Hacker News new | comments | show | ask | jobs | submit login
The Diceware Passphrase Home Page (std.com)
18 points by marcopolis on Apr 6, 2015 | hide | past | web | favorite | 12 comments

I discovered Diceware a few months ago when looking for a password generation scheme for my company. We were just letting people choose their own passwords before, which I don't think is a good idea. I really like it. My only annoyance, which isn't really the fault of Diceware, is that for lots of passwords I am required to have a capital letter, a digit and/or a special character. Obviously this is to try and increase the entropy in the password, but I know that I have enough entropy in my diceware password and I just want something easy to type.

I also discovered the password strength estimator zxcvbn at about the same time. It's pretty clever. It works out which password generation schemes could be used to generate your password and then uses that information to calculate the entropy correctly (assuming the attacker would know what scheme you used).

> I discovered Diceware a few months ago when looking for a password generation scheme for my company. We were just letting people choose their own passwords before, which I don't think is a good idea.

I think that if you implement Diceware at your company, people will still choose their own passwords. It's easier, and how would you prove they didn't?

If anyone wants to generate Diceware passphrases, I wrote a small JS library that does this in a portable manner.


It's identical to the one that ships with the EFF's OpenWireless router firmware.

And throwing my (everso slightly different) hat in the ring, I wrote a lookup that uses the different word lists here: http://www.diceware.net

My short Python script that generates diceware passwords. Because dice is often out of reach.


I hope it doesn't have security problems. But feel free to prove me wrong!

If I were to find issues, would you prefer bug reports via github issues or some other mechanism?

GitHub issues are fine for this.

This feels like more of a solution looking for a problem, to me. Why? Because even if I increase the entropy of my passwords/passphrases for systems I have to use every single day, the vast majority of them are still going to need me to use numbers and special characters, AND make me change the password in the region of every 30-40 days.

Going to all this trouble to generate an admittedly excellently secure password continues to pass the burden of good passwords on to the end user whilst doing nothing to alleviate the core problem, namely that I have to regularly use about 10-20 passwords each day.

My preferred solution is www.passwordchart.com

In this, I select one very good password/passphrase (for which I could use this method) and then I use an indicator of where I'm logging into to generate site/program specific passwords, e.g.,

Phrase: cleft cam synod lacy yr wok

Password: 123facebook321

Generates: yb63476F9xk6RjGVyp6yp6Hj8347b6y (with +Include Numbers ticked)

Phrase: cleft cam synod lacy yr wok

Password: 123twitter321

Generates: yb6347963m6mj963963RjfRd347b6y (with +Include Numbers ticked)

So, for my remembering one complex passphrase and one strategy for generating passwords I can generate strong, complex passwords for any site I need and don't have to remember a single one of them. The only pre-requisite I have to get into a site on another machine from my own is that I have internet access (or have a printed copy of the matrix, or something like that).

(My dependence on this website is the one weak link in this, and I have actually implemented something similar on my own webspace that I just need to tweak usability for a bit before I switch over.)

There are security problems with this idea:

1. Your twitter password leaks information about your facebook password. E.g., "e" is encoded as "Rj" in both of them.

2. If attacker gets hold of your twitter generated password and assumes "twitter" is encrypted somewhere inside, he now knows how you encode "t", "w", "i", "e" and "r" in your other passwords. Numbers are easy to guess or brute-force.

3. It's too tempting to just add a number to password in order to change a generated password for some site. But the generated password barely changes (and remember that attacker could know how you encrypt numbers):

Password: facebook Generates: 6F9xk6RjGVyp6yp6Hj8

Password: facebook1 Generates: 6F9xk6RjGVyp6yp6Hj8y

Software security is an engineering problem. If your threat model includes the attacker knowing how you generate your passwords (and it probably should for most companies — insiders and disgruntled staff are a big risk), this scheme may not be significantly better than using 1password or a similar password safe on a device you know you/your employees will always have on them. That's not to say you're wrong, it's just that you're making trade offs here like in any other engineering problem.

Good idea. Unfortunately I wouldn't want to be near you when you hit the inevitable "Please provide a password between 8-20 characters" like you see throughout the web.

Microsoft is one of the biggest offenders of this issue.

This reminds me of Passera: https://github.com/mwgg/passera/issues/5

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact