Slashdot Mirror

Uses a list of over 7000 common words.
http://www.diceware.com/

>IMHO, you CANNOT use straight dictionary words (regardless of language, and yes, I do mean Klingon and Sindarin!) in your passwords without some sort of numeric or symbolic character replacement pattern.

Of course you can. If they're selected randomly, an attacker has to use the complete source space for the random selection in a brute force attack.

http://www.diceware.com/ gives you 12.9 bits of entropy per word. Brute forcing that is already more trouble than it's worth at three words, and five would require nation-state resources to crack.

While using the same password for Hotmail and internet banking is really not a good idea, using the same password for wordpress.com and wordpress.org is just common sense for people who don't have a photographic memory.

I was going to mod this up, but thought it might be a good time for my annual suggestion of using passphrases instead of random sequences of characters. Much easier to remember, and a short 3-word passphrase (maybe with a random character to increase entropy) usually satisfies the moronic "password strength" checks.

I don't know if anyone bothered to read the full report, but I found this recommendation tucked in at the end of the report:
ast character in the password. (pg. 3)

Allow and encourage passphrases instead of passwords. (pg. 5)

And I say amen, amen to that. I've done quite a bit of personal research in this area, and have found passphrase systems to be far superior in terms of security and ease of use/recall over random combinations of characters. For years I've used the list provided at Diceware to generate my passphrases, and I have no problem still recalling little-used 5- or 6-phrase passphrases years later.

The idea that random sequences of characters is somehow superior to a passphrase of equal entropy is a myth borne of ignorance and a resistance to change. So long as companies that know better keep forcing their minions to adhere to a strict range of letter/number combinations, we'll continue to be saddled with the problem presented by the Rockyou.com crack.

>randomness (i.e. entropy) is an attribute of the distribution, not the sample. That means you can't really say that choosing "password" isn't random.
In other words, entropy is a property of the source and not of the output.

http://www.diceware.com/ is another approach. With 4-6 randomly chosen words in a passphrase you can usually make up a story to string them together into a sentence you have a chance of remembering.

2. Sites that I care about, like online banking or ones that contain personal information (LinkedIn, for example), have random line noise for passwords and I just write them down. There is a notebook in my desk with all the passwords. The desk is locked and in my home office. That is far more secure than trying to make them easy enough to memorize.

...then you're just deluding yourself if you believe your passwords are secure. Personally, I use passphrases. More secure than your passwords, and I don't have to write them down. Ever.

Report back to us the first time your house gets broken into, and the perp finds your little black book of passwords.

Hushmail only stores your private key in encrypted form, encrypted with your passphrase. It gets decrypted only on your machine, by the Java applet. Yes, this does mean your security depends entirely on the strength of your passphrase. Use http://www.diceware.com./

As for hashes being easy to crack, please. A dictionary attack isn't a crack of a hash, and reversing a hash algorithm is still beyond the state of the published art. Making collisions, yes, but recovering original text, no.

People pick crappy passwords. Use Diceware (or the password-generation algorithm at the end of the Diceware PDF).

A six-word passphrase selected from a list of random tokens (words) such as offered by diceware trumps even these paltry numbers in parent:

7776^6
221073919720733357899776
26^10
141167095653376
95^5
7737809375

Added bonus: You can actually remember a six-word passphrase. Throw in an extra random character for additional entropy, and you can *still* remember it. Tell me what your ten random-letter password is a year from now.

New Secure Email Account
Welcome to Hushmail, the world's premier free, secure web-based email and document storage system.

  Step 1
Choose your new email address:
Click here to use an automatically generated email address

  Step 2
The security of your account is determined by the strength of your passphrase. Please use a passphrase that is much longer than an ordinary password. For advice on generating a strong passphrase, see http://www.diceware.com./

Choose your passphrase:
Re-type your passphrase:

  Step 3
Five numbers are displayed below to help us distinguish between real people like you and computer programs trying to use our service.
Please type the five numbers you see below:

  Step 4 (Optional)
Show advanced options

  Step 5

By signing up for this service, you acknowledge that you have read and agree to abide by our terms of service.

