first roll selects one of three tables, and the second and third rolls select the row and column within it.  Here's a good link that explains how that works: Diceware Passphrase FAQ
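The three-roll lookup, as an added example (not code from the original post or from the Diceware project).  The lookup rule is the one described above: die 1 picks the table (1 or 2, 3 or 4, 5 or 6), die 2 the row, die 3 the column.  The grid itself is a constructed stand-in holding the 94 printable ASCII characters, not the official Diceware table; the 14 cells left over are empty and mean "roll again", which is what keeps every character equally likely.

```python
"""Added example: random characters from a Diceware-style 3 x 6 x 6 dice table."""
import math
import secrets
import string

SIDES = 6
TABLES = 3
CELLS = TABLES * SIDES * SIDES                                         # 108 cells
PRINTABLE = string.digits + string.ascii_letters + string.punctuation  # 94 characters


def build_tables(chars: str = PRINTABLE) -> list:
    """Fill three 6x6 tables row by row; leftover cells are None ('roll again').
    This layout is a constructed stand-in, not the official table."""
    if len(chars) > CELLS:
        raise ValueError("at most 108 characters fit in three 6x6 tables")
    cells = list(chars) + [None] * (CELLS - len(chars))
    return [[[cells[t * 36 + r * 6 + c] for c in range(SIDES)]
             for r in range(SIDES)] for t in range(TABLES)]


def lookup(tables: list, rolls: str):
    """Three rolls such as '415': die 1 picks the table (1-2, 3-4, 5-6),
    die 2 the row, die 3 the column. Returns None for a 'roll again' cell."""
    if len(rolls) != 3 or any(ch not in "123456" for ch in rolls):
        raise ValueError(f"expected three digits in 1..6, got {rolls!r}")
    d1, d2, d3 = (int(ch) for ch in rolls)
    return tables[(d1 - 1) // 2][d2 - 1][d3 - 1]


def roll_three() -> str:
    """Three CSPRNG-backed die rolls as a digit string (stand-in for real dice)."""
    return "".join(str(secrets.randbelow(SIDES) + 1) for _ in range(3))


def random_char(tables: list, roller=roll_three) -> str:
    """Roll until a filled cell comes up. Re-rolling, rather than mapping the
    empty cells onto some character, keeps the distribution uniform."""
    while True:
        ch = lookup(tables, roller())
        if ch is not None:
            return ch


def random_string(tables: list, length: int, roller=roll_three) -> str:
    return "".join(random_char(tables, roller) for _ in range(length))


def bits_per_char(tables: list) -> float:
    """Entropy per character: log2 of the number of distinct filled cells."""
    distinct = {ch for table in tables for row in table for ch in row if ch is not None}
    return math.log2(len(distinct))


if __name__ == "__main__":
    tables = build_tables()
    print(random_string(tables, 4), f"{bits_per_char(tables):.2f} bits per character")
```

The `roller` parameter exists so the lookup can be driven from rolls written down at a real table, or from a fixed sequence when checking the code; the default uses the CSPRNG.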

Just for fun, to test out the security of one of the Diceware passphrases, I used this example (which is not one of my real passphrases!):

13236 baku
53352 sepoy
42625 rilly
42662 moyer
53643 shrug
64134 white
53234 scuba
65152 yodel

At the end of the list of words, I added a randomly generated set of characters from the dice, "$f!{".  Also, in between each word, I added a period (which you can choose to do or not).  Here was the result, according to GRC's Brute Force Password Search Space Calculator.


The calculator reports a Search Space Size of 1.51 × 10^73.  Under "Time Required to Exhaustively Search this Password's Space" it lists:

  • Online Attack Scenario (assuming 1,000 guesses per second): "4.76 hundred trillion (×7) centuries."
  • Offline Fast Attack Scenario (assuming 100 billion guesses per second): "4.76 million trillion (×6) centuries."
  • Massive Cracking Array Scenario (assuming 100 trillion guesses per second): "4.76 thousand trillion (×6) centuries."

I don’t know about you guys, but I find that very reassuring!  Contrast that with one of the common passwords, like “password.”  According to the same site:


  • Online Attack Scenario: “6.91 years”
  • Offline Fast Attack Scenario: “2.17 seconds”
  • Massive Cracking Array Scenario: “0.00217 seconds”

That's not even taking into account that something like "password" is so common that an attacker will try it first: real cracking starts with dictionaries and leaked-password lists, not with exhaustive search, so the brute-force figure for "password" is a ceiling it never reaches in practice.  The calculator also flatters the passphrase, because it models an attacker who does not know it was assembled from a word list.  Assume the attacker does know: eight words give 8 × log2(7776) ≈ 103 bits, and the four dice-table characters add roughly 6.5 bits each if drawn from the full printable set, about 130 bits in all.  That is a far smaller space than 10^73, but still more guesses than any cracking rig can make.  So, what's the conclusion?  Although it may take a bit more time and effort, an offline, randomly generated passphrase is significantly stronger than the most common passwords.

Granted, nothing is unhackable, but even a brute-force attacker who knows the word list would take vastly longer to crack a Diceware passphrase than your average, everyday password.
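The two ways of counting that the comparison above rests on, as an added example (not code from the original post or from GRC).  It reproduces the calculator's brute-force model for "password" and sets it against what an attacker who knows the Diceware list faces for eight words plus four table characters.  The per-class alphabet sizes (26 lowercase, 26 uppercase, 10 digits, 33 symbols) and the 94-character set for the dice table are assumptions, not values taken from the calculator's documentation; the three guess rates are the ones quoted in the post.

```python
"""Added example: brute-force search space (calculator model) vs. list-aware entropy."""
import math

# Assumed per-class alphabet sizes; the union of the classes present is the alphabet.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}
# The three scenarios quoted in the post, in guesses per second.
RATES = {"online": 1e3, "offline fast": 1e11, "massive cracking array": 1e14}
SECONDS_PER_YEAR = 365.25 * 24 * 3600
DICEWARE_LIST = 7776   # 6**5 entries
PRINTABLE = 94         # assumed size of the dice-table character set


def char_class(ch: str) -> str:
    if ch.islower():
        return "lower"
    if ch.isupper():
        return "upper"
    if ch.isdigit():
        return "digit"
    return "symbol"


def alphabet_size(password: str) -> int:
    """Calculator model: the alphabet is the union of every class present."""
    return sum(CLASS_SIZES[c] for c in {char_class(ch) for ch in password})


def brute_force_space(password: str) -> int:
    """Every string over that alphabet up to and including the password's length."""
    a = alphabet_size(password)
    return sum(a ** n for n in range(1, len(password) + 1))


def wordlist_space(num_words: int, extra_chars: int = 0,
                   list_size: int = DICEWARE_LIST, char_set: int = PRINTABLE) -> int:
    """What an attacker who knows the list and the separator convention must search."""
    return list_size ** num_words * char_set ** extra_chars


def years_to_search(space: int, rate: float) -> float:
    return space / rate / SECONDS_PER_YEAR


def report(label: str, space: int) -> dict:
    """Bits of work and exhaustive-search time per scenario, as a dict."""
    out = {"label": label, "space": space, "bits": math.log2(space)}
    for name, rate in RATES.items():
        out[name] = years_to_search(space, rate)
    return out


if __name__ == "__main__":
    for r in (report('"password", brute force over 26 letters', brute_force_space("password")),
              report("8 Diceware words + 4 table chars, attacker knows the list",
                     wordlist_space(8, extra_chars=4))):
        print(f"{r['label']}: 2^{r['bits']:.1f} guesses")
        for name in RATES:
            print(f"  {name:>22}: {r[name]:.3g} years")
```

For "password" the brute-force space comes out at 2.17 × 10^11 guesses, about 6.9 years at 1,000 guesses per second and 0.00217 seconds on the massive array, matching the calculator's figures to rounding.  The list-aware figure for the eight-word passphrase is about 2^130, many orders of magnitude below the calculator's 10^73, which is why the entropy count, not the calculator, is the number to plan around.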

If you ask me, “Is it worth the effort?”  I’d say yes.


TheBitcoinNews.com – leading Bitcoin News source since 2012