Stories
Slash Boxes
Comments

SoylentNews is people

posted by mrcoolbp on Sunday March 29 2015, @10:38PM   Printer-friendly
from the correct-horse-battery-staple dept.

Micah Lee writes at The Intercept that "coming up with a good passphrase by just thinking of one is incredibly hard, and if your adversary really is capable of one trillion guesses per second, you’ll probably do a bad job of it. It turns out humans are a species of patterns, and they are incapable of doing anything in a truly random fashion."

But there is a method for generating passphrases that are both impossible for even the most powerful attackers to guess, yet very possible for humans to memorize. First, grab a copy of the Diceware word list, which contains 7,776 English words — 37 pages for those of you printing at home. You’ll notice that next to each word is a five-digit number, with each digit being between 1 and 6. Now grab some six-sided dice (yes, actual real physical dice), and roll them several times, writing down the numbers that you get. You’ll need a total of five dice rolls to come up with each word in your passphrase. Using Diceware, you end up with passphrases that look like “cap liz donna demon self”, “bang vivo thread duct knob train”, and “brig alert rope welsh foss rang orb”. If you want a stronger passphrase you can use more words; if a weaker passphrase is ok for your purpose you can use less words. If you choose two words for your passphrase, there are 60,466,176 different potential passphrases. A five-word passphrase would be cracked in just under six months and a six-word passphrase would take 3,505 years, on average, at a trillion guesses a second.

I recommend that you write your new passphrase down on a piece of paper and carry it with you for as long as you need. Each time you need to type it, try typing it from memory first, but look at the paper if you need to. Assuming you type it a couple times a day, it shouldn’t take more than two or three days before you no longer need the paper, at which point you should destroy it.

"Simple, random passphrases, in other words, are just as good at protecting the next whistleblowing spy as they are at securing your laptop," concludes Lee. "It’s a shame that we live in a world where ordinary citizens need that level of protection, but as long as we do, the Diceware system makes it possible to get CIA-level protection without going through black ops training"

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 2) by Nerdfest on Monday March 30 2015, @03:21AM

    by Nerdfest (80) on Monday March 30 2015, @03:21AM (#164037)

    Want to dramatically increase the difficulty? Make a frikkin' spelling mistake or two. Never use something that can be cracked using a dictionary attack.

    Starting Score:    1  point
    Karma-Bonus Modifier   +1  

    Total Score:   2  
  • (Score: 4, Insightful) by stormwyrm on Monday March 30 2015, @03:51AM

    by stormwyrm (717) on Monday March 30 2015, @03:51AM (#164052) Journal

    Doesn't increase the difficulty all that dramatically. Changing, say, one letter in a word only means that for each word there are 26 possible variants of that word. That's only 4.7 bits of entropy. Change two letters, that's about 9.4 bits. Seems nice, no? But adding only one more word to your passphrase increases the entropy by nearly 13 bits if you use the original Diceware dictionary. I dunno about you, but for me, remembering the way I misspelled particular words in the passphrase is harder to remember than an additional, correctly spelled word. The game is to make passwords that are easy for humans to remember, right?

    --
    Numquam ponenda est pluralitas sine necessitate.
    • (Score: 1, Informative) by Anonymous Coward on Monday March 30 2015, @08:22AM

      by Anonymous Coward on Monday March 30 2015, @08:22AM (#164106)

      Doesn't increase the difficulty all that dramatically.

      I'd say it does, as it means that even an exhaustive (for small values of infinite length :) dictionary search will never crack the password. And since this kind of advice to string words together is currently given, you can bet that dictionary searches will get more popular.

      Changing, say, one letter in a word only means that for each word there are 26 possible variants of that word.

      This is true as long as the word is one letter long...

      The game is to make passwords that are easy for humans to remember, right?

      No, the goal is to make strong passwords that are easy to remember.....

      • (Score: 2) by stormwyrm on Monday March 30 2015, @08:37AM

        by stormwyrm (717) on Monday March 30 2015, @08:37AM (#164120) Journal

        The point I was trying to make is that adding random misspellings makes passphrases harder to remember much more than adding additional words to the passphrase does, and the entropy gain from doing that isn't as spectacular as one might think. All right, let's make this a bit more rigorous. Your average word in English is about five characters long. Choose one of those letters to change, for the simplest type of misspelling. So that makes 5*26 possibilities. That's just a paltry seven bits of entropy for forcing me remember to change a random letter inside one of the words. Making me remember another word adds almost twice as much entropy (13 bits), and again, I maintain that remembering properly-spelled words is a lot easier than remembering that a word has been misspelled and how it is misspelled. Sure, you can do that if you like; it doesn't hurt passphrase strength, but it sure as hell hurts memorability. We want to have passwords that are both strong and easily memorable.

        --
        Numquam ponenda est pluralitas sine necessitate.
        • (Score: 2) by monster on Monday March 30 2015, @04:18PM

          by monster (1260) on Monday March 30 2015, @04:18PM (#164331) Journal

          Both of you are right and even then, or maybe because of that, you can't agree.

          For dictionary attacks, adding a word is just like adding one more letter to a normal password, albeit from a very large alphabet. It makes forcing the password harder but it is still vulnerable to dictionary attacks. However, changing just one word into something outside the dictionary makes the dictionary attack useless, because then the attacker must include not only normal words like this Diceware list but also many misspellings and likely changes (say, leetspeak and the like) without even being sure she has included all the needed ones.

          Both methods strengthen your password but do so in different ways, and "mistakes" can also be easily remembered, like using plurals, even garbled ones ("pluralz").

          • (Score: 2) by Gaaark on Tuesday March 31 2015, @12:58AM

            by Gaaark (41) on Tuesday March 31 2015, @12:58AM (#164581) Journal

            I think that the longer your password is,the harder it will be to crack, especially if the cracker doesn't know how long your password is.

            Having a 7-10 character password with all kinds of hard to remember characters (ampersands, etc) is not as good as having an 18 to 24-30 character password of standard dictionary words strung together, especially if you can remember to salt it with odd characters (ampersands, etc).

            horsebatterystaplecorrect
            is not as good as horsebatterystaplecorr3ct
            is not as good as horsebatterystaplecorr3ctbeerbash

            my old passwords were about 8 characters long with odd characters
            my new passwords are 18-26 characters long with whatever i can remember.

            and if a website which hasn't done it's password protection properly (salted, hashed) is cracked, it all comes down to naught... the unsinkable just hit an iceberg.

            That given, if a website is working with the NSA, they have your password.

            And you are f*cked.
            Up the back end.
            With a popsicle.
            Named Harry Dick... aka 'Chocolate Rain'.
            And his friend.
            Biggus Dickus... aka... Biggus Dickus.

            --
            --- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
            • (Score: 2) by stormwyrm on Wednesday April 01 2015, @08:31AM

              by stormwyrm (717) on Wednesday April 01 2015, @08:31AM (#165308) Journal
              The point I've been trying to make is not that adding misspellings doesn't improve password strength. I agree that it does. If you do changes like that, it adds something like 7 bits of entropy or so. But when you haven't logged onto the site fully after a while because they use persistent cookies, will you still remember that you changed the e in 'correct' to a 3, and only that e? Having a good password is useless if you can't remember it properly! Was it worth adding 7 bits of entropy to make the password less memorable, when you could have just added two more words like 'beer' and 'bash' to increase entropy by 26 bits instead? Lists of properly spelled words are a lot easier to remember, and cracking passwords made up of them is already infeasible even if you use just six.
              --
              Numquam ponenda est pluralitas sine necessitate.