I use Password Gorilla. It is written in Tcl/Tk and therefore is very cross-platform. They even have a .app for Mac usage! The Windows version is a standalone executable that is completely self contained so the machine that you use it on doesn't require you to install anything. It reads Password Safe password files. It's nice to have if you're on a machine that Password Safe does not support or if you cannot install software. I keep the Windows, Linux, and Mac versions on a keychain drive along with my (encrypted) password list.

If you're more the command line type, there is also pwsafe that supports the Password Safe format but allows you to add and get passwords from the command line.

One of the benefits of both of these pieces of software is that they allow you to generate completely random passwords. Completely random passwords are quite secure, and are a great way to make it a nightmare for any script kiddie to guess or crack your password. However, that leaves one passphrase that you need to remember and guard - the passphrase to your password managing program. I personally suggest Diceware as a great, truly random way to generate a completely random passphrase. You can even do it while you're away from the computer if you'd like and if you're paranoid. It's also a great way to generate passphrases for SSH keys, PGP keys, or whole-disk encryption.

For high-end passwords I've been steering people toward five- or six-word Diceware passphrases. If physical dice are completely random, then that's 64.5 or 77.3 bits of entropy. An attacker could read them out of swap space, plant a keylogger, or analyze the timing of your keyclicks, but they're outside the reach of clever guessing or feasible brute force.

Your keycard should be your login token.

The technology is available.

The real myth about passwords is that they still make sense. Passwords are dead. Passwords that can hold up to a good cracking program are outside the memory capacity of normal people. (I memorized a 10-word Diceware passphrase with 129 bits of entropy once, but that only proves I'm abnormal).

Your employer would improve both their security and your convenience by letting you have a hardware login.

They are indeed unbreakable, with a theoretical proof of unbreakability -- in the land of spherical horses, where you're allowed to make huge assumptions.

One underappreciated assumption about one-time-pads is that the recipient will (and can!) destroy the keying material after use so thoroughly that the adversary can't reconstruct it. There are several other issues, of which key distribution is one of the easiest. Just put a 500GB external drive in the diplomatic bag once and you've covered communications for a long time.

Here's the problem. The only things secret here are which quasar (13, 14 bits of uncertainty), when the sampling started (?? There won't be very many possible seconds that the adversary has to scan but sampling could start on a fraction of a second), and the sampling algorithm (but you have to assume in crypto that the adversary knows your algorithms). It's going to be easier to brute-force than a 6-word Diceware passphrase unless atmospheric effects somehow make the quasar signal look different everywhere on earth.

Diceware generates secure passphrases that are very useful for this purpose.

If you want to generate cryptographically strong passwords, see http://www.diceware.com/,

..is that it's a terrible model to support when it comes to randomly-challenged humans. The move needs to be away from passwords (especially randomly-generated) and towards passphrases -- still randomly generated, but using pronouncable/easily remembered combinations of words in the user's native language. (Diceware has some good background on the why passphrases are more secure than passwords.)

Before spouting off why you think (erroneously) that "easily-remembered" passphrases can't possibly be more secure than randomly-generated passwords, please read the FAQs at the Diceware site first.

Interesting idea. That sounds almost like the diceware method on steroids.

Passphrases are the only sensible solution I've ever heard of for divising keys that are both relatively easy to remember and sufficiently random so as to be secure. A random string of characters cannot be reliably memorized. Any word, no matter in what language and no matter how obscure, can be cracked by a dictionary attack. A sequence of words chosen at random can be memorized, and if it's about six or seven words long, is probably beyond the reach of cracker software, even the Secret Service's.

One of the best ways I've seen to construct a secure passphrase is Diceware. Arnold Reinhold constructed a list of about 7500 words of up to six characters in length. Roll five dice to pick out a word in the list; do this a few times to create a passphrase, commit the phrase to memory, and burn anything you might have written down. He calculated that if you choose a passphrase consisting of seven words this way, you have about 90 bits of entropy, which a cracker probably couldn't break in this lifetime. His sample phrase is cleft cam synod lacy yr, which probably takes some practice to memorize, but it can be done.

