Password with real words (like Diceware) really safe?

Werner85
Werner85
Community Member
I was reading the following Blog post: http://blog.agilebits.com/2011/06/21/toward-better-master-passwords/
I then read about Diceware and the "recommendation" to use real words in a password.

I always thought using passwords with real words was bad. Because password crackers use lists of words to guess the right password.
Using passwords with not existing words and some digits are much harder to crack, because the word lists do not have those non existing words right?

Can someone explain why using a password like "cleft 2dM&P cam synod lacy" is safer then "lyq 2dM&P kex ixufd mezr"? Because that password is also something you could remember after some practice.
«13

Comments

  • jpgoldberg
    jpgoldberg
    1Password Alumni
    Hi Werner,

    It's not really a distinction between "real words" versus "fake words". If you are creating the password all by yourself, then fake words will be better.

    What makes diceware stronger is that the words (real or otherwise) are chosen completely at random (from the list). It is crucial that they be chosen at random. Using a list of real words, just means that the random password will be easier to remember than a random password generated otherwise.

    Please take a look at "Toward Better Master Password" where this is explained through examples of password creation schemes.

    Cheers,

    -j
  • jpgoldberg
    jpgoldberg
    1Password Alumni
    Ooops. I see that you already have been reading the Toward Better Master Passwords post. Sorry for just referring you to it again.

    Again, the thing about Diceware is that you roll dice to pick words from the list. This is far more random than using some process of creating a master password from something that is meaningful to you and then distorting it.

    Because the diceware system is truly random (with the roll of dice), then it maintains its strength even if the attackers know exactly what system you used to create your password. When you create passwords without real randomization, then if the attackers know what kind of system you used, they can exploit that to guess a password more easily.

    The kinds of transformations that people use when distorting a meaningful phrase are actually very predictable, and can be easily simulated by computer programs. (This is exactly what tools like John the Ripper excel at.)

    If we didn't need to remember or type our Master Passwords then using something from 1Password's Strong Password Generator would be even stronger. But because these do need to be remembered and typed, we have to use something like diceware where the individual units, chosen at random, have meaning of their own.

    Cheers,

    -j
  • Fooligan
    Fooligan
    Community Member
    Jeff, what do you think about using a combination of words from a site like http://makemeapassword.net/? Is this site effectively using the diceware technique?
  • jpgoldberg
    jpgoldberg
    1Password Alumni
    I'm actually partial to

    https://www.xkpasswd.net/

    But of course I have to say that people shouldn't use passwords that have been generated by a remote service unless they have very very good reasons to trust the tool and the transmission of the data.

    With xkpasswd, you can download the source code and run it on your own computer if you are happy running perl programs. But even with that one, there are a couple of issues about how it gets its randomness. (I've talked with the author, and agree that in most cases on most systems it won't be a big problem, and that it turns out to be harder to fix than I'd thought.)

    So while these tools are probably great, I simply can't recommend that people use them because there is a potential for abuse. Even if I say "I personally have checked and trust site X", that would be teaching people bad habits.

    So, I'm afraid that at the moment people will still have to roll (pun fully intended) their own.

    Cheers,

    -j
  • Fooligan
    Fooligan
    Community Member
    Dice it is. Thanks!
  • khad
    khad
    1Password Alumni
    edited August 2012
    Also, don't forget to read the follow up to "Toward Better Master Passwords":

    Better Master Passwords: The geek edition

    It includes some important points such as:

    "The strength of a password creation system is not how many letters, digits, and symbols you end up with, but how many ways you could get a different result using the same system."

    ;)
  • Fooligan
    Fooligan
    Community Member
    Thanks Khad.

    I went through and thoroughly read Jeff's previous posts for both the beginner and geek editions last night...very interesting. I have definitely been trained in the "Tr0ub4dor&3" mindset prior to buying into Jeff's mathematical proof for the DiceWare.

    Keep the security posts coming please, I find them fascinating.
  • khad
    khad
    1Password Alumni
    edited August 2012
    I'm just glad Jeff is a white hat. :lol:

    One thing I want to make clear is that a randomly generated string of characters has greater entropy than a Diceware password of the same length. So that's why 1Password's built-in password generator is intended to generate these kinds of passwords rather than Diceware ones since you don't need to remember them. Diceware is really only useful for passwords one needs to actually remember.

    When calculating bits of entropy in a Diceware password we look at each word rather than each character.

