Passwords by Mail
Julia Angwin’s daughter is selling diceware passwords by mail.
Julia Angwin’s daughter is selling diceware passwords by mail.
Bob Paddock • November 5, 2015 3:19 PM
When you could get ‘Canned Cold’ AKA Freon for freezing electronic components for testing, it would turn non-security envelopes transparent, no holding up to the light was required.
balls • November 5, 2015 3:21 PM
@rgaff: Do you attend elementary school science fairs and point out the flaws in their projects?
This is a 6th Grader doing this, and frankly pretty awesome in it’s own right. Doubly so when you consider it’s in the realm of security, which is something most kids do not care about.
Anura • November 5, 2015 3:31 PM
@balls
Apparently you can get arrested for refusing to leave school grounds. I’m sorry, but baking soda and vinegar does not demonstrate how a volcano works and arresting me won’t change that!
Musashi • November 5, 2015 3:52 PM
… I wonder if the dice are loaded…
Evan • November 5, 2015 4:22 PM
Mail can’t be opened by the government without a warrant (as far as we know) but once opened it’s pretty fair game.
Slime Mold with Mustard • November 5, 2015 4:29 PM
It’s the semi-annual “password thing” on this blog.
Learn This: Walk or drive in a defined space very familiar to you. Memorize each (substantial) object in a specific order (left to right or clockwise – what ever). Assign each object a value. (i.e. if M = 12 then MAPLE = 120151104) Do not use such a simple construct . I vary my simple cipher by (err – ok, it’s security by obscurity). My point is, I can memorize long (50 character) passwords. I absolutely do not trust anything called “password manager”. It sounds too much like “Free Secrets”.
If the password requires eight characters, try Snow White and the Seven Dwarves.
@ Rgaff
The way I heard it was “NOBODY is listening to your calls”
Just another NSA codenamed software package
Nonny • November 5, 2015 4:45 PM
@Slime Mold with Mustard
Complicated algorithms that you have to run in your head to get your passwords aren’t all that great in practice. You have to remember the algorithm, you have to be in a situation where you can run it, and when your password is compromised you need a whole new method.
Much easier to just pick 4-6 random words and remember that.
Jesse • November 5, 2015 4:46 PM
In the Bitcoin community, we ran into problems with “third party choosing password material and physically mailing you the result” as early as Casascius Physical Bitcoins.
No matter how secure the delivery mechanism, one of the weaker links you have to suss out is “can you trust the third party?” I mean, they certainly have access to your key material, now! 😛
In any event, here is EXACTLY how hard it is to roll a bunch of D6’s or D20’s and look up a printed wordlist in order to make your own diceware passwords:
Roll dice, look up result of diceroll in the wordlist, transcribe word. Repeat 4 or more times.
People who would pay somebody else for that work would probably also pay somebody else to print off their emails for them and relay those via snail mail. ;P
Clive Robinson • November 5, 2015 5:14 PM
@ Musashi,
… I wonder if the dice are loaded…
Of course they are, all dice are, the question should be “By how much are they loaded?..”
The trick to using dice is to use several from different manufactures and throw say five, and count the spots using clock maths…
The problem with diceware wordlist passwords –as I said on this blog just a couple of days ago– is that people reorder the words to try to make them more memorable. Which is a mistake, because it reduces the number of actuall passwords, so makes password cracking software more effective.
Orange • November 5, 2015 5:30 PM
I’d just pick the first five poster names under a random Schneier blog entry. Then all you need is a link to it.
rgaff • November 5, 2015 5:34 PM
@ balls
You have a good point about kudos to a 6th grader for doing something. I was more referring to adults who think that the mail is safe because of the supposed warrant requirement.
