Diceware format in 1Password 6

neonomad
Community Member

Hi,

1P 6 looks great!

And I'm curious...

I see that the Diceware-style passphrase option in 1P 6 uses delimiters.

Does that mean that "word1-word2-word3-word4" has greater entropy than "word1word2word3word4"?

Thanks!


1Password Version: 6
Extension Version: Not Provided
OS Version: iOS 9
Sync Type: Not Provided

Comments

  • Hi @neonomad,

    I was pretty sure of the answer here, but I wanted to consult with one of our security folks before giving a definitive answer. The delimiters do not add or subtract entropy. They are simply there for usability/readability purposes.

    Thanks!

    Ben

  • neonomad
    Community Member

    Thanks for the clarification, @bwoodruff!

  • No problem. :) If there is anything else we can do, please don't hesitate to contact us.

  • rob
    edited September 2015

    Hey, @neonomad.

    Ben is basically right, but I wanted to clarify one thing here. While the delimiters themselves do not really add entropy, there are certain circumstances in which removing them could cause a significant loss of entropy.

    The difference comes in when you consider compound words. For example, say our wordlist for generating passphrases contains all of the following words: "blue", "bird", "race", "track", "bluebird", "racetrack". If the generated passphrase ended up being "bluebirdracetrack", it would be a lot weaker than the passphrase "blue-bird-race-track".

    Since the first one could have been generated by just two words from the word list, it has an entropy of just 28 bits (assuming a word list of 18,435 words like ours), and technically less than that since there are other ways it could have been formed. The passphrase with the delimiters could only be generated by those four words, though, so it would have 56 bits of entropy, which is (quite literally) an exponential difference.

    Now, this is a rare occurrence to be sure, but besides readability, it is the main reason we choose to put delimiters between the words. That said, if none of the words in the passphrase could form compound words, there would be no significant difference between the two forms.
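The segmentation problem Rob describes, worked through in code. This is an added example, not 1Password's generator: the toy word list is the one from the post, the 18,435-word list size is the figure quoted in the thread, and the function names and the scoring rule (charge the attacker only for the shortest possible segmentation) are this example's own assumptions.

```python
"""How delimiters remove segmentation ambiguity in a word-list passphrase.

An attacker who knows the generator enumerates k-word concatenations for
k = 1, 2, 3, ... . An undelimited phrase is found at the smallest k for which
some segmentation exists; a delimited phrase can only be the k the generator
actually used.
"""
import math

# Toy word list from Rob's post (constructed for illustration).
TOY_WORDS = {"blue", "bird", "race", "track", "bluebird", "racetrack"}
LIST_SIZE = 18435  # size of the 1Password list quoted in the thread (assumption: uniform picks)


def min_words(phrase, words):
    """Fewest list words that concatenate to `phrase`, or None if it can't be segmented.

    Dynamic programme over string positions: best[i] is the fewest words
    covering phrase[:i].
    """
    n = len(phrase)
    best = [None] * (n + 1)
    best[0] = 0
    for i in range(1, n + 1):
        for j in range(i):
            if best[j] is not None and phrase[j:i] in words:
                cand = best[j] + 1
                if best[i] is None or cand < best[i]:
                    best[i] = cand
    return best[n]


def count_parses(phrase, words):
    """Number of distinct ways to split `phrase` into list words (1 means unambiguous)."""
    n = len(phrase)
    ways = [0] * (n + 1)
    ways[0] = 1
    for i in range(1, n + 1):
        ways[i] = sum(ways[j] for j in range(i) if phrase[j:i] in words)
    return ways[n]


def bits(k, list_size=LIST_SIZE):
    """Entropy of k independent uniform picks from a list of list_size words."""
    return k * math.log2(list_size)


def passphrase_bits(phrase, words, delimiter=None, list_size=LIST_SIZE):
    """Effective bits a generator-aware attacker must search.

    With a delimiter the split is unambiguous: bits = (#parts) * log2(N).
    Without one, only the shortest possible segmentation counts.
    """
    if delimiter:
        parts = phrase.split(delimiter)
        if not all(p in words for p in parts):
            raise ValueError("not a word-list passphrase")
        return bits(len(parts), list_size)
    k = min_words(phrase, words)
    if k is None:
        raise ValueError("not a concatenation of list words")
    return bits(k, list_size)


if __name__ == "__main__":
    joined = "bluebirdracetrack"
    print(f"{joined}: {count_parses(joined, TOY_WORDS)} parses, "
          f"shortest {min_words(joined, TOY_WORDS)} words, "
          f"{passphrase_bits(joined, TOY_WORDS):.1f} bits")
    split = "blue-bird-race-track"
    print(f"{split}: {passphrase_bits(split, TOY_WORDS, '-'):.1f} bits")
```

Running it reproduces Rob's figures: the joined form has four valid parses, the shortest of which is two words (about 28 bits), while the hyphenated form is pinned to four words (about 57 bits). With a real list the collision is rare, but the check is cheap enough that a generator could simply reject any undelimited phrase whose `min_words` is smaller than the number of words it drew.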

  • neonomad
    Community Member

    Very eloquent clarification, Rob! Thanks to both you and Ben.

  • You are most welcome! Glad we could help clarify. :)

  • Danoz88
    Community Member

    Just some random ideas for additions to the Diceware generator...

    Would there be any worthwhile increase in entropy through allowing the option of random delimiter characters?
    From the Diceware FAQ page, it seems that just adding one additional random character can add 10 bits of entropy. For a 5-word passphrase with 65bits of entropy, adding an additional 10 seems like a pretty worthwhile addition; or am I mis-interpreting things?

    Or through the addition of random capitalisation of n characters in each word (or for ease, just either 0 or 1 characters gets capitalised in each word)?

    Would it be useful to allow some people to do their own dice rolls, manually, and they enter the results of each of x number of dice rolls into 1P from which 1P generates the Diceware passphrase? I don't think that I'd use it, but I could see that some folks might like to 'roll their own' rather than having to rely on a system's pseudo-random generator.

    Also, perhaps it would be useful for there to be an option for people to create their own word list (so long as it meets the same size characteristics as the default one in 1P) and then people could opt to use their own word list rather than the default list in 1P?

    Thanks.

  • Hi, @Danoz88! Thanks for your suggestions. I'll address each of them individually.

    Overall, remember that the main point of the word list passwords is to generate something easily memorable. When you start mixing in random capitalization and other random characters, each addition is one more thing you have to remember, so each one makes it more likely you will forget something.

    A second thing to note is that we are not actually using the Diceware word list, but rather our own word list which is over twice as long (18,435 words currently vs 7776 for Diceware). So a 5-word passphrase we generate has about 71 bits of entropy, rather than 65 for Diceware.

    Regarding your first suggestion, random delimiter characters are something that would make the passphrase much less memorable. I'm not sure how the 10 bits of entropy for one character was calculated (you'd have to pick from a set of 1024 characters or more for that to be true), but if we're talking about random delimiters, here's the math. We currently have five options for delimiters: hyphen, space, period, comma, underscore. Picking one at random yields log2(5) bits of entropy (2.3 bits). In a five-word passphrase, you'll have four delimiters, so that's 4 * log2(5), which is 9.3 bits of entropy. Not bad, but you'll end up with a password that looks like this: modern_agnostic.outflow,lapdog.blast.

    That passphrase would have 80 bits of entropy -- impressive! But now you not only have to remember modern agnostic outflow lapdog blast, you also have to remember underscore period comma period, so a total of 9 discrete things to remember. If instead, you simply added a word to your passphrase like this: modern agnostic outflow lapdog blast rasher, you've got 85 bits of entropy with only one additional thing to remember, a total of 6. More memorable and more secure. Plus, you can type it all on a mobile keyboard without having to switch between keyboard layouts. :)

    Now if you're talking about adding random characters on the end, each of those will have about 6 bits of entropy. But each word you add adds about 14 bits of entropy. So there's definitely a tradeoff of memorability vs length vs randomness. Three random characters or one random word that could be up to 8 characters long? An 11-character completely random string is more secure than a five-word passphrase, but which do you want to remember and type all the time? The answer to that is different for different people of course.

    Random capitalization is a similar matter. Now you not only have to remember the words but which ones were capitalized, or worse, which character in the word was capitalized.

    So again, preferences are different, and we may consider options like these in the future. For right now, though, we want to show people that it's possible to have a secure password without a bunch of customizations that they are unlikely to remember easily. If you'd like to go this route in adding random characters instead of random words, maybe try generating a passphrase, then generating a short random password and combining the two.

    Regarding manual dice rolls, this wouldn't be great in 1Password because we have many more words than the Diceware list, so you would only be choosing from 7776 of the 18435 words. But really, if you're going to go through the trouble of manually rolling the dice, you can easily just search the actual Diceware word list for the numbers you roll.

    Custom word lists are not something we are planning to implement at this time. That would be a pain on iOS, and I'm not sure I understand the value of it.

    I did enjoy reading your suggestions, and I hope I've been helpful in my response!
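The entropy accounting in Rob's reply, as an added example rather than anything from 1Password. The inputs are the thread's own numbers (18,435-word list, 7,776-word Diceware list, five delimiter choices, about 6 bits per random character); the "items to remember" score, the function names and the alternative way of counting an inserted random letter are this example's assumptions.

```python
"""Entropy budget of the passphrase variants discussed in the thread.

Each variant is scored on two axes: bits of entropy, and how many discrete
things the user has to remember (each word, random delimiter, random
character or capitalisation decision counts as one; an assumption).
"""
import math

ONEPASSWORD_LIST = 18435    # list size quoted in the thread
DICEWARE_LIST = 7776        # 6^5 Diceware words
DELIMITER_CHOICES = 5       # hyphen, space, period, comma, underscore
RANDOM_CHAR_ALPHABET = 64   # about 6 bits per random character, as in Rob's post


def scheme(words, list_size=ONEPASSWORD_LIST, random_delimiters=False,
           tail_chars=0, cap_flag_per_word=False):
    """Return (bits, items_to_remember) for one passphrase variant.

    words             -- number of words drawn uniformly from list_size
    random_delimiters -- each of the words-1 gaps gets a uniform delimiter
    tail_chars        -- random characters appended from RANDOM_CHAR_ALPHABET
    cap_flag_per_word -- independent coin flip whether each word is capitalised
    """
    bits = words * math.log2(list_size)
    items = words
    if random_delimiters:
        bits += (words - 1) * math.log2(DELIMITER_CHOICES)
        items += words - 1
    bits += tail_chars * math.log2(RANDOM_CHAR_ALPHABET)
    items += tail_chars
    if cap_flag_per_word:
        bits += words          # one bit per word
        items += words
    return bits, items


def inserted_letter_bits(phrase_length, alphabet=26):
    """Bits gained by inserting one random letter at a uniformly random position.

    Position is uniform over phrase_length + 1 slots, letter uniform over
    `alphabet`. This is one way to arrive at the "about 10 bits" the thread
    quotes from the Diceware FAQ (assumption); four dice rolls, 4*log2(6),
    is another and gives 10.3 bits.
    """
    return math.log2((phrase_length + 1) * alphabet)


def compare():
    """Bits, items to remember, and bits per item for each variant."""
    rows = {
        "5 words": scheme(5),
        "5 words + random delimiters": scheme(5, random_delimiters=True),
        "6 words": scheme(6),
        "5 words + 3 random chars": scheme(5, tail_chars=3),
        "5 words, random caps": scheme(5, cap_flag_per_word=True),
        "5 Diceware words": scheme(5, list_size=DICEWARE_LIST),
    }
    return {name: (round(b, 1), n, round(b / n, 1)) for name, (b, n) in rows.items()}


if __name__ == "__main__":
    for name, (bits, items, per_item) in compare().items():
        print(f"{name:30s} {bits:6.1f} bits  {items:2d} items  {per_item:5.1f} bits/item")
    print(f"inserted letter into a 25-char phrase: {inserted_letter_bits(25):.1f} bits")
```

The table makes Rob's point directly: five words plus four random delimiters reaches about 80 bits at nine items to remember, while six plain words reach about 85 bits at six items, so the extra word wins on both axes. The same function answers the later question in the thread about appending random characters (three of them buy roughly 18 bits, about what one extra word and a half would) and about random capitalisation (one bit per word, each one more thing to recall).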

  • MikeT
    edited September 2015

    Hi @Danoz88,

    Would there be any worthwhile increase in entropy through allowing the option of random delimiter characters?

    The point of diceware is to make it easier for you to memorize and type it quickly in different locations. Using random delimiters decreases the usability of diceware because you can't type them in easily without knowing what delimiter is next.

    If you are concerned about entropy, you'd be better off expanding the number of words, the length usually is the most important factor such as choosing 7 words instead of 5 or 6.

    In addition, you can always switch to the random password generator that's not based on the diceware.

    From the Diceware FAQ page, it seems that just adding one additional random character can add 10 bits of entropy. For a 5-word passphrase with 65bits of entropy, adding an additional 10 seems like a pretty worthwhile addition; or am I mis-interpreting things?

    Can you point to the specific FAQ page talking about this?

    I would imagine what they meant is that if you add a random character to one of the known words, the entropy increases by a large factor because that unknown word would not be in any dictionary attacks.

    In other words, if you type thinkw instead of leaving it at think, password crackers would have a hard time finding it because thinkw would not be in any optimized diceware-based attacks.

    That is correct but the odds of people not remembering to look out for the random character in their diceware and getting themselves locked out because of that are higher than just picking an extra word to increase the entropy bit.

    In addition, you can edit the password yourself to add the random character.

    Would it be useful to allow some people to do their own dice rolls, manually, and they enter the results of each of x number of dice rolls into 1P from which 1P generates the Diceware passphrase?

    You can regenerate the diceware password by tapping on the Regenerate Password several times, we use a pseudo-random generator to generate the dice roll, it's not going to be the same for everyone.

    I don't think that I'd use it, but I could see that some folks might like to 'roll their own' rather than having to rely on a system's pseudo-random generator.

    I'm not sure it is worth the complexity of supporting this in the app. You get a lot more just by adding an extra word alone. We'll look into this in the future.

    Also, perhaps it would be useful for there to be an option for people to create their own word list (so long as it meets the same size characteristics as the default one in 1P) and then people could opt to use their own word list rather then the default list in 1P?

    I'm not sure there is a huge benefit for doing this; a lot of diceware-based generators are sourced from the same diceware lists and that hasn't really caused any problems or provided an easier time for crackers.

  • rob
    edited September 2015

    Well, looks like Vanilla didn't do a great job informing me and Mike that we were both replying, but now you've got two good answers! At least we agreed. :)

  • Danoz88
    Community Member

    Thanks for those detailed responses; great stuff.
    Here's the page that mentions the addition of 10 bits of entropy from one character: http://world.std.com/~reinhold/diceware.html
    Under 'Optional stuff you don't really need to know'

    For the technically inclined, each word in your Diceware passphrase yields 12.9 bits of entropy, the way passphrase security is measured. A five word Diceware passphrase would have an entropy of at least 64.6 bits...Inserting a letter at random adds about 10 bits of entropy.

  • I see. Yes, so the random placement of that character is what adds the 10 bits of entropy. I believe the calculation that gave them that number is 4*log2(6), which gives me about 10.34 and would be the entropy generated by four dice rolls.

    Thanks for the link!

  • forgetpasswords
    Community Member

    Hi, will this password generation scheme become available in the OS X Application? I love word-list passwords, but I can't seem to be able to generate them in 1Password 5.4 for OS X.

  • Stephen_C
    Community Member

    @forgetpasswords:

    will this password generation scheme become available in the OS X Application?

    I think it's a fairly open secret (at least I hope it is: don't want anyone shooting me for saying it :) ) that it's included in the 1P for Mac 5.5 betas. So, provided it doesn't crash and burn while in beta (and there isn't any sign of that of which I'm aware) you might reasonably expect to see it appear when 1P 5.5 for Mac is released. I don't know when the release date might be, of course.

    (Bear in mind I'm merely a volunteer here and don't work for AgileBits so I'm not speaking on AgileBits' behalf.)

    Stephen

  • Ben

    Stephen isn't wrong. :)

    Ben

  • forgetpasswords
    Community Member

    That's awesome. Thanks!

  • AGAlumB
    1Password Alumni

    ;) :+1:

  • Dick99999
    Community Member
    edited January 2016

    "neonomad on September 2015:
    Hi,
    1P 6 looks great!
    And I'm curious...
    I see that the Diceware-style passphrase option in 1P 6 uses delimiters.
    Does that mean that "word1-word2-word3-word4" has greater entropy than "word1word2word3word4"?
    Thanks!"

    Yes it can. It can add about 1.5 to 6 bits. It depends on how random the delimiter character is. I'm assuming though, that the same delimiter character is used between all the words of one pass phrase.

    The reason for adding strength is that all the words have to be tried with and also without that character. Roughly a 2-fold of the number of dictionary words.

    However, if you know that it is a 1Password generated pass phrase, a cracker would now of course first start guessing (brute force) phrases that include the dash character and does not have to try all other or no delimiter characters. Given 1Password's choice for the dash delimiter, one might even say that using the dash character does not add strength as bwoodruff answered, **but** that not using a delimiter character does add strength!

    I use capitals at word starts and no delimiter char. No keyboard change and readable. You can check effects like this one with the Simthrow passphrase analyser/generator, ..... if you trust the (my) calculations.

  • Ben

    Thanks for adding that info, @Dick99999! Yes, you certainly raise some valid points.

    Ben

This discussion has been closed.