    Quick example:

    [font=courier new,courier,monospace]audience wool golden path[/font] ≈ 51.7 bits of entropy: 12.925 bits x 4 "symbols" (words in this case)
    [font=courier new,courier,monospace]~h6'l@vm/a?WX*@&amp;p<{d~M&Ag[/font] ≈ 163.875 bits of entropy: 6.555 bits (94 possible printable ASCII characters) x 25 symbols

    So if you do not need to remember the password (pretty much any password except your master password) then a string of printable ASCII is much better. However, if you need to remember the password Diceware is much better. To get a password roughly equal in bits of entropy to that Diceware password, you could use an eight character password composed of random printable ASCII characters (instead of the 25 characters used for comparison).

    6.555 bits of entropy x 8 symbols ≈ 52.44 bits of entropy

    I don't know about you but if both of these passwords provide about the same bits of entropy, I know which one I'm choosing to remember:

    [font=courier new,courier,monospace]audience wool golden path [/font]vs. [font=courier new,courier,monospace]X*@&amp;p<{d[/font]

    The point is that a Diceware password is much easier to remember and type. The comparison becomes even more clear if you are only using lowercase letters and numbers rather than all printable ASCII characters. In that case you would need to have a ten character password (5.170 bits of entropy per character).

    [font=courier new,courier,monospace]audience wool golden path [/font]vs. [font=courier new,courier,monospace]pwrc0qtk4q[/font]

    And remember that the characters need to be truly random or the length will have to go up even higher. :)
  • Michael Tennes
    Michael Tennes
    Community Member
    This is not for everyone, but I use 1P's generator to generate my 24 character master password, and then memorize it. For me, it doesn't take very long for it to be completely automatic to type it. Hopefully this is good enough.
  • Werner85
    Werner85
    Community Member
    Ok, so isn't just randomly making up some words the same as using Diceware?

    For example is "egg dog window glass sunscreen" less secure then a 5 word Diceware password?
    I still don't get the advantage of Diceware.
  • khad
    khad
    1Password Alumni
    Werner, the most important aspect of Diceware is the random nature of it. Once again:

    "The strength of a password creation system is not how many letters, digits, and symbols you end up with, but how many ways you could get a different result using the same system."

    If you pick the words truly randomly that essentially is Diceware. The dice are used to ensure maximum entropy rather than just "randomly" writing a few words down from your own brain (which isn't actually random).
  • sddawson
    sddawson
    Community Member
    edited August 2012
    I'd like to understand the whole diceware thing too. If the aim is to stop automated password cracking, why can't the words be related? What if I use "rock pop jazz soul", or "elephant dog catfish cow", which are even easier to remember. Why is that any worse than a diceware-generated list? Sure, if someone knew the first word is rock, they might have a stab at it, but an automated process isn't going to know the first word is rock - it has to decode the whole thing as a single entity. It would only be a weak password if the password-cracking routines deemed that that sort of string of words is common and decides to have a crack (sorry) at trying all the music genres or animal names.

    I suppose my genre or animal "system" doesn't have as many ways of getting a different result as Diceware, but the automated tools don't know what system I'm using do they?
  • Paul M
    Paul M
    Community Member
    sddawson,

    No doubt one of the pro's will be along shortly to give you a real answer but in the meantime I'd like to have a go, partly to test my own understanding. I've just been working my way through this too and have finished by switching to a diceware master password.

    The clincher for me was predictability. My old password seemed very secure to me, and maybe it was — but I have no way to actually know how strong or weak it was. Intuitively it always seemed to me to be virtually unbreakable, but then tools like John the Ripper exist because people all over the world are choosing passwords that seem to them unbreakable but are really quite flawed. Using diceware I know exactly what I've got because even I can do the math: By following diceware's simple instructions I can pick an easy-enough-to-remember password of, say, 6 words and know that there's no better cracking tactic than brute force, and that an attacker who could try guesses at a completely unrealistic rate of a billion a second would still take 3.5 million years to have a 50:50 chance of finding mine. If I use only 5 words then it's 450 years; 7 words is 27.237 billion years. Whatever length I use I know exactly what I've got, and I can't do that with any home-grown method.
  • jpgoldberg
    jpgoldberg
    1Password Alumni
    You have asked exactly the correct question, sddawson:
    sddawson wrote:
    I suppose my genre or animal "system" doesn't have as many ways of getting a different result as Diceware, but the automated tools don't know what system I'm using do they?