@ V
You have a good point about “NOBODY” probably being a code name for some program to listen to every call 🙂
@ Clive Robinson
Yes, exactly. Any altering of original true randomness to try to make things “more memorable” significantly reduces or destroys the randomness… (reordering, rejecting difficult ones, etc)
Anura • November 5, 2015 5:45 PM
@Clive Robinson
It does make it weaker, but only up to a point. Choosing 5 distinct words at random, choosing again if there is a repeated word, and arranging them so that you can remember provides about 57 bits of entropy. Choosing 4 words, which may repeat, and keeping the order provides around 51 bits of entropy. So if you can remember 5 words rearranged easier than four words in a random order, choose the former.
Blaberton • November 5, 2015 6:15 PM
Hey you know what? “Today my keyboard went to the pool and drank a duck”
That’s how I tend to choose my passwords, a sentence of complete nonsense. I could improve it further by using non real words… For some reason those very long passwords are very easy to remember! I bet you’ll remember that one for a long time^^
Daniel • November 5, 2015 6:27 PM
so this is what pass for news these days on this blog…
http://www.amazon.com/Drew-Curtis/e/B001JPC2AG/
Apparently Bruce has been reading that book and drawing all the wrong lessons.
Ronnie • November 5, 2015 6:46 PM
Memorize a random, computer-generated 60-bit string by converting it into a rhyming couplet – an extension of the xkcd method https://xkcd.com/936/
This article has a link to a couplet generator that they created.
http://www.refinery29.com/2015/10/96126/password-security-poem
David Henderson • November 5, 2015 7:20 PM
I have gone beyond the diceware dictonary. I now use a Scrabble dictionary with various dies and my own rules to generate special characters for extra randomness.
Michael Kohne • November 5, 2015 7:25 PM
Can’t be worse than the junk we see whenever a password file gets released.
Anura • November 5, 2015 7:41 PM
@David Henderson
I once took random words out of a english word list, the problem was it got hard to remember the words as some of them weren’t in my vocabulary (what the hell is erucic??!!). The other problem is that too many sites have restrictions, must have a number, cannot be more than 12 characters, blah blah blah. So these days what I do is I took the first 1296 words of a word list (I think it was this one), I roll four dice, seven times and take the word. I memorize the words, but for the password I take the first letter of each word so I have a 7 character password, capitalize the first letter and append a 1, and then I have a secure password since seven words chosen at random has the equivalent password strength of 72-bits.
(and yes, I am joking)
Password123 • November 5, 2015 7:44 PM
Print your own password cards,
http://www.webplaces.org/passwords/
then deal out along random password and memorize it.
QnJ1Y2U • November 5, 2015 8:20 PM
They should call them ‘artisanal’ passwords, along the lines of this:
http://www.artisanalpencilsharpening.com/
David Henderson • November 5, 2015 9:17 PM
@Anura : 12 and 20 sided dies from Dungeons and Dragons help me to generate special characters to punctuate my Scrabble dictionary components.
I do take to trouble to select/arrange the words into nouns, verbs, adjectives and adverbs. Makes it easier to memorize.
Probably makes it easier for an adversary to guess. I dont care because the sentences and punctuation are totally weird.
anonymous • November 6, 2015 12:44 AM
Those of you who use a *nix machine (and others don’t need a passwd anyway), just use “cat /dev/random | tr -cd ‘[:graph:]’ | head -c 20” for e.g. 20-char passwd.
Then, enter it 10 times and your fingers will remember it.
Bruce • November 6, 2015 3:29 AM
I will probably stick with my password manager 🙂
Winter • November 6, 2015 3:59 AM
@Blaberton
Hey you know what? “Today my keyboard went to the pool and drank a duck”
I think this is certainly less than 161 bit strong. To be more precise you would need a word-frequency list. I think the restraints of the grammar are negligible.
If I had to guess, I think it will be on the order of 85 bit (content words ~11 bits, function words ~5 bits).
blake • November 6, 2015 4:47 AM
I’m intrigued at the possibility that someone would be interested enough to get a randomly generated password but not interested enough to randomly generate their own.
