Diceware & Passwords - Computerphile
Vložit
- čas přidán 8. 02. 2018
- How do you pick a secure password that's memorable but truly random? Dr Mike Pound explains Diceware
The Diceware website: bit.ly/c_diceware
(Diceware is a trademark of A G Reinhold)
Another great thing to do with dice is play games :) -Sean
Password Cracking: • Password Cracking - Co...
How to Choose a Password: • How to Choose a Passwo...
/ computerphile
/ computer_phile
This video was filmed and edited by Sean Riley.
Computer Science at the University of Nottingham: bit.ly/nottscomputer
Computerphile is a sister project to Brady Haran's Numberphile. More at www.bradyharan.com
Here's an idea. We should change the word "password" to "passphrase" to subconsciously discourage people from using a single word.
Iwentotheparkto_day.
iwenttotheparktodie
I agree. I've changed my password to "passphrase" in solidarity.
Came here from Edward Snowden s recommendations?
"Passcode" would probably be even better then.
"I'm just looking at your collection of cubes"
"All solved. That's how I roll"
Hahaha
Knew this comment would be here to like, I just had to look for it :D
I'm going to glue all your dice to the table, just so you _can't_ roll. Mwaaaaaaa ha ha ha ha ha!
@@PeteMcDonald You stunningly subtle sophisticated psychologist, you!
The 12.9 bits he mentions comes from the fact that log2(7776) = 12.9.
I was wondering that, thanks!
My twinkle
Thank you!
But none of my dice have a 6 on them! They have a 9 instead! What should I do?
@@__Brandon__ Excuse me... my eleven-sided die has two number 9 s. Where is the missing number 6 ?
"We're talking nation-state level security - you can choose to protect against them, but they might just visit you instead." Haha this is the logical step that's been missing in so many conversations I've had with cybersecurity enthusiasts - they seem to think the FBI is reading their emails but pay no mind to physical security. True story, I had one friend who insisted on 20-character randomly generated passwords, but wouldn't even bother lock his front door when he left the house because we were going "just up the street."
That is not the point. The problem is nation states and criminal organizations. They both have access to cloud computing services. Also bitcoin farms and hacking farms can use the same technology. The same equipment a government uses a civilian can buy unless the equipment is classified.
You think there is a difference in terms of capacity? You are wrong. We're not talking petty theft. We are talking about criminal organizations who make a fortune off of your stolen data.
@@jamesedwards3923 I don't know, I think you're the one missing the point here. A high-entropy password is great, but you are vulnerable against a $5 wrench attack and if your adversary is willing and able to use that method, your secure password stops mattering.
@@xXx_Regulus_xXx In most states in the United States. Getting a 'legal' gun is easy. If a criminal organization comes with a $5 wrench. I can unload on them. Got to love the Castle Doctrine :) !
Although in my state and city in particular. Has stricter gun laws. Thinking they are going to stop criminals. Yet in a bunch of videos and articles I have read. Obviously not. The excessive gun laws in my state; city in particular. Are designed to keep lawful citizens from defending themselves.
Bet you know which state I am talking about. Even the city.
@@jamesedwards3923 wrench attack is just a catchy name. Believe it or not it would be possible for your attacker to be armed and a quicker draw than you. I won't be arguing semantics or investing how quick of a shot you claim to be. The point is someone who is better at violence than you might sidestep the password security issue entirely. Do you understand what I'm saying to you?
I know 🤣😄😄
"They may just visit you instead." Ha ha, great capper.
I cracked, lol
I hate when my tapir gets corrupted and I didn't make a backup
It gets currupted because it's rw. Maybe it's time to "chmod -w tapir"
Does your tapir often receive bribes ?
Alexander Robohm
Who corrupted it? Some guy from Libya?
I can't begin to imagine which random symbol Mike Pound uses.
@@abdulwahabjag #obvious
£ or #?
@@jasoncox5263 Not so obvious. A # isn't called a pound in Britain, it's called a hash.
@@abdulwahabjag TIL that Americans call a hash a pound sign... interesting!
...and for those who deal in slightly illicit substances which you smoke.... perhaps they don't like the hash sign.
I personally dislike Tapir backups, Iguana-based backups are just way more reliable.
I like chalupacabra
Wait... that's not right...
@@QBelly i like chawawaa
I made a program back in secondary school, where you type in random numbers, and it tallies them up. It really shows how not random you really are.