    You can hope that they don't know, but you can't rely on it.

    Remember that the people who are cracking passwords have studied millions of compromised passwords. They know more about how people create passwords than any of us do. As I argued in Toward Better Master Passwords, we humans are a lot more predictable than we like to imagine. Dice, however, are not predictable.

    There was an old psychic's trick. In front of TV audience five Zender cards (the things with the circle, square, star, wavy lines, etc), and ask each member of the audience to think of one. After some prancing around, the psychic would stare straight into the camera and would announce that "I see wavy lines in your mind". You would think that he'd only have a 20% chance of being right, but actually his hit rate was more than 50%.

    First we know that when people are given the task, there is a strong tendency to select the more complex figures (star or wavy line). Second we know that when people are asked to pick something at random from a list of five items, they have a tendency to pick the 2nd or the 4th in the list. (2nd is preferred when list is presented vertically, 4th when the list is presented horizontally.) So the list was presented with the star 1st (least picked position) and the wavy line 4th (most picked position). So the tendencies people have when picking something "randomly" were exploited in two was for that trick.

    That is just a simple, well known, example. Now suppose that you had many millions of stolen passwords to study for your research. This is why I consider the only safe system to be one in which the source of randomness is external to the human mind.

    And, there is also a point of principle. It's called "Kerchoff's Principle" and roughly states that when assessing the security of a system, you should assume that the attacker knows as much about the system as you do. Your system is dramatically weakened if the attacker can make a guess at what system you used. Diceware losses nothing even though the attacker is fully aware of the system used.

    Now your genre system will work just as well as diceware if you can find 7776 words within that genre (very very unlikely) and you pick the words through a truly random process (dice) from that list.

    The diceware list isn't perfect. It was constructed to favor short words (to keep the over all pass phrase short in case there are length limits), and so it includes plenty of less familiar words making things a bit harder to remember than necessary. If you aren't concerned about the length in characters, it might be better to make the list out of the most common 7776 nouns in English. (Nouns are easier to remember.)

    Cheers,

    -j
  • sddawson
    sddawson
    Community Member
    Thanks for the insights, guys. What a fascinating subject!
  • jpgoldberg
    jpgoldberg
    1Password Alumni
    Let me add something else that was hinted at in an earlier message by sddawson.

    I know that before I saw the wisdom of diceware, I was really proud of my master password. It was clever, it was obscure, it contained some really terrible puns. I felt "ownership" of it in a way that I don't of something that is derived from the roll of some dice. I hated to give it up.

    I know that I am fairly peculiar, but I wonder if this kind of thing is a barrier for people adopting diceware. I know that before I really started advocating diceware, every discussion on picking Master Passwords had people contribute who were very proud of the schemes that they used. I often had the feeling that they really wanted to say what their Master Passwords were (which is a weakness if people act on that impulse.)

    This probably doesn't play a huge role in anything, but I think it is worth noting. So maybe my slogan should be "Surrender your pride, and roll the dice!"

    Cheers,

    -j
  • sddawson
    sddawson
    Community Member
    Yes, an interesting perspective. And a good slogan! Diceware also takes the pressure off having to invent some really clever password in the first place...
  • danco
    danco
    Volunteer Moderator
    Obviously tbontbtitq is not a good password (apart from being too short). But do programs like John the Ripper have complete works of Shakespeare to check against or just common quotes? And would they crack tbontbtitqShakyWillie?
  • jpgoldberg
    jpgoldberg
    1Password Alumni
    danco wrote:

    Do programs like John the Ripper have complete works of Shakespeare to check against or just common quotes?


    It's funny you should ask that. It turns out that the latest "Crack Me if You Can" competition had a set of challenges that were specifically against phrases (this was a "hint" that they tweeted during the competition.)

    More generally, we need to understand that John the Ripper is very configurable. So if people start using a particular password scheme, then JtR rule sets will be written and used for going after that scheme. You may be fine if the particular scheme that you use is uncommon and you are not being individually targeted. But in general, I ask the Kantian question to anyone who recommends a particular password creation scheme: What would happen if everybody (or just lots of people) followed your recommendation?

    Diceware holds up even if everyone follows the recommendation.

    Cheers,

    -j
  • MikeMcFarlane
    MikeMcFarlane
    Community Member
    So, apparently this topic is still HOT!

