Password "generator" - Diceware

Boca
Level 5
Posts: 691
Joined: Sun Feb 15, 2015 5:02 am

Password "generator" - Diceware

Post by Boca »

If I understand this correctly, you roll sets of dice, and the number rolled then leads to a word chosen from a Diceware list.
You then roll again to get another word,
etc.
A combination of these words then makes your passphrase.

But, as the diceware list is in the public domain, what is to stop hackers using brute force to try the various combinations?


Let’s assume you roll 6 times; this gives you 6 words; the fact that the passphrase is 30 letters long is compromised if we know that it contains 6 off 5-letter words from a readily available list?

So, is this any better than a password consisting of a single 6 letter word?

Or, am I missing something here?

Tony
Last edited by LockBot on Wed Dec 07, 2022 4:01 am, edited 1 time in total.
Reason: Topic automatically closed 30 days after creation. New replies are no longer allowed.
DrHu

Re: Password "generator" - Diceware

Post by DrHu »

Sure it is, it is longer than the 6 letter password
--an attacker can't know the length of the password or if any characters repeat
The only real caveat apart from otherwise securing a password is not to use common words or words at all or birthday dates and so on; there are many sites which will give suggestions
--also simply consider using a long random password and a password manager such as LastPass in order to keep track of the plethora of passwords and service connections you may have
https://en.wikipedia.org/wiki/LastPass
http://wiki.uky.edu/security/Wiki%20Pag ... tions.aspx


Yes, whatever the diceware generator user uses to make his/her passphrase or word
http://world.std.com/~reinhold/diceware.html
--how can the attacker know that you have used Diceware as the generator, and how will the attacker know the number of throws (spins or turns you used) to complete a Diceware list, and then picked your choice??

Password security concepts..
http://ask-leo.com/creating_good_passwords.html
--basically don't use words is the first step, as that has the possibility apart from default that many people still use (laziness), such as
  • password =
    admin
    your name
    (user just hits enter key, aka a blank password)
    password
    122345 (etc etc)
I usually use GRC password generation and keep it available on a removable device: such as a usb stick
--the password chosen is then as long as allowed by whichever service I connect with, and a random sequence as spec'd by Gibson Research (he often suggests adding padding that you can always include after the generated password sequence)

The only 100% secure password system is the OTP (One Time Pad); the password is used once for that session only
--however this has to be managed-->by the user
https://www.grc.com/ppp.htm

Additionally, encrypting your data would be recommended
acerimusdux
Level 5
Posts: 633
Joined: Sat Dec 26, 2009 3:36 pm

Re: Password "generator" - Diceware

Post by acerimusdux »

I think once the number of words gets to 5, it would take a very long time for a dictionary attack. It shouldn't be that the words are all exactly 6 characters, for example. An attacker doesn't really know your password is exactly 30 characters long, and then doesn't know how many words it includes, or their lengths.

Even if I know that it's exactly 5 words randomly chosen from a dictionary, and I have the dictionary, that still leaves the math thus:

if a 10 word dictionary: 30,240 permutations
if a 100 word dictionary: 9 billion permutations
if a 1000 word dictionary: 1 quadrillion permutations
If a 10000 word dictionary: 1 million quadrillion permutations

And so on. The formula for permutations of k choices from a set of n is:

n!/(n-k)!
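Added example (not from any poster in this thread): it shows how the dice rolls described in the opening post map onto a word index in a standard 7776-word Diceware list, and then puts numbers on the keyspace discussion above, computing both the n!/(n-k)! count given in the post and the n**k count that applies when independent dice rolls are allowed to pick the same word twice, alongside the single 6-letter lowercase word the opening post asks about. The rolls and list size are constructed for illustration.

```python
import math
import secrets

DICE_PER_WORD = 5                 # standard Diceware: five d6 rolls select one word
LIST_SIZE = 6 ** DICE_PER_WORD    # 7776 entries in a standard Diceware list
_RNG = secrets.SystemRandom()     # OS-backed CSPRNG standing in for physical dice


def roll_word_index(rolls):
    """Map a five-digit dice string such as '31526' to a 0-based list index.

    Each digit is 1..6, so the string is a base-6 number whose digits are
    shifted by one: '11111' -> 0, '66666' -> 7775.
    """
    if len(rolls) != DICE_PER_WORD or any(d not in "123456" for d in rolls):
        raise ValueError(f"expected {DICE_PER_WORD} dice digits in 1..6, got {rolls!r}")
    index = 0
    for d in rolls:
        index = index * 6 + (int(d) - 1)
    return index


def random_rolls():
    """Produce one word's worth of dice rolls as a string of digits 1..6."""
    return "".join(str(_RNG.randint(1, 6)) for _ in range(DICE_PER_WORD))


def keyspace_no_repeats(n, k):
    """Ordered k-word phrases from an n-word list with no word reused: n!/(n-k)!."""
    return math.perm(n, k)


def keyspace_with_repeats(n, k):
    """Independent rolls may select the same word twice, so every roll has n outcomes: n**k."""
    return n ** k


def entropy_bits(keyspace):
    """log2 of the number of equally likely candidates an attacker who knows the scheme must try."""
    return math.log2(keyspace)


def single_word_keyspace(alphabet_size=26, length=6):
    """Keyspace of one random lowercase word of the given length, for comparison."""
    return alphabet_size ** length


if __name__ == "__main__":
    rolls = [random_rolls() for _ in range(5)]
    print("rolls:", rolls, "-> indices:", [roll_word_index(r) for r in rolls])
    print("5 Diceware words (repeats allowed):", round(entropy_bits(keyspace_with_repeats(LIST_SIZE, 5)), 1), "bits")
    print("one 6-letter lowercase word:", round(entropy_bits(single_word_keyspace()), 1), "bits")
```

Knowing the list and the word count does not help much: 5 words from a 7776-word list is about 64.6 bits, against about 28.2 bits for a single random 6-letter lowercase word.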
MtnDewManiac
Level 6
Posts: 1491
Joined: Fri Feb 22, 2013 5:18 pm
Location: United States

Re: Password "generator" - Diceware

Post by MtnDewManiac »

What's wrong with just making something up? I used to just pick six digits back in the 80s. Well... I was pretty paranoid, so I'd do that twice, multiply them together, then take the middle set of digits.

You could punch keys with your eyes closed. You could do it in the text editor of your choice if the password is to be used in a situation where the user must enter it twice. If you don't feel that this is random enough, lol, spin around ten or fifteen times as fast as you can just before blindly hammering on the keyboard. Or throw a handful of catnip on your keyboard and let a cat do it (extreme paranoids may, err, borrow a strange cat from across town :lol: ).

I never could see the benefit of allowing any entity other than oneself pick a password.

If you want to increase the security of a password-protected account, contact the entity that the account is at and demand that they institute a "three strikes and you're out" rule, whereby said account is frozen after three incorrect password entries. If the entity refuses, cancel that account and move on to an entity that values your security and/or privacy.

It usually takes me at least five attempts to guess WiFi passwords :wink: .

Regards,
MDM
Mint 18 Xfce 4.12.

If guns kill people, then pencils misspell words, cars make people drive drunk, and spoons made Rosie O'Donnell fat.
mike acker
Level 7
Posts: 1517
Joined: Wed Jul 31, 2013 6:29 pm
Location: Kalamazoo, MI

Re: Password "generator" - Diceware

Post by mike acker »

this is a good thread

to get to Gibson Research (GRC) password generator: click here

it will create random data passwords, thus:
(attached screenshot: grc.png)
now, just pick part of 1 string and use it for your password, thus: KJv+Hpjwz0

if you have malware running in your computer nothing you can do as far as security matters at all.
generally malware waits for you to log on and access a sensitive resource and then, using your credentials, does what it wants. Banking trojans have been created that will let you pay your bills with everything appearing normal on your screen while the trojan simply makes an electronic funds transfer (EFT) of your whole balance to the Bank of Ukraine or elsewhere -- outside the US.

in thinking about this it is important to recognize that computer hackers are not likely to attack an individual user computer deliberately or directly. they will attack high value targets like Sony or OPM etc deliberately -- but individual computers are more likely to be attacked by some kind of dragnet or sweep such as phishing eMail campaigns or malvertising -- which may have been installed onto a popular website. i.e. the hacker wants to sweep the web looking for easy targets

a lot of popular software in use today has been thrown together with little or no concern for security and is easily compromised by these hacking campaigns.

we are facing a monumental disaster with respect to computer security resulting from this poor approach to security. an essay i read recently on ZD net predicted the Data breaches to cost global economy $2 trillion by 2019

in most cases the only defense available to us is to move the vulnerable software onto an intranet with no public facing access. if linkage to the outside must be opened the data transferred must be carefully sanitized.

any computer with public facing access will be attacked: either deliberately or by one of the web-sweeping hacking campaigns.

if you are air-gapping: use a CD to transport data rather than a USB stick. the USB stick has an on-board CPU -- with "firmware" -- which can be compromised.
¡Viva la Resistencia!
Boca
Level 5
Posts: 691
Joined: Sun Feb 15, 2015 5:02 am

Re: Password "generator" - Diceware

Post by Boca »

Hi,

I saw this article recently which provides some context to this thread about the possible downsides of using words instead of characters

https://paul.reviews/passwords-why-usin ... -idea/amp/

Tony
lmuserx4849

Re: Password "generator" - Diceware

Post by lmuserx4849 »

xkcd had a comic regarding this topic:
Through 20 years of effort, we've successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess.
We each can do our part, but every time another site gets hacked and logon credentials are stolen, we can only hope that they are salted and hashed. And then there are all the mobile apps that collect personal data. Ay Caramba! And you end up with, Massive Breach Exposes Android Keyboard App that Collects Personal Data On Millions Of Users. I wish there was another way to fund the internet other than selling our souls.

Security outside the box :-): Lava lamps used by Cloudflare to generate randomness.