From The Urbach Letter – April 2012


Rolling Up a Better Password

You’re spending more time on the web and using online services more than ever before. That means you’re increasingly exposed to people who want to invade your privacy and steal your money. I recently wrote an article titled The Password Game to help you choose and manage good passwords, your first line of defense against crackers and other miscreants. In that article, I mentioned the Diceware method for generating strong yet easily memorable passphrases. However, Diceware is such a powerful, easy-to-use technique that I felt it deserved a write-up of its own.

There are two kinds of “good” passwords: (1) somewhat shorter but “complex” passwords that often include both upper and lower case characters, numbers, and symbols such as “9^j*p8#$E%~”, and (2) longer but “simpler” passphrases such as “shaking till curve running tea.”

The “short and nasty” password and the “long and simple” passwords are both secure. I don’t know about you, but personally, I find memorizing passwords with random upper/lower case, numbers, and symbols is REALLY difficult. For me, it’s MUCH easier to memorize a passphrase of severalwordsstrungtogether.

Which is Better?
There’s more. Even though I stated that the two examples are secure, one is much stronger than the other. Care to guess which one? That’s a set-up question. The simpler passphrase is nearly twice as strong as the gnarly, hard to remember password. The reasons are somewhat geeky, so I’ll leave that discussion to later, and get right into the instructions.

The Diceware Method · Step by Step

Here’s how to create a super-secure but easily rememberable passphrase:

1. Get yourself five regular throwing dice. If you don’t have a board game to steal them from, and there’s no toy store near you, then order a bunch online.

2. Shake and throw the dice.

3. Line them up from left to right.

4. Write down the numbers on a piece of paper you can tear up afterwards.

5. Repeat this 5 more times.

6. Look up the six numbers in the Diceware list (Download it here).

lumbar brine hoff above paint quip

7. A five-word passphrase is plenty strong, but I look up six words to have one “throwaway.” I think hoff might not be easily memorable, so just omit it and use the 5 others. My only mental association to it is David Hasselhoff and that’s quite disturbing...

8. String the words together to form your passphrase: “lumbarbrineabovepaintquip.” It very slightly reduces security to rearrange the words in the phrase but if that helps you remember it better, go right ahead. The trade-off is well worth it.

9. Tear up or swallow the scrap paper.

By the way, since your passphrase lumbarbrineabovepaintquip is all lower case, it’s fast and easy to type, especially on your smartphone. Adding capital letters and symbols won’t make it all that much more secure. If you need more security, just add an additional word or two.
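The nine steps above, carried out in code as an added example (this is not code from the article or from Diceware’s author): the five-dice throw is simulated with the operating system’s CSPRNG, the dice digits are read as a base-6 number to find the row, and the row is looked up. The word list below is a constructed stand-in with made-up keys and words, because the real 7776-row list is not on this page.

```python
import secrets

# Constructed stand-in for the real 7776-row Diceware list. These keys and
# words are made up for this example; a real run loads the full list.
SAMPLE_WORDLIST = {
    "11111": "abbey", "16655": "clause", "26543": "grist", "33333": "kappa",
    "45126": "mulch", "56621": "stub", "66666": "zonal",
}
DICE_FACES = "123456"


def roll_dice(n_dice=5):
    """Steps 2 to 4: throw the dice with the OS CSPRNG, read left to right."""
    return "".join(DICE_FACES[secrets.randbelow(6)] for _ in range(n_dice))


def key_to_index(key):
    """Map a five-dice key to its 0-based row: 11111 -> 0, ..., 66666 -> 7775.

    Each face is a base-6 digit (face 1 = 0), so five dice address exactly
    6**5 = 7776 rows and every throw lands on one and only one word.
    """
    if len(key) != 5 or any(c not in DICE_FACES for c in key):
        raise ValueError(f"not a five-dice key: {key!r}")
    index = 0
    for c in key:
        index = index * 6 + DICE_FACES.index(c)
    return index


def index_to_key(index):
    """Inverse of key_to_index; handy for checking that a list is complete."""
    if not 0 <= index < 6 ** 5:
        raise ValueError("row out of range")
    faces = []
    for _ in range(5):
        index, face = divmod(index, 6)
        faces.append(DICE_FACES[face])
    return "".join(reversed(faces))


def lookup(key, wordlist):
    """Step 6: validate the key, then find its word in the list."""
    key_to_index(key)
    return wordlist[key]


def generate_passphrase(wordlist, n_words=5, separator="", roll=roll_dice):
    """Steps 2 to 8 end to end; `roll` is injectable so fixed throws replay."""
    keys = [roll() for _ in range(n_words)]
    return separator.join(lookup(k, wordlist) for k in keys), keys
```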

What's a Good Passphrase?
The essential difference between a good passphrase and a passage of words from a book or a song lyric or an everyday expression is randomness. The generated phrase, “lumbar brine above paint quip,” is not a sequence of words that would likely be found in any published work or cracker dictionary. Nor will it be deduced, even by someone who knows the intimate details of your life. However, generating random phrases on your own is surprisingly hard to do. When you’re just sitting there trying to think of words to use, your mind will typically gravitate to the familiar, and that in itself reduces security.

The Three Powers
The first power of Diceware is its total randomness. You shake and throw five dice. The resulting five-digit number corresponds to one and only one of 7776 possible choices. There’s no arbitrariness involved. You look up the numbers in the Diceware word list and it is what it is. Repeat as often as you need to create a phrase of sufficient length.

The second power of Diceware is “vocabulary.” The vocabulary space of using only lower case letters is 26 (i.e., a-z). Adding upper case characters increases that space to 52. Adding numbers increases it by 10 more. Using almost all (33) of the additional keyboard characters ~!@#$%^ &*()-_+={}[]|;:/?.,<>"'` increases your vocabulary space to 95 unique choices (but makes it exponentially harder to memorize). However, each of the 7776 words in the Diceware list can be thought of as a unique “symbol” in a giant character set. The large number of possible choices results in high security.

The third power of Diceware is “rememberability.” The Diceware word list is composed of short English words along with some common abbreviations and intuitive character strings. Its average word length is 4.2 and no word is longer than six letters. Having a phrase composed of short, sensical elements enables you to easily create a “word picture” that’ll help you to remember it after a few uses.

How to Look up Words in the List
The quickest way to look up words in the Diceware list is by opening the PDF version and searching (CTRL-F) on the five-digit number generated by your dice throws. However, if that search history is discovered, or you have a software or hardware key-logger on your computer, all bets are off. For maximum security, do it the old-fashioned, low-tech way. Print the list, take yourself off the grid, close the blinds, write numbers/words down on a piece of paper placed on a hard surface (not a pad), and burn it afterwards. Make no marks on the Diceware list. Then your passphrase will truly be as secret as possible.

How About a Shortcut?
Diceware is clever and secure, but it does require a nominal amount of effort on your part to get out the 5 dice, throw them several times, and do a lookup in the tables, in order to generate a single passphrase. Sometimes you just want a passphrase and don’t care quite so much about the security level. At those times, just head over to www.passphra.se (that’s the URL, no dot-com).

Every time you click the [Generate Another!] button, passphra.se will cough up a four word passphrase for you. The words are separated by spaces to make it easier to memorize and copy the phrase, but I recommend removing them in use. (Some experts say it doesn’t matter if you keep spaces in your passphrase, but I think security is enhanced by not using spaces.) If a four-word passphrase is not secure enough for you, then you can just hit the button twice and concatenate the two phrases. An eight-word passphrase is very secure but remember, this is supposed to be a quick-and-dirty alternative to Diceware. By the way, I came across another passphrase generator. It has some nice attributes but I can’t attest to the quality of the generated phrases. Any automated method has defects, particularly one that travels via wireless/insecure connection and uses a pseudo-random generator. If you need a truly crack-proof passphrase, use Diceware.

How Many Passphrases Do You Need?
In The Password Game, I highly recommended that you dispense with creating and memorizing passwords, and just use a password manager application like RoboForm, 1Password, KeePass, or LastPass. That recommendation still stands. There is no way you’ll be able to maintain good security without one. An important rule (that everybody breaks) is “never use the same password for two different sites/purposes.” A good password manager will quickly create unique, very tough passwords for nearly every purpose, encrypt and store them, and auto-fill your logins for you. The key to making that work is having one super-secure master password/phrase that’ll unlock all the rest. So that’s the first application of a Diceware passphrase. There are other important applications as well.

Your Wi-Fi Security
If you’ve got wireless in your home or office, and it’s not secured with WPA or better, that’s a huge security hole you need to plug immediately. That goes for the router password too. If it’s still set to the manufacturer’s default (most are) you’re making it way too easy for the bad guys. For your Wi-Fi, you need a strong password/phrase that’s easy to remember, and easy to say. You’ll regularly get asked by guests, “What’s the wireless password?” and it’s more convenient to just speak the passphrase words: “shaking till curve running tea, with no spaces” than to recite some Martian Poetry: “9^j*p8#$E%~”!

Remember, unlike many online web forms that will lock you out after a limited number of failed tries, your Wi-Fi and other encrypted storehouses of information can be hit thousands to millions of times PER SECOND. Your only defense against this assault is a long and strong password/phrase. That’s why you don’t want your wireless (or any other) password to be something dumb like your family or company name (and especially not “admin”).

Your Email/Webmail
Having a weak email password is an egregious vulnerability. Since people are constantly forgetting their logins and passwords, most web forms offer to “email me my password.” If your email account has been compromised (it could be now and you wouldn’t know), it’s very easy for the bad guy to intercept the password and delete the reset message before you see it. That’s why, after you finish reading this article, please make yourself a strong new email password and update your account.

Credit Where it’s Due
Diceware is a trademark of A.G. Reinhold, and full credit for Diceware is due to Arnold G. Reinhold, who maintains a comprehensive website and FAQ.

Warning: What follows may be more than you care to know. Read on only if you like math.
If you’re still curious about why the simpler example passphrase was twice as strong as the complex one, then you’ll need to understand the basic concept of information entropy. The strength of a password or passphrase is a function of its length, its complexity, and its unpredictability. I don’t want to assume any specific math knowledge on your part, but you probably remember exponents. (2^2 = 2x2 = 4, 2^3 = 2x2x2 = 8, and so on.) You may also recall the idea of putting a penny in the bank and then doubling your deposit every day of the month. On day 31, you’d be depositing 2^30 pennies or $10,737,418. The chance that someone would correctly pick out one special penny from the truckload you’d be driving to the bank that day is 1/1,073,741,824, or about one in a billion. If we’re now talking about passwords instead of pennies, we’d say the strength of a corresponding password has “30 bits” of entropy. While a billion guesses for brute force discovery of your password sounds like a lot, in reality, it’s not. A 30-bit password is relatively weak. A 50-bit one is reasonably strong (a million times better than the 30-bit), but still insufficient for protecting high-value accounts and information like your bank login. For high-stakes purposes, you need to have a 60-bit to 120-bit password/phrase. In case you were wondering, a 60-bit one would require a quintillion (a million trillion) guesses to crack.

The entropy of a password/phrase depends upon its “symbol length” as well as the “entropy per symbol.” Arabic numerals (0-9) have ten possibilities and therefore 3.322 bits of entropy per character (i.e., 2^3.322 = 10). Lower case letters (a-z) have 26 possibilities and therefore 5.170 bits per character (2^5.170 = 26). See how this works? Continuing on, using a full character set consisting of mixed upper and lower case letters plus numbers and symbols has 95 possibilities and 6.570 bits of entropy per character. Sure, 95 symbols is a lot, but when you think of each short Diceware list word as a “character,” it’s just one of 7776 possible choices and has very high entropy per symbol (12.925 bits). It therefore only takes a few dice rolls to create a very secure phrase.

This table shows what it takes to achieve a required level of security:

Password/Phrase   Numbers   Lower Case     Full       Diceware
Entropy           Only      Letters Only   Keyboard   Words
32-bit            10        7              5          3
40-bit            13        9              7          4
64-bit            20        14             10         5
80-bit            25        18             13         7
96-bit            29        21             15         8
128-bit           39        28             20         10

Considering a strong 64-bit password/phrase, you’d need to memorize 20 random numbers (like 82075822616389652664), 14 gibberish lowercase letters (like drbpeuvgiixdd), 10 mixed characters (like vKmYJ9!.3D) or a 5-word Diceware passphrase (like “sense carl ouch menlo byword”). They’re all equally strong. You pick.
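The table and the 64-bit comparison above, recomputed as an added example (not the article’s own code): entropy per symbol is log2 of the alphabet size, and the symbol count is the target in bits divided by that, rounded up to a whole symbol. The classify() heuristic is an assumption of this example; like the table, it is only valid for secrets whose every symbol was drawn uniformly at random from the named alphabet, not for human-chosen strings.

```python
import math

# Alphabet sizes used by the article's table (95 = all printable ASCII keys).
ALPHABETS = {
    "numbers": 10,
    "lowercase": 26,
    "full keyboard": 95,
    "diceware words": 7776,
}
TARGETS = (32, 40, 64, 80, 96, 128)


def bits_per_symbol(alphabet_size):
    """Entropy of one symbol drawn uniformly from alphabet_size choices."""
    return math.log2(alphabet_size)


def symbols_needed(target_bits, alphabet_size):
    """Fewest whole symbols whose combined entropy reaches target_bits."""
    return math.ceil(target_bits / bits_per_symbol(alphabet_size))


def build_table(targets=TARGETS, alphabets=ALPHABETS):
    """Rebuild the article's table as {bits: {alphabet: symbols}}."""
    return {t: {name: symbols_needed(t, size) for name, size in alphabets.items()}
            for t in targets}


def classify(secret):
    """Heuristic (an assumption of this example): which alphabet a secret was
    drawn from and how many symbols it holds. Words count as Diceware symbols
    only when space-separated; a run-together passphrase would be scored as
    lowercase letters, so pass it with spaces to count words."""
    parts = secret.split()
    if len(parts) > 1:
        return "diceware words", len(parts)
    if secret.isdigit():
        return "numbers", len(secret)
    if secret.isalpha() and secret.islower():
        return "lowercase", len(secret)
    return "full keyboard", len(secret)


def entropy_bits(secret):
    """Upper bound: holds only if every symbol was chosen at random."""
    name, count = classify(secret)
    return count * bits_per_symbol(ALPHABETS[name])
```

Running entropy_bits over the four 64-bit examples in the paragraph above gives 66.4, 65.7 and 64.6 bits for the digits, the mixed characters and the five-word phrase, which is why the article can call them equally strong.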

Just an Intro
While the above may seem very technical and detailed, at best, it’s just a brief intro. In this short article, I could only begin to give you a sense of what’s happening. Once you dip a toe in the encryption/password/security pool, the water gets very deep, very fast. Nonetheless, if you’ve followed along, you now know more about this topic than 99.999% of the population. And whether or not you understand the science behind it, just using this easy-to-follow Diceware strategy will ensure you’ll be on top of the Password Game.

-V-


(c) Copyright 2002-2012 Victor Urbach. This article may be reprinted with permission and attribution.