My passwords are generally random words, characters, number, uppers and lowers and also misspelled words and major length.... Then i write it down and stick it on my pc screen so I dont forget.
Encrypted text file here.
But then you have to remember the encryption key.
Not if the encryption key is your password.
something like one pad vigenere cipher? that's very clever. it's not until you have to convey your secret password to customer service via the phone that it becomes a problem.
Joshelin recursion
I love that they knew that the Rand was our currency,that got me excited a lil bit.Great video as always.
I have stumbled on to this channel a few months ago, and find them quite fascinating. I found maths really challenging at school, but as I get older understand more and find maths is used in EVEN more places and things than I ever considered. Thank you for creating these short shows with great explanations.
It's the man, the legend, Dr. Mike Pound!!
I'm really diggin' the series. An episode about password managers would be great!
I think web developers need to be more educated in this. I hate it when I'm forced to come up with all sorts of crazy passwords with this symbol and that case and this number in that position. I mean, popsiclegoldfishigloobulgaria is a far stronger password than g41@9S. Guess which one my bank does and does not accept?
On the other hand. I've seen a website just on the last week which allowed me to use only letters and number in the password. I cannot say which one is more rediculous out of these two.
What if we combine the strengths of those two to have
Password: $7N7e@6MwoB/,@*
Its much stronger than those both.
Although, right now Im on mobile, so it takes some time to switch between symbols and letters. Thats why you can see an altering symbol/letter and uppercase/lowercase pattern. On Desktop this shouldn't be a problem.
I've seen a site that only allows 6 to 8 character passwords, and THEY ARE NOT CASE SENSITIVE.
Mostly because these developers are too lazy do write sophisticated software. But they still need to comply with standard security tests. And these tests will include "are secure passwords enforced" and the devs will say "yeah we check them before accepting". Point done. And then it comes to stuff like you can't use spaces, you can't use ; or ' or " and other characters, that could be used for command injection (no, and santinizing escaping the characters is way too much effort to implement for the lazy devs), you need uppercase, lowercase, numbers... And so people will chose something like "BankName" as passwords, which is among the weakest password you could chose.
Or even better: "Your password must be between 8 and 20 characters" - "But mine has 45..." - "meep! computer says no!"
I even have seen a service that turncates your password if you wrote more than 12 letters... m(
Pointing the blame at web developers is generally wrongheaded. Your bank's developers didn't decide the password restrictions. Management handed them a set of requirements, and they implemented them. For all you know, the developers did push back, because even if they did, it almost certainly wouldn't have made any difference.
I love that after the great talk on the finer details of password security he alludes to the possibility of a wrench attack.
Mike's videos are always informative. More of him please...
The last video on the subject had lots of comments about KeePass, so I started using it. I absolutely love it. Now every website gets its own password, and I have no idea what they are! The only password I know is the one for KeePass, which is five words that spell another word as an acronym, with a symbol and spaces.
my problem is that at my work i have literally 17 different passwords (i just counted). They all have different requirements of min/max length (lots are 20 chars max), upper/lower case, special characters, numbers etc. and they expire every month or 3 months or never. If i get one wrong 3 times it gets locked out. In one system it took me 2 months to get a new username set up because the password was locked and there was no other way to resolve this and in another system if i lock my password (or don't use it for 3 months) i have to go on a half day course (every time) about basic use of that software in order to get a new password. All this means everyone uses the same short passwords for everything and so security is made worse because of the measures introduced to increase security.
sounds like you need a password manager.
Some systems have strange and specific requirements, like the first character has to be an uppercase letter and the last character has to be a number, or stuff like that. Why? That requirement is public information, so it makes passwords _less_ secure. And the systems that force you to regularly change your password are very annoying.
@@perimiter I do.
It's best to use an offline password manager with completely random characters of at least 15 characters, and not trying to remember them. Offline is essential since often hashed password files are stolen from cloud servers. Personally I use a simple text file for all my longins, encrypted with a 64 character pseudo-random password by 7Zip AES-256 method. Let's just say, it's pretty darn secure. ;)
@@BillAnt 15 to 20 characters is the statistical average for password length. Bad idea for any important password. Where you control the length and complexity limit.
I learn a lot a watching this channel. Thank you guys, keep up the good work.
