Diceware method vs generated master passwords

Adama_
Community Member

Dear Team Agile,

Everyone is incredibly super-smart here, I am in awe! Please forgive my question, I am new to password security technology and it fascinates me :) I am also a new customer, so my question is:

I read about using a system called Diceware to generate a good master password. However, when I first created a password for 1Password, I used your own generator and memorised it (I hope this is not TMI! If so please edit or delete my post! :))

Which one is better?

Thank you and I look forward to hearing from you.



Comments

  • danco
    Volunteer Moderator

    The password generator has a Words option, which is basically the same as diceware, but does the work for you.

    It's largely a matter of personal preference, but a Words password could be too long for a particular site. Also, for a very few passwords (such as an iCloud password) one might want to be able to remember them independently of 1PW. In that case a Words password is fairly easy to remember.

  • AGAlumB
    1Password Alumni

    @Adama_1pw: First of all, thanks for the kind words. We do our best to help any way we can, but I think the best part is that you feel comfortable asking questions! We're lucky to have a great community here on the forums, and I think danco's response exemplifies that. :chuffed:

    But back to the question. While danco is correct, I did want to mention a few things here in case they're of help or of interest to you or anyone else.

    Indeed, the Words option in the password generator uses what we call our "Wordlist", which we've curated in the spirit of Diceware™, but as that is a trademark and we saw some opportunities for improvement, we've made our own version.

    This allows us to modify it as needed (we occasionally find that there are words in there which we and our customers don't necessarily want to have to see), which allows us to iterate on it over time. And this also allows us to easily build it into all of our apps constantly, and update the list in one place for all of them. You can find more details in this forum post.

    But at the end of the day, while Wordlist passwords can be very strong and useful, I think it's important to play to their strengths. A word-based password of any kind (Diceware™ too) will never be as strong as a character-based password of the same length. So unless you specifically need to memorize and/or type a specific password regularly, it's best to use the Characters option instead. But word-based passwords are great for things like Wi-Fi login and "security answers".

    So to actually answer your question, Wordlist passwords are stronger than Diceware™. That's not a knock on Diceware™, but it's been around for a long time and our Wordlist is much longer, allowing for greater entropy. But wherever possible, use character-based passwords, which are stronger still. Cheers! :)

  • Adama_
    Community Member

    @danco thanks ever so much!

  • Adama_
    Community Member

    @brenty, awesome! I appreciate your reply, I think I was able to digest it all! :) I am guessing that for the master password, which is the most important password for 1PW users, it would mostly be word-based in order for users to memorise? Although technically, character based is stronger?

    Thanks again, I have never seen such fantastic support online before!

  • You get to pick your Master Password, so you can generate it whichever way you'd like. I personally always opt for a words based password as I find those much easier to memorize, and it is absolutely critical that the Master Password be memorized. :)

    Thanks so much for the kind words!

    Ben

  • Adama_
    Community Member

    @Ben hello and thank you! I know I'm on the right track now :) Have a wonderful day guys!

  • I hope this is not TMI! If so please edit or delete my post!

    Thanks for mentioning this bit, @Adama_1pw as it gives a good opportunity to discuss password strength beyond what you initially asked.

    The strength of a password should never depend on the attacker not knowing what kind of password it is. We should make the assumption that the attacker knows exactly how a password was generated. We actually recently changed how password strength was calculated in 1Password to more accurately reflect this.

    Rick

  • Adama_
    Community Member

    Hi @rickfillion thank you for taking this further :) I've been enjoying the blog posts over at the main site and learning more. It's all fascinating!

    Adama

  • We're happy to answer whatever questions you may have. :)

    Rick

This discussion has been closed.
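
Two points from the replies above, worked through as an added example (not code from 1Password or from anyone in the thread): strength is computed assuming the attacker knows the generator, and a word-based password is weaker than a character-based one of the same length. The 8-word sample list, the letters-plus-digits character set and the per-character "naive" meter are assumptions made for illustration; 7776 is the size of the original Diceware list (five dice rolls per word).

```python
import math
import secrets
import string

DICEWARE_LIST_SIZE = 7776  # 6**5: five dice rolls select one word
# Constructed 8-word list, only to demonstrate the generation step.
SAMPLE_WORDS = ["anchor", "biscuit", "cobalt", "dragon",
                "ember", "falcon", "glacier", "harbor"]
# Assumed character set for a character-based password: letters and digits.
ALPHABET = string.ascii_letters + string.digits


def word_password(words, count, sep="-"):
    """Pick `count` words uniformly at random with a CSPRNG."""
    return sep.join(secrets.choice(words) for _ in range(count))


def generator_bits(choices, picks):
    """Entropy when the attacker knows the generator: picks * log2(choices)."""
    return picks * math.log2(choices)


def naive_bits(password):
    """Per-character estimate that ignores how the password was made.
    It treats every character as an independent random draw."""
    classes = [(str.islower, 26), (str.isupper, 26), (str.isdigit, 10)]
    pool = sum(size for test, size in classes if any(map(test, password)))
    if any(not c.isalnum() for c in password):
        pool += len(string.punctuation)  # 32 ASCII symbols
    return len(password) * math.log2(pool)


def words_needed(list_size, target_bits):
    """Smallest word count whose generator entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(list_size))


def compare(password, word_count, list_size):
    """Three strength figures, in bits, for one word-based password."""
    return {
        "naive": naive_bits(password),
        "words": generator_bits(list_size, word_count),
        "chars_same_length": generator_bits(len(ALPHABET), len(password)),
    }


if __name__ == "__main__":
    print(word_password(SAMPLE_WORDS, 4))
    # Constructed phrase, scored as four draws from a 7776-word list.
    print(compare("anchor-biscuit-cobalt-dragon", 4, DICEWARE_LIST_SIZE))
    print(words_needed(DICEWARE_LIST_SIZE, 80))
```

The "words" figure is the one to rely on for a memorised master password; the "naive" figure shows how much a meter overstates strength when it does not account for the generator.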