Correct and insightful.

What I use for high-security applications and recommend to clients is a genuinely random passphrase. You generate it one word at a time without regard to grammar by using 5 dice and the list of 6**5 short words at the Diceware page. Then you make up some kind of story to go with a phrase like "cleft cam synod yr" (hey, challenges are good for you) so you can remember it.

Bruce Schneier wrote that passwords are dead because normal people can't memorize enough randomness to defeat a brute force attack. I took that as a challenge and memorized a 10-word Diceware passphrase, which has about 129 bits of entropy. Of course that doesn't prove Schneier wrong, just that I'm abnormal :-)

This page offers a better way to create a strong, yet easy to remember passphrase for use with encryption and security programs. Weak passwords and passphrases are one of the most common flaws in computer security. Take a few minutes and learn how to do it right. The information presented here can be used by anyone. No background in cryptography or mathematics is required. Just follow the simple steps below.

I have Password Safe installed on my PDA, as well as my USB Flash drive. I use that to manage my passwords. It's a bit of a pain to keep the two in sync, but not too bad. I used Diceware to generate a fairly secure master passphrase.

Just use the Diceware method and stop whining.

I'm surprised that I haven't seen any mention of diceware yet.

Allows for strong passwords with high entropy, but easier to remember than traditional passwords. Well worth a look, IMHO

I highly recommend Diceware for advice on and tools for generating passphrases.
A Diceware passphrase has 12.9 bits of entropy per word, assuming you can throw dice randomly.

Yeah, I do something like that. I used to use separate weak passwords for sites that I don't give a damn about, but I found that it's much easier to have one weak password for all such accounts.

So that's for my my Slashdot, Starcraft, hotmail spam account, etc etc.

For root and otherwise important UNIX accounts, 8-character random alnum.

For paypal (which has like 10 bucks on it), and the like, 3-word diceware.

For real banking, 5-word diceware.

For PGP master key (controls encrypted list of passwords), 7-word diceware.

I use diceware because it produces passwords that are strong, easy to remember, and fast to type (especially on Dvorak, which is optimized for English words).

While this is not allowed by many websites or by UNIX crypt passwords, Diceware makes for very good passwords that are easy to type and remember.

Basically, you take a list of words indexed by all possible rolls of 5 dice, 11111 through 66666. You roll 5 dice and pick a word, and repeat to desired password length, eg

cleft cam synod lacy yr

Sure, your password is longer this way, but you can memorize it easily and type it quite fast as it is a series of English words.

For my secure passwords, like PGP keys or banking, I use diceware, 7 words. This is some 85-90 bits of entropy and pretty much unbreakable for the forseeable future. For account passwords I use 3-4 words, which is enough that a database thief will break someone else's login first. For crypt shell accounts, I use mixed-case alphanumerics (similarly, about 48 bits of entropy). This adds up to under 10 good passwords to remember, and I don't change them often (no good changing a PGP password anyway, and I only change shell passwords occasionally).

For most websites (/.), I use a family of very weak passwords (a couple random words and symbols, but varies little from account to account), as I don't care much if you hack here and post in my name.

All these are in a heavily backed-up text file in case I forget them, encrypted with my PGP key.

Looking for a decent password?

"apt-get install pwgen" for a program that can produce (among other things) pronouncable passwords.

Or grab some dice and go to: Diceware.

No. A 10-word diceware passphrase can be typed in about 6 seconds and gives you 128 bits of entropy.

PGP/GPG requires some knowledge of public-key cryptography (and computers) to be effective - that is, we don't want to saturate the userbase with newbies who don't bother to check fingerprints before signing, choose crummy passwords (instead of passphrases), etc. If you understand how to properly use a system such as PGP then installing a plugin shouldn't be out of your reach.

You get to the point where you want to worry about making smarter users rather than smarter software. It should be beyond most people.

I use the diceware system. I generally end up with 25+ character passwords, and when mixed up cases, swap letter for number and word separator special chars are used, it gives very high strength passwords.