    I too was really proud of my custom Master password, but after a bit of thought, I see the logic in Diceware as it is a known entity. My question is on randomness and selection of words.

    In a pseudo random generator as found on many computers, OSs, programming languages etc the distribution is not properly random and if a hacker knows the random generator and the seed used they can take an educated guess as to the random numbers generated. I can see this would be a problem in interconnected systems.

    In the case of generating a Diceware password does it actually matter how I generate my random numbers? So long as I don't broadcast my system. Does it matter if I used certified casino grade dice, a dodgy weighted dice, a few lines of code in BASIC or Python to name two extreme examples, pull numbers out a hat, a Turing Machine or a RubeGoldBerg Machine?
  • khad
    khad
    1Password Alumni
    edited September 2012
    Regular ol' dice will do. It is designed to be easy for anyone to do — no fancy equipment or tech knowledge required.

    A. G. Reinhold has a specific section in the Diceware FAQ that addresses casino dice. An excerpt:

    Casino dice are precision made, translucent dice for use in gambling establishments. The added uniformity over toy dice is probably not significant for creating passphrases…


    The following sections also address "electronic dice throw generators":

    Unless you know how the electronics generate the randomness and can evaluate its strength, stick to old-fashioned real dice.


    And using a computer:

    Generating truly random numbers using a computer is very tricky. The so-called random number generators that come with most programming libraries are nowhere near good enough. For most users dice is by far a better way to select passphrase words.


    Rube Goldberg machines are not addressed in the FAQ. It must not be a Q which is A'd very F. :)
  • MikeMcFarlane
    MikeMcFarlane
    Community Member
    khad wrote:

    Regular ol' dice will do. It is designed to be easy for anyone to do — no fancy equipment or tech knowledge required.

    A. G. Reinhold has a specific section in the Diceware FAQ that addresses casino dice. An excerpt:

    Casino dice are precision made, translucent dice for use in gambling establishments. The added uniformity over toy dice is probably not significant for creating passphrases…


    The following sections also address "electronic dice throw generators":

    Unless you know how the electronics generate the randomness and can evaluate its strength, stick to old-fashioned real dice.


    And using a computer:

    Generating truly random numbers using a computer is very tricky. The so-called random number generators that come with most programming libraries are nowhere near good enough. For most users dice is by far a better way to select passphrase words.


    Rube Goldberg machines are not addressed in the FAQ. It must not be a Q which is A'd very F. :)


    Thanks Khad. I like asking questions which aren't asked frequently:-) It was quite good fun building a diceware passphrase with random numbers, maybe I need to get out more.
  • Fooligan
    Fooligan
    Community Member
    I ended up going with diceware.

    I noticed that they don't really have a method for adding CAPS on the site. I rolled "X" die to determine the # of CAPS to use, followed by another roll to determine the word to use, followed by another roll to determine the character to change to CAPS, repeating that sequence until I satisfied the first roll.

    I hope that introduces added entropy as far as capitalization. I figured they don't have that on there since it starts to get into the "hard to remember" category. I know that it is overkill, but I want to have a pass phrase that should last a while...hopefully.
  • khad
    khad
    1Password Alumni
    I actually kind of like Reinhold's take on capitalization. Excerpt:

    The entropy added by having just one random capital in a typical five-word passphrase is 4.4 bits (log2 of number of characters in the average 5-word passphrase). By contrast, inserting one random character somewhere in the middle of your passphrase increases its entropy by about 9.5 bits (4.4 + log2 (36)).
  • benfdc
    benfdc
    Community Member

    You stopped quoting Reinhold too soon, Khad! He goes on to write:

    If all this seems like lily-gilding, just stick with the original passphrase you got from the Diceware word list.

    >

    … For [systems that insist upon a mix of uppercase and lower case letters] we suggest you select one of your Diceware words at random using a dice throw and capitalize its initial letter.

  • khad
    khad
    1Password Alumni

    I would have ended up quoting the whole thing. I think it is great reading for anyone interested in passwords. :D

  • benfdc
    benfdc
    Community Member

    Right, but @Fooligan was asking about a method for using Diceware to add caps, and Reinhold does suggest one.

    The method Reinhold suggests is clearly motivated by his view that, except in special situations, using mixed caps is a silly way to increase entropy. I say "clearly" because, per Kerchoff’s Principle, it adds only 2-3 additional bits of entropy.

