IT’S GETTING EASIER to secure your digital privacy. iPhones now encrypt a great deal of personal information; hard drives on Mac and Windows 8.1 computers are now automatically locked down; even Facebook, which made a fortune on open sharing, is providing end-to-end encryption in the chat tool WhatsApp. But none of this technology offers as much protection as you may think if you don’t know how to come up with a good passphrase.
A passphrase is like a password, but longer and more secure. In essence, it’s an encryption key that you memorize. Once you start caring more deeply about your privacy and improving your computer security habits, one of the first roadblocks you’ll run into is having to create a passphrase. You can’t secure much without one.
For example, when you encrypt your hard drive, a USB stick, or a document on your computer, the disk encryption is often only as strong as your passphrase. If you use a password database, or the password-saving feature in your web browser, you’ll want to set a strong master passphrase to protect them. If you want to encrypt your email with PGP, you protect your private key with a passphrase. In his first email to Laura Poitras, Edward Snowden wrote, “Please confirm that no one has ever had a copy of your private key and that it uses a strong passphrase. Assume your adversary is capable of one trillion guesses per second.”
In this post, I outline a simple way to come up with easy-to-memorize but very secure passphrases. It’s the latest entry in an ongoing series of stories offering solutions — partial and imperfect but useful solutions — to the many surveillance-related problems we aggressively report about here at The Intercept.
It turns out, coming up with a good passphrase by just thinking of one is incredibly hard, and if your adversary really is capable of one trillion guesses per second, you’ll probably do a bad job of it. If you use an entirely random sequence of characters it might be very secure, but it’s also agonizing to memorize (and honestly, a waste of brain power).
But luckily this usability/security trade-off doesn’t have to exist. There is a method for generating passphrases that are both impossible for even the most powerful attackers to guess, yet very possible for humans to memorize. The method is called Diceware, and it’s based on some simple math.
People often pick some phrase from pop culture — favorite lyrics from a song or a favorite line from a movie or book — and slightly mangle it by changing some capitalization or adding some punctuation or using the first letter of each word from this phrase. Some of these passphrases might seem good and entirely unguessable, but it’s easy to underestimate the capabilities of those invested in guessing passphrases.
Imagine your adversary has taken the lyrics from every song ever written, the scripts from every movie and TV show, the text from every book ever digitized and every page on Wikipedia, in every language, and used that as a basis for their guess list. Will your passphrase still survive?
If you created your passphrase by just trying to think of a good one, there’s a pretty high chance that it’s not good enough to stand up against the might of a spy agency. For example, you might come up with “To be or not to be/ THAT is the Question?” If so, I can guarantee that you are not the first person to use this slightly mangled classic Shakespeare quote as your passphrase, and attackers know this.
The reason the Shakespeare quote sucks as a passphrase is that it lacks something called entropy. You can think of entropy as randomness, and it’s one of the most important concepts in cryptography. It turns out humans are a species of patterns, and they are incapable of doing anything in a truly random fashion.
Even if you don’t use a quote, but instead make up a phrase off the top of your head, your phrase will still be far from random because language is predictable. As one research paper on the topic states, “users aren’t able to choose phrases made of completely random words, but are influenced by the probability of a phrase occurring in natural language,” meaning that user-chosen passphrases don’t contain as much entropy as you think they might. Your brain tends to continue using common idioms and rules of grammar that reduce randomness. For example, it disproportionately decides to follow an adverb with a verb and vice versa, or, to cite one actual case from the aforementioned research paper, to put the word “fest” after the word “sausage.”
Passphrases that come from pop culture, facts about your life, or anything that comes directly from your mind are much weaker than passphrases that are imbued with actual entropy, collected from nature.
This short but enlightening video from Khan Academy’s free online cryptography class illustrates the point well.
Once you’ve admitted that your old passphrases aren’t as secure as you imagined them to be, you’re ready for the Diceware technique.
First, grab a copy of the Diceware word list, which contains 7,776 English words — 37 pages for those of you printing at home. You’ll notice that next to each word is a five-digit number, with each digit between 1 and 6. Here’s a small excerpt from the word list:
24456 eo
24461 ep
24462 epa
24463 epic
24464 epoch
Now grab some six-sided dice (yes, actual real physical dice) and roll them several times, writing down the numbers that you get. You’ll need a total of five dice rolls to come up with the first word in your passphrase. What you’re doing here is generating entropy, extracting true randomness from nature and turning it into numbers.
If you roll the number two, then four, then four again, then six, then three, and then look up in the Diceware word list 24463, you’ll see the word “epic.” That will be the first word in your passphrase. Now repeat. You want to come up with a seven-word passphrase if you’re worried about the NSA or Chinese spies someday trying to guess it (more on the logic behind this number below).
Using Diceware, you end up with passphrases that look like “cap liz donna demon self,” “bang vivo thread duct knob train,” and “brig alert rope welsh foss rang orb.” If you want a stronger passphrase you can use more words; if a weaker passphrase is OK for your purpose you can use fewer words.
The strength of a Diceware passphrase depends on how many words it contains. If you choose one word (out of a list of 7,776 words), an attacker has a one in 7,776 chance of guessing your word on the first try. To guess your word it will take an attacker at least one try, at most 7,776 tries, and on average 3,888 tries (because there’s a 50 percent chance that an attacker will guess your word by the time they are halfway through the word list).
But if you choose two words for your passphrase, the size of the list of possible passphrases increases exponentially. There’s still a one in 7,776 chance of guessing your first word correctly, but for each first word there’s also a one in 7,776 chance of guessing the second word correctly, and the attacker won’t know if the first word is correct without guessing the entire passphrase.
This means that with two words, there are 7,776^2, or 60,466,176 different potential passphrases. On average, a two-word Diceware passphrase could be guessed after the first 30 million tries. And a five-word passphrase, which would have 7,776^5 possible passphrases, could be guessed after an average of 14 quintillion tries (a 14 with 18 zeroes).
The amount of uncertainty in a passphrase (or in an encryption key, or in any other type of information) is measured in bits of entropy. You can measure how secure your random passphrase is by how many bits of entropy it contains. Each word from the Diceware list is worth about 12.92 bits of entropy (because 2^12.92 is about 7,776). So if you choose seven words you’ll end up with a passphrase with about 90.5 bits of entropy (because 12.92 times seven is about 90.5).
In other words, if an attacker knows that you are using a seven-word Diceware passphrase, and they pick seven random words from the Diceware word list to guess, there is a one in 1,719,070,799,748,422,591,028,658,176 chance that they’ll pick your passphrase each try.
At one trillion guesses per second — per Edward Snowden’s January 2013 warning — it would take an average of 27 million years to guess this passphrase.
Not too bad for a passphrase like “bolt vat frisky fob land hazy rigid,” which is entirely possible for most people to memorize. Compare that to “d07;oj7MgLz’%v,” a random password that contains slightly less entropy than the seven-word Diceware passphrase but is significantly more difficult to memorize.
A five-word passphrase, in contrast, would be cracked in just under six months and a six-word passphrase would take 3,505 years, on average, at a trillion guesses a second. Keeping Moore’s Law in mind, computers are constantly getting more powerful, and before long 1 trillion guesses a second might start looking slow, so it’s good to give your passphrases some security breathing room.
With a system like this, it doesn’t matter at all that the word list you’re choosing from is public. It doesn’t even matter what the words in the list are (two-letter words are just as secure as six-letter words). All that matters is how long the list of words is and that each word on the list is unique. The probability of guessing a passphrase made of these randomly chosen words gets exponentially smaller with each word you add, and using this fact it’s possible to make passphrases that can never be guessed.
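As an added example (not code from the article), here is the dice-roll lookup and the strength arithmetic of the preceding paragraphs in Python, using the five word-list lines quoted above as a constructed sample table; the `throws_needed` helper goes slightly beyond the article by generalizing the entropy count to any fair source, such as a coin.

```python
import math

# Constructed excerpt of the Diceware list in its "key word" format
# (the full list has 7,776 entries; these five lines are the ones quoted
# in the article and serve only as a lookup sample).
WORDLIST_EXCERPT = """\
24456 eo
24461 ep
24462 epa
24463 epic
24464 epoch
"""

DICEWARE_WORDS = 7776      # 6**5 entries in the standard list
GUESSES_PER_SECOND = 1e12  # Snowden's "one trillion guesses per second"
SECONDS_PER_YEAR = 365 * 24 * 3600


def parse_wordlist(text):
    """Parse 'ddddd word' lines into a dict keyed by the five-digit dice key."""
    table = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, word = line.split(None, 1)
        if len(key) != 5 or any(c not in "123456" for c in key):
            raise ValueError(f"malformed dice key: {key!r}")
        if key in table:
            raise ValueError(f"duplicate dice key: {key!r}")
        table[key] = word.strip()
    return table


def rolls_to_key(rolls):
    """Five rolls of a six-sided die (each 1..6) form the key: [2,4,4,6,3] -> '24463'."""
    if len(rolls) != 5 or any(r not in (1, 2, 3, 4, 5, 6) for r in rolls):
        raise ValueError("need exactly five rolls, each between 1 and 6")
    return "".join(str(r) for r in rolls)


def lookup(table, rolls):
    """Return the word the five rolls select."""
    return table[rolls_to_key(rolls)]


def bits_per_word(list_size=DICEWARE_WORDS):
    """Entropy contributed by one uniformly chosen word: log2 of the list size."""
    return math.log2(list_size)


def passphrase_bits(num_words, list_size=DICEWARE_WORDS):
    """Entropy of num_words independent uniform picks from the list."""
    return num_words * bits_per_word(list_size)


def search_space(num_words, list_size=DICEWARE_WORDS):
    """Number of distinct passphrases: list_size ** num_words (exact integer)."""
    return list_size ** num_words


def average_crack_years(num_words, list_size=DICEWARE_WORDS, rate=GUESSES_PER_SECOND):
    """Expected time to guess: the attacker succeeds, on average, halfway through the space."""
    return search_space(num_words, list_size) / 2 / rate / SECONDS_PER_YEAR


def throws_needed(sides, target_bits):
    """Generalization beyond the article: throws of any fair `sides`-sided source
    (coin = 2, d6 = 6) needed to accumulate target_bits of entropy."""
    return math.ceil(target_bits / math.log2(sides))


if __name__ == "__main__":
    table = parse_wordlist(WORDLIST_EXCERPT)
    print(lookup(table, [2, 4, 4, 6, 3]))
    for n in (5, 6, 7):
        print(n, "words:", round(passphrase_bits(n), 1), "bits,",
              f"{average_crack_years(n):,.0f} years at 1e12 guesses/s")
```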
This is a longer discussion, but the short answer is: using physical dice will give you a much stronger guarantee that nothing went wrong. But it’s time consuming and tedious, and using a computer to generate these random numbers is almost always good enough.
Unfortunately there doesn’t appear to be user-friendly software available to help people generate Diceware passphrases, only various command-line-only Diceware projects on GitHub, which power users can check out. Stay tuned for a future post about this.
After you’ve generated your passphrase, the next step is to commit it to memory.
I recommend that you write your new passphrase down on a piece of paper and carry it with you for as long as you need. Each time you need to type it, try typing it from memory first, but look at the paper if you need to. Assuming you type it a couple of times a day, it shouldn’t take more than two or three days before you no longer need the paper, at which point you should destroy it.
Typing your passphrase on a regular basis allows you to memorize it through a process known as spaced repetition, according to promising research into high-entropy passphrases.
Diceware passphrases are great for when you’re typing them into your computer to decrypt something locally, like your hard drive, your PGP secret key, or your password database.
You don’t so much need them for logging into a website or something else on the internet. In those situations, you get less benefit from using a high-entropy passphrase. Attackers will never be able to guess a trillion times per second if each guess requires communicating with a server on the internet. In some cases, attackers will own or take over the remote server — in which case they can grab the passphrase as soon you log in and send it, regardless of how strong or weak it is cryptographically.
For logging in to websites and other servers, use a password database. I like KeePassX because it’s free, open source, cross-platform, and it never stores anything in the cloud. Then lock up all your passwords behind a master passphrase that you generate with Diceware. Use your password manager to generate and store a different random password for each website you log in to.
At The Intercept we run a SecureDrop server, an open source whistleblower submission system, to make it simpler and more secure for anonymous sources to get in touch with us.
When a new source visits our SecureDrop website, they get assigned a code name made up of seven random words. After submitting messages or documents, they can use this code name to log back in and check for responses from our journalists.
Under the hood, this code name acts as the source’s encryption passphrase, and it is really just a passphrase generated with the Diceware method, using a cryptographically secure random number generator instead of rolling dice. SecureDrop’s dictionary is only 6,800 words long (the developers removed some words from the original word list that could be considered offensive), making each word worth about 12.73 bits of entropy. That is still plenty to make it impossible for anyone to simply guess a source’s code name, unless they happen to have massive computational resources and several million years.
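An added example, not SecureDrop’s code, of the software variant described here: words are selected with the operating system’s CSPRNG through Python’s `secrets` module, the list is checked for duplicates, per-word entropy is computed from the list size (6,800 words), and `modulo_bias` shows why a naive `random_int % list_size` is the wrong way to index a list; the word list itself is a constructed stand-in.

```python
import math
import secrets

# Constructed stand-in for a curated list; SecureDrop's real list has 6,800 words,
# and only the list size enters the entropy arithmetic.
SAMPLE_WORDS = ["cap", "liz", "donna", "demon", "self", "bang", "vivo", "thread"]


def is_valid_wordlist(words):
    """Every entry must be non-empty and unique: a duplicate shrinks the effective
    list, which is why the article requires each word on the list to be unique."""
    cleaned = [w.strip() for w in words]
    return all(cleaned) and len(set(cleaned)) == len(cleaned)


def bits_per_word(list_size):
    """log2 of the list size: 7,776 words -> 12.92 bits, 6,800 words -> 12.73 bits."""
    return math.log2(list_size)


def generate_passphrase(words, num_words=7):
    """Pick words with the OS CSPRNG (secrets.choice). random.choice would be a bug
    here: it is a Mersenne Twister whose internal state can be recovered from its output."""
    if not is_valid_wordlist(words):
        raise ValueError("word list has empty or duplicate entries")
    return " ".join(secrets.choice(words) for _ in range(num_words))


def passphrase_bits(words, num_words=7):
    """Entropy of num_words uniform picks from this list."""
    return num_words * bits_per_word(len(words))


def modulo_bias(source_values, modulus):
    """How unevenly 'random_int % modulus' spreads a uniform source with
    source_values outcomes: returns (most, fewest) source values landing on a residue.
    secrets.choice and secrets.randbelow avoid this by rejection sampling."""
    per_residue, extra = divmod(source_values, modulus)
    return (per_residue + 1 if extra else per_residue, per_residue)


if __name__ == "__main__":
    print(generate_passphrase(SAMPLE_WORDS))
    print(round(bits_per_word(6800), 2), "bits per word with 6,800 words")
    print(modulo_bias(2 ** 32, 7776), "source values per word for a 32-bit source mod 7776")
```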
Simple, random passphrases, in other words, are just as good at protecting the next whistleblowing spy as they are at securing your laptop. It’s a shame that we live in a world where ordinary citizens need that level of protection, but as long as we do, the Diceware system makes it possible to get CIA-level protection without going through black ops training.
Thanks to Garrett Robinson for double-checking my math and preventing me from making stupid mistakes.
Any thoughts on this password generation scheme for generating secure passwords?
https://www.grc.com/offthegrid.htm
Ok I tried this after writing my own dice words generator and so far I can’t get any of the agencies to tell me if they were able to crack my passphrase. In fact, I can’t detect ANY change over the older passphrase I used before this. ;)
Google Roll A Die for a “random” Dice roll.
correct horse battery staple.
Xkcd covered this a few years ago.
Advanced persistent threat attackers don’t guess passwords. They steal passwords using spearphishing. This technique is useless against credential theft.
I have written a simple app to generate diceware passphrases for you. Find it here: https://kenkleinman.shinyapps.io/dicewaRe/
So what about just looking around the room and choosing seven words at random from things around the room? For instance “palm scales herb kleen gill mirror bath”
A password verify should lock the users account if 3 bad passwords are submitted. It might be interesting to track rejected passwords. If there are invalid attempts that do not have a valid attempt within a short time, it could mean someone is fishing.
That just introduces another moving part (the unlock mechanism) that can break. Better to incorporate a timing delay on authenticating. See http://stackoverflow.com/questions/549/the-definitive-guide-to-form-based-website-authentication?rq=1.
I think that I have come up with a better idea. Why not insert your rememberable (I have just created the previous word) word or phrase into a large block of randomly typed text onto notepad. Here is a line I am producing as an example of what I am trying to express:
KnVvFfhbbvGtt5$567*(*76#33$ERdcfghgfdSSdCvggHVcxxccCVvvbbbbBBVdwq2YOL<MPppOjhfddssghjgfTYHHJHGfddrffggfddRFgfgfFFFGFFdSSsdfgfGFFF
This is but one line of text created by rapidly moving my fingers across the keyboard with one finger dedicated to frequently hitting the shift button. Make 20 or 2000 lines of the same length on that notepad, then save the results. Now pick a string of text that you can easily remember picking. That string of text can begin anywhere within that block of text and can run any number of characters long, and can be chosen to be read in any direction.
Next, eliminate a specific number of text from the line and replace it with an easy to remember word or phrase. Using the above string as an example:
dcfghgfdSSdCvggHVcxxccCVvvbbbbBBVdwq2YOL<MPppOj could be used if you memorized that the line begins after $ER and ends at the end of GFFF. Now, in order to prevent the attacker from using a future program that could use every combination of strings of text in your notepad file: you need to insert a memorized word or phrase. Example:
dcfghgfdSSd_Example_ccCVvvbbbbBBVdwq2YOL<MPppOj .Note that I have inserted _Example_ within that same line of text and have deleted 9 earlier characters.
I would strongly recommend that you write notes about how you have modified that string of text on a separate notepad for a few days until you have thoroughly memorized how to transform that block of gibberish text into you actual password, then wipe those directions from your computer.
Most passwords have a maximum number of characters, usually around 15. Seven words would have considerably more characters than allowed.
@Byron Hildebrand: “Seven words would have considerably more characters [than] allowed [for most passwords]”
Non sequitur: you’re confusing the different functions of passwords and passphrases. Note above that Lee advocates “use a password database[, then] lock up all your passwords behind a master passphrase that you generate with Diceware.” I.e., one uses a long/strong *passphrase* to unlock a password database (aka password manager–above Lee advocates KeePassX), and one then uses that password manager to generate site/server *passwords*, which as you note are more constrained (not only in length, but often in composition).
lols… what a joke
You do realize that NSA “can” read minds, use telepathy, talk with each other spies using demons…
It doesn’t work
Ask the members of gang stalking and mind control victims, NSA is too far ahead in this game and you can’t hide passwords from them. It’s over, this is the end. Privacy is gone. Also, let’s link NSA with voodoo and black magic and you will be surprised they even have literal witches from Latin America as part of Monarch mind control. Example of famous monarch mind control victim [email protected] you guys are too familiar with who this girl is and why she works with CIA and how she is involved in Voodoo and how her child is a future CIA monarch mind control.. fight continues.
Yes, your tricks works great as long as NSA hasn’t chosen you for “Mind Reading”….
Once you are chosen, no escape. End of story. Proof? Ask Puerto Rican Voodoo Queens about my claims…
Myron May– They can kill people by remote heart palpitations ONLY if the person believes they CAN. If you trust in the LORD, they can’t.
A good source of online randomness is https://www.random.org which generates bits by provably random processes, uses them once when you ask for a random number and then throws them away. They even have a random dice roller at https://www.random.org/dice/
This is terrible advice for so many reasons they can’t be listed. Password complexity decreases security in EVERY case. Exactly for the reasons mentioned here. Write your password down? C’mon… What happens when Website A gets compromised and your super secret password gets compromised? Now you have to write down and remember a new one, right away? Leaving passwords up to users is the greatest champion for the NSA in the 21st century.
@Terrible Advice: “What happens when Website A gets compromised and your super secret password gets compromised?”
Non sequitur: you’re confusing the different functions of passwords and passphrases. Note above that Lee advocates “use a password database[, then] lock up all your passwords behind a master passphrase that you generate with Diceware.” I.e., one uses a long/strong *passphrase* to unlock a password database (aka password manager–above Lee advocates KeePassX), and one then uses that password manager to generate *individual* site/server *passwords*. Hence “Website A” never sees the passphrase.
Just out of curiosity, wouldn’t adding capitalization to a few of the words only multiply exponentially the difficulty in guessing the right one?
Capitalization would increase complexity. Test it for yourself > https://www.grc.com/haystack.htm
Yes and no.
Technically, yes it adds a little entropy. In reality, it’s trivial to create dictionary attack rules that replace the first letter with caps, the last letter with caps, the letter A with 4, and all the L33t speak substitutions and typos we like to use but are difficult to remember. The effective added entropy is pretty minor. You’re far better off simply adding another word.
I think the author has significantly underestimated the security of this system. DOE is already ordering a few supercomputers slated to be 150 petaflops with a possibility of shortly going to 300 PF. Safe to say if DOE gets 2, NSA gets 10. Given this is a highly parallelizable problem with few instructions needed, we are probably looking at 500 years to run the whole list of 7 word pairs. Yes, that is still a long time. Buy a few more supercomputers and wait a few years for them to be pushing 1K petaflops.
Also, people need to remember no typed passphrase is immune to a keylogger.
Some questions:
Is this system substantially safer than simply choosing 7 grammatically and semantically unrelated words? Example: fun steel hanging patty arrow with long
Is it possible to quantify the loss of randomness/safety when such a passphrase has two consecutive semantically/idiomatically related words? Example: fun steel hanging rising sun with long
In a word, yes it’s substantially safer to rely on dice than your human noggin. The human brain has been scientifically shown to be *terrible* at randomization. We’re built on patterns, and we’ll drop back to patterns the first chance we get. So the words we’re using really won’t be “random”. But big deal right? Well… Password crackers these days have more insight into how we pick passwords than we do when we pick passwords. How so? With each gargantuan security breach where ten or twenty million passwords are released in plaintext, we can run statistical analysis on those passwords and determine trends and how we pick words. Then crackers build rules based on those trends and patterns. This isn’t theory, this is real world stuff. It used to be crackers would have to run off of brute force attacks, but with every major password dump that occurs, dictionary attacks become stronger and stronger, to the point where they’re the main method of attack against hashed password dumps.
Is it possible to quantify the loss of entropy? Sure… Someone has I’m sure. From the entropy calculators I’ve seen, it can compromise up to 50% of the entropy, depending on the dictionary, the rules, and a few other things.
Long story short: Don’t trust your brain to do this stuff.
Another quick point. The diceware pattern is basically 6000 words or so. There are about 3000 words that make up the vast majority of English communication. If you were tasked to sit down and write down every word you could think of, well, I would seriously doubt you could think of 1000 words in one sitting. So by abandoning the dictionary and the enforced entropy you’re probably culling your entropy down by 5/6ths, which nullifies the entire point.
This is important information I hope everyone pays attention to.
I wrote a GUI version of diceware (stealing more from xkcd though)
https://github.com/jrootham/passphrase
Download the zip file (there is a button on the page) unzip it, and run the python script.
Is it worthwhile to improve the packaging?
I wrote a site to automatically generate passphrases, it is http://passphrase.neocities.org/
Is there a password database that could sync passwords between an iOS device and Mac or would the cloud functionality defeat the purpose?
keepass, keepassX, minikeepass. sync via dropbox.
Does the above described system assume the words are separated by spaces? If yes, how would that change the entropy of the passphrase?
“If words were simply concatenated rather than separated by spaces, concatenating could form words that are already in the word list. For example, “in” and “put” form “input”; all three words can be found in the above mentioned word list. This could slightly decrease the entropy, when compared with the recommended method of using spaces to separate each word in the list.” https://en.wikipedia.org/wiki/Diceware
Your article seems to emphasize entropy or randomness in the creation of a passphrase. However, over at https://www.grc.com/haystack.htm I discovered this comment.
ENTROPY: If you are mathematically inclined, or if you have some security knowledge and training, you may be familiar with the idea of the “entropy” or the randomness and unpredictability of data. If so, you’ll have noticed that the first, stronger password has much less entropy than the second (weaker) password. Virtually everyone has always believed or been told that passwords derived their strength from having “high entropy”. But as we see now, when the only available attack is guessing, that long-standing common wisdom . . . is . . . not . . . correct!
In security and cryptography, your systems should remain secure even if your adversary completely understands how they work (security through obscurity isn’t security and all that). This is how we can rely on public ciphers, like AES, where anyone in the world can study exactly how it works but still can’t break the crypto if they don’t have the key (crypto keys are just a block of entropy, by the way).
So which will be cracked quicker, “D0g…………………” or “PrXyc.N(n4k77#L!eVdAfp9”? Well, if you’re not hiding your passphrase generation method, then obviously the first one will be cracked much quicker. It’s not a stronger password at all. It’s only stronger if the people guessing passwords are ignoring efficiency (guessing more likely passwords first) and instead searching the entire key space sequentially.
You can safely use Diceware to generate measurably secure passphrases even when your adversary knows exactly what method you use to generate the passphrase. This means you can teach it to other people who can reliably use it and it doesn’t make your own passphrases less secure. If you tell someone “pick a random word, mangle it, and then add between 10 and 20 zeros to the end” then that clearly won’t work for long. Diceware passphrases with n bits of entropy will always be secure for as long as it’s infeasible for an attacker to work through the n-bit key space.
How does this compare to randomly flipping to seven different pages of a dictionary?
The Diceware list has fewer words, and the words are on the shorter side, compared to a dictionary. If you use a dictionary, your passphrase will contain longer, more obscure words, which will make it harder to memorize. But also, how would you choose which random pages to flip to in the dictionary? How many six-sided dice would you need to roll to generate enough entropy to pick a random page, and again to pick a random word on that page?
Human beings are good at dividing things in two. So you could open the dictionary into two halves with approximately equal pages, then flip a coin. Heads would be the first half, tails the second. Then separate the chosen half into two again and repeat. Once you reached a single page, use a ruler to divide the page in two and repeat until you reached a single word. Repeat for as many words as necessary.
Even if you don’t exactly divide into halves, it should be close to random. It might take about 16 flips to get one word, so a passphrase might take an hour or so. You could do it with a friend, and make bets on each flip of the coin to make it less tedious. However, you would have to kill them afterwards to ensure the secrecy of your passphrase.
This is an excellent idea and it would work great. You wouldn’t even have to guess “about half-way”, it would be easy to be exact assuming your dictionary has page numbers (once you got to a single page you’d have to continue flipping coins to divide the page in half, and so on, until you get to a specific word). And in fact, each coin flip is precisely a bit of entropy. Since a seven-word Diceware passphrase contains 90.5 bits of entropy, you would need your system to rely on 91 coin flips to be equally as secure (however many words that ends up being depends on the size of your dictionary).
Suggestion: Use a ten-sided die and just roll for each digit of the page numbers: first throw gives the smallest digit (xx4), next one the 10-digit (x84), and so on. If you end up on page 884 but the book only has 750, start again. Or just use three ten-sided ones with different colours and assign the digits to the dice beforehand.
In terms of entropy, 90 bits can be achieved by 27 throws, much quicker than 90 coin tosses!
(See, role-playing can help you in real life!)
Absolutely right. For example, The Official Scrabble Players Dictionary ($6) contains over 100,000 two to eight letter words. This easily provides much more entropy than the 7776 NSA-selected dicewords and no need to roll any dice.
Would a passphrase consisting of 7 words: one and only one English word, and one from Swahili, a third from Finnish etc. (and oh, one custom-made word, just to throw a monkey in the mix), all randomly selected, have the same strength as a Diceware-generated word sequence?
I’d think the snoopers would have to expand their word database to include all the world’s languages to do so…
I like your articles. They feed my technical…
“I’d think the snoopers would have to expand their word database to include all the world’s languages to do so…”
Meant to read:
“I’d think the snoopers would have to expand their word database to include all the world’s languages AND DIALECTS to CRACK the phrase…”
I am writing under extreme pain…and typos can be quite frequent. Thanks.
Improving on that line of thought, you could use the names of the seven dwarfs, or those of the six Marx brothers plus that of their Russian cousin (Karl). The advantage over common words is that they won’t appear in a common dictionary. Trickier yet, use English phonetic spelling for seven words taken from a foreign language, such as “Bonjur Madmoo-uzel, vooley voo cooshey uvek moo-u?”, liberally sprinkling the sentence with uppercase, punctuation and spaces.
Lol re: ” Bonjur Madmoo-uzel, vooley voo cooshey uvek moo-u?”. Oh, le monde e fu !
I thought on similar terms as well. What if you have a 7-word passphrase, with each word from a different language romanized with the English alphabet? Some non-European languages have several standard romanization methods, most don’t. This will introduce more randomness. The sequence of languages can be determined by throwing the dice as well, even more randomness. And if you are multilingual, you can use grammar rules of one language and vocabulary of others to form a passphrase. Would this have the same strength?
Or what if you take a common phrase from English, like a quote from Shakespeare, and translate every word into a different language? Because when you look in the dictionary, there’s often a list of translated words with subtle differences in meaning and one can randomly select a translated word, using dice if necessary. Would this have similar strength?
Since diceware passphrases are so difficult to crack, would it be appropriate to use the same one for different encrypted volumes? Or, is it better to use a different passphrase for each? I understand the danger that if you only use one someone gets it, they can unlock everything that uses it…
You can think of passphrases as physical keys to unlock certain things. It might be fine for your house key to also unlock your garage, but you probably don’t want your office key to unlock your house. So it all depends on how you’re compartmentalizing things.
For example, I might use entirely separate passphrases on air-gapped computers than on internet-connected ones. If my internet-connected computer gets hacked, I don’t want to compromise the security of the air-gapped one. So it entirely depends, but in general I think that yes, you can re-use passphrases if it makes sense for your situation, and if you’re not re-using them in an insecure way (like, don’t have your Facebook password be the same as your disk encryption passphrase).
Let me ask this then…. I use password management software, something like LastPass or 1Password. Am I more secure? Or does it not matter as long as my passwords are randomized?
As long as your passwords contain enough entropy, and most password managers do a good job at this, then it’s totally fine. But you need to unlock your LastPass or 1Password database with a passphrase that you have memorized. Diceware is useful for creating passphrases that are both high-entropy and possible to memorize. It’s a lot harder, for example, to memorize a LastPass password that contains 90 bits of entropy.
I think one of the benefits of Diceware is that it can be kept totally “hair-gapped” i.e. it never leaves your head. Password managers are being targeted.
And I think the idea of these passphrases is more for encrypted devices, where a password manager isn’t going to help (so the extra ease of remembering the words compared to a bunch of ASCII characters helps).
Although I’m not sure Bruce Schneier would necessarily approve of my coinage of “hair-gapped”.
Although to be fair, it’s not actually hair-gapped. Every time you type the passphrase into a computer you break the hair-gap, so any malware running on your computer might get a copy then. :)
Indeed. But it’d probably need to be one of those BIOS keyloggers (or a physical device) to capture system disk encryption passphrases.
Here’s a quick plug for my hastily created insecure seven random word generator from a 58,000 word dictionary http://penfold.fr/
Don’t use it if you’re a Five Eyes target, use an offline method (which is “hair-gapped” at least for the passphrase generation process).
https://diceware.herokuapp.com/
Learn a nonsensical phrase in a language other than English? I wonder if ñ or ë will be allowed in your passphrase though …
So I see solutions in R and Python. Here’s a simple Bash shell script:
#!/bin/bash
# Seven words, each chosen by a 32-bit value from /dev/urandom reduced to a line number 1..7776
for i in {1..7}; do
    ran=`\dd if=/dev/urandom bs=4 count=1 status=noxfer 2> /dev/null | \od -A n -t u4`
    line=`\echo "($ran % 7776) + 1" | \bc`
    word=`\head -$line diceware.wordlist | \tail -1`
    \echo -n " $word"
done
\echo
where I first created a simple diceware.wordlist with:
wget http://world.std.com/~reinhold/diceware.wordlist.asc
grep -E '^[1-6]{5}' diceware.wordlist.asc | cut -f2 > diceware.wordlist
Here’s a similar script that does not require bash and uses the preinstalled dictionary file present on Debian systems. For even better randomness you might want to replace /dev/urandom with /dev/random. The downside with shell scripts is that any other user on the same system could theoretically sniff the invocation of each line and its parameters through ps aux -w, although that requires very good timing.
#! /bin/sh
file=/usr/share/dict/american-english
numlines="$(wc -l < "$file")"
for i in 1 2 3 4 5 6 7
do
    # od prints an unsigned 32-bit value; reduce it to 1..numlines (sed line numbers start at 1)
    rnd="$(od -N 4 -A n -t u4 /dev/urandom)"
    rnd="$(echo "$rnd % $numlines + 1" | bc)"
    # strip possessive 's entries and lowercase the word
    word="$(sed -n "${rnd}p" "$file" | sed "s,'s,," | tr '[A-Z]' '[a-z]')"
    printf '%s ' "$word"
done
echo
What about keylogging or tapping connection? Seems to me, passwords are not the essence of security?
Diceware is already obsolete. https://www.schneier.com/blog/archives/2014/03/choosing_secure_1.html
That post doesn’t in any way say that Diceware is “obsolete”. In terms of generating passphrases, Diceware can’t become obsolete. Someday 7-word passphrases will become obsolete, because the capabilities of attackers will increase, but then you can switch to 8 words, or 10 words, etc.
Or you could just grab an old Webster’s Dictionary, open it to a random page, and plop your finger down on a word without looking. . .wait — they don’t print those anymore!
http://www.roll-dice-online.com/
I highly recommend against using a dice roller from any website, but especially one that doesn’t use HTTPS. It’s much better to generate random numbers either with actual dice or on a computer that you have control over, without having to send your random numbers over the internet.
https://www.random.org/dice/?num=1
Nice post, I just use a password manager for many years https://www.stickypassword.com and will stick with that
So you need to roll a lot of dice? What about using this tool?
https://www.youtube.com/watch?v=7n8LNxGbZbs
Not sure where I downloaded this from, but it’s a simple Excel file (with word list hidden on Sheet1), with no macros, just formulas to make a 5×5 grid of words.
Written by David C. Frier, apparently.
https://dl.dropboxusercontent.com/u/2835366/WordBase.xlsx
(the developers removed some words from the original word list that could be considered offensive). 1. I can’t believe I’m reading this. People are still offended about words. 2. Security is trumped by our feelings getting hurt. The mind boggles. 3. Apparently it was beyond the pale to just use a stack of different words because there’s only about 500 000 words in the English dictionary.
There really is no hope for this species. None of this technology matters. Technology can always be beaten. We don’t need better technology, this is not a technology problem. This is a human problem. We need better humans.
Most of the words weren’t actually removed for being offensive, but for not being real words and therefore being difficult to memorize. Here’s the list of words removed from SecureDrop’s word list: https://gist.github.com/micahflee/99809514a6b8556ea4dc
Many of the real words that were removed aren’t offensive themselves (like “africa” and “jew”) but could be in some random passphrases (like if the word “slimy”, or other negative adjectives, appear before them).
Honestly, those actually could make really good passphrases. If trying to crack passphrases with a multi-word dictionary attack, there are probably archaic words that wouldn’t be in the attacker’s dictionary. It would be interesting if the 7776 word database contained a combination of archaic old english words and modern slang and web 2.0 words so you had a passphrase like cutpurse brofist mummer selfie.
The reason for removing potentially offensive words is because I’d suspect a LOT of folks will really roll the dice until they generate a passphrase that pleases (or at least, doesn’t offend) them. This isn’t mentioned in the article, but if you do this, you’ll end up with a non-uniform distribution of diceware words, which would provide a great benefit when trying to finesse the sort order of your attack dictionary.
What does the Law say about being forced to reveal the passphrase when the Authorities demand it?
“I forgot the damn password.”
A recent USA law case ruled that if a person claims 5th Amendment protection against self-incrimination of the information on encrypted electronic media, then (s)he cannot be legally compelled to reveal the decryption password or key.
But note that biometrics will probably not receive the same protections by the time the issue gets to the Supreme Court:
http://jolt.law.harvard.edu/digest/telecommunications/court-rules-police-may-compel-suspects-to-unlock-fingerprint-protected-smartphones
–excerpt–
“Judge Frucci ruled that phone passwords were entitled to protection under the Fifth Amendment’s promise that no person “shall be compelled in any criminal case to be a witness against himself.” Id. He stressed that the password existed only in the defendant’s mind, and thus compelling the defendant to provide a passcode constituted a testimonial communication. The Fifth Amendment protects against such compulsion.
On the other hand, Judge Frucci concluded that smartphone fingerprint protection did not qualify for the Fifth Amendment privilege. He noted that producing a fingerprint did not require the communication of knowledge, but was rather analogous to being ordered to produce a DNA sample or a key, which is constitutionally permissible.”
Seeing that we’re entering a period in history where disrespect for the law, rendering and torture are becoming commonplace, it might be smarter to rewrite authentication software (password handling) in such a way they accept two passwords. One to grant access to data, another to permanently destroy it. No-one could blame you for disclosing the wrong one, because proving so would be impossible in practice, and if it’s easier to guess using brute-force cracking than the one granting access, it even works in your absence.
For those technically inclined, the algorithm is quite trivial:
if destroy-password exists and is entered
    destroy (or overwrite) files and directories listed in destroy-catalog
    destroy (or overwrite) destroy-catalog
    grant access
else
    do nothing
This comic is a good quick overview of the concept from the article for those of you who had a difficult time following it. (The example they use is ‘correcthorsebatterystaple’)
https://xkcd (dot) com/936/
There are generators that make similar passphrases with a click of a button, but I don’t recommend them (for all you know they could be keeping a copy of your master passphrase). Basically length and lack of association within word groupings creates entropy or randomness, making it more difficult for a machine (or human) to guess. A passphrase like ‘toboldlygowherenomanhasbefore’ has length, but it’s a popular quote. A unique random combination of words means nothing to anyone but you, and therefore doesn’t have a detectable pattern.
If you really want to get crazy and don’t mind being slow and meticulous, you could also incorporate a key shift. By this I don’t mean press the shift key, but physically move your hands to press another nearby key, keeping your pattern consistent throughout. It’s probably overkill, but it does add numbers to the mix and can prevent a disgruntled co-worker or associate from knowing your passphrase if you happen to drop the English one written on your sticky note.
For example, using an example from the article ‘brig alert rope welsh foss rang orb’
If you can memorize that phrase, replace every letter with the key to the upper left of that letter.
brigalertropewelshfossrangorb
now becomes
g48tqo345490323owyroww4qht94g
Grr… I tried to avoid formatting this as a link since they seem to take way longer to get through the moderation system, but it appears to have come up as a link anyway.
Those using Linux should just open a terminal and type in:
wget http://www.world.std.com/~reinhold/dicewarewordlist.pdf
The file will be saved in the current directory. For some reason the site was refusing to open up.
Great article!
I think this passphrase protocol is superior even to biometrics. As far as I know, thoughts still can’t be taken from someone. We’ve all seen the movies where they take someone’s eyeball, finger or voice recording and use it for biometric authentication. That seems a little more realistic than torturing and/or drugging someone to get them to give up their secrets as we also see in the movies. I guess both scenarios are theoretically possible.
Most people probably don’t care enough to even have a passphrase at all and just use their [email protected] or s0mEth1nG only because most digital services require a certain complexity to their passwords. And only those who understand how the Internet is the backbone of nearly all of the world’s digital information know what it really means when someone refers to mass surveillance as being a problem. I only hope more people begin to wake up and understand how they are being watched, controlled, exploited and who knows what else for what true purposes.
Nice. Good info. Thanks all involved :)
Personally, I’d like to get rid of the series of acts and orders (and the enabling parties) that have given rise to this government mass surveillance mentality and nightmarish phenomena.
That said…at this time, encryption is a fair means of protection from some forms of privacy invading data collection if one wishes to use and/or communicate with cellphones or computers. Unfortunately, it does not stop metadata interception or storage by government facilities.
It is great that you are taking your time to write this series of articles Mr. Lee.
Thank you.
Interesting article.
I was surprised that you said no one had written a simple program to produce Diceware passwords, as it is very easy to do. I’m only an amateur, and it took me about 10 minutes to write this (admittedly very ugly) single-line program in R. (It assumes you’ve already loaded the Diceware word list into a dataframe called “diceware,” with the numbers in the left column and the words in the right column, and that you have a vector called “die” containing the integers 1 to 6.)
> for (i in 1:6) print(diceware[diceware$V1==as.integer(paste(sample(die, size=5, replace=TRUE),collapse="")),2])
[1] "gripe"
[1] "arden"
[1] "niece"
[1] "gig"
[1] "fraud"
[1] "ova"
It produces a different random list of six words every time you run it.
It would undoubtedly be prettier and easier to understand in Python, but this is an R week for me. The idea is simple enough: you “sample with replacement” the integers 1 to 6, with sample size of 5 (for the five dice). You collapse the five digits in your “sample” into a single five-digit number, and then look up the word in the row of the dataframe that corresponds to that number. For a six-word phrase, do it six times.
I’m surprised that no one has mentioned that the list of 7776 words isn’t, in fact, made up entirely of words. And some of the non-word choices seem questionable to me. Here, for example, are the first ten “words”:
11111 a
11112 a&p
11113 a’s
11114 aa
11115 aaa
11116 aaaa
11121 aaron
11122 ab
11123 aba
11124 ababa
The end of the list consists of punctuation marks, sometimes doubled: ## or !! for example.
It seems to me that it shouldn’t be hard to come up with a list of 7776 actual words without resorting to random punctuation and strings like “ababa” or “yz,” and it would be more user friendly, I think. Because the punctuation at the end of the list was making R complain for reasons that I didn’t want to take the time to figure out, I replaced them with the names of famous composers and the like, just for testing. But surely it ought to be easy enough to sit down with a dictionary and make a better list. Is there some reason to think that salting the list with a few non-word strings and punctuation marks will make the generated passphrase more secure?
(I can’t remember whether you mentioned this, but the word list has to have 7776 items because that is equal to 6 ^ 5, the number of possible rolls of 5 six-sided dice.)
Does R default to using a cryptographically-secure random number generator for the sample function?
lol nope
Many thanks.
Or simply Seed-Map your password to whatever degree makes you comfortable:
http://suddendisruption.blogspot.com/search/label/Passwords
I use a program called TrueCrypt it can use blobs (Binary Large Objects) Like jpegs for passwords and also generate pass phrases from random mouse movements.
It allows you to create encrypted volumes (even thumb drives) you can also create a large file and mount it as a volume. It is/was open source.
Pass phrases are subject to keyboard loggers. Using a picture file means you can use a mouse instead of a keyboard. I don’t know how secure TrueCrypt is. I think the NSA et al drove them out of business using an attack through the legal system instead of cryptographically, like they did with The Guardian and others.
If an attacker can put a keylogger on your computer, they can also do everything else that you can do on your computer: read all your files (including TC key files), take screenshots, steal crypto keys from memory, etc.
I agree. One idea with TrueCrypt is that you can encrypt a Virtual Machine (essentially a computer within a computer) and run it on Virtualbox.
Also, some programs these days are designed to be run off a thumb drive. Put these things together and you could end up with something reasonably secure.
Your MAC address can be tracked, so it might be best to buy a cheap laptop off Craigslist, load it with a secure Linux distro and start from there. From a cutout standpoint, a news organization might simply receive a thumb drive and a password.
If it is a short enough message you might use Steganography for encryption and Bit Torrent for broadcasting.
http://lifehacker.com/linux-security-distros-compared-tails-vs-kali-vs-qub-1658139404
As Micah put it correctly, and how so candidly, if an attacker can put a keylogger on your computer, encryption is pretty much worth diddly squat. This needs to be qualified a tad though.
First of all, with apparent ties between chip makers (e.g. Intel, to name but one) and the National Spook Association, it’s pretty fair to assume keyloggers are already in place on most computers. Assuming the worst is key to effective security, whereas hoping for the best is merely relying on faith. The same goes for paternity claims.
Now, with that in mind, an important drawback of a keylogger is that an attacker needs your computer to be connected in order to access the logged data. Which boils down to what Ed Snowden recommended a while ago, that you use encryption on an air-gapped computer.
For the benefit of non-IT-literates (most people), an air-gapped computer is one that has never been connected to the net in any sort of way and has no connection capability which may be activated without your knowledge (wifi card, bluetooth, cable, etc). And even that isn’t 100% proof, which is why the Guardian kept such computers in a windowless basement office.
From a practical point of view, such practice excludes most computer users, because it requires you own two computers: one air-gapped to encrypt/decrypt files, and one that is connected to let you communicate encrypted stuff with others. Plus some sort of hardware (USB stick, memory card) to manually transfer data between the two computers.
I like the steganography/mouse approach suggested by Si1ver1ock, as it bypasses keyboards and keyloggers altogether. It may turn out to be a simple and cost-effective method for most users. The fact (if confirmed) that TrueCrypt was driven out of business for constituting a threat to spook agencies speaks volumes.
May I suggest Micah graces us with a future article on the use of blobs for encryption purposes? That might prove more reliable than a method based on gullible faith in the integrity of our computers, even if the math behind diceware is very sound and eye-opening.
If you’re using a USB stick to transfer files to and from an air-gapped computer then it’s not very well gapped; STUXNET was transferred into air-gapped computers in precisely this way. I’d guess NSA has many viral toolkits that search for USB sticks attached to internet-connected computers, plant malware on them, and then transfer that malware onto the air-gapped computer.
Many solutions here are going to be low-tech, for example you could print out files on paper from an internet-connected computer, then scan those paper documents into the air-gapped computer. Tedious but pretty secure.
Also, the NSA has built backdoors into RSA encryption standards via the use of algorithm-based pseudorandom number generators. This was deliberate, as knowledge of the algorithm used allows one to predict the ‘random’ sequence – robust high-speed true random number generators are based on detection of nondeterministic phenomena, such as radioactive decay (times between successive decays cannot be predicted; that’s the heart of quantum physics).
This backdoor apparently allows the NSA to spy on all banking transactions both in the US and abroad, without any judicial overview or need for a warrant (as specified by the U.S. Constitution). The bottom line there is that pseudorandom number generation via algorithm-based methods is inherently insecure and should be abandoned in favor of true sources of natural entropy.
The problem I have with the “trillion guesses a second” meme is this. Most systems give you a handful of tries before they lock you out. So this means that the NSA or whoever, won’t get to try a trillion times. And if they have your laptop in their physical possession? If they want the info bad enough, they’ll probably get it eventually. But that seems to be the only scenario where you’d need that kind of protection. Barring obviously stupid passwords (“password” being the classic example), there’s no need to have such a high security password on some service you log into. Unless the service in question is in cahoots with the NSA crowd, said hackers won’t get a trillion tries.
I specifically mention this in the post. Passphrases are basically most useful if you need to encrypt something and want to keep it safe even if an adversary gets a copy of that. Physical possession of your laptop is one scenario. Or storing encrypted things in the cloud, like your Chrome profile with all your saved passwords (if Google or the government tries to decrypt your profile to steal your password database, they won’t be able to if you use a strong passphrase).
Actually, this isn’t true at all. If you encrypt your hard drive using a seven-word Diceware passphrase and your laptop gets confiscated or stolen while it’s powered off (so the attacker can’t do a cold boot attack), how are they going to decrypt your hard drive, even if they want the info really badly? Encryption works. This is the prime scenario where Diceware passphrases make sense.
Micah: Thanks for the gracious reply. But we know that Google, et al are in bed with the NSA, so they already have the master password, and if the NSA tells them to hand it over, they will. I personally don’t store anything in the cloud for that very reason. But your point on the laptop encryption is well-taken. Though I don’t personally store anything like account numbers or credit card numbers on my laptop (again for longstanding “paranoia” reasons that are more justified by the day), I probably should figure out how to encrypt it. Thanks for a great article.
I don’t get it. Why can’t you just use seven random words from The English language? What’s the advantage of rolling dice and choosing words from that list? Wouldn’t the words be just as random if you opened a dictionary at seven random spots and chose a word from each page?
Because we shouldn’t trust ourselves to be really opening the dictionary “at random” or pointing to a place on the page at random. Subtle psychological/behavioral phenomena guide people, and the NSA can observe these trends given enough data.
I have an old set (pair) of dictionaries; A-K and L-Z. If I flipped a coin once, I could use that to choose which volume. I’d need to find a similar system to choose the page number. Then another to pick which column of three on the page. And finally which word in the column to pick. Lather, rinse, repeat. The larger list of words to choose from should result in an even stronger passphrase.
That’s a lot of coin flipping. An alternative is to go grab a set of RPG dice (like from Dungeons & Dragons) and get to work rolling. Four 10-sided dice, each of a different color, could easily fulfill up to 10,000-page books. Way faster than flipping a coin a hundred times.
This is a very good article, thanks very much.
What I have been doing is picking a line in a song in a foreign language, then adding some camel case, punctuation, and number/letter substitution.
But the NSA will certainly be able to be multi-lingually predictive in their algorithms, so I am going to use the dice trick.
Thanks very much
I heard the NSA has a cool pass phrase generator on their website now. Just use that! (They promise it’s secure.)
Definitely worth a guffaw. Thanks for the laugh.
There’s an error in the six word calculation, apparently it’s much harder than a seven word phrase.
What do you mean? The article says a six-word passphrase can be guessed in 3,505 years on average, and a seven-word passphrase can be guessed in 27 million years on average.
Use dice with letters on them. Otherwise you’re just using the English language as the key space no matter how much entropy you introduce. Like blueberrystrawberrywatermelonorange is a 4-character password with the key space being fruits. There are only like 480,000 words in the English language give or take. I mean a 4-character password in a key space of 500,000 is only 500,000 raised to the fourth. It would take the NSA literally one millionth of a nanosecond to crack.
This isn’t even slightly true. With Diceware you collect entropy by rolling dice, and you can think of the entropy itself as your passphrase. You encode it into English words to make it easier to remember, but in the end if you memorize a 7-word Diceware passphrase you’re just memorizing ~90 bits of entropy. The only way it’s possible for an attacker (like NSA) to guess that passphrase is if they successfully guess those same 90 random bits, in the correct order.
You’re failing to appreciate the power of exponential growth. That’s what makes the number of “keys” (words) used more important than the size of the “key space”. Google has a nice calculator, fyi.
500000⁴ = 6.25e+22
7776⁷ = 1.7190708e+27
500000⁵ = 3.125e+28
“I mean a 4-character password in a key space of 500,000 is only 500,000 raised to the fourth. It would take the NSA literally one millionth of a nanosecond to crack.”
Err more like 1000 years, on average.
This is amazing…
976 of the 7,776 Diceware words might be considered offensive?! That’s one out of every eight words!
Great article. Diceware has been around forever but it isn’t widely known. It’s great to see it get some publicity.
A math quibble/question…
But if a user can randomly insert (single) spaces between the words with no additional demand on her memory (as I think would be the case), doesn’t the guesser also have to guess the spaces? If so, and allowing for a leading or trailing space, that would multiply the number of potential passphrases using seven words by 2⁸=256 (a possible space before each word, and one after the last word). And then if we allow for inserting multiple spaces…
Anyway, this is a wonderful article, Micah. Thanks.
You could do that but arguably another word from the list is going to add more entropy, and be easier to remember.
Great article. Thank you!
Thanks Micah!! Passwords really need a lot of attention and most people are amazingly lazy and goofy with them.
It’s not all our fault. We’ve been trained for years by programming and memory constraints to think of passwords that are hard to remember but easy to guess, or easy to remember and trivial to guess.
Think for a moment about all the accounts that you use verification for that have password limits on them. There’s a few out there I’m sure. It’s only in the last 5-10 years that we’re seeing significant shifts towards passphrasing.
The worst offenders are the password systems that simply truncate your longer password down to 8 or 12 characters without warning you. So you think you’re using “correct horse battery staple” but you’re actually only using “correct ”
If you’re *really* determined to use an online generator you may want to google-up dice-o-matic. The down side is that the dice rolls are queued up and stored in blocks of 1000, and probably are archived as well. This is bad from a security standpoint.
However, the machine physically rolls dice. About 1.4 million per day. This is good.
I could see a cheap RNG project that reproduces the dice-o-matic which generates rolled dice numbers over an encrypted connection. Still, it’s easier to just grab a handful of dice and do it yourself. If you’re *extremely* paranoid, go with casino dice, as they are set by law to extreme tolerances for randomness. The sixers in your copy of monopoly at home are probably actually weighted off-balance a little. In reality this shouldn’t make much of a difference, maybe a 1% chance to roll say a 1 or 6, but some may have bubbles in the plastic and may be “loaded” dice, which destroys the idea of randomness.
Thank you, Micah. Practical advice in an easy-to-understand format. Just what most of us need.
I taught my pet monkey to type on the computer, and then left him randomly punching the keys to produce a secure passphrase. But when I got back, I found, as entropy would have it, that he’d produced a complete works of Shakespeare. So I sent him back to the pet shop and demanded a refund.
I’ll give this Diceware thing a go.
I seem to be having Shakespeare issues. I tried Diceware and the six words it chose at random were ‘to be or not to be’. So I tried four more and got ‘that is the question’. I’m wondering if entropy has somehow been subverted by some NSA cryptographer with an english literature degree.
Lol
Your dice are loaded. Buy a new set.
For the regular ol’ human being, this article is much too complicated to follow enough to actually be able to do the encryption on our own without a helping hand to get started. It is a good first article though. I am in San Diego and I had a very difficult time finding a computer person to help me encrypt. No one is offering this service and there sure is a huge market for it I believe. Please get the word out to the computer people, the hackers, to offer this service, to place ads on Craigslist and in local newspaper ads, etc. This is the way we as a public can make a difference and a strong statement as well. Us Americans need help to get started; even classes would be good for encryption. You all are into it as your job required it, but for the rest of us we need help and it is not available right now and should be. Thank you.
I thought it was quite understandable. Download the list, roll the dice, write down the numbers, construct your passphrase. You want classes? Consider this article a class.
I agree with Cheri Jacobs. There is no reason why each one of us, one at a time, should be limited to having to figure all of this out with the only available outlet being limited to reading instructions, however well put together those instructions are, without the accompanying availability of in-person Q&A and personal interaction.
Alison Macrina provides an example of what I’d like to see spread far and wide: “I teach librarians and their communities about privacy and surveillance.” — Alison Macrina
Library Freedom Project
Is this perhaps a learning-styles preference? If the preference is for a person, whom I can see and hear, speaking the instructions and showing movies of the actions, then a video would be an improvement over what Micah has presented. Maybe I’m too deeply burrowed into the “Is there a book or an instruction manual?” mentality to remember that not everybody wants to read an instruction manual.
I think the issue of trust is what makes the notion of a ‘helping hand’ problematic. Having even an ounce of faith in the veracity of a classified advertiser when it comes to something as crucial as safeguarding personal data would be unwise, to say the very least. Perhaps the article could have been a little less intimidating (I welcomed it, but I’m a nerd). In any case, a little manual effort and mental exertion vs a potentially radical increase in data security is a no-brainer. Good stuff, Micah.
Cheri Jacobs:
No problem.
Perhaps you will benefit from reading the following article:
“A Beginner’s Guide to Encryption: What it Is and How to Set it Up”
http://lifehacker.com/a-beginners-guide-to-encryption-what-it-is-and-how-to-1508196946
After you read this…Mr. Lee’s article will be easy to understand.
I know exactly what you mean. Crypto can be really intimidating at first, so take it slowly and don’t worry. Things start clicking into place the more and more you read and try out. There’s a wealth of good info on the interwebs.
This is an excellent start
Of course, you don’t need that level of proficiency to develop good crypto practices, but it never hurts to know the foundations, quite the opposite. If you want I could point you to amazing learning material. But you have to make up your mind and commit to actually putting a minimum effort… The good news is, at the end of the tunnel the rewards are awesome.
Website random.org contains an integer generation method where you can specify a range of integers, (1-6), type in the number you want to generate (35 for a 7-word diceware phrase), and format it in 5 columns so it’s easy to stick together.
It does, but if your passphrase security is important to you I would strongly advise not using a website to generate your random numbers for you. You can’t confirm that their random number generator is secure, or that they’re not keeping copies of the random numbers they show you or sharing them with anyone else. Also, these random numbers get sent over the internet. It’s much better to do it on your own computer.
If you’re using a Mac or Linux, you can open the Terminal app, run “python”, and type this:
import os  # os.urandom reads the operating system's CSPRNG
for i in range(35): print(ord(os.urandom(1)) % 6 + 1)  # one byte per roll, mapped onto 1..6
This isn’t super efficient, but it will indeed end up showing you 35 cryptographically secure random numbers between 1 and 6, generated locally on your own computer.
You’ll want to “import os” first.
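A small caveat on the one-liner above: a byte has 256 possible values and 256 is not a multiple of 6, so “byte % 6 + 1” makes faces 1 to 4 very slightly more likely than 5 and 6. The loss is far too small to matter for a Diceware passphrase, but the standard fix is rejection sampling: throw away any byte of 252 or above and draw again. The following is an added example (not the commenter’s code) that shows the bias by counting, then produces unbiased rolls and groups them into the five-digit lookup keys a Diceware word list uses; the word count of 7 and the function names are my own choices.

```python
import os
import math

DICEWARE_FACES = 6
WORDS_IN_PHRASE = 7   # assumed default; the article recommends seven words
ROLLS_PER_WORD = 5    # a Diceware lookup key is five die rolls, e.g. "36625"


def modulo_bias_counts():
    """How many of the 256 byte values land on each face under 'byte % 6 + 1'.

    256 = 6 * 42 + 4, so remainders 0..3 occur 43 times and 4..5 only 42 times.
    """
    counts = {face: 0 for face in range(1, DICEWARE_FACES + 1)}
    for byte_value in range(256):
        counts[byte_value % DICEWARE_FACES + 1] += 1
    return counts


# Largest multiple of 6 that fits in a byte; bytes at or above it are rejected
# so that every accepted byte maps onto the six faces equally often.
_ACCEPT_BELOW = 256 - (256 % DICEWARE_FACES)   # 252


def roll_die():
    """Return an unbiased roll in 1..6 from the OS CSPRNG via rejection sampling."""
    while True:
        byte_value = os.urandom(1)[0]   # Python 3: indexing bytes gives an int
        if byte_value < _ACCEPT_BELOW:
            return byte_value % DICEWARE_FACES + 1


def diceware_indices(words=WORDS_IN_PHRASE):
    """Return `words` five-digit Diceware lookup keys such as '36625'."""
    return [
        "".join(str(roll_die()) for _ in range(ROLLS_PER_WORD))
        for _ in range(words)
    ]


def passphrase_entropy_bits(words=WORDS_IN_PHRASE):
    """Entropy of a phrase of `words` unbiased Diceware words (5 rolls each)."""
    return words * ROLLS_PER_WORD * math.log2(DICEWARE_FACES)


if __name__ == "__main__":
    print("byte % 6 + 1 face counts:", modulo_bias_counts())
    for key in diceware_indices():
        print(key)   # look each key up in the Diceware word list
    print("entropy: %.1f bits" % passphrase_entropy_bits())
```

Each printed key is looked up in the word list by hand, exactly as with physical dice; the generation still happens entirely on your own machine.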
this
Lol
The notion of an adversary who can try a trillion guesses per second is far too weak. Password cracking is comparable in computational difficulty to Bitcoin mining.
https://en.bitcoin.it/wiki/Mining_Hardware_Comparison
shows ASIC devices made by relatively small companies that can do 1-3 billion guesses per second per dollar; there are individual devices mentioned there for $1,000-$2,000 or less that can perform a trillion guessing operations per second. Although those devices can’t directly be used for password cracking, they’re similar in engineering effort and complexity to devices that could.
What do you think a more accurate estimate is?
If 1,000,000,000,000 guesses/sec is too low (which I agree, it looks like it’s a low estimate at this point), let’s assume that actual capabilities are a million times faster than that (which I think is probably quite a bit too high). At 1,000,000,000,000,000,000 guesses/sec, it would take an average of 27 years to guess a seven-word Diceware passphrase rather than 27 million years.
keyspace: 7776^7 / 1000000000000000000 / 60 / 60 / 24 / 365 = 54.5113774653863
half that for the average: 27.25568873269315
And an eight-word Diceware passphrase would take, on average, 211,940 years.
keyspace: 7776**8 / 1000000000000000000 / 60 / 60 / 24 / 365 = 423880.4711708439
half that for the average: 211940.23558542196
And a nine-word Diceware passphrase would take, on average, 1.6 billion years.
keyspace: 7776**9 / 1000000000000000000. / 60 / 60 / 24 / 365 = 3296094543.8244824
half that for the average: 1648047271.9122412
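The arithmetic in the comment above generalises to any word count and guess rate, and it is also easy to turn the keylength.com bit ranges mentioned further down into a word count. The following is an added example (not the commenter’s scratch calculations) that wraps that arithmetic in functions and reproduces the figures quoted here: 27.26 years average for seven words at 10^18 guesses/sec, 211,940 years for eight, 1.6 billion for nine, and the article’s 27 million years for seven words at 10^12 guesses/sec. The 7776-entry list size, the 365-day year and the halving for the average case are the same assumptions the comment makes.

```python
import math

DICEWARE_LIST_SIZE = 7776            # 6**5 words in a standard Diceware list
SECONDS_PER_YEAR = 60 * 60 * 24 * 365


def keyspace(words):
    """Number of possible passphrases built from `words` Diceware words."""
    return DICEWARE_LIST_SIZE ** words


def entropy_bits(words):
    """Entropy of a `words`-word phrase: log2 of the keyspace."""
    return words * math.log2(DICEWARE_LIST_SIZE)


def worst_case_years(words, guesses_per_second):
    """Years to exhaust the whole keyspace at the given guess rate."""
    return keyspace(words) / guesses_per_second / SECONDS_PER_YEAR


def average_years(words, guesses_per_second):
    """On average the phrase is found after searching half the keyspace."""
    return worst_case_years(words, guesses_per_second) / 2


def words_needed(min_bits):
    """Smallest number of Diceware words giving at least `min_bits` of entropy."""
    words = 1
    while entropy_bits(words) < min_bits:
        words += 1
    return words


def crack_table(word_counts=(5, 6, 7, 8, 9), rates=(1e12, 1e18)):
    """Rows of (words, bits, [average years at each rate]) for a quick comparison."""
    return [
        (w, round(entropy_bits(w), 1), [average_years(w, r) for r in rates])
        for w in word_counts
    ]


if __name__ == "__main__":
    for words, bits, years in crack_table():
        print("%d words (%.1f bits): %s" % (
            words, bits, ", ".join("%.3g yr" for _ in years) % tuple(years)))
    print("words for 78 bits:", words_needed(78))    # 7
    print("words for 112 bits:", words_needed(112))  # 9
```

The table makes the trade-off the thread is arguing about concrete: every extra word multiplies the attacker’s work by 7776, so a million-fold faster adversary is cancelled out by adding fewer than two words.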
Joseph Bonneau said he had a paper that uses the entire Bitcoin network hashrate as a basis for estimating password cracking costs, but I don’t have a link to it.
I think it’s reasonable to worry that a nation-state has spent around $10? on password cracking hardware (albeit with some huge uncertainties about reprogrammability and adaptability to different KDFs, search strategies, ciphers, and plaintext recognition heuristics). But a further important source of uncertainty is how much benefit they would get from hardware fabrication research and economies of scale, as well as from building their own fabs and not having to outsource fabrication. Maybe it costs you $100 to obtain a particular ASIC in quantity 1, but maybe it costs a nation-state only $1 to make an equivalent ASIC in quantity 400,000 (although I don’t know whether I mean marginal cost, amortized cost, or what).
Even at current retail Bitcoin ASIC prices, your “million times faster than that” costs only 1/3 * $10?, or, from another perspective, around 1/3 B-2 bomber, and that’s assuming that the attacker doesn’t have access to a cheaper fabrication process.
As another point of comparison, “all methods” at keylength.com recommend symmetric keys of 78-112 bits as a minimum for security expiring in 2015. That’s longer than a 6-word classic Diceware passphrase; those ranges would generally be satisfied by 7 or 8 words instead.
On the other hand, this is also ignoring KDFs, which help the defender, assuming the attacker doesn’t have a shortcut to evaluate the KDF in dramatically less time or silicon.
Oh Micah, I get very frightened — trembling, pale and queasy — when I see text such as that!
What I must do someday, is bite the bullet and hire some student from the local university computer lab to get me all encrypted. I haven’t had any but the most casual email exchanges with Glenn ever since Snowden put the fear of god into both of us on the great importance of encryption.
I can’t ask him much at all until I just fucking do it. But I’m concerned I’m not educable. I need Encryption for Dummies.
Equivalent JavaScript functions should be offered herein, as well as equivalent VBScript, cscript, PowerShell functions.
Using TOR to obtain random numbers one at a time from random.org (which boasts ‘true’ randomness, as opposed to anything algorithmically generated) seems ‘safer’ to me than shortcuts like this. (Of course, using dice can’t be beat.) Our adversary, we must remember, is known to interdict hardware as it travels from supplier to customer so that implants may be introduced into apparently brand-new shrink-wrapped products. Our adversary must also surely have made efforts to compromise the very CPUs that these shortcuts require. Then again, using the dice-pencil-paper approach might be a waste of effort if the result is then entered into a computer system!
random.org knows what random numbers it gave you, and it could be run by malicious people, or it could have been hacked. If you want physical true random numbers for cryptographic applications where they have to be secret, you should make or buy your own physical random number generator, rather than using what is purportedly someone else’s over the Internet.
The safest approach today is to use a cryptographic smartcard with a pinpad reader. The private keys never leave the chip and the chip is made to be rendered useless if tampered with. There are also cheap devices such as the Yubikey which are very similar but USB-based, thus not needing a reader. Unfortunately, the unlock code and passphrase are entered by keyboard and they are not FIPS or CC certified.