Does the method of choosing a password need to be subject to Kerckhoffs’s principle? Is it really important to generate a password using a known reliable method as long as the resulting password is good?
@David Henderson
Does your word list include fictional words from D&D too?
Lively Sofa • November 6, 2015 7:03 AM
Cute but, in the spirit of constructive criticism, maybe she could be encouraged to think of a trustless implementation?
Peter A. • November 6, 2015 7:07 AM
@anonymous:
Using cat to take bytes out of /dev/random is not very prudent, it will use up a lot of your entropy pool, hundreds of thousands bits at least, depending on compiled-in stdio buffer size, before the SIGPIPE gets propagated up the pipeline from head terminating after it reads prescribed number of characters. On a not-so-busy desktop this pipeline could even block for many minutes waiting for entropy pool to be filled. (You can move your mouse around and mash your keyboard to shorten the wait a bit.)
It is wiser to use dd to extract as much pseudorandomness as you actually need. I use this:
dd if=/dev/random bs=1 count=15 | base64
to get a 20-character string which would pass most password rules. With base64 you get 4 characters for every 3 bytes – so the 15 figure. Some password rules won’t like / or + characters
Danny • November 6, 2015 8:58 AM
I know it’s not ‘best practice’ but I still use various methods of throwing in upper-case/lower case changes. Most people who try to crack me are people who’ve watched me type in the password, and having one finger constantly hovering on the shift key makes that harder.
Russtopia • November 6, 2015 9:55 AM
I have had positive feedback for my own inventions, designed to solve passsword predictability, sold here.
https://www.tindie.com/search/#q=recall
Not ‘perfect’, but they generate MUCH better passwords than those commonly found to be used in leaked user lists, and also enforce unique per-site passwords.
Roflo • November 6, 2015 10:04 AM
@Slime Mold with Mustard, I too can remember a 50 character password…
.. but I can’t remember hundreds of them.
Rex Rollman • November 6, 2015 10:36 AM
I use Diceware, not to generate passphrases, but to create random character strings:
http://world.std.com/~reinhold/dicewarefaq.html#tables
Also, as far as “loaded” dice goes, you can buy Casino dice, which are precision made for gambling.
CallMeLateForSupper • November 6, 2015 11:15 AM
@QnJ1Y2U
+1
“Artisanal” seems to be the new “organic”. 😉
A couple of newly minted MIT whiz-bangs have come up with artisanal phone chargers, because, (cough) it should be as easy to charge your phone at a bar or restaurant as it is to get a drink of water. One of them said: “It should be expected, We all have a right to charge our phone while we are dining.”
Nowhere in the story is there any evidence that these charging ,,, um … thingies isolate USB data lines. Not good.
anonymous • November 6, 2015 11:24 AM
@Peter A.
Use haveged or rngd to replenish the entropy pool. On my laptop, I can read /dev/random continuously.
Carl • November 6, 2015 11:52 AM
What about picking -one- word and just repeating it six or seven times? Wouldn’t that have the same entropy as seven random words?
Thunderbird • November 6, 2015 1:41 PM
What about picking -one- word and just repeating it six or seven times? Wouldn’t that have the same entropy as seven random words?
Short version: “no.”
HJ Hornbeck • November 6, 2015 2:10 PM
for COUNT in {1..8} ; do perl -e 'rand($.) < 1 && ($line = $_) while ;print$line' /usr/share/dict/words ; done
Write down the output. Pick a subset. Add a punctuation mark or two somewhere. Practice a few times.
Still, I’ll give the kid props for being concerned about password strength. More adults should follow her lead.
HJ Hornbeck • November 6, 2015 2:40 PM
Bloody HTML. Let’s try that again:
for COUNT in {1..8} ; do perl -e 'rand($.) < 1 && ($line = $_) while <>;print$line' /usr/share/dict/words ; done
mdfive • November 6, 2015 2:48 PM
For some reason I don’t buy the combo of four dictionary words put together and claim the entropy is the whole space of combinations. Wrong calculation. Also wrong assumption that it is hard for computer to guess.
