Passwords by Mail

Julia Angwin's daughter is selling diceware passwords by mail.

Posted on November 5, 2015 at 2:42 PM • 58 Comments

Comments

rgaffNovember 5, 2015 2:57 PM

Just because a letter can't be "opened" legally without a warrant, doesn't mean its content isn't collected... have you ever held up an envelope to a light source? No "opening" technically necessary to read every single word.

You gotta think like NSA wordsmiths... i.e. Obama's announcement "nobody is listening to your calls" means they're just reading the transcripts instead, obviously. He was not lazy in how he chose his words, he was very careful to technically tell the truth while intentionally implying an outright lie. This is the way every politician and large company operates nowadays.

Add to this: since when have laws constrained our government? They've proved over and over that they'll do whatever they jolly well please, and when finally caught, they'll just delay delay delay while they pass laws to make it legal after the fact.

Bob PaddockNovember 5, 2015 3:19 PM

When you could get 'Canned Cold' AKA Freon for freezing electronic components for testing, it would turn non-security envelopes transparent, no holding up to the light was required.

ballsNovember 5, 2015 3:21 PM

@rgaff: Do you attend elementary school science fairs and point out the flaws in their projects?

This is a 6th Grader doing this, and frankly pretty awesome in it's own right. Doubly so when you consider it's in the realm of security, which is something most kids do not care about.

AnuraNovember 5, 2015 3:31 PM

@balls

Apparently you can get arrested for refusing to leave school grounds. I'm sorry, but baking soda and vinegar does not demonstrate how a volcano works and arresting me won't change that!

EvanNovember 5, 2015 4:22 PM

Mail can't be opened by the government without a warrant (as far as we know) but once opened it's pretty fair game.

Slime Mold with MustardNovember 5, 2015 4:29 PM

It's the semi-annual "password thing" on this blog.

Learn This: Walk or drive in a defined space very familiar to you. Memorize each (substantial) object in a specific order (left to right or clockwise - what ever). Assign each object a value. (i.e. if M = 12 then MAPLE = 120151104) Do not use such a simple construct . I vary my simple cipher by (err - ok, it's security by obscurity). My point is, I can memorize long (50 character) passwords. I absolutely do not trust anything called "password manager". It sounds too much like "Free Secrets".

If the password requires eight characters, try Snow White and the Seven Dwarves.

VNovember 5, 2015 4:37 PM

@ Rgaff
The way I heard it was "NOBODY is listening to your calls"
Just another NSA codenamed software package

NonnyNovember 5, 2015 4:45 PM

@Slime Mold with Mustard

Complicated algorithms that you have to run in your head to get your passwords aren't all that great in practice. You have to remember the algorithm, you have to be in a situation where you can run it, and when your password is compromised you need a whole new method.

Much easier to just pick 4-6 random words and remember that.

JesseNovember 5, 2015 4:46 PM

In the Bitcoin community, we ran into problems with "third party choosing password material and physically mailing you the result" as early as Casascius Physical Bitcoins.

No matter how secure the delivery mechanism, one of the weaker links you have to suss out is "can you trust the third party?" I mean, they certainly have access to your key material, now! :P

In any event, here is EXACTLY how hard it is to roll a bunch of D6's or D20's and look up a printed wordlist in order to make your own diceware passwords:

Roll dice, look up result of diceroll in the wordlist, transcribe word. Repeat 4 or more times.

People who would pay somebody else for that work would probably also pay somebody else to print off their emails for them and relay those via snail mail. ;P

Clive RobinsonNovember 5, 2015 5:14 PM

@ Musashi,

... I wonder if the dice are loaded...

Of course they are, all dice are, the question should be "By how much are they loaded?.."

The trick to using dice is to use several from different manufactures and throw say five, and count the spots using clock maths...

The problem with diceware wordlist passwords --as I said on this blog just a couple of days ago-- is that people reorder the words to try to make them more memorable. Which is a mistake, because it reduces the number of actuall passwords, so makes password cracking software more effective.

