Passwords are everywhere. We use them to unlock phones, computers, websites, encrypted disks, encrypted files... the list just goes on and on. Savvy users will already have a password manager of some sort that can generate a very strong password on a per site basis. However, these password managers also require a password. Not only that, it has to be something memorable.
In order for a password to be strong, it needs to be random and long. Unfortunately, random passwords generated by a password manager are very difficult for humans to memorize. Humans like simplicity and ease, and that leads to very insecure passwords. So coming up with a strong yet memorable password to secure your passwords remains difficult. We've all been there staring at the screen, thinking what can I use as a password. We can't have it in the password manager, so we have to do it ourselves, and we don't often do the best we could.
The answer to this problem isn't some hot new tech. It's old, it's analog, and it's called Diceware. This system, created by Arnold G. Reinhold, has been around since 1995, and it works well. Plus, the underlying concept is really simple: roll dice to create a memorable passphrase based off a corresponding wordlist. The more words you roll up, the safer the passphrase is.
When you roll up a passphrase, you can be sure that it is truly random. A computer-generated password uses algorithms to generate pseudo-random numbers. Since these algorithms are deterministic, you will always get the same results given the same seed. This means that if someone finds the seed, they find your passwords.
Diceware passphrases that use five words with spaces in-between them have an entropy of at least 66.4 bits. That means it would take roughly 1,000 or so high-end PCs to crack it. This is well within the reach of botnet operators, so it's better to go higher.
A six-word passphrase is at least 77.5 bits, putting it into the realm of potentially breakable by a well-funded government actor like the NSA.
Generating a seven-word passphrase using this method has at least 90.4 bits of entropy, which is enough to be considered unbreakable by today's standards. Reinhold does state that by 2030, it's probable that a seven-word passphrase will be crackable, but let's just hope that we've come up with a better authentication system by then.
Setting up a Diceware passphrase is a fairly simple process of downloading the wordlist from Reinhold's website and opening it up in your favorite text editor. You'll also need to raid your game cupboard for some six-sided dice.
Each word is generated based on five 1d6 rolls. For example, if you rolled 62514, "utmost" would be your first word. Just keep rolling dice until you have reached the level of entropy you need.
Many of you maybe thinking, "That's great... if I know someone uses Diceware, then I've got myself a wordlist for brute-forcing." Even if you know an individual uses Diceware and download the wordlist, it'd be a difficult passphrase to crack.
The Diceware list has 7,776 words. If you use a five-word passphrase, the total number of possibilities is 7,776 to the 5th power. If you use a seven-word passphrase, you're looking at a whopping 1,719,070,799,748,422,591,028,658,176 possibilities, which boils down to about 90 bits of entropy. Of course, you could achieve this same mount of entropy with a password generated by a password manager, but it would be extremely difficult to remember. It would, however, be equally difficult to crack.
Overall, this is a great solution for the chicken egg problem of password managers. During the first week of using it, you may need to have the passphrase written down. After that, it's just muscle memory. It couldn't be simpler. Aside from the extra security, making a Diceware passphrase is also kind of fun; I rolled up the four-word passphrase "man haley i'd cream" which gives me an entropy of 71 bits. Not bad, definitely better than my old password "hunter2" which was only 24 bits... and probably on a list somewhere.
It’s Black Friday week in the Null Byte shop! If you’ve been wanting to improve your skill set in hacker- and cybersecurity-geared topics such as Python, Raspberry Pi, and Linux, now’s the time. We’ve got huge sales on online courses, and we’ve outlined 13 favorites you won’t want to miss. Check them out!