Password with real words (like Diceware) really safe?

Werner85

I was reading the following Blog post: http://blog.agilebits.com/2011/06/21/toward-better-master-passwords/

I then read about Diceware and the "recommendation" to use real words in a password.



I always thought using passwords with real words was bad. Because password crackers use lists of words to guess the right password.

Using passwords with not existing words and some digits are much harder to crack, because the word lists do not have those non existing words right?



Can someone explain why using a password like "cleft 2dM&P cam synod lacy" is safer then "lyq 2dM&P kex ixufd mezr"? Because that password is also something you could remember after some practice.

jpgoldberg

Hi Werner,



It's not really a distinction between "real words" versus "fake words". If you are creating the password all by yourself, then fake words will be better.



What makes diceware stronger is that the words (real or otherwise) are chosen completely at random (from the list). It is [i]crucial that they be chosen at random[/i]. Using a list of real words, just means that the random password will be easier to remember than a random password generated otherwise.



Please take a look at "[url="http://blog.agilebits.com/2011/06/21/toward-better-master-passwords/"]Toward Better Master Password"[/url] where this is explained through examples of password creation schemes.



Cheers,



-j

jpgoldberg

Ooops. I see that you already have been reading the Toward Better Master Passwords post. Sorry for just referring you to it again.



Again, the thing about Diceware is that you roll dice to pick words from the list. This is far more random than using some process of creating a master password from something that is meaningful to you and then distorting it.



Because the diceware system is truly random (with the roll of dice), then it maintains its strength even if the attackers know exactly what system you used to create your password. When you create passwords without real randomization, then if the attackers know what kind of system you used, they can exploit that to guess a password more easily.



The kinds of transformations that people use when distorting a meaningful phrase are actually very predictable, and can be easily simulated by computer programs. (This is exactly what tools like John the Ripper excel at.)



If we didn't need to remember or type our Master Passwords then using something from 1Password's Strong Password Generator would be even stronger. But because these do need to be remembered and typed, we have to use something like diceware where the individual units, chosen at random, have meaning of their own.



Cheers,



-j

Fooligan

Jeff, what do you think about using a combination of words from a site like [url="http://makemeapassword.net/"]http://makemeapassword.net/[/url]? Is this site effectively using the diceware technique?

jpgoldberg

I'm actually partial to



[url="https://www.xkpasswd.net/c/index.cgi"]https://www.xkpasswd.net/[/url]



But of course I have to say that people shouldn't use passwords that have been generated by a remote service unless they have very very good reasons to trust the tool and the transmission of the data.



With xkpasswd, you can download the source code and run it on your own computer if you are happy running perl programs. But even with that one, there are a couple of issues about how it gets its randomness. (I've talked with the author, and agree that in most cases on most systems it won't be a big problem, and that it turns out to be harder to fix than I'd thought.)



So while these tools are probably great, I simply can't recommend that people use them because there is a potential for abuse. Even if I say "I personally have checked and trust site X", that would be teaching people bad habits.



So, I'm afraid that at the moment people will still have to roll (pun fully intended) their own.



Cheers,



-j

Fooligan

Dice it is. Thanks!

khad

Also, don't forget to read the follow up to "Toward Better Master Passwords":



[size=5][b][url="http://blog.agilebits.com/2011/08/10/better-master-passwords-the-geek-edition/"]Better Master Passwords: The geek edition[/url][/b][/size]



It includes some important points such as:



"The strength of a password creation system is not how many letters, digits, and symbols you end up with, but [i]how many ways you could get a different result using the same system[/i]."



<img src='http://forum.agilebits.com/public/style_emoticons/<#EMO_DIR#>/wink.png' class='bbc_emoticon' alt=';)' />

Fooligan

Thanks Khad.



I went through and thoroughly read Jeff's previous posts for both the beginner and geek editions last night...very interesting. I have definitely been trained in the "Tr0ub4dor&3" mindset prior to buying into Jeff's mathematical proof for the DiceWare.



Keep the security posts coming please, I find them fascinating.

khad

I'm just glad Jeff is a white hat. <img src='http://forum.agilebits.com/public/style_emoticons/<#EMO_DIR#>/laugh.png' class='bbc_emoticon' alt=':lol:' />



One thing I want to make clear is that a [i]randomly generated[/i] string of characters has greater entropy than a Diceware password [i]of the same length[/i]. So that's why 1Password's built-in password generator is intended to generate these kinds of passwords rather than Diceware ones since you don't need to remember them. Diceware is really only useful for passwords one needs to actually remember.