OrangeNovember 5, 2015 5:30 PM

I'd just pick the first five poster names under a random Schneier blog entry. Then all you need is a link to it.

rgaffNovember 5, 2015 5:34 PM

@ balls

You have a good point about kudos to a 6th grader for doing something. I was more referring to adults who think that the mail is safe because of the supposed warrant requirement.

@ V

You have a good point about "NOBODY" probably being a code name for some program to listen to every call :)

@ Clive Robinson

Yes, exactly. Any altering of original true randomness to try to make things "more memorable" significantly reduces or destroys the randomness... (reordering, rejecting difficult ones, etc)

AnuraNovember 5, 2015 5:45 PM

@Clive Robinson

It does make it weaker, but only up to a point. Choosing 5 distinct words at random, choosing again if there is a repeated word, and arranging them so that you can remember provides about 57 bits of entropy. Choosing 4 words, which may repeat, and keeping the order provides around 51 bits of entropy. So if you can remember 5 words rearranged easier than four words in a random order, choose the former.

BlabertonNovember 5, 2015 6:15 PM

Hey you know what? "Today my keyboard went to the pool and drank a duck"

That's how I tend to choose my passwords, a sentence of complete nonsense. I could improve it further by using non real words... For some reason those very long passwords are very easy to remember! I bet you'll remember that one for a long time^^

David HendersonNovember 5, 2015 7:20 PM

I have gone beyond the diceware dictonary. I now use a Scrabble dictionary with various dies and my own rules to generate special characters for extra randomness.

Michael KohneNovember 5, 2015 7:25 PM

Can't be worse than the junk we see whenever a password file gets released.

AnuraNovember 5, 2015 7:41 PM

@David Henderson

I once took random words out of a english word list, the problem was it got hard to remember the words as some of them weren't in my vocabulary (what the hell is erucic??!!). The other problem is that too many sites have restrictions, must have a number, cannot be more than 12 characters, blah blah blah. So these days what I do is I took the first 1296 words of a word list (I think it was this one), I roll four dice, seven times and take the word. I memorize the words, but for the password I take the first letter of each word so I have a 7 character password, capitalize the first letter and append a 1, and then I have a secure password since seven words chosen at random has the equivalent password strength of 72-bits.


(and yes, I am joking)

David HendersonNovember 5, 2015 9:17 PM

@Anura : 12 and 20 sided dies from Dungeons and Dragons help me to generate special characters to punctuate my Scrabble dictionary components.

I do take to trouble to select/arrange the words into nouns, verbs, adjectives and adverbs. Makes it easier to memorize.

Probably makes it easier for an adversary to guess. I dont care because the sentences and punctuation are totally weird.

anonymousNovember 6, 2015 12:44 AM

Those of you who use a *nix machine (and others don't need a passwd anyway), just use "cat /dev/random | tr -cd '[:graph:]' | head -c 20" for e.g. 20-char passwd.

Then, enter it 10 times and your fingers will remember it.

WinterNovember 6, 2015 3:59 AM

@Blaberton
> Hey you know what? "Today my keyboard went to the pool and drank a duck"

I think this is certainly less than 161 bit strong. To be more precise you would need a word-frequency list. I think the restraints of the grammar are negligible.

If I had to guess, I think it will be on the order of 85 bit (content words ~11 bits, function words ~5 bits).

blakeNovember 6, 2015 4:47 AM

I'm intrigued at the possibility that someone would be interested enough to get a randomly generated password but not interested enough to randomly generate their own.

Does the method of *choosing* a password need to be subject to Kerckhoffs's principle? Is it really important to generate a password using a known reliable method as long as the resulting password is good?

@David Henderson

Does your word list include fictional words from D&D too?

Lively SofaNovember 6, 2015 7:03 AM

Cute but, in the spirit of constructive criticism, maybe she could be encouraged to think of a trustless implementation?