There’s a point that strong passwords are hard to memorize. The solution however, is still not available. Definitely not a combo of stupid passwords.
Anura • November 6, 2015 2:54 PM
@mdfive
“For some reason I don’t buy the combo of four dictionary words put together and claim the entropy is the whole space of combinations.”
Why not? It’s basically just representing a number in base 7776 – There’s a 1 to 1 mapping between 4 base 7776 characters (words) to 20 base 6 characters, it’s just that the former is easier to remember because of the way your brain works.
@all
Please, if you’re going to use phrases and word groups for passwords introduce and embed both spelling and punctuation errors to them.
Strengthen the keyspace.
I think you will find that an intentionally misspelled word in a diceware grouping or a common phrase is just as memorable if not more so than an exact copy.
David Leppik • November 6, 2015 5:07 PM
Lately I’ve been thinking about passwords that are easy to type on a phone. Not every website accepts Unicode in passwords, but if they do, here are my thoughts:
David Leppik • November 6, 2015 5:10 PM
@r
I used to think so, but I have forgotten so many misspellings and grammatical choices (e.g. did I end the passphrase sentence with a period?) over the years that it’s just not worth it. There are just too many ways to misspell a word.
Randal • November 6, 2015 6:55 PM
We made XKCD style generators in a PHP class I took. Mine emulates an electronic component just for kicks. http://randalcarr.com/passgen
Brutus • November 6, 2015 9:58 PM
@HJ Hornbeck, I wouldn’t trust, without looking in to it, the Perl rand function. Might it be just a linear congruential prng? Or some other prng? To generate a strong password, you want to know, in hard bits, how much entropy you have. A fair D6 has just over 2.5 bits of entropy per throw (log_2(6)). A pseudorandom number generator has at most as much entropy as its seed has.
cautious • November 7, 2015 2:17 AM
@Randal
Love it! Wood cabinet like the 1978 Z-80 Northstar is a lovely touch.
How many words in the dictionary?
Can I download the code? This is sooooo sweet. Thank you!
BoppingAround • November 7, 2015 9:38 AM
David Leppik,
But good luck if you plan to use those characters from a Linux box with the
standard US keyboard.
Two words: compose key. Usually available in the DE keyboard configuration
panel. If you don’t use a DE, you probably already have an idea how to enable
it or where to look for instructions 🙂
ã, ł, ü, ỹ, á, ë.
Anura • November 7, 2015 9:19 PM
@BoppingAround
My concern with that is that there is no guarantee that two systems encode those characters the same. If the site isn’t configured properly, one browser can default to ISO-8859-1, one browser UTF-8, and even if it is UTF-8, you don’t know that your IOS phone and Linux Desktop are going to encode the characters the same since there are multiple valid ways to encode them.
well, if you guys [or gals] don’t like the idea of additional keyspace through the intentional entry of erroneously keyed words and phrases try adding names to the mix.
blue green algIE who is clive robinson?
it doesn’t have to make sense to anyone other than yourself and imho it may help having a system of misdirection in more ways than one.
i’m sorry but the dice ware passwords just feel dicey to me.
/* p.s. i’m going to investigate the DE keyboard ‘compose’ hack that was mentioned here, obv the requirements would be a utf or unicode supporting function though right?
Diceware Good • November 8, 2015 10:20 AM
Diceware is not dodgy.
If you are worried that your adversary can break your 7 word diceware passphrase, then you are concerned about 90.5 bits of entropy.
Now, that means they have to deal with a one in:
1,719,070,799,748,422,591,028,658,176 chance
of picking your passphrase on each attempt (7776^7).
Assuming they use 1 trillion guesses a second, it will still take them 27 million years to guess it.