Then just use memory path tricks to store them in the old' grey matter, nuff said. I use the same rules every time for character substitution, so I don't have to remember the coded password, just the diceware phrase. Apply the coding, and there's the password.

PGP 6.5.8 uses for its passphrases by default an iterated salted SHA-1, which is roughly 2^160 chosen collision, 2^80 birthday collision, strong random salt and no known patterning through successive iterations.

I will assume that an attack requiring you to use a key that has been tampered with is impractical in this case.

I can't really give any accurate figures because it purely depends on how strong the passphrase is - how easy it is to guess - and that's not information you really want to give us.

At that size, it could be very secure indeed, up to the limit of a hash break (160 bits). It probably isn't even close to that good, because you can remember it. If you used, say, Diceware to generate your password, you're probably cool. It's a known wordlist, yes, but the randomness provided by the dice gives real, measurable entropy - if you can remember it, it's good.

We only really know the rough length here - if you picked a quote from anything, a word or phrase from any language, or a host of other things, it could be much less than you thought, possibly 2^40 or less. If you haven't been such a moron, then it could be 2^70 or even up to 2^90 depending on how ninja you've been.

This may not be as high as you were hoping for but if you have chosen a good passphrase, then you are safe unless you have a heavy, serious threat model trying to get your communications the dumb way (or if there was a keylogger on your machine).

It's not all that insecure - Hushmail uses this principle. But you have to choose a really good passphrase for that - it's critical, and it's something most people are bad at (hence the Diceware link).

At the end of the day, you have more security if your private keys stay private. If you are able to revoke that key and make another, do it, but don't use the same passphrase, or any part of it, ever again.

Because Diceware is so much easier. Just roll 5d6 a couple of times, and you have a secure password, à la "cleft cam synod lacy yr." Well, so the paranoid ones of you will use 10 words to match the strength of the hash, but...

You can generate strong and relativly easy to remember password with Diceware

"I don't think you can create a password that is easily memorizable that is 20 characters long," Kirovski said.

1. Since five die rolls can have 7776 possible combinations (6^5), each "word" has an entropy of just over 12.924 bits. (2^12.924 ~ 7776, so that many bits are necessary to represent each combination five die rolls can create).
   
2. Now, one "character", if we take it to mean an integer with values 0 through 255 inclusive, has entropy of 8 bits.
   
3. Therefore, every two diceware words correspond to three completely random bytes.
   

1. "56k modems are worse junk than what Napoleon had at Elba -- a bleating piece of lard is faster down an incline if you've given it a push, for chrissakes!!" together with the picture of a goat bleating in terror as it rides a chunk of lard down a hill. Also picture the goat in a Napoleon posture (one hoof inside vest) so you remember elba.[5]
   
2. "Wacko tries being a minister: comes up with wacky sermon about how we need to annex canada. I for one think it should be swept under the rug. (the idea advanced by the sermon or canada? :) )"
   Picture: arm stretching borders of alaska over canda.
   

• Note that the 7776 words diceware uses are all short. There are far more than that many common English words, but by including obscure shorter words and semi-words (like numbers), which are less common but equally memorable once you've thought about it / looked it up, the total typing is reduced. However, this leads to:
  
• Be very sure to accept any words you're given. If you need to look up a word to know what it means, do so. By avoiding words you don't know (rolling again), you reduce entropy.
  
• Don't change words. If I change "56" to "56k" above, and make that the word in my passphrase, it's not enough that I make sure 56k isn't already one on the list: I need to make sure that none of the other 7776 words are ones I might change to 56k if I roll them. In other words, just don't change words.
  

Everyone should go out and buy some dice and use them.

http://www.diceware.com/

The assertion that you should never write passwords down is not necessarily a good one. When deciding whether to write the password down, determine two things: 1) what damage is done if someone steals my password 2) what damage is done if I forget the password. In most cases of personal encryption, writing it down does little harm.

From the Diceware FAQ:

Should I write down my passphrase?

This is a very important question. Most experts say never write down your passphrase under any circumstances. This approach comes from military doctrine, but military crypto systems are designed in such a way that one person forgetting a passphrase is not a calamity.

