
posted by mrcoolbp on Sunday March 29 2015, @10:38PM
from the correct-horse-battery-staple dept.

Micah Lee writes at The Intercept that "coming up with a good passphrase by just thinking of one is incredibly hard, and if your adversary really is capable of one trillion guesses per second, you’ll probably do a bad job of it. It turns out humans are a species of patterns, and they are incapable of doing anything in a truly random fashion."

But there is a method for generating passphrases that are both impossible for even the most powerful attackers to guess, yet very possible for humans to memorize. First, grab a copy of the Diceware word list, which contains 7,776 English words — 37 pages for those of you printing at home. You’ll notice that next to each word is a five-digit number, with each digit being between 1 and 6. Now grab some six-sided dice (yes, actual real physical dice), and roll them several times, writing down the numbers that you get. You’ll need a total of five dice rolls to come up with each word in your passphrase. Using Diceware, you end up with passphrases that look like “cap liz donna demon self”, “bang vivo thread duct knob train”, and “brig alert rope welsh foss rang orb”. If you want a stronger passphrase you can use more words; if a weaker passphrase is ok for your purpose you can use fewer words. If you choose two words for your passphrase, there are 60,466,176 different potential passphrases. A five-word passphrase would be cracked in just under six months and a six-word passphrase would take 3,505 years, on average, at a trillion guesses a second.

I recommend that you write your new passphrase down on a piece of paper and carry it with you for as long as you need. Each time you need to type it, try typing it from memory first, but look at the paper if you need to. Assuming you type it a couple times a day, it shouldn’t take more than two or three days before you no longer need the paper, at which point you should destroy it.

"Simple, random passphrases, in other words, are just as good at protecting the next whistleblowing spy as they are at securing your laptop," concludes Lee. "It’s a shame that we live in a world where ordinary citizens need that level of protection, but as long as we do, the Diceware system makes it possible to get CIA-level protection without going through black ops training."

  • (Score: 2) by stormwyrm (717) on Monday March 30 2015, @03:39AM (#164046)

    If you have a space of 100,000 words that means that each word contributes approximately 16.6 bits of entropy to the entire passphrase. The prescribed space of only 7776 words already gets you almost 13 bits of entropy per word (12.9248 to be more precise). It's not that big a difference. Four words from a 100k size dictionary gets roughly 66 bits of entropy. Four words from the 7776 word dictionary gets 51 bits of entropy. Just add one more word and you have 64 bits of entropy. If you have more familiar words, that makes it easier to remember.

    Also, adding spelling mistakes as someone else suggests makes the passphrase harder for a human to remember correctly, and only adds a few bits of entropy at most.

    The reason why you would want to print out a list of words like that is so that you can generate a passphrase without using a computer. Just roll 5d6 as many times as your paranoia and memory will permit, write it down on paper, keep it safe until you've committed it to memory, and then burn the paper when you're sure you won't forget it. No security through obscurity. The NSA can have a copy of the same Diceware list I printed to make my passphrase and it will do absolutely squat for them to break my passphrase.

    --
    Numquam ponenda est pluralitas sine necessitate.
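The dice-to-word lookup from the story and the entropy and crack-time arithmetic in the comment above, as an added example that is not from The Intercept, the Diceware project, or any commenter. `secrets.randbelow` stands in for the physical dice the story recommends, and `DEMO_LIST` is a constructed placeholder because the real 7,776-word list is not on this page.

```python
import math
import secrets

LIST_SIZE = 6 ** 5            # 7,776 entries on the Diceware list
GUESSES_PER_SECOND = 1e12     # adversary rate quoted in the story
SECONDS_PER_YEAR = 365 * 86400


def roll_code(randbelow=secrets.randbelow):
    # Five d6 rolls as a five-digit string such as "25341".
    # Software RNG here only for demonstration; the story says use real dice.
    return "".join(str(randbelow(6) + 1) for _ in range(5))


def code_to_index(code):
    # A code is a base-6 number whose digits run 1..6 instead of 0..5,
    # so "11111" -> 0 and "66666" -> 7775.
    if len(code) != 5 or any(ch not in "123456" for ch in code):
        raise ValueError("Diceware code must be five digits in 1..6")
    index = 0
    for ch in code:
        index = index * 6 + (int(ch) - 1)
    return index


def roll_passphrase(n_words, word_list, randbelow=secrets.randbelow):
    # Roll one code per word and look it up; the list must be full-size.
    if len(word_list) != LIST_SIZE:
        raise ValueError("word list must have exactly 7776 entries")
    return " ".join(word_list[code_to_index(roll_code(randbelow))]
                    for _ in range(n_words))


def bits_per_word(list_size=LIST_SIZE):
    # Entropy one uniformly chosen word adds: log2 of the list size.
    return math.log2(list_size)


def passphrase_space(n_words, list_size=LIST_SIZE):
    # Number of distinct passphrases of n_words words.
    return list_size ** n_words


def expected_crack_years(n_words, list_size=LIST_SIZE, rate=GUESSES_PER_SECOND):
    # On average half the space is searched before the right phrase is hit.
    return passphrase_space(n_words, list_size) / 2 / rate / SECONDS_PER_YEAR


# Constructed placeholder list: the real Diceware words are not on this page.
DEMO_LIST = [f"word{i}" for i in range(LIST_SIZE)]

if __name__ == "__main__":
    print(roll_passphrase(6, DEMO_LIST))
    print(f"{bits_per_word():.4f} bits/word; 2 words -> {passphrase_space(2):,} phrases")
    print(f"6 words: {expected_crack_years(6):,.0f} years at 1e12 guesses/s")
```

Swapping `list_size=100000` into `bits_per_word` reproduces the 16.6-bit figure from the comment, and the five- and six-word crack times come out at about 5.4 months and 3,505 years, matching the story.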
  • (Score: 0) by Anonymous Coward on Monday March 30 2015, @10:28AM (#164159)

    Please keep in mind that the 7776 words are known to be the source of passphrases simply based on it being published specifically for use in passphrases. The passphrase attacks will start with that list.

    My mom uses the least common last names of members of the youth sports teams her small business sponsors. It's a relatively small list but it's not published as a complete set. Would it stop the government from breaking her password? No, but if they asked she'd probably hand it over and offer to make them a sandwich. Will it keep out everyone else who doesn't have unlimited resources? Yup.