Secure Passphrases from Dice

Is the password that protects your data, online and on your computer, secure from hackers? Insecure passwords include a word plus a number, two words, any number, any kind of popular phrase, lyrics, or quote. No matter how clever you think your password choice is, it is likely to be insecure unless it was chosen entirely at random.

There are basically only two types of random passwords: (1) a random set of characters or (2) a set of random words.

The free program “Password Safe” [download link] has a random character generator that can make a secure password, for example: Jx6n8t6hVhjE. The use of upper and lower case letters and numbers gives you 62 characters. A set of 12 random characters from that 62-character set provides 3 billion-trillion possible combinations (3e+21 in scientific notation). The more combinations, the more secure the password. A password of 12 random characters is fairly secure — only if the characters were chosen entirely at random.

A set of random words can be just as secure, but easier to remember. The “character set” is actually a list of words. But since the character set is larger (thousands of words), you need fewer words for good security.

A 3-word passphrase is not secure, with less than 1 trillion possible combinations for a hacker to try — a few seconds of computer time. A 5-word passphrase has pretty good security, with over 10 million-trillion possible combinations (2.8e+19 in scientific notation), and a 6-word passphrase increases the number of combinations by almost 10,000 times (2.2e+23).

If you were to use a set of random characters as a password, with upper and lower letters and numbers — chosen at random — you would need 11 characters for the same security as a 5-word passphrase, or 13 characters for the same security as a 6-word passphrase.

But how can we choose a set of words randomly? This post suggests the use of a numbered word list and a set of dice for that purpose. You choose a number randomly, using the dice, and then look up the word that goes with that number. Choose a set of random words and put them together as a secure passphrase.

This idea was first proposed by Arnold G. Reinhold and is called “Diceware”. The throwing of dice is sufficiently random, and a word list of 7776 entries provides enough combinations to make a passphrase secure with a modest number of words in the phrase. The number 7776 comes from treating the dice as a base-6 number system. A die shows only six values (1-6) and no zero, so 5 dice give readings from 11111 to 66666, and the number of distinct readings is 6^5 (six to the 5th power), which is 7776.

Choosing a passphrase can be done entirely offline, making the method pretty darn secure against a wide range of software and hardware attacks. You print out a word list, which includes a 5-digit number beside each entry. Throw 5 dice, and read the number. Look up the corresponding word and write it on a piece of paper. Another throw of the dice provides the next word in the phrase.

5 words (out of 7776) is ~ 2.8e+19 combinations (2.8 times 10 to the 19th power)
6 words is ~ 2.2e+23 combinations
7 words is ~ 1.7e+27 combinations
8 words is ~ 1.3e+31 combinations
9 words is ~ 1.0e+35 combinations
10 words is ~ 8.0e+38 combinations (~128-bit security)
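The arithmetic behind the dice readings and the combination counts above, as an added example rather than code from the post or from the Diceware project. The function names and the four-line sample word list are my own constructions; the real list has 7776 entries in the same "five dice digits, then the word" layout.

```python
import math
import secrets

LIST_SIZE = 6 ** 5  # 7776: five base-6 digits, because a die shows 1..6 and has no zero
# Constructed sample (not real list entries) in the plain-text list's "<5 digits><tab><word>" layout
SAMPLE_LIST = "11111\tcliff\n11112\tswamp\n11113\trubber\n66666\tzoo\n"

def roll_to_index(roll: str) -> int:
    """Map a five-dice reading ('11111'..'66666') to a 0-based index 0..7775."""
    if len(roll) != 5 or any(c not in "123456" for c in roll):
        raise ValueError(f"expected five dice faces 1-6, got {roll!r}")
    index = 0
    for c in roll:  # face d is the base-6 digit d-1, so 11111 -> 0 and 66666 -> 7775
        index = index * 6 + int(c) - 1
    return index

def index_to_roll(index: int) -> str:
    """Inverse of roll_to_index: the number printed beside list entry `index`."""
    if not 0 <= index < LIST_SIZE:
        raise ValueError("index outside a 7776-entry list")
    digits = []
    for _ in range(5):
        index, d = divmod(index, 6)
        digits.append(str(d + 1))
    return "".join(reversed(digits))

def parse_diceware_list(text: str) -> dict[str, str]:
    """Build a roll -> word table from lines of the form '<5 digits><whitespace><word>'."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and len(parts[0]) == 5 and set(parts[0]) <= set("123456"):
            table[parts[0]] = parts[1]
    return table

def combinations(n_words: int, list_size: int = LIST_SIZE) -> int:
    return list_size ** n_words  # 5 words -> about 2.8e19, 6 words -> about 2.2e23

def entropy_bits(n_words: int, list_size: int = LIST_SIZE) -> float:
    return n_words * math.log2(list_size)  # roughly 12.9 bits per word

def equivalent_random_chars(n_words: int, alphabet: int = 62) -> int:
    """Random characters from a 62-symbol set with about the same strength (nearest whole number)."""
    return round(entropy_bits(n_words) / math.log2(alphabet))

def simulated_roll() -> str:
    """Five dice from the OS CSPRNG; a fallback only when physical dice are not to hand."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(5))
```

Looking up each roll in the table returned by `parse_diceware_list` and joining the words gives the passphrase; `simulated_roll` uses the `secrets` module rather than `random`, because the latter is not suitable for choosing secrets.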

The idea behind passphrase systems is that a set of random words is easier to remember than a set of random characters. A 5-word passphrase is about as secure as an 11 character password, but is easier to remember.

You can print out the Diceware word list from this PDF file [37 pages!!], or download this plain-text version of the list. See the Diceware homepage for an alternate word list and other resources. And here is a page with several different word lists for use in choosing a secure passphrase, along with Secure Password and Passphrase Resources.

Any ordinary dice can be used for this purpose. There is sufficient randomness in a throw of 5 dice to choose each word in the passphrase.

Should you write down your passphrase somewhere? Short answer: YES!!

Which is more likely? You forget your passphrase, or someone gets your passphrase from wherever you store it? Unless you need high security to protect you from a very determined opponent, put your passphrase in a software password program like “Password Safe” [download link]. You might also want to write down your most important passwords and put them in a physical home or office safe.

– Thoreau
