[build #499] -- standard diceware list -- how many words were in the list before?

bennett
Community Member
edited July 2014 in 1Password 4 for Windows

One of the changes in build #499 was:

  • Added standard diceware list (using 7776 short English words).

Does anyone know how many words were in the diceware list beforehand?

Comments

  • MikeT

    Hi @bennett,

    It's an additional diceware list, not an update to the existing diceware list. See this screenshot to see what I mean:

  • bennett
    Community Member
    edited July 2014

    I assumed it was already using the standard list; didn't realize it was using a larger set. Nice to learn my passwords are stronger than I thought. :)

  • Thack
    Community Member

    I don't understand Diceware. What is the advantage? How is a five x five-letter word passphrase (25 + 4 spaces = 29) characters any better than 29 random characters?

  • RichardPayne
    Community Member

    @Thack‌ it's not. 29 random characters is almost certainly stronger than a 29 character diceware password. However, I would suggest that a 29 character random password is nowhere near as easy to remember as a 5 word diceware phrase.

  • Thack
    Community Member

    Ah, so its sole purpose is to make a long-but-memorable "password"? Thanks.

    Personally I don't care about my passwords being memorable - that's the point of using something like 1P, isn't it? To make it possible to use random, non-memorable passwords.

  • bennett
    Community Member
    edited July 2014

    @Thack In terms of security:

    • A four-word diceware phrase (19-35 characters) is equivalent to 8 random characters
    • A seven-word diceware phrase (34-62 characters) is equivalent to 16 random characters

    (here's the math).

    However, I'm much slower at typing random characters; on a keyboard, it's slightly faster to type the equivalent diceware phrase, even though the diceware phrase is significantly longer. (And on my phone, it's dramatically faster to type the equivalent diceware phrase.)

    And as already mentioned by @RichardPayne, it's easier to remember random words than random characters.

    Edit:

    @Thack (replying to your newer post): arguably, it's more about preventing password reuse (which is a much bigger risk than weak passwords).

    If someone gains control of your catpictures.com account, then it's no big deal. However...

    • If the same password gives them control of your gmail account, then you can't use the password reset function to regain control of your catpictures account.
    • your facebook account, they have access to all your OAuth (stackexchange, etc).
    • your microsoft account, they can lock you out of your win8 computer.
    • your Apple ID, they can track the location of your iPhone and iPad, and lock you out of them.
    • your banking, they have all your money...
      etc.

    It's really important to use different passwords for them all, and that's why it's important to use a password manager.
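The entropy comparison in the post above, worked through in code. This is an added example, not code from 1Password or from any of the posters; it assumes the 7776-word list mentioned in the build notes and, for the "random characters" side, an alphabet of the 95 printable ASCII characters (0x20 to 0x7E), which the thread does not specify. The tiny wordlist used by the generator is constructed for the example only; its small size is deliberate, to show that the strength of a passphrase depends on the list it was drawn from, not on how long the words are.

```python
import math
import secrets

# Assumptions (not stated in the thread):
PRINTABLE_ASCII = 95        # random-character alphabet: printable ASCII 0x20-0x7E
DICEWARE_WORDS = 6 ** 5     # 7776, the "standard diceware list" from build #499


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` independent, uniform picks from an alphabet.

    Each pick contributes log2(alphabet_size) bits; length of the words
    themselves is irrelevant, only the number of equally likely choices.
    """
    return length * math.log2(alphabet_size)


def diceware_bits(words: int, list_size: int = DICEWARE_WORDS) -> float:
    """Entropy of a diceware phrase of `words` words from a list of `list_size`."""
    return entropy_bits(list_size, words)


def random_chars_bits(chars: int, alphabet: int = PRINTABLE_ASCII) -> float:
    """Entropy of `chars` uniformly random characters from `alphabet` symbols."""
    return entropy_bits(alphabet, chars)


def equivalent_random_chars(words: int, list_size: int = DICEWARE_WORDS,
                            alphabet: int = PRINTABLE_ASCII) -> float:
    """How many random characters carry the same entropy as `words` diceware words."""
    return diceware_bits(words, list_size) / math.log2(alphabet)


def words_needed(target_bits: float, list_size: int = DICEWARE_WORDS) -> int:
    """Smallest number of diceware words reaching at least `target_bits`."""
    return math.ceil(target_bits / math.log2(list_size))


def diceware_passphrase(wordlist: list[str], n_words: int) -> str:
    """Pick `n_words` words uniformly with a CSPRNG.

    With a 7776-entry list this is exactly equivalent to rolling five dice
    per word; secrets.choice is used so the example runs with any list size.
    """
    if len(wordlist) != len(set(wordlist)):
        raise ValueError("wordlist must not contain duplicates")  # duplicates shrink the space
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


# Constructed sample list for the example only (NOT the real 7776-word list).
SAMPLE_WORDLIST = ["cat", "template", "windows", "icons",
                   "dreams", "requests", "meters", "quartz"]


def compare(words: int, chars: int) -> dict:
    """Side-by-side figures for a diceware phrase and a random string."""
    return {
        "diceware_words": words,
        "diceware_bits": round(diceware_bits(words), 1),
        "random_chars": chars,
        "random_bits": round(random_chars_bits(chars), 1),
        "chars_equivalent_to_phrase": round(equivalent_random_chars(words), 1),
    }


if __name__ == "__main__":
    for w, c in ((4, 8), (7, 16)):
        print(compare(w, c))
    # A phrase from the 8-word sample list only carries log2(8) = 3 bits per word.
    phrase = diceware_passphrase(SAMPLE_WORDLIST, 5)
    print(phrase, "->", diceware_bits(5, len(SAMPLE_WORDLIST)), "bits")
```

The numbers this prints depend on the assumed alphabet: against 95 printable characters, four words of a 7776-word list come out at just under 52 bits, about eight random characters, and seven words at about 90 bits, between 13 and 14 random characters. If a site only allows letters and digits (62 symbols) the random string buys fewer bits per character and the diceware phrase compares better. The generator refuses a list with duplicate entries because a repeated word makes that word more likely than the entropy formula assumes.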

  • RichardPayne
    Community Member

    "Personally I don't care about my passwords being memorable - that's the point of using something like 1P, isn't it? To make it possible to use random, non-memorable passwords."

    For most of them, no. That's why we use 1Password. However, there are some passwords that you need to remember.

    1) Your 1Password master password
    Obvious really. You can't get at the stored passwords without this

    2) Your Dropbox account
    If you suffer a device failure and need to recover your keychain from Dropbox, you need to be able to login without access to 1Password

    3) Your primary email account
    If your keychain is damaged or corrupted (which Dropbox helpfully propagates everywhere), then you need to be able to do manual password resets on your online accounts. Typically this involves a password reset code being sent to your registered email address, so you need access to it to enable the password reset.

  • Thack
    Community Member

    Thanks, @bennett and @RichardPayne‌. Yes, I appreciate why you need three memorable passwords, which is what I have, exactly in line with those listed by Richard. In my case I didn't use diceware phrases, but I can now see the point: it helps me avoid the usual traps of making passwords memorable. I hope people don't overuse diceware phrases, though, when a random character string is more appropriate.

    I'd never heard of Diceware before I joined this forum. I wonder if a quick mention and explanation in the User Guide might be helpful.

    Thanks again.

  • RichardPayne
    Community Member

    @Thack‌
    While I generally agree, I don't think it's a huge issue. Diceware is secure enough for most things, even if a random password of the same length would be more secure. And where it might not be, the user will know now that the password strength meter displays more accurately.

  • bkh
    Community Member

    "If your keychain is damaged or corrupted (which Dropbox helpfully propagates everywhere), then you need to be able to do manual password resets on your online accounts."

    Only if all your backups have failed: both the 1Password-generated vault backups and your normal disk backups containing the vaults.

    And it may be possible to regain control of your email without knowing the password by talking to your email hosting company. I imagine lost passwords are one of their more frequent issues. (And also one of their weak points for attack by the bad guys, so expect lots of questions if the email provider is being properly careful.)

  • RichardPayne
    Community Member

    @bkh‌ I agree, but I still think it's a good idea to remember those three.

  • MikeT
    edited July 2014

    Diceware is also very useful for security questions and answers. It's far easier to tell your reps on the phone "cat template windows icons dreams requests meters" than it is to say this: BvUc8hBzm.?oZGgxvo2dM.

    There are a few other situations like that where diceware is more manageable as it may not be used for just authentication.

  • RichardPayne
    Community Member

    Interesting. I never considered using a randomly generated pass phrase for security questions. Thanks Mike.

  • MikeT

    :) That's what our community is all about, sharing thoughts on extra use cases that other people might not have thought of.

This discussion has been closed.