
posted by mrcoolbp on Sunday March 29 2015, @10:38PM
from the correct-horse-battery-staple dept.

Micah Lee writes at The Intercept that "coming up with a good passphrase by just thinking of one is incredibly hard, and if your adversary really is capable of one trillion guesses per second, you’ll probably do a bad job of it. It turns out humans are a species of patterns, and they are incapable of doing anything in a truly random fashion."

But there is a method for generating passphrases that are both impossible for even the most powerful attackers to guess, yet very possible for humans to memorize. First, grab a copy of the Diceware word list, which contains 7,776 English words — 37 pages for those of you printing at home. You’ll notice that next to each word is a five-digit number, with each digit being between 1 and 6. Now grab some six-sided dice (yes, actual real physical dice), and roll them several times, writing down the numbers that you get. You’ll need a total of five dice rolls to come up with each word in your passphrase. Using Diceware, you end up with passphrases that look like “cap liz donna demon self”, “bang vivo thread duct knob train”, and “brig alert rope welsh foss rang orb”. If you want a stronger passphrase you can use more words; if a weaker passphrase is ok for your purpose you can use fewer words. If you choose two words for your passphrase, there are 60,466,176 different potential passphrases. A five-word passphrase would be cracked in just under six months and a six-word passphrase would take 3,505 years, on average, at a trillion guesses a second.

I recommend that you write your new passphrase down on a piece of paper and carry it with you for as long as you need. Each time you need to type it, try typing it from memory first, but look at the paper if you need to. Assuming you type it a couple times a day, it shouldn’t take more than two or three days before you no longer need the paper, at which point you should destroy it.

"Simple, random passphrases, in other words, are just as good at protecting the next whistleblowing spy as they are at securing your laptop," concludes Lee. "It’s a shame that we live in a world where ordinary citizens need that level of protection, but as long as we do, the Diceware system makes it possible to get CIA-level protection without going through black ops training."
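The arithmetic behind the summary's numbers (five dice per word, a 7,776-word list, and a trillion-guess-per-second adversary), as an added example that is not part of the story or of Lee's article. The word list itself is not reproduced here; the functions map a dice roll to its position in that list and compute the passphrase space and average search time. `roll_dice` is a constructed software stand-in using the OS CSPRNG, where the article deliberately calls for physical dice.

```python
import secrets

WORDLIST_SIZE = 6 ** 5          # 7,776 words: one per five-dice roll
GUESSES_PER_SECOND = 1e12       # the "trillion guesses a second" adversary
SECONDS_PER_YEAR = 365 * 24 * 3600


def dice_to_index(roll: str) -> int:
    """Convert a five-digit Diceware roll (digits 1-6, e.g. '36424') into a
    0-based position in the 7,776-word list: '11111' -> 0, '66666' -> 7775.
    Each die is a base-6 digit, so this is an ordinary base conversion."""
    if len(roll) != 5 or any(d not in "123456" for d in roll):
        raise ValueError(f"not a five-dice roll: {roll!r}")
    index = 0
    for d in roll:
        index = index * 6 + (int(d) - 1)
    return index


def roll_dice(n_words: int) -> list:
    """Constructed software substitute for physical dice: secrets.choice draws
    each die from the OS CSPRNG, never from random.random()."""
    return ["".join(secrets.choice("123456") for _ in range(5))
            for _ in range(n_words)]


def passphrase_count(n_words: int) -> int:
    """Size of the search space: every word is one of 7,776 equally likely picks."""
    return WORDLIST_SIZE ** n_words


def average_crack_seconds(n_words: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Expected time to find the phrase: half the space is searched on average.
    This assumes the attacker knows Diceware was used and the word count."""
    return passphrase_count(n_words) / 2 / rate


def average_crack_days(n_words: int) -> float:
    return average_crack_seconds(n_words) / 86400


def average_crack_years(n_words: int) -> float:
    return average_crack_seconds(n_words) / SECONDS_PER_YEAR


if __name__ == "__main__":
    for n in (2, 5, 6):
        print(n, "words:", passphrase_count(n), "phrases,",
              round(average_crack_years(n), 2), "years on average")
    print("rolls for a six-word phrase:", roll_dice(6))
```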

  • (Score: 3, Interesting) by TheLink (332) on Monday March 30 2015, @02:57AM (#164031)

    If it's for your encrypted drives and other stuff where the main attack might be brute force do use long passphrases.

    But if it's for some random website, even your bank, there's really no point having a passphrase that's much stronger than the website's/organization's expected security against getting hacked (which as we all know is typically quite weak). Just have it strong enough so that someone successfully brute-forcing it over the network would have to DDoS it for a very long time ;).

    If the site gets hacked it doesn't matter that much whether your passphrase is strong or not. You have to assume the passphrase and site are compromised.

    Which leads to the more difficult things:
    1) you have to have different passwords/passphrases for different roles/sites. So for throwaway sites you might share the same password, but for your banks you might have different passphrases/passwords (even for each bank), then for your webmail accounts you should have different strongish passwords (especially for webmail accounts used for account/password recovery).
    2) you have to not be easily phished.
    3) you have to not be easily MITM'ed.

    Can most people remember that many passwords? Are they able to not be phished? Will they know if an https certificate has changed suspiciously? Keep in mind the NSA and others can get their certs signed by CAs and so probably MITM most people's https connections given the way browsers handle certificates and CAs.

    Last but not least does it really matter in practice? So far from all those hacking/phishing incidents how great is the damage that would be avoided by such measures? If the total damage has been less than the total cost and effort to avoid it then you'd just be hurting people more ;). So has it really been such a huge problem?

    If some person is going to spend 5 minutes every day looking up and entering the correct passphrase but would only get hacked once every 2 years if they didn't, that's 60 hours. If the person spends less than 60 hours and $$$ to fix the damage then it's not worth it.