When calculating bits of entropy in a Diceware password we look at each word rather than each character.



Quick example:



[font=courier new,courier,monospace][b]audience wool golden path[/b][/font] ≈ 51.7 bits of entropy: [i]12.925 bits x 4 "symbols" (words in this case) [/i]

[font=courier new,courier,monospace][b]~h6'l@vm/a?WX*@&p<{d~M&Ag[/b][/font] ≈ 163.875 bits of entropy: [i]6.555 bits (94 possible printable ASCII characters) x 25 symbols[/i]



So if you do not need to remember the password (pretty much any password except your master password) then a string of printable ASCII is much better. However, if you need to remember the password Diceware is much better. To get a password roughly equal in bits of entropy to that Diceware password, you could use an [b]eight character[/b] password composed of random printable ASCII characters (instead of the 25 characters used for comparison).



6.555 bits of entropy x 8 symbols ≈ 52.44 bits of entropy



I don't know about you but if both of these passwords provide about the same bits of entropy, I know which one I'm choosing to remember:



[font=courier new,courier,monospace][b]audience wool golden path [/b][/font]vs. [font=courier new,courier,monospace][b]X*@&p<{d[/b][/font]



The point is that a Diceware password is much easier to remember and type. The comparison becomes even more clear if you are only using lowercase letters and numbers rather than all printable ASCII characters. In that case you would need to have a ten character password (5.170 bits of entropy per character).



[font=courier new,courier,monospace][b]audience wool golden path [/b][/font]vs. [font=courier new,courier,monospace][b]pwrc0qtk4q[/b][/font]



And remember that the characters need to be truly random or the length will have to go up even higher. <img src='http://forum.agilebits.com/public/style_emoticons/<#EMO_DIR#>/smile.png' class='bbc_emoticon' alt=':)' />

Michael Tennes

This is not for everyone, but I use 1P's generator to generate my 24 character master password, and then memorize it. For me, it doesn't take very long for it to be completely automatic to type it. Hopefully this is good enough.

Werner85

Ok, so isn't just randomly making up some words the same as using Diceware?



For example is "egg dog window glass sunscreen" less secure then a 5 word Diceware password?

I still don't get the advantage of Diceware.

khad

Werner, the most important aspect of Diceware [b]is[/b] the random nature of it. Once again:



"The strength of a password creation system is not how many letters, digits, and symbols you end up with, but [b]how many ways you could get a different result using the same system[/b]."



If you pick the words truly randomly that essentially [b]is[/b] Diceware. The dice are used to ensure maximum entropy rather than just "randomly" writing a few words down from your own brain (which isn't actually random).

sddawson

I'd like to understand the whole diceware thing too. If the aim is to stop automated password cracking, why can't the words be related? What if I use "rock pop jazz soul", or "elephant dog catfish cow", which are even easier to remember. Why is that any worse than a diceware-generated list? Sure, if someone knew the first word is rock, they might have a stab at it, but an automated process isn't going to know the first word is rock - it has to decode the whole thing as a single entity. It would only be a weak password if the password-cracking routines deemed that that sort of string of words is common and decides to have a crack (sorry) at trying all the music genres or animal names.



I suppose my genre or animal "system" doesn't have as many ways of getting a different result as Diceware, but the automated tools don't know what system I'm using do they?

Paul M

sddawson,



No doubt one of the pro's will be along shortly to give you a real answer but in the meantime I'd like to have a go, partly to test my own understanding. I've just been working my way through this too and have finished by switching to a diceware master password.



The clincher for me was predictability. My old password seemed very secure to me, and maybe it was — but I have no way to actually know how strong or weak it was. Intuitively it always seemed to me to be virtually unbreakable, but then tools like John the Ripper exist because people all over the world are choosing passwords that seem to them unbreakable but are really quite flawed. Using diceware I know exactly what I've got because even I can do the math: By following diceware's simple instructions I can pick an easy-enough-to-remember password of, say, 6 words and know that there's no better cracking tactic than brute force, and that an attacker who could try guesses at a completely unrealistic rate of a billion a second would still take 3.5 million years to have a 50:50 chance of finding mine. If I use only 5 words then it's 450 years; 7 words is 27.237 billion years. Whatever length I use I know exactly what I've got, and I can't do that with any home-grown method.

jpgoldberg

You have asked exactly the correct question, sddawson:

[quote name='sddawson' timestamp='1344394887' post='61326']I suppose my genre or animal "system" doesn't have as many ways of getting a different result as Diceware, but the automated tools don't know what system I'm using do they?