I believe most people are more afraid of forgetting their own passphrase than they are of having it stolen. As a result they tend to pick passphrases that are far too weak. I actually did a small survey on this question and the results support my view. See http://world.std.com/~reinhold/passphrase.survey.a sc

Also many people need multiple passphrases for different programs and needs. Remembering them all can be difficult, particularly those that are used infrequently. For most people it is better to pick strong passphrases, write them down and keep them in a very safe place. There may be legal advantages to memorizing your key, however.

I use a Diceware password for my PGP (slightly obfuscated). The password is written unobfuscated in my wallet. I had no difficulty memorizing it, but I might forget it in the future, so I have some insurance.

To anybody and everybody out there with insecure passphrases: Use DiceWare.

To run the script, click here.

• You're using a computer that could have a keystroke logger installed. http://www.keyghost.com is an example of a tiny & cheap hardware logger.
• You need to use your personal GPG keys at work, school or a web hosting facility where you don't trust or own the equipment.
• If you maintain a PGP Certificate Authority or signing key and have to have a safe place to use the CA key.
• If you simply don't want to risk putting a PGP key on a hard drive where someone else might have access to it.
• The Illuminati are watching your computer, and you need to use morse code to blink out your PGP messages on the numlock key.

• readme.txt, also on the floppy image
• The source code for files on the floppy
• The tinfoilhat linux floppy image plus disk signature file Transfer this image to disk using rawrite (on windows) , dd on unix (dd if=tinfoil.img of=/dev/floppy ), or Diskcopy on a MAC.

• Q: Why doesn't the floppy I got at codecon match the signature above?
  A: because I screwed up & wrote a nvram.md5 file to the floppy I then used as a master. I had to remove that file from every floppy. The result is that the MD5sum of the codecon floppies should be: 3608290765de7d5283a1a22813677a56
• Q: How do I undo that horrible screen in paranoid mode?
  A: Type "contrast" at the command prompt, or play with ctheme.
• Q: Is this really a 1.0 stable release?
  A: Think of this as a linux kernel 1.0 . Yes, it's stable to the best of my ability, and has been tested, but not for very long or by many people.
• Q: What sort of hardware is required to run tinfoil hat?
  A: Any 386DX or faster IBM compatible with more than 8 megs of RAM. Pretty much any PC made in the last 8 years will work fine.
• Q: where do I send complaints, bugs & feature requests?
  A: anonymous AT nameless DOT cultists.net
• Q: What is the license for this distribution?
  A: The scripts, documentation, and the distribution as a collection are released under a modified BSD license. Obviously, other people's software in this distribution retain their original licenses.

• Aluminum foil deflector beanie from zapatopi
• The man in the Tinfoil Hat . A good example for people confused by the tinfoil hat reference.
• http://www.gnupg.org
• Joelm's comprehensive TEMPEST site.
• Tempest for Eliza A fun tool for observing the radiation from your computer. If anybody ports this to Direct FB, I'll put it on tinfoil hat in a flash.
• Diceware a tool for generating very secure passphrases.

As it happens, I ended up encrypting the piece of paper, such that the only thing that I definitely have to remember is the non-trivial decryption scheme. Of course, I also remember the passwords that I need most often, but for the others my encrypted paper has occasionally worked miracles.

So how do you encrypt a piece of paper? Are you talking about using an encryption program (scanning in that sheet of paper?) or something like cutting it into little confetti-like bits and hiding them around your neighborhood? Actually, that approach is more like steganography.

Has anyone mentioned Diceware already? (Another link here to the same site.) It's the system I like the most, especially because I get to real d6s in the process.

I've been using Diceware as a way to generate easy to use, and yet fairly secure passphrases and passwords. There are some interesting statistics in the Diceware FAQ, like cracking a 5 word Diceware passphrase is equivalent to cracking a 64.6 bit symetric key using brute force. I doubt you could get a whole organization to use this method (you'd probably get busted for playing craps!), but it's still intriguing.

Use Diceware to generate your passphrases.
--------
Genius dies of the same blow that destroys liberty.