The videos with Mike Pound are always good and funny. xD
I enjoyed the little addition at the end that unless you are being directly targeted a simple password (4 words in this example) is good enough, and if you are being directly targeted there are more physical methods than brute forcing a password.
Yup, there's a great comic about this somewhere. If they're going to brute-force your password, they are going to *brute-force* your password, if you get what I'm saying. How many fingers can they break/cut off before you decide maybe the data isn't worth protecting *that* much.
awesome. I have been using your scheme for all my passwords ever since you suggested it. love the explanation.
Dice on the floor is always a reroll!
Absolutely great video. Had an amazing time learning this new concept. Thanks.
After watching the other password videos you made, I made a new password. When you mentioned that 5-6 words is nation state level of security, I realized that my new password is very secure and I shouldn't need to change it for a long time.
I love this content! Speaking of password security, could you make a video on key stretching, i.e. CPU and possibly memory hard password hashing functions. Legacy schemes include MD5Crypt, bcrypt (which were and to some extent still are widely used on UNIX) and PBKDF2, then there are more modern ones like scrypt and Argon2. CPU hard hashing is also built into the SCRAM protocol. Speaking of which, I'd also love to see a video on challenge response authentication. :-D
Either way I'll be recommending your videos to my (IT) coworkers since security is important and your videos are really accessible.
My passwords requires you to solve riddles and travel all across the globe writing algorithms and finding patterns in scattered around notes, take 16 randomly chosen characters encrypted with a custom encryption scheme appended to a salted hash of my favorite dog race bitwise xored with the name of the cat of the neighbors 20 years ago and 64 digits of pi randomly selected in sequence either forward or backward prepended with 5 words with substitutions from a chinese character set based on the pseudo random number generator built in my nintendo 3ds.
Bravo :) >Sean
Luckily my trusted sidekick can make you talk, Agent M!
Watch out! He's, shall I say, rather bitey!
Travel across a ball? I don't understand, you cannot stand on a ball!
Hey, that’s the same way like I do . 🤔😨
@@santoshpss you must be using translation software. He said globe, as in a map that is projected onto a sphere. Not a ball, as in the round thing that children play with.
I like the mention of rubber-hose cryptoanalysis at the end
And then some random website enforces a character limit of max 10 symbols, no spaces, a special character, a capital letter and a number
Tiavor Kuroma In those sites you can use password "secretlol" and don't use/put anything valuable to those accounts. Use your spam email etc.
Do you mean the email that I use for getting spam or the one for sending it? Oops...
That's why you should have a tiered password schemes, and Diceware should probably be reserved for the highest level, like a password manager or encrypted hard drive/OS. Lower level passwords can rely on your password manager.
"They may just visit you instead." Wow, what a great ending! XD
I love this type of video :3
Mike Pound for king of computerphile!
Brian A he's more princely in my opinion.
I suggest Tom Scott as his... queen?
:3
Sassy The Sasquatch nmm
Thanks, I didn't have a dice so I used the password you created ;) finally I have a secure password for all my accounts
here's what i did: tossed a coin three times and added the value i got. Three coin tosses = 1 dice roll. Now repeat that 5 times.
I had a password so secure, I literally can't remember it unless I have a keyboard in front of me.
I know what you mean. It's just muscle memory for us when we go and type it.
Same! I once tried logging into my PC remotely from my tablet and couldn't do it, because the keyboard layout is slightly different. My password is a pattern that's muscle memory now - I don't even know what the actual characters are anymore.
Yep! I know that pain, I can't log into anything from my phone x) I don't remember my passwords... I can just type them...
Is it "1234567890-=qwertyuiop[]asdfghjkl;'#zxcvbnm,./" ?
@highks Same :/
If you would like that way to make a password more secure you just need to translate of or two of your word I to in other language. Most people understands two languages. For me I can translate all or some of them to Swedish and suddenly I have doubled the word list. 😊
Doubling the word list increases entropy by only one bit per word. It doesn't hurt, but the benefit is negligible.
Yeah. But the wordlist dubbles and but you don't know what language I have used. In my case you know but you need to translate that list to every language to brute force it. Just adding swedish dubbles the list. Adding all of Europe languages... that's about 25. And so on. And that's my point. Not that everyone take a Swedish word.
Hope you hanging on. My phone got in to this discussion and messing with my text... xD
Bra plan synd bara att Tapir = Tapir
Diceware word lists are available in multiple languages (they contain different words) so you could roll the dice one more time to choose your word list.
