8

I understand the basics of why diceware produces good security and why seven word passphrases are a good idea these days.

The EFF has helpfully produced updated diceware lists that eliminate lots of the hassle of memorizing diceware passphrases. (see https://www.eff.org/deeplinks/2016/07/new-wordlists-random-passphrases)

But a seven word passphrase even using the EFF's new long diceware list can still be hard to remember. Sure, over time, most people will remember it, but I wondered if there is not a simpler way to achieve security and memorability.

(Apologies in advance if this is a rehash of something much smarter people have already thought of.)

Since knowledge of the diceware list is irrelevant (only the length of the list of unique words contributes to the entropy), presumably choosing from multiple lists is as secure as choosing over and over from one list.

So why not create four separate lists, each with 7,776 words, but each strictly limited to one of a) adjectives, b) nouns, c) verbs, or d) adverbs?

A diceware passphrase would be created normally, rolling 5 dice for each word.

But, assuming we are aiming for a seven word passphrase, we would choose:

word 1 from list a (adjectives)
word 2 from list b (nouns)
word 3 from list c (verbs)
word 4 from list b (nouns)
word 5 from list d (adverbs)

This would produce an English sentence of the form:

adjective noun verb noun adverb (e.g. blue fireplace eats dog briskly)

which would be probably bizarre but also easily memorable for most people (with no less entropy than a five word passphrase chosen from the standard diceware list or from EFF's improved long diceware list).

That's not long enough for security though, so we could continue and choose:

word 6 from list b (nouns)
word 7 from list d (adverbs)

resulting in a 7 word passphrase of the form:

adjective noun verb noun adverb noun adverb (e.g. blue fireplace eats dog briskly television enough)

Slap an "and" between the 5th and 6th word and the sentence probably is as easily memorable. Presumably the "and" cannot decrease security because even knowing it, we still have 7776^7 word combinations in the sentence.

I assume the biggest problem with this scheme is there may not be 7,776 adverbs in the English language (or maybe there are?).

In that case, we can still use a similar scheme, using two sentences constructed only from lists of adjectives (of which there are probably an order of magnitude more than necessary in English), nouns, and verbs, like so:

word 1 from list a (adjectives)
word 2 from list b (nouns)
word 3 from list c (verbs)
word 4 from list b (nouns)
word 5 from list b (nouns)
word 6 from list c (verbs)
word 7 from list b (nouns)

Slap a semicolon or period between words 4 and 5 if you want and you get something like this:

adjective noun verb noun noun verb noun (e.g. blue fireplace eats dog; television flies pizza)

I speculate these types of sentences are more easily memorable for most people because they create action images which people can remember easily. In the example above, it would be of a blue fireplace eating a dog, while a TV is flying on a pizza.

An 8 word passphrase could be made by including an adjective in the second sentence too, obviously.

Is this a strategy already explored?

Does it have known weaknesses?

Are there published diceware lists of nouns, verbs, and adjectives? (And adverbs?)

Some Guy
  • 83
  • 5
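
The scheme described in the question, written out as an added example (not code from the question or from any diceware project): each word is selected with dice-style uniform indices drawn from a CSPRNG, the list sizes are assumed to be exact powers of six, and the toy six-word part-of-speech lists are constructed here purely for illustration (real lists would hold 7,776 or 1,296 words). The entropy function also covers the four-dice variant mentioned in the answers and shows that a fixed filler like "and" adds nothing.

```python
import math
import secrets

# Constructed toy part-of-speech lists, each 6 words so a single die selects a word.
# Real lists would hold 6**5 = 7776 words (five dice) or 6**4 = 1296 (four dice).
LISTS = {
    "adjective": ["blue", "tiny", "loud", "soft", "warm", "odd"],
    "noun": ["fireplace", "dog", "television", "pizza", "river", "hat"],
    "verb": ["eats", "flies", "hides", "sings", "builds", "chases"],
    "adverb": ["briskly", "enough", "softly", "twice", "oddly", "never"],
}
# The two templates from the question; list b (nouns) is reused several times.
TEMPLATE_7 = ["adjective", "noun", "verb", "noun", "adverb", "noun", "adverb"]
TEMPLATE_2SENT = ["adjective", "noun", "verb", "noun", "noun", "verb", "noun"]

def dice_for(list_size):
    """Six-sided dice needed for a list; the list must hold exactly 6**n words."""
    n = round(math.log(list_size, 6))
    if 6 ** n != list_size:
        raise ValueError(f"list size {list_size} is not a power of 6")
    return n

def roll_word(wordlist):
    """Pick one word as diceware does: one uniform index built from n dice rolls."""
    idx = 0
    for _ in range(dice_for(len(wordlist))):
        idx = idx * 6 + secrets.randbelow(6)  # CSPRNG, never random.random()
    return wordlist[idx]

def generate(template, lists=LISTS):
    """One word per template slot, each drawn from that slot's part-of-speech list."""
    return [roll_word(lists[pos]) for pos in template]

def entropy_bits(template, list_sizes):
    """Entropy in bits for a template; fixed fillers such as 'and' contribute nothing."""
    return sum(math.log2(list_sizes[pos]) for pos in template)

def render(words, fillers=None):
    """Join words, inserting fixed filler words after the given 1-based positions."""
    out = []
    for i, w in enumerate(words, start=1):
        out.append(w)
        if fillers and i in fillers:
            out.append(fillers[i])
    return " ".join(out)

if __name__ == "__main__":
    print(render(generate(TEMPLATE_7), {5: "and"}))
    print(f"{entropy_bits(TEMPLATE_7, {p: 7776 for p in LISTS}):.2f} bits, 7776-word lists")
    print(f"{entropy_bits(TEMPLATE_7, {p: 1296 for p in LISTS}):.2f} bits, 1296-word lists")
```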

4 Answers

3

While they don't directly answer your question, I think that reading up some of the other password-related questions on this site will help you think through this process. I would start quite simply with this question, which is also the most upvoted question on this site. Together, the answers really break down the relevant security and usability concerns:

XKCD #936: Short complex password, or long dictionary passphrase?

The short of it (as you seem to understand) is that any password generation strategy ultimately boils down to entropy, which can roughly be understood as "randomness". Selecting 7 times from a word list with 7,776 words would give you a total of approximately 1.719e27 possible passwords, or approximately 90 bits of entropy. The fact that you switch between lists for the given word order doesn't really change the picture substantially (you technically have more words to choose from, but you switch between the list of choices in a predictable fashion). As a result, from a strictly-entropy standpoint, this isn't substantially stronger or weaker than a more standard diceware generation pattern. On the other hand, if it makes it easier to remember the password, it would at least be a usability improvement, and that is always a good thing.

That being said, both are certainly "secure enough" for the foreseeable future. Relevant would be this thread that talks about a password with 80 bits of entropy:

Is an 80 bit password good enough for all practical purposes?

And this looks at the practical limits for cracking password hashes:

https://security.stackexchange.com/a/13016/149676

All of which boils down to the same thing: cracking a password with 90 bits of entropy would likely cost more than the entire economic output of the USA, but you are still vulnerable to phishing, social engineering attacks, and the like.

Conor Mancone
  • 30,380
  • 13
  • 92
  • 98
1

As you say, I don't think you could come up with a nicely curated list of 7776 adverbs, for example.

Another alternative is to use smaller word lists, say 1296 words each (roll 4 dice instead of 5). This would give you ~10.34 bits of entropy per word instead of the ~12.92 bits per regular diceware word.

For equivalent entropy, you'd have to memorize a longer passphrase, but that may be easier because of the grammatical structure of the passphrase.

A more complex solution would be to actually get to 7776 curated adverbs by appending other characters or capitalizing, so instead of just

briskly

you'd have

briskly
briskly!
briskly?
Briskly
Briskly!
Briskly?
BRISKLY
BRISKLY!
BRISKLY?

But again you have the tradeoff of complexity, which goes against the goal of "easy to remember" passphrases.

You may be better off just inserting your own "filler" words into a regular diceware passphrase to make it easier to remember.

not22
  • 181
  • 4
1

Your analysis is correct. The only "weakness" is that if you chose the same number of words from a single combined list (all the various part-of-speech lists combined into one big list), the entropy would technically be higher, but assuming an appropriate number of words that extra security is mostly redundant.

There is a "readable passphrase generator" plugin for KeePass that I think does something similar. I've used the "word sequencer" plugin with custom lists to do exactly what you suggest, although I did not find 7776 words for each list. I pulled my word lists from the Moby project which has a "parts of speech" list available.

Ben
  • 3,896
  • 1
  • 10
  • 22
1

Is this a strategy already explored?

Yes, the grammatical passphrase generator was based on this idea. I had a few issues with that particular implementation, in particular: 1) its choice of random number generator (Math.random()) is not cryptographically secure, 2) its choice of wordlist is quite arbitrary, and 3) its strength calculation may be wrong. So the idea of grammatical diceware is not entirely new.

In fact, I had been mulling over doing my own grammatical diceware implementation for some time, though the biggest roadblock here is generating a good wordlist like EFF's wordlist. I don't have the resources and knowledge that EFF had to generate their wordlist. While the choice of wordlist doesn't really affect security, a good wordlist makes the passphrase easier to type and remember.

Does it have known weaknesses?

The core idea of an entropy-based password generation method like diceware is to create a large number for a given strength and then to encode that number using a wordlist. The security of any scheme following this pattern relies primarily on the random number generation, while the encoding system is pretty straightforward and, with few caveats†, doesn't really affect security of the system.

† The original diceware wordlist, for example, wasn't prefix-free, so it produces passwords with reduced strength if you do not have separators between words; this has been fixed in EFF's wordlist.

Lie Ryan
  • 31,279
  • 6
  • 69
  • 93
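
The prefix-free caveat from the footnote above, as an added example (not code from the answer or from any diceware project): a checker that finds words which are prefixes of other words, an enumerator of the ambiguous decodings that arise when such a list is used without separators, and a count of how many distinct strings k concatenated words actually produce versus the k-word sequences the entropy estimate assumes. Both wordlists are tiny constructed examples, not real diceware lists.

```python
import math

# Constructed toy wordlist that is NOT prefix-free: "in" starts "inform",
# "form" starts "formant". A real diceware list has thousands of entries.
NOT_PREFIX_FREE = ["in", "form", "inform", "ant", "formant"]
# The same idea with the offending short entries replaced, so no word starts another.
PREFIX_FREE = ["ink", "form", "inform", "ant", "clear"]

def prefix_collisions(words):
    """Pairs (short, long) where `short` is a proper prefix of `long`."""
    ws = sorted(set(words))  # words sharing a prefix are contiguous once sorted
    bad = []
    for i, w in enumerate(ws):
        j = i + 1
        while j < len(ws) and ws[j].startswith(w):
            bad.append((w, ws[j]))
            j += 1
    return bad

def decodings(text, words):
    """Every way to split `text` back into list words when no separator was used."""
    wordset, out = set(words), []
    def rec(pos, acc):
        if pos == len(text):
            out.append(acc)
            return
        for end in range(pos + 1, len(text) + 1):
            if text[pos:end] in wordset:
                rec(end, acc + [text[pos:end]])
    rec(0, [])
    return out

def concat_strength(words, k):
    """(distinct strings, word sequences) for k words joined without separators."""
    strings = {""}
    for _ in range(k):
        strings = {s + w for s in strings for w in words}
    return len(strings), len(words) ** k

def lost_bits(words, k):
    """Entropy lost to colliding concatenations; 0.0 for a prefix-free list."""
    distinct, total = concat_strength(words, k)
    return math.log2(total) - math.log2(distinct)

if __name__ == "__main__":
    print(prefix_collisions(NOT_PREFIX_FREE))
    print(decodings("informant", NOT_PREFIX_FREE))
    print(f"{lost_bits(NOT_PREFIX_FREE, 2):.3f} bits lost over 2 words")
```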