

The Diceware Passphrase Home Page - marcopolis
http://world.std.com/~reinhold/diceware.html

======
owenjonesuk
I discovered Diceware a few months ago when looking for a password generation
scheme for my company. We were just letting people choose their own passwords
before, which I don't think is a good idea. I really like it. My only
annoyance, which isn't really the fault of Diceware, is that for lots of
passwords I am required to have a capital letter, a digit and/or a special
character. Obviously this is to try and increase the entropy in the password,
but I know that I have enough entropy in my diceware password and I just want
something easy to type.

I also discovered the password strength estimator zxcvbn at about the same
time. It's pretty clever. It works out which password generation schemes could
be used to generate your password and then uses that information to calculate
the entropy correctly (assuming the attacker would know what scheme you used).

~~~
pavel_lishin
> _I discovered Diceware a few months ago when looking for a password
> generation scheme for my company. We were just letting people choose their
> own passwords before, which I don't think is a good idea._

I think that if you implement Diceware at your company, people will still
choose their own passwords. It's easier, and how would you prove they didn't?

------
sarciszewski
If anyone wants to generate Diceware passphrases, I wrote a small JS library
that does this in a portable manner.

[https://github.com/resonantcore/lib/blob/develop/js/diceware...](https://github.com/resonantcore/lib/blob/develop/js/diceware/diceware.js)

It's identical to the one that ships with the EFF's OpenWireless router
firmware.

~~~
iamben
And throwing my (ever so slightly different) hat in the ring, I wrote a lookup
that uses the different word lists here:
[http://www.diceware.net](http://www.diceware.net)

------
ash
My short Python script that generates diceware passwords. Because dice are
often out of reach.

[https://github.com/shamrin/diceware](https://github.com/shamrin/diceware)

I hope it doesn't have security problems. But feel free to prove me wrong!
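
An added example of the Diceware procedure itself (five unbiased die rolls index one of 6^5 = 7776 words; the entropy is fixed by the list size, not by the words), written for this thread rather than taken from ash's script or the Diceware page. The six-row word list and the `w<roll>` words in the usage are constructed stand-ins for a real list.

```python
import itertools
import math
import secrets
from typing import Callable, Dict, List

DICE_PER_WORD = 5
LIST_SIZE = 6 ** DICE_PER_WORD  # 7776 entries in a complete Diceware list

# Constructed sample in Diceware's "roll word" file format; a real list
# has all 7776 keys. These rows are made up for the example.
SAMPLE_LIST_TEXT = """
11111 cleft
11112 cam
11113 synod
11114 lacy
11115 yr
11116 wok
"""

def is_valid_key(roll: str) -> bool:
    """A key is exactly five digits, each in 1..6."""
    return len(roll) == DICE_PER_WORD and all(c in "123456" for c in roll)

def parse_wordlist(text: str) -> Dict[str, str]:
    """Parse 'roll word' lines, rejecting malformed or duplicate keys so a
    truncated or edited list cannot silently shrink the key space."""
    words: Dict[str, str] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # blank line
        roll, word = parts
        if not is_valid_key(roll) or roll in words:
            raise ValueError(f"bad or duplicate dice key: {roll!r}")
        words[roll] = word
    return words

def all_dice_keys() -> List[str]:
    """Every possible five-dice key, '11111' .. '66666'."""
    return ["".join(t) for t in itertools.product("123456", repeat=DICE_PER_WORD)]

def roll_word_key(randbelow: Callable[[int], int] = secrets.randbelow) -> str:
    """Five independent, unbiased rolls from a CSPRNG (not random.random)."""
    return "".join(str(randbelow(6) + 1) for _ in range(DICE_PER_WORD))

def passphrase(words: Dict[str, str], n_words: int,
               randbelow: Callable[[int], int] = secrets.randbelow) -> List[str]:
    """Look up one word per five-dice roll; refuse an incomplete list."""
    if len(words) != LIST_SIZE:
        raise ValueError(f"incomplete list: {len(words)} of {LIST_SIZE} entries")
    return [words[roll_word_key(randbelow)] for _ in range(n_words)]

def entropy_bits(n_words: int, list_size: int = LIST_SIZE) -> float:
    """Entropy when the attacker knows the scheme and the list: log2(list_size**n)."""
    return n_words * math.log2(list_size)
```

`entropy_bits(6)` is about 77.5 bits for the six-word phrase quoted later in this thread, whatever the words happen to be.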

~~~
peri
If I were to find issues, would you prefer bug reports via github issues or
some other mechanism?

~~~
ash
GitHub issues are fine for this.

------
herghost
This feels like more of a solution looking for a problem, to me. Why? Because
even if I increase the entropy of my passwords/passphrases for systems I have
to use every single day, the vast majority of them are still going to need me
to use numbers and special characters, AND make me change the password in the
region of every 30-40 days.

Going to all this trouble to generate an admittedly excellently secure
password continues to pass the burden of good passwords on to the end user
whilst doing nothing to alleviate the core problem, namely that I have to
regularly use about 10-20 passwords each day.

My preferred solution is www.passwordchart.com

In this, I select one very good password/passphrase (for which I could use
this method) and then I use an indicator of where I'm logging into to generate
site/program specific passwords, e.g.,

Phrase: cleft cam synod lacy yr wok

Password: 123facebook321

Generates: yb63476F9xk6RjGVyp6yp6Hj8347b6y (with +Include Numbers ticked)

Phrase: cleft cam synod lacy yr wok

Password: 123twitter321

Generates: yb6347963m6mj963963RjfRd347b6y (with +Include Numbers ticked)

So, for my remembering _one_ complex passphrase and _one_ strategy for
generating passwords I can generate strong, complex passwords for any site I
need and don't have to remember a single one of them. The only pre-requisite I
have to get into a site on another machine from my own is that I have internet
access (or have a printed copy of the matrix, or something like that).

(My dependence on this website is the one weak link in this, and I have
actually implemented something similar on my own webspace that I just need to
tweak usability for a bit before I switch over.)

~~~
ash
There are security problems with this idea:

1. Your twitter password leaks information about your facebook password.
E.g., "e" is encoded as "Rj" in both of them.

2. If an attacker gets hold of your twitter generated password and assumes
"twitter" is encrypted somewhere inside, he now knows how you encode "t", "w",
"i", "e" and "r" in your other passwords. Numbers are easy to guess or
brute-force.

3. It's too tempting to just add a number to the password in order to change a
generated password for some site. But the generated password barely changes
(and remember that the attacker could know how you encrypt numbers):

Password: facebook Generates: 6F9xk6RjGVyp6yp6Hj8

Password: facebook1 Generates: 6F9xk6RjGVyp6yp6Hj8y