Peter A.November 6, 2015 7:07 AM

@anonymous:

Using cat to take bytes out of /dev/random is not very prudent, it will use up a lot of your entropy pool, hundreds of thousands bits at least, depending on compiled-in stdio buffer size, before the SIGPIPE gets propagated up the pipeline from head terminating after it reads prescribed number of characters. On a not-so-busy desktop this pipeline could even block for many minutes waiting for entropy pool to be filled. (You can move your mouse around and mash your keyboard to shorten the wait a bit.)

It is wiser to use dd to extract as much pseudorandomness as you actually need. I use this:

dd if=/dev/random bs=1 count=15 | base64

to get a 20-character string which would pass most password rules. With base64 you get 4 characters for every 3 bytes - so the 15 figure. Some password rules won't like / or + characters

DannyNovember 6, 2015 8:58 AM

I know it's not 'best practice' but I still use various methods of throwing in upper-case/lower case changes. Most people who try to crack me are people who've watched me type in the password, and having one finger constantly hovering on the shift key makes that harder.

RofloNovember 6, 2015 10:04 AM

@Slime Mold with Mustard, I too can remember a 50 character password...
.. but I can't remember hundreds of them.

CallMeLateForSupperNovember 6, 2015 11:15 AM

@QnJ1Y2U

+1
"Artisanal" seems to be the new "organic". ;-)

A couple of newly minted MIT whiz-bangs have come up with artisanal phone chargers, because, (cough) it should be as easy to charge your phone at a bar or restaurant as it is to get a drink of water. One of them said: "It should be expected, We all have a right to charge our phone while we are dining.”

Nowhere in the story is there any evidence that these charging ,,, um ... thingies isolate USB data lines. Not good.

http://www.bostonglobe.com/metro/2015/11/05/mit-grads-create-beer-coasters-that-charge-smartphones/h4o6TIF5qjI2QHDwKTGtRK/story.html

anonymousNovember 6, 2015 11:24 AM

@Peter A.
Use haveged or rngd to replenish the entropy pool. On my laptop, I can read /dev/random continuously.

CarlNovember 6, 2015 11:52 AM

What about picking -one- word and just repeating it six or seven times? Wouldn't that have the same entropy as seven random words?

ThunderbirdNovember 6, 2015 1:41 PM

What about picking -one- word and just repeating it six or seven times? Wouldn't that have the same entropy as seven random words?
Short version: "no."

HJ HornbeckNovember 6, 2015 2:10 PM

for COUNT in {1..8} ; do perl -e 'rand($.) ;print$line' /usr/share/dict/words ; done

Write down the output. Pick a subset. Add a punctuation mark or two somewhere. Practice a few times.

Still, I'll give the kid props for being concerned about password strength. More adults should follow her lead.

HJ HornbeckNovember 6, 2015 2:40 PM

Bloody HTML. Let's try that again:

for COUNT in {1..8} ; do perl -e 'rand($.) < 1 && ($line = $_) while <>;print$line' /usr/share/dict/words ; done

mdfiveNovember 6, 2015 2:48 PM

For some reason I don't buy the combo of four dictionary words put together and claim the entropy is the whole space of combinations. Wrong calculation. Also wrong assumption that it is hard for computer to guess.

There's a point that strong passwords are hard to memorize. The solution however, is still not available. Definitely not a combo of stupid passwords.

AnuraNovember 6, 2015 2:54 PM

@mdfive

"For some reason I don't buy the combo of four dictionary words put together and claim the entropy is the whole space of combinations."

Why not? It's basically just representing a number in base 7776 - There's a 1 to 1 mapping between 4 base 7776 characters (words) to 20 base 6 characters, it's just that the former is easier to remember because of the way your brain works.

rNovember 6, 2015 3:15 PM

@all

Please, if you're going to use phrases and word groups for passwords introduce and embed both spelling and punctuation errors to them.

Strengthen the keyspace.

I think you will find that an intentionally misspelled word in a diceware grouping or a common phrase is just as memorable if not more so than an exact copy.