[/quote]

You can [i]hope[/i] that they don't know, but you can't rely on it.



Remember that the people who are cracking passwords have studied millions of compromised passwords. They know more about how people create passwords than any of us do. As I argued in [url="http://blog.agilebits.com/2011/06/21/toward-better-master-passwords/"]Toward Better Master Passwords[/url], we humans are a lot more predictable than we like to imagine. Dice, however, are not predictable.



There was an old psychic's trick. In front of TV audience five Zender cards (the things with the circle, square, star, wavy lines, etc), and ask each member of the audience to think of one. After some prancing around, the psychic would stare straight into the camera and would announce that "I see wavy lines in your mind". You would think that he'd only have a 20% chance of being right, but actually his hit rate was more than 50%.



First we know that when people are given the task, there is a strong tendency to select the more complex figures (star or wavy line). Second we know that when people are asked to pick something at random from a list of five items, they have a tendency to pick the 2nd or the 4th in the list. (2nd is preferred when list is presented vertically, 4th when the list is presented horizontally.) So the list was presented with the star 1st (least picked position) and the wavy line 4th (most picked position). So the tendencies people have when picking something "randomly" were exploited in two was for that trick.



That is just a simple, well known, example. Now suppose that you had many millions of stolen passwords to study for your research. This is why I consider the only safe system to be one in which the source of randomness is external to the human mind.



And, there is also a point of principle. It's called "Kerchoff's Principle" and roughly states that when assessing the security of a system, you should assume that the attacker knows as much about the system as you do. Your system is dramatically weakened if the attacker can make a guess at what system you used. Diceware losses nothing even though the attacker is fully aware of the system used.



Now your genre system will work just as well as diceware if you can find 7776 words within that genre (very very unlikely) and you pick the words through a truly random process (dice) from that list.



The diceware list isn't perfect. It was constructed to favor short words (to keep the over all pass phrase short in case there are length limits), and so it includes plenty of less familiar words making things a bit harder to remember than necessary. If you aren't concerned about the length in characters, it might be better to make the list out of the most common 7776 nouns in English. (Nouns are easier to remember.)



Cheers,



-j

sddawson

Thanks for the insights, guys. What a fascinating subject!

jpgoldberg

Let me add something else that was hinted at in an earlier message by sddawson.



I know that before I saw the wisdom of diceware, I was really proud of my master password. It was clever, it was obscure, it contained some really terrible puns. I felt "ownership" of it in a way that I don't of something that is derived from the roll of some dice. I hated to give it up.



I know that I am fairly peculiar, but I wonder if this kind of thing is a barrier for people adopting diceware. I know that before I really started advocating diceware, every discussion on picking Master Passwords had people contribute who were very proud of the schemes that they used. I often had the feeling that they really wanted to say what their Master Passwords were (which is a weakness if people act on that impulse.)



This probably doesn't play a huge role in anything, but I think it is worth noting. So maybe my slogan should be "Surrender your pride, and roll the dice!"



Cheers,



-j

sddawson

Yes, an interesting perspective. And a good slogan! Diceware also takes the pressure off having to invent some really clever password in the first place...

danco

Obviously tbontbtitq is not a good password (apart from being too short). But do programs like John the Ripper have complete works of Shakespeare to check against or just common quotes? And would they crack tbontbtitqShakyWillie?

jpgoldberg

[quote name='danco' timestamp='1344764253' post='61437']

Do programs like John the Ripper have complete works of Shakespeare to check against or just common quotes?[/quote]



It's funny you should ask that. It turns out that the latest "Crack Me if You Can" competition had a set of challenges that were specifically against phrases (this was a "hint" that they tweeted during the competition.)



More generally, we need to understand that John the Ripper is very configurable. So if people start using a particular password scheme, then JtR rule sets will be written and used for going after that scheme. You may be fine if the particular scheme that you use is uncommon and you are not being individually targeted. But in general, I ask the Kantian question to anyone who recommends a particular password creation scheme: [i]What would happen if everybody (or just lots of people) followed your recommendation?[/i]



Diceware holds up even if everyone follows the recommendation.