"Most people understand two languages"
Spoken like someone who has never left Sweden.
You could also choose a synonym for each word after you roled the dice. "True Thoroughbred Accu Principal" in the XKCD case.
"all solved, that's how I roll" - Dr Mike Pound
Can you do a video on vulnerabilities on PGP/GPG protocol? It's in the news right now.
I use the first letters of the words of the second verse of an obscure poems. Easy to remember or to reconstruct from a hint, if you forget.
Look up "The Subway Piranhas" by Edwin Morgan. It's a short and slightly startling poem.
When you have to create an account on a website that requires a password between 8 and 12 characters long, have at least one lower case letter, upper case letter, number and other character in order to be accepted, this video helps so much! :P
There are so many ways to do it, it is insane.
Unfortunately, yes there are so many services. That have not even attempted to update their security. Would not surprise me if sites using such character limits are using MD5.
One of the easiest yet secure passwords I once had (before yahoo forced me to change it) was a 6 character password when the minimum was 8 characters
I love that thumb position ABS shine on your spacebar :)
Such a likeable character Mike Pound
Hon much more secure would it be you added an extra dice roll(1-6) after each word?
Seems like setting operating systems, web sites, etc., with a default delay (10 minute, 30 minute, whatever) after 5 password misses on login would solve a lot of password guessing problems. I doubt most people use such settings/tools available to them. Of course there are many places where passwords are used other than operating systems and web sites, but it would be a great start. Thanks for the video. Great topic!
You can only impose retry limits on authentication systems, but not on encryption systems.
Great point.
If you own the system, you can key stretch to a silly amount though. Try brute forcing when each iteration of your KDF takes up megabytes of memory.
Great video. I have a question on how entropy was calculated. Where did the 12.9 bits come from?
2^12.9 = 7643.40626667 which is approx the 7776 word choices in the list
At first i thought well this is still terrible but its actually a lot better than it seems at first glance.
If you run 80bil (educated) guesses p/s you will on average crack a password every 1 hour. And if i remember correctly you had an 8bil guesses p/s in your last video. So even for much stronger computers this is challenging. Not considering the fact that there are other password types you might want to dedicste processing power to as well. Great job. Really nice video explaining this :)
Buy 5 dice next time! Then it's one roll (of 5 dice) for each word!
clearly you have not seen the prices on proper, unstamped casino dice.
It's a fun way to generate a password so why not do it number by number...
Is your hand big enough to hold five dice at once? ;)
How do you decide which dice to take for which digit?
It can be biased. It's more random to roll a single dice 5 times.
The first time I used diceware I didn't have ANY dice, so I flipped about 20 coins together a bunch of times...
One other great use for something like this would be if you need a secure password for telephone access to sensitive accounts. The fact that they are words makes would make them very easy to express orally over the telephone while still being secure (provided you don't go blabbing them in earshot and such).
3:42 That a Panasonic Lumix DMC-lx100? I have one of those, neat little 4k cameras
Yeah, it's amazing :) >Sean
I learned from XKCD that Correct Horse Battery Staple is a really secure password so I use that everywhere.
This guy is an absolute BOSS.
Excellent video.
A variation of this theme is used in BIP39, a bitcoin/blockchain standard, where everyone uses a published list of 2048 words with some special characteristics. Since it's a smaller list, you choose more of them to be a passphrase, sometimes 12 or 18 or 24 of them, to avoid brute forcing. Its purpose is a sort of passphrase which (1) gets used exceedingly rarely, and (2) should be statistically guaranteed to be globally unique for all time like a GUID.
I would like to know your view on password managers like 1password. Combined with a hardware password or security token.
Which password generator app you are using for generating ur password? In some video ou mentioned the name of the application
I know this is a bit of an older video, but I have learned a lot watching this series from computerphile, some of my passwords are trash (despite me knowing how important security is) but really some of the sites I log into, I really do not care if someone gets into it, but if I do care about it, I do attempt to make it a more secure password, usually involving an uppercase/special character, and number in it, but aye I am realizing how insecure that is. I have always tried to keep my social media posting to a minium because I never wanted anyone to be able to social engineer my more precious passwords. (Yes I will admit that my most secure passwords belong to my games, and anywhere my private info is stored in one way or another... i.e banking, etc.)