  • Nunuv Yurbiz
    Nunuv Yurbiz
    Community Member
    edited August 2013

    The problem I have with diceware is that passwords made up of a series of short words (where each word is a "letter" in a much larger "alphabet") is that they're long, and it's a pain to type all that on an iPhone. Six short words may be easier to remember than, say, 9 random characters/symbols (96 charset) but what a pain to type! Especially while driving.

    We really need a better solution for mobile devices. If I want to do something quickly on my iPhone, I have to first enter my iPhone's password, then launch 1Password, then enter my 1Password password. And forget using any characters near the backspace key! [scream] It's not so bad when you have a full size, two-handed keyboard; awful when you're driving and fumbling around your iPhone.

    I gave up on the iPhone itself and just set a six-number password. But my 1Password password is long. (I thought there was an ability in 1Password to have normal entries and high-security entires? DId that go away?)

    And here's another thing [rant] why can't the 1Browser save SSL certificates? I have a self-signed certificate to access my web server over SSL and every time I have to confirm that the certificate is OK [/rant]

    Is voice recognition security feasible? That, at least, would be hands free. (Voice recognition could be either recognizing the letters/numbers/words I'm speaking and/or recognizing my voice as my own.)

  • khad
    khad
    1Password Alumni

    Especially while driving.

    Yikes! As a motorcyclist, I do hope that you never actually do that. Please keep your eyes on the road.

    (I thought there was an ability in 1Password to have normal entries and high-security entires? DId that go away?)

    Yes, one of our goals with 1Password 4 was to make strong security the default. The old PIN code had the downside of being used to encrypt some items and with only 10,000 possibilities, this just wasn't good enough for us to continue with. We did away with that approach in the first iPad version as well. The PIN code was originally conceived as a convenience feature for frequently accessed items in the time before iPhone OS supported fast app switching and background tasks. It was a compromise we were never happy with, but it provided the best balance of security and user experience at the time. We do still have the unlock code available in settings, but it is only used to control access to the 1Password application, never for encryption of any of your data. This means that you need to authenticate with your master password at least once per session in order to be able to use the QUC.

    From the User Guide:

    You can configure 1Password to never prompt the password/code, but this only works after you:

    1. Initially unlock 1Password app already,
    2. Set both Request After and Request Code After to Never, and
    3. Also keep re-opening 1Password once in a while.

    Why the last one? When you stop using 1Password, the iOS app will keep track of how long it’s been in the background in order to ensure there’s enough memory for your current and most recently used apps. 1Password can remain unlocked in memory only until iOS is forced to fully close the app in the background to reclaim its memory block, so that your current apps can use it.

    If the termination has occurred, you’ll have to enter the master password to unlock it.

    Note that the more memory you have in your iOS devices, the longer 1Password can remain unlocked. Keep this in mind when switching to older iOS devices that might see 1Password locked more often.

    I hope that clarifies the situation and our decision a bit. If you have other thoughts or ideas, please let us know.

    And here's another thing [rant] why can't the 1Browser save SSL certificates? I have a self-signed certificate to access my web server over SSL and every time I have to confirm that the certificate is OK [/rant]

    I'll pass your request along. Thanks for mentioning this.

    Is voice recognition security feasible? That, at least, would be hands free. (Voice recognition could be either recognizing the letters/numbers/words I'm speaking and/or recognizing my voice as my own.)

    Even just recognizing a voice can be tricky. I'm sure you've used Siri. ;) Accurately recognizing and securely verifying a specific voice is not really a suitable option at this time. But who knows what the future holds?

    As for the main point of your post, by all means, please use a Master Password that you are comfortable with. If you prefer not to use a Diceware password, that can be perfectly acceptable. Diceware is just the method we recommend. :)

  • benfdc
    benfdc
    Community Member

    Interesting. @jpgoldberg is working on a diceword-ish generator based on the notion that all-lowercase pass phrases are, as a rule, easier to type on mobile devices than mixed case + numeric + symbol passwords, but noneofyourbusiness dislikes typing six short words.

    I prefer short words, and that's what I use for my iPhone's unlock code.

    One thing that noneofyourbusiness and I have in common is that I too often find myself inadvertently hitting the backspace key on my iPhone keyboard when trying to type an L or M.

    Having an "avoid L and M" checkbox in a diceware-ish generator sure sounds odd, but if it were there I might well use it!!

This discussion has been closed.