If paranoid – go to a 10 word diceware passphrase, giving you 129 bits of entropy and they have a one in:
808,281,277,464,764,060,643,139,600,456,536,293,376 chance
on each attempt (7776^10).
I gather that by brute force, using current level technology it would take longer than the universe has been in existence.
Something like 122,890,800,000,000,000 years for 100 hackers at 10 trillion guesses a second with a 50% probability of retrieving it.
Sounds pretty solid to me, absent quantum computers.
BoppingAround • November 8, 2015 10:28 AM
r,
I have a feeling that I need to clarify what ‘DE’ means. It means ‘desktop environment‘, not ‘German keyboard’.
Just for the sake of correctness.
Andy • November 8, 2015 5:00 PM
Damn. I had a business plan selling previously owned (used) Passwords. Her prices blow a hole into my calculations…
Nate • November 9, 2015 2:14 PM
Is it just me or is letting someone else know your ‘secret’ password a bit…
… dicey?
I’ll see meself out.
Nate • November 9, 2015 2:32 PM
I reckon we could expand on this extremely successful business model a bit. This idea has legs.
We give you your documents back! Plaintext, of course. We wouldn’t give you any unreadable cryptogobbledegook nonsense! That’s our job! To shield you from that dark, bad, world full of cyberthreats in their cyberdens. We may make some deals with the cybercops, cybergrunts and a few private cybereyes and cybermercs. You don’t need to want to know any of that! We love you! To keep you safe, we won’t tell you. We’re the hero you deserve, not the hero you need.
You, you big statuesque Greek god/ess you, go on to conquer the world! With our super-double-secure cryptologomigummical technexpertise behind you! A good, safe distance behind. Stepping quietly even further back. So as not to even sully your shadow. Bye bye, now! Tell the world hi from us! We’ll be, um, somewhere! Do call!
[REDACTED]
[ALSO REDACTED]
[OH SO VERY MUCH REDACTED]
I have NO idea how all these documents keep getting dumped! Terrible isn’t it. That’s why you need us. Your strong, statuesque, conquering head. Looking better every day! By the way, would you care for our… extra special service? We can, um, find information. Not normally available. On things. For you. Information on your competitors, maybe. For the right price, naturally, but that’s business!
Your security is important to us. We love security!
cf • November 10, 2015 12:46 AM
I’m intrigued at the possibility that someone would be interested enough to get a randomly generated password but not interested enough to randomly generate their own.
@blake, prepare to have your mind blown by two amazing facts that are both strange and true…
Believe it, or don’t…
Slavo • November 14, 2015 5:02 AM
Well, “Diceware Good” is pretty much right. In the case of Casino dice (multiple dice if you’re paranoid as hell) – the 7 word DiceWare is pretty strong, and “almost impossibly strong” for a random attacker who is not aware of DiceWare and is running plain alphanum brute-force. Also, guys – if you’re already on Bruce’s page – then please stop suggesting to use [whatever progr. language] built-in PRNGs – this will hardly end you up with a good pass.
And, it’s actually really cool to see even kids being aware of the importance “of choosing a good password” these days. Thanks Bruce!
Subscribe to comments on this entry
Sidebar photo of Bruce Schneier by Joe MacInnis.
rgaff • November 5, 2015 2:57 PM
Just because a letter can’t be “opened” legally without a warrant, doesn’t mean its content isn’t collected… have you ever held up an envelope to a light source? No “opening” technically necessary to read every single word.
You gotta think like NSA wordsmiths… i.e. Obama’s announcement “nobody is listening to your calls” means they’re just reading the transcripts instead, obviously. He was not lazy in how he chose his words, he was very careful to technically tell the truth while intentionally implying an outright lie. This is the way every politician and large company operates nowadays.
Add to this: since when have laws constrained our government? They’ve proved over and over that they’ll do whatever they jolly well please, and when finally caught, they’ll just delay delay delay while they pass laws to make it legal after the fact.