-
One thing I wonder after watching these, and something I have suggested/thought of in the past is just using shorthand to make a password more secure, and I wonder how secure it would actually be, I know they could still brute force it due to a small number of possible inputs, but at least it wouldn't be a common word used in the dictionary.
So for example:
My password is not password 54
would be this:
Mpwinpw54
----
It should be fairly easy to remember and should be a bit harder for someone to just outright brute force their way in.
Your mistake was.Posting your ruleset. Now hackers will add it to their attack models.
To save people the effort of using wolfram alpha, there are 6^5 words (7'776), 7776P5 is 2.839E19 combinations from that list - which is about as secure as a 10(.85) digit password that contains A-Za-z0-9 (62 different characters).
No extra bit. I live for the extra bit. I'd also love a book shelf pass for all the guess you have. It's where I find new books the read. lol
what's the reason behind maximum password lengths? is it just for space/storage or is it related to hashing?
Question... sorry if it was already answered, I need to watch the video again.
But regarding entropy and passwords made out of random words, would a dictionary attack significantly lower the entropy of it?
I imagine it'd be hard figuring out the correct length of the password, and then you'd need a whole lot of word combinations and recombinations to the to the correct length.
I'm currently using just random alphanumeric with a password manager, but in the future I'd like to switch to an offline password manager and combinations of words in different languages, significant numbers and symbols thrown around.... that I imagine would be plenty. xD Still relatively memorable at least for the most used stuff, and the rest would have to be recovered using the offline password manager.
The entropy calculation is *assuming* the attacker is using a dictionary attack *and* knows what dictionary to use. It would be more accurate to say that if the attacker doesn't do a dictionary attack, the entropy would greatly increase.
the way is was tought to choose passwords is pick a obscure phrase you really like, so something you will remember, take the first charactere of each word (i sometimes add the last ones as well if the phrase is to short) swap out a few charecteres for capital numbers or special charecter.
Instead of using words to create passwords, I determined that it would be really hard to crack a password where each letter made a name but each individual character is stepped forwards or backwards on the alphabet (so if you have Johns, it would turn into Knimr as each letter is moved in a specific way forwards or backwards) as well as using underscores instead of spaces (because I’m a geek with an affinity with secrecy) or you could just generate a password with the computer automatically remembering it. Dashlane fills in passwords for you so you don’t have to remember them, so that is how I’d improve on that.
It's like having a 5 letter password but from an alphabet of 7776 letters!
That's an interesting idea. I generally just look at all the labels on anything on my desk and use the first letter from each label until I think it's decently long scramble a number in with it that is familiar to me but doesn't have anything to do with me jumble in a couple symbols and upper case and call it a day. Then I clean off my desk.
Edit: Maybe I'll continue to do that and bookend the one I generate in that way with a couple random words from the OED selected this way.
I love how he uses an asterisk as a multiply symbol.
You can use a dice with a dictionary. 3 rolls for page, and word number then choose the closest 4 or 5 letter word. Certainly seems more random than that list, but still a nice scheme until next year when computers are 10 times faster. :)
Would it be more secure to remove the spaces between the words? Or would having the spaces be "less" secure because an attacker then would know the size of each word? My Passphrase has ( 4 ) words but no spaces should I add the spaces to make it more secure or does it matter?
It could help increase security if they don't know spaces are in your password, but if they know you are using diceware it's the same either way. It also elevates your character count and character set. As Mike said, you can make those spaces anything you want to make it more difficult for bruteforce and diceware attackers.
When I decided to update my important passwords, I used a method very similar to this.
I just found an online dictionary of English words and uploaded them into a spreadsheet, then wrote a small bit of code that would select 5 random words from that list of 10s of thousands and concatenate them together. This ensures the words I chose were random.
However, they weren't totally random, because I did this several different times until I got a password that I found easy enough to remember.
I assume what you mean buy "important passwords" means stuff you have to remember. Most people make the mistake of keeping all their passwords in their heads.
@@jamesedwards3923 Important passwords, like for email or a password manager. The sort of thing you need to remember, but also that could be devastating if someone nefarious got access to it.
There are some less important passwords I really don't care too much about, because they're for inconsequential websites or something that nobody else could really benefit from hacking into.
Everything else can be a string of 16+ random characters, and memorized by a password manager. That keeps everything pretty secure.