David LeppikNovember 6, 2015 5:07 PM

Lately I've been thinking about passwords that are easy to type on a phone. Not every website accepts Unicode in passwords, but if they do, here are my thoughts:

  1. On a Mac or iPhone, it's easier to type bāt or cłue than to type b4t or c1ue, because switching to the numeric keyboard and back is a pain. But good luck if you plan to use those characters from a Linux box with the standard US keyboard.
  2. Emoji and other pictures are a bad idea in a password, even though the emoji keyboard is so convenient, because the emoji keyboard is designed to be emotive rather than precise; at some point in the future, the keyboard might reassign skin color or replace one emoji with a related one (e.g. there are now 3 snowman emoji, and that doesn't count Unicode snowman, ☃, or its friends Unicode snowman with snow and Unicode black snowman.) In a related note, Apple Messages replaces Unicode snowman (typed on a Mac) with an emoji snowman when displayed in iOS.
  3. Leading or trailing spaces are a bad idea in any web form, because they are often stripped because they are so easy to add accidentally.

David LeppikNovember 6, 2015 5:10 PM

@r

I used to think so, but I have forgotten so many misspellings and grammatical choices (e.g. did I end the passphrase sentence with a period?) over the years that it's just not worth it. There are just too many ways to misspell a word.

BrutusNovember 6, 2015 9:58 PM

@HJ Hornbeck, I wouldn't trust, without looking in to it, the Perl rand function. Might it be just a linear congruential prng? Or some other prng? To generate a strong password, you want to know, in hard bits, how much entropy you have. A fair D6 has just over 2.5 bits of entropy per throw (log_2(6)). A pseudorandom number generator has at most as much entropy as its seed has.

cautiousNovember 7, 2015 2:17 AM

@Randal

Love it! Wood cabinet like the 1978 Z-80 Northstar is a lovely touch.

How many words in the dictionary?

Can I download the code? This is sooooo sweet. Thank you!

BoppingAroundNovember 7, 2015 9:38 AM

David Leppik,
> But good luck if you plan to use those characters from a Linux box with the
> standard US keyboard.

Two words: compose key. Usually available in the DE keyboard configuration
panel. If you don't use a DE, you probably already have an idea how to enable
it or where to look for instructions :-)


ã, ł, ü, ỹ, á, ë.

AnuraNovember 7, 2015 9:19 PM

@BoppingAround

My concern with that is that there is no guarantee that two systems encode those characters the same. If the site isn't configured properly, one browser can default to ISO-8859-1, one browser UTF-8, and even if it is UTF-8, you don't know that your IOS phone and Linux Desktop are going to encode the characters the same since there are multiple valid ways to encode them.

rNovember 7, 2015 10:49 PM

well, if you guys [or gals] don't like the idea of additional keyspace through the intentional entry of erroneously keyed words and phrases try adding names to the mix.

blue green algIE who is clive robinson?

it doesn't have to make sense to anyone other than yourself and imho it may help having a system of misdirection in more ways than one.

i'm sorry but the dice ware passwords just feel dicey to me.

/* p.s. i'm going to investigate the DE keyboard 'compose' hack that was mentioned here, obv the requirements would be a utf or unicode supporting function though right?

Diceware GoodNovember 8, 2015 10:20 AM

Diceware is not dodgy.

If you are worried that your adversary can break your 7 word diceware passphrase, then you are concerned about 90.5 bits of entropy.

Now, that means they have to deal with a one in:

1,719,070,799,748,422,591,028,658,176 chance

of picking your passphrase on each attempt (7776^7).

Assuming they use 1 trillion guesses a second, it will still take them 27 million years to guess it.

If paranoid - go to a 10 word diceware passphrase, giving you 129 bits of entropy and they have a one in:

808,281,277,464,764,060,643,139,600,456,536,293,376 chance

on each attempt (7776^10).

I gather that by brute force, using current level technology it would take longer than the universe has been in existence.

