"He Wears Black and Has a Beard"

Diceware: The Solution to Your Rubbish Password

Toby Roworth

Nov 19, 2018

It won't be news to regular readers that I have a passing interest in security. I'm by no means an expert in cyber-security, but I've done enough background reading on passwords to know what's bad. What's good gets a little more complicated.
In this post I look at Diceware, a method of generating strong passwords that are, supposedly, easy to remember. Before that, I explain why you need to change your password.

The Backstory

Around five years ago my Facebook account was logged into by someone in Eastern Europe. Fortunately, Facebook has heuristics that caught this as "probably not me", so nothing bad happened. But it gave me a clear message - my password was bad.
Until this point I used two passwords, my standard one and my "secure" one. The standard one was used on websites I didn't trust, or websites I didn't care about. The "secure" one was used on websites I felt the other websites shouldn't be able to access. The "secure" password really wasn't, as it involved little more than case changes and additional symbols on the end.
Very quickly I began changing passwords on accounts I considered important - Google, Facebook, online banking etc. I came up with a system that gave me different passwords for every site, and allowed sites to be segregated into "security groups". This meant that if a password (or several) were compromised to the point where my system was obvious then only sites I had a similar trust level on would be compromised alongside it.
I was happy with this system for a couple of years, until I watched this video:

The opening summarises the rest of the video pretty well - "Everyone's passwords are terrible, and they should change their passwords right now". I'd suggest watching the rest though, as it really hits home once he starts demonstrating just how easy most people's passwords are to crack. There are more videos that explain poor passwords, but they all boil down to the same thing - if your password is something you chose because you can remember it, it's almost certainly vulnerable to a dictionary attack. That's probably how my first password got cracked.
The dictionaries commonly available online have everything in from names & places to obscure quotes from books you don't think a hacker would read. But, more importantly, there are also substitution tables available, which basically render our cunning plans of "changing an i to a !" useless. These tables are also adept at "adding stuff to the end", another common tactic for making passwords "more secure".
After watching this video I started using LastPass, a password manager, to generate random passwords for new logons, and when I set it up, changed the passwords for the services I considered critical. Except for the single most critical account I have, which is my Google account - I log into this very regularly, often before my password manager is running, as my Chromebook is logged into using my Google account.
Of course the password I chose for LastPass wasn't great either. It was much better than my previous attempts, but it was very vulnerable to a targeted attack, and not invulnerable to a generic one either.

The bit where I actually talk about Diceware

I've heard Diceware come up a few times over the past few years - I think it gets mentioned in the video above, and definitely is suggested regularly at Defcon. Despite being well-recommended, it's taken me two years to start using it, but I'm finally there.
Diceware is a method of generating random passphrases with a high degree of entropy. Entropy is effectively a measure of guessability when it comes to passwords. What's nice about Diceware is that the entropy has been studied, and so a Diceware passphrase effectively has a known guessability. This is different to a standard "secret thing I don't think anyone else knows" password, which, at best, has an entropy based solely on its length and the range of symbols used but, as demonstrated by the dictionaries mentioned earlier, is actually much less than expected.
The process is simple - take five ordinary dice (casino dice are preferred, but this may be a little extreme) and roll them. Take the five numbers generated and look them up in the Diceware list. Write down the word. Then repeat several times. The more words chosen, the higher the entropy. Six is currently suggested for most purposes, but more can be chosen if security is more important.
This creates a password that is high in entropy and more memorable than a random password of similar entropy. What's helpful is that it retains these qualities even if the attacker knows that Diceware was used and how many words were chosen.
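To make the roll-and-look-up procedure and the entropy claim concrete, here is an added Python example; it is not code from the original post or from the Diceware project. It assumes a constructed stand-in wordlist (synthetic tokens keyed 11111 to 66666, in place of the published 7776-word list), rolls dice with the operating system's CSPRNG, and computes the entropy of an n-word passphrase alongside the number of random printable characters needed to reach the same strength. The function and variable names are the example's own.

```python
import itertools
import math
import secrets

DICE_SIDES = 6
DICE_PER_WORD = 5
LIST_SIZE = DICE_SIDES ** DICE_PER_WORD  # 7776 distinct five-dice outcomes


def all_keys():
    """Every five-digit key a Diceware list is indexed by, 11111 .. 66666."""
    for digits in itertools.product("123456", repeat=DICE_PER_WORD):
        yield "".join(digits)


def build_stand_in_wordlist():
    """Constructed placeholder list, NOT the published Diceware list.

    Each key maps to a synthetic token so the example runs offline; real use
    would load the published list from a file and run validate_wordlist on it.
    """
    return {key: "w" + key for key in all_keys()}


def validate_wordlist(wordlist):
    """Return a list of problems; an empty list means the list is usable.

    Missing keys or duplicate words mean fewer than 7776 distinct outcomes,
    so entropy_bits() would overstate the strength of passphrases drawn
    from such a list.
    """
    problems = []
    expected = set(all_keys())
    missing = expected - set(wordlist)
    if missing:
        problems.append(f"{len(missing)} of {LIST_SIZE} keys missing")
    unexpected = set(wordlist) - expected
    if unexpected:
        problems.append(f"{len(unexpected)} keys are not five-dice outcomes")
    if len(set(wordlist.values())) != len(wordlist):
        problems.append("duplicate words in list")
    return problems


def roll_dice(n=DICE_PER_WORD):
    """Roll n fair dice using the OS CSPRNG; random.random() is not suitable."""
    return [secrets.randbelow(DICE_SIDES) + 1 for _ in range(n)]


def rolls_to_key(rolls):
    """Turn five die faces, e.g. [1, 2, 3, 4, 5], into the lookup key '12345'."""
    if len(rolls) != DICE_PER_WORD or any(not 1 <= r <= DICE_SIDES for r in rolls):
        raise ValueError("expected five values between 1 and 6")
    return "".join(str(r) for r in rolls)


def generate_passphrase(n_words, wordlist, roll=roll_dice):
    """Roll, look up, repeat n_words times; roll is injectable for testing."""
    return [wordlist[rolls_to_key(roll())] for _ in range(n_words)]


def entropy_bits(n_words, list_size=LIST_SIZE):
    """Entropy of n words drawn uniformly from list_size choices."""
    return n_words * math.log2(list_size)


def equivalent_random_chars(bits, alphabet_size=94):
    """Random characters (from alphabet_size symbols) needed to reach 'bits'."""
    return math.ceil(bits / math.log2(alphabet_size))


if __name__ == "__main__":
    wordlist = build_stand_in_wordlist()
    assert validate_wordlist(wordlist) == []
    words = generate_passphrase(6, wordlist)
    bits = entropy_bits(len(words))
    print(" ".join(words))
    print(f"{bits:.1f} bits, comparable to {equivalent_random_chars(bits)} "
          "random printable ASCII characters")
```

Six words from a full 7776-entry list give about 77.5 bits, which is roughly what twelve random printable ASCII characters provide; the entropy figure holds only if the list really has 7776 distinct entries and the rolls are genuinely random, which is why the example validates the list and uses `secrets` rather than `random`.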
So this weekend I sat down with some dice and generated some passphrases. The process was easy, and gave me the excuse to purchase some new dice for the first time in years. I'm not going as far as to say the process was "fun", because that would be mental. It was fairly quick though, more so than writing this blog post about it.
The passphrases I generated aren't as easy to remember as my previous passwords, which isn't ideal, but once they're learned I know they're much stronger. They're also much easier to remember than strings of random characters. I find if I can get the first word, the rest comes more easily. This memorability is what's meant to be good about Diceware, and only time will tell if they're actually memorable.
Overall, I feel Diceware is the best method of password generation that's readily accessible, but is best employed in tandem with a password manager. That way the password manager can choose strong passwords for nearly everything other than itself, where Diceware can be used. The same goes for operating system passwords, where Diceware is a convenient method to choose a strong password.

The Round-up

My apologies if I've got a little preachy, but as passwords are something we rely on every day, I hope some, preferably all, of my readers will take note of this suggestion. The main message I hope to have got across is that your passwords aren't as secure as you think they are, so change them to something where their security is a known quantity.
As an aside, turn on two-factor authentication wherever possible, as then, even if your password is cracked, a remote attacker will find it hard to actually use it. But that's for a future post.