@@sk8rdman At least you had the common sense to do it. So many I meet and talk to. Do not care until they get hacked. Or spoofed. You would be surprised how lazy people are with cyber security. How could you 'understand' the situation? Yet not take basic efforts to deal with it?
I have one interesting question regarding this video.
When users apply this scheme they sometimes will be "cherry picking" the "random" words.
For example, if I don’t like one word, i could roll that word or the whole phrase out again.
In my opinion that could become dangerous because it lowers the security by making words pseudorandom again.
An attacker could try to find out the most liked words and do some kind of dictionary attack with the statistically most liked words.
My argument is that many users would prefer "sunny car day love" over "wrong cold roach stink" and roll again in the second case.
What is your opinion regarding my apprehensions?
you aren't wrong. I've been using diceware passwords for about 6 years and noticed that I am more likely to rotate passwords that are hard to type after 3 months than I am for passwords that are easy to type which I will sometimes keep as long as 6 months. I think that you could probably build a probabilistic distribution of diceware passphrases that is a slight improvement on the advertised value against users who misuse the list. However, it is unlikely that will strongly affect any users who use the list correctly.
@Brendan Hart-Nutter
First thanks for your reply. Yes if you use the list right that doesn't matter. The point is that I believe many maybe even most user don't use it correctly and non of the systems addresses this topic by saying don't roll multiple times.
neumde neuer The Diceware website actually addressed this problem, emphasizing that you should accept every word generated in order.
Chenfeng Bao thanks for your input
thx for the list.
A niffy method when you have a password with no length maximum is to set your password as an excerpt from a ebook. Then copy and paste the password when you need to use it. That way you can have a password that is a paragraph or even a page long. Of course you can put a symbol in the middle of a key word and that would make it more difficult.
Also, may I suggest a video on plausible deniability? TrueCrypt (sadly defunct) used to have that feature, and I'd like to know how secure such a method is
VeraCrypt picked up where they left off.
one way for pw is use someone's phone number>transfer it to a symbol number mix>put it in b/w a word >repeat the same process
that give u at lease 16+ pw with upper/lower case character mixed with nonsense
but at the same time easy to remember
If you use this system to generate a password, but then only use the first X characters in each word, wouldn't that increase the security level of the password since it reduces the meaning behind it, still making it easy to remember because you know the words it comes from?
Can you please do a video about Password-Managers and their security?
how will adding a few unicode characters affect the password "strength"?
Sounds cool, but wouldn't words at the start of the list be less secure than ones at the end of the list? Assuming all the words are spread out through the list, sure, it would be fairly secure, but if you got unlucky and had a bunch of words, say, on the first page, then wouldn't those be easier to crack with a brute force attack?
What about using slow encryption of long pass phrases?
Thanks for existing
you could also take a dictionairy and then roll in which sixth your word is. repeat around 7 or 8 times for the oed and you get any word
any recommendations for password managers ?
Could you make a video about keychain and its security?
For anyone curious, Let's compare this 5 word password to a more traditional 10 character password pulling from a pool of 74 random characters. 74^10 = 5E18 possibilities. Compared to the example shown in the video, 7776^5 = 3E19. So this method is slightly better than 10 purely random characters (which is very hard to remember)
10 purely random characters are not that hard to remember. And they are faster to type.
Anyway, I don't get why people aren't using password managers and still try to remember all their passwords. My passwords are all at least 16 random characters (letters, numbers, special) which is way more secure than what is shown in this video. I don't know any of them by heart but then again I don't need to - i copy and paste them directly from my password manager (which makes me immune to keyloggers as well).
@@teeds88 doesn't make you immune to clipboard sniffers
LOL, that is the point is it not. Diceware or Leetspeak - Taking something easy to remember for you. However for a computer it is insanely complicated.
Some people put down leetspeak. I logically disagree.
As we all know, the longer and more complicated your password. The harder it is for a 'computer' to figure it out. Also, if a person can not figure out. If a human and a computer can not figure out what you did. That makes it all the better as a password.
@@jamesedwards3923 I build password cracking dictionaries. And leet speak is easy to crack. Actually combining words some with leet speak and some with out. While sharing vowels is best. "!l1kEtHr3epeoPLE" is hard to crack
i use diceware for every account that doesn't have 2 factor authentication available. I have about 4 i use daily, all six words, and it's surprisingly easy to remember and distinguish them.