Cheers,



-j

MikeMcFarlane

So, apparently this topic is still HOT!



I too was really proud of my custom Master password, but after a bit of thought, I see the logic in Diceware as it is a known entity. My question is on randomness and selection of words.



In a pseudo random generator as found on many computers, OSs, programming languages etc the distribution is not properly random and if a hacker knows the random generator and the seed used they can take an educated guess as to the random numbers generated. I can see this would be a problem in interconnected systems.



In the case of generating a Diceware password does it actually matter how I generate my random numbers? So long as I don't broadcast my system. Does it matter if I used certified casino grade dice, a dodgy weighted dice, a few lines of code in BASIC or Python to name two extreme examples, pull numbers out a hat, a Turing Machine or a RubeGoldBerg Machine?

khad

Regular ol' dice will do. It is designed to be easy for anyone to do — no fancy equipment or tech knowledge required.



A. G. Reinhold has [url="http://world.std.com/%7Ereinhold/dicewarefaq.html#casino"]a specific section in the Diceware FAQ that addresses casino dice[/url]. An excerpt:



[indent=1]Casino dice are precision made, translucent dice for use in gambling establishments. The added uniformity over toy dice is probably not significant for creating passphrases…[/indent]



The following sections also address "electronic dice throw generators":



[indent=1]Unless you know how the electronics generate the randomness and can evaluate its strength, stick to old-fashioned real dice.[/indent]



And using a computer:



[indent=1]Generating truly random numbers using a computer is very tricky. The so-called random number generators that come with most programming libraries are nowhere near good enough. For most users dice is by far a better way to select passphrase words.[/indent]



Rube Goldberg machines are not addressed in the FAQ. It must not be a Q which is A'd very F. <img src='http://forum.agilebits.com/public/style_emoticons/<#EMO_DIR#>/smile.png' class='bbc_emoticon' alt=':)' />

MikeMcFarlane

[quote name='khad' timestamp='1348800440' post='62434']

Regular ol' dice will do. It is designed to be easy for anyone to do — no fancy equipment or tech knowledge required.



A. G. Reinhold has [url="http://world.std.com/%7Ereinhold/dicewarefaq.html#casino"]a specific section in the Diceware FAQ that addresses casino dice[/url]. An excerpt:



[indent=1]Casino dice are precision made, translucent dice for use in gambling establishments. The added uniformity over toy dice is probably not significant for creating passphrases…[/indent]



The following sections also address "electronic dice throw generators":



[indent=1]Unless you know how the electronics generate the randomness and can evaluate its strength, stick to old-fashioned real dice.[/indent]



And using a computer:



[indent=1]Generating truly random numbers using a computer is very tricky. The so-called random number generators that come with most programming libraries are nowhere near good enough. For most users dice is by far a better way to select passphrase words.[/indent]



Rube Goldberg machines are not addressed in the FAQ. It must not be a Q which is A'd very F. <img src='http://forum.agilebits.com/public/style_emoticons/<#EMO_DIR#>/smile.png' class='bbc_emoticon' alt=':)' />

[/quote]



Thanks Khad. I like asking questions which aren't asked frequently:-) It was quite good fun building a diceware passphrase with random numbers, maybe I need to get out more.

Fooligan

I ended up going with diceware.



I noticed that they don't really have a method for adding CAPS on the site. I rolled "X" die to determine the # of CAPS to use, followed by another roll to determine the word to use, followed by another roll to determine the character to change to CAPS, repeating that sequence until I satisfied the first roll.



I hope that introduces added entropy as far as capitalization. I figured they don't have that on there since it starts to get into the "hard to remember" category. I know that it is overkill, but I want to have a pass phrase that should last a while...hopefully.

khad

I actually kind of like [url="http://world.std.com/%7Ereinhold/dicewarefaq.html#capitalize"]Reinhold's take on capitalization[/url]. Excerpt:



[indent=1]The entropy added by having just one random capital in a typical five-word passphrase is 4.4 bits (log2 of number of characters in the average 5-word passphrase). By contrast, inserting one random [i]character[/i] somewhere in the middle of your passphrase increases its entropy by about 9.5 bits (4.4 + log2 (36)). [/indent]