Something like 122,890,800,000,000,000 years for 100 hackers at 10 trillion guesses a second with a 50% probability of retrieving it.

Sounds pretty solid to me, absent quantum computers.

AndyNovember 8, 2015 5:00 PM

Damn. I had a business plan selling previously owned (used) Passwords. Her prices blow a hole into my calculations...

NateNovember 9, 2015 2:14 PM

Is it just me or is letting someone else know your 'secret' password a bit...

... dicey?

I'll see meself out.

NateNovember 9, 2015 2:32 PM

I reckon we could expand on this extremely successful business model a bit. This idea has legs.

1. Send us your huddled masses of musty paper, your classified documents, your corporate secrets yearning to breathe free.

2. We'll encrypt them with our special Secret Sauce Technology (tm) involving extremely, double super cryptographically secure one-time-use passwords.

3. Naturally we won't reuse these passwords or reveal them to others! They are individually, Artisinally Crafted (tm) to our exacting specifications and involving a life mantra tuned to your specific quantum cellular vibrations. You, our Valued Customer (tm), are our topmost priority and your secrets are *very* important to us.

4. You, our Valued Customer (tm), need never trouble your beautiful, rare and *so very special* head with these passwords. You just keep that head focused right on those hulking, dynamic core competencies of yours. It's a great head! In a certain light, of a morning, it looks... statuesque? Like a Greek god. Or goddess. Have you lost weight? And your hair, I think it's grown back? That bone structure is just stunning. You're so *very* smart, running that big, throbbing, powerful enterprise of yours, and you made *such* a right choice to outsource your encryption requirements to us, the very best industry leading cryptologomigummy experts. S.M.R.T. That's what you are.

5. We give you your documents back! Plaintext, of course. We wouldn't give you any unreadable cryptogobbledegook nonsense! That's *our* job! To shield you from that dark, bad, world full of cyberthreats in their cyberdens. We may make some deals with the cybercops, cybergrunts and a few private cybereyes and cybermercs. You don't need to want to know any of that! We love you! To keep you safe, we won't tell you. We're the hero you deserve, not the hero you need.

6. You, you big statuesque Greek god/ess you, go on to conquer the world! With our super-double-secure cryptologomigummical technexpertise behind you! A good, safe distance behind. Stepping quietly even further back. So as not to even sully your shadow. Bye bye, now! Tell the world hi from us! We'll be, um, somewhere! Do call!

7. [REDACTED]

8. [ALSO REDACTED]

9. [OH SO VERY MUCH REDACTED]

10. I have NO idea how all these documents keep getting dumped! Terrible isn't it. That's why you *need* us. Your strong, statuesque, conquering head. Looking better every day! By the way, would you care for our... *extra* special service? We can, um, find information. Not normally available. On things. For you. Information on your competitors, maybe. For the right price, naturally, but that's business!

Your security is *important* to us. We *love* security!

cfNovember 10, 2015 12:46 AM

I'm intrigued at the possibility that someone would be interested enough to get a randomly generated password but not interested enough to randomly generate their own.

@blake, prepare to have your mind blown by two amazing facts that are both strange and true...

1. Double blind studies have shown that the vast majority of adults who have patronized a lemonade stand run by a child, were not actually thirsty at the time.

2. Almost invariably these adults smile and say something like, "That sure hit the spot!" even if the lemonade they just drank tasted awful.

Believe it, or don't...

SlavoNovember 14, 2015 5:02 AM

Well, "Diceware Good" is pretty much right. In the case of Casino dice (multiple dice if you're paranoid as hell) - the 7 word DiceWare is pretty strong, and "almost impossibly strong" for a random attacker who is not aware of DiceWare and is running plain alphanum brute-force. Also, guys - if you're already on Bruce's page - then please stop suggesting to use [whatever progr. language] built-in PRNGs - this will hardly end you up with a good pass.

And, it's actually really cool to see even kids being aware of the importance "of choosing a good password" these days. Thanks Bruce!

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.