07:53
12.9*5=64.5 log2(6 sides per dice^5 dice)*5 words
Shouldn't the size of the word list be anywhere in there? If the word list has only 100 words, shouldn't that affect the entropy?
the number of words in the list is exactly equal to 6^5
I think you're probably intended to buy 5 dice lol
It's possible that your password and 1 or more passwords hash to the same value? And a brute force attack would have less operations on avg than 2^63 Or is this so unlikely that it doenst comer into the picture?
It's possible, but they'd be two vastly different passwords. You should google what instances people have found.
But just where can you get sweaters like Dr Mike?
Somebody smarter than me can probably tell me if I am wrong or not
Isn't there an obvious weakness with creating many passwords with Diceware, whereby x dice will create an average range to specially target, then when working with a large database of passwords you could make the process quicker as you hash more words? Would 2^64 become a smaller number of operations over time?
Would it make any difference if the words were misspelled? Like having two i's in Tapir?
You are affectively talking about leet speak. I had an interesting debate with somebody. We agree and disagree. He said that leet speak was a bad idea. I said no it is not.
Here were my reasons why:
1) The longer and more complicated your password is. The harder it is to attack by both dictionary and brute force methods.
2) Given how most brute force and dictionary attacks work:
- It has to figure out which words.
- Which variant of the word.
- Then get them all in correct order.
Some people can remember very long passwords for their primary password. Like for a password management file. It would make sense after all. It is one stop shopping for your online life. If picked twenty five words. Or fifty words. Is that not a full paragraph or so?
3) Hence why pass phrases are just as useful as passwords. Leet Speak is like hashing.
Both in common sense and in math. Even if you use common substitutions. The entropy of the password increases. So to both a human and more importantly a server farm. Each with five of the most advanced graphics cards on the planet. Is going to take time to hack your encrypted password. Especially if you used up to date algorithms.
Don't know whether I'm watching because of the content or Mike anymore...
Also about the nation state thing, eh im not sure. the thing about passwords is that its possible for that pastebin to be sat there for years and yeah a 5 word password is out of reach today but give it ten years and who knows. Maybe a flaw is found in the hashing algorithm which massively speeds it up or something similar. With my password I don't just want it to be secure today I want it to be secure in perpetuity. Rotating passwords every couple of years at minimum is good practice but the more passwords I have to generate the weaker they are likely to be.
Out of curiosity, if the attacker knew you were using Diceware, and also knew how long your password was (maybe they heard you type it once?), how does that change the probability of breaking it? It seems like even with 7776 words, there are going to be limited ways to generate a string of X characters.
Even if the attacker knows the word list, how many words you use and even the separator character, it won't change anything. The number of combinations is finite, but is huge! It's ~ 20 billion billion possibilities for 6 words.
"All solved!" Love it
Brilliant!
the extra word can be a word that are not on the list?
That last sentance translates as:
"My associate here will now begin to hack your password. He is going to hack your kneecap with this tire iron until the password comes out of your mouth."
I'm probably just doing some statistical fallacy but, could you semi-eliminate possibilities based on the fact that your odds of rolling a specific number several times in a row are low? For whatever reason dice tend not to fall that way, though if it's truly random the odds of getting 1,1,1,1,1 should be the same as getting, say, 3,2,1,5,3. I feel like if an attacker assumed no number appeared more than 3 times consecutively, they'd eliminate a significant portion of the possibilities and they'd almost always be correct.
Yes, it's a fallacy, though an interesting one. The odds of 11111 is the same as any other 5-digit number. It's 1/7776. The reason 11111 seems to have a lower probability of appearing than, say, 32153 is this: 11111 is a memorable number, so we notice how infrequently it occurs. 32153 is not particularly memorable, so we don't notice how infrequently this exact number appears.
There's another way to think about it. What's the probability of five rolls all of the same digits? There are six such numbers (11111, 22222, etc.). So probability is 6/7776. What's the probability of five rolls each with a different digit? 7770/7776. This creates a false perception that repeating numbers are less likely than non-repeating numbers, because we forget that we're not comparing the same thing.
arent there password cracking botnets?
those could probably crack your password faster as what you said at 10:20 (naven state?)
No, they can't. Most passwords are easily crackable because they're short / common / just bad. That five random words are much much harder to crack than you'd think.