6

Recently I discovered method of generating passwords with Diceware/EFF dictionary.

Look at my example, passphrase vs randomly generated password:

  1. rockstar reword gamma banker unwarlike (64,6 bits entropy)
  2. 9zbhL=HyWNV (65,7 bits entropy)

Both are considered as strong passwords.

  1. is easy to type and remember. You can spell it to someone else.
  2. is opposite: hard to type and remember, impossible to pronounce.

Password managers deals with typing difficult passwords.
But in the absence of password manager software at the workstation or in other circumstances where PM can't be used (login screen, decrypting system drive), passphrase is better.

I am curious:

  1. Should I create all my passwords with Diceware/EFF dictionary and only fallback to random characters if password policy forces me to include special characters and upper/lower case symbols?
  2. Why in IT systems we still use randomly generated gibberish when we could use words?
msanford
  • 817
  • 1
  • 9
  • 26

6 Answers6

3

As others have said, if you randomly generate your password and store it in a password manager, it does not matter one way or the other, security-wise. Diceware is more effective if you need to memorize the password or type it into a keyboard.

Long passphrases are the current recommended best practice.

However, there are many applications out there that still enforce arbitrary „complexity rules“, which were once in the old NIST standard, or have maximum password lengths of 16 characters or less. In those cases, you cannot use long passphrases.

For this reason I create 18-char random passwords most of the time, although I prefer passphrases. This usually gives me a valid password on the first try, whereas when I use a passphrases I often have to fiddle with the thing for minutes until I figure out the requirements.

For the second part of your question: IT systems (such as password managers) that create passwords for human consumption should generate diceware-type phrases or offer the option. This decreases the chance of the user changing it to something of their own choosing. However, for an initial password that is changed on first login it does not matter at all.

Also, if you are designing a system in this time and day, you should be aware that the whole concept of „memorized strings“ is essentially broken and push towards 2FA, hardware tokens or stuff like that.

Additional notes

There seem to be some misconceptions around about entropy and password "length", especially regarding diceware.

First off, diceware is a random password, and is as secure as it gets. It just uses more characters per bit of entropy than a random-character string. From a theoretical point there is no difference between a 5-word diceware phrase, 11 alphanumeric characters and a 20-digit number (other than length).

In other words, diceware maximises memorability, while a random string maximises "entropy per character". The former is often a more useful property than the latter (in which the OP is right). The latter is needed if you have a very limited amount of characters for your phrase - which shouldn't be the case in modern systems, but often is.

averell
  • 1,103
  • 7
  • 10
2

Should I create all my passwords with Diceware/EFF dictionary and only fallback to random characters if password policy forces me to include special characters and upper/lower case symbols?

As long as your systems support using passphrases you should use anything that is more comfortable for you. As long as it is secure enough. Please, when considering security, consider as many vectors as possible. It is easier to target users using social engineering to get their passphrase rather than password.

2) Why in IT systems we still use randomly generated gibberish when we could use words?

IMHO, mostly because IT guys are technical guys, who get their knowledge on the matter from the proven (meaning old) sources. Passphrases are a relatively new thing, and most of the places where IT security is considered business-critical (banks, government, etc) have still active old systems (i.e. AS400) that do not support passphrases. It is mostly a matter of habit and trust.

I would advise you to consult NIST standards, various frameworks and so on to have a better understanding on requirements to passphrases.

schroeder
  • 125,553
  • 55
  • 289
  • 326
Rashad Novruzov
  • 678
  • 3
  • 13
1

In practice, passphrase passwords are a much more effective mechanism. Especially in a corporate environment when you have a lot of users.

Requiring users to several different types of special characters complicates passwords. Expecting all of your users to always use password managers also creates problems.

As long as your users have the option of using the full ASCII range, crackers are going to have a tough time breaking "rockstar reword gamma banker unwarlike". An attacker in the wild is likely going to need to assume that the character set will be constrained only by the operating system requirements which most attackers will assume to be Windows.

As Royce mentioned, you are almost always better with easier to remember long passwords than complex passwords that people will work around.

Unfortunately most IT departments haven't embraced this.

flyerhawk
  • 41
  • 3
0

As you have found, you can make a passphrase of equivalent entropy to a fully randomized character-based password. Using Diceware, it takes about half the number of words in the passphrase to reach the equivalent strength of a fully random character-based password of a given number of characters.

The drawback, unfortunately, is that you'll have about 5 or so characters per word in your diceware passphrase. This means if a given login has a maximum number of characters in their password (unfortunately still common, and still relatively short limits, e.g. 30 characters maximum). This means that while you may be happy with the password strength of a 14-20 character password, you cannot achieve equivalent strength for this login using a passphrase, simply because this specific login system won't allow enough characters to create a long enough passphrase.

Ben
  • 3,896
  • 1
  • 10
  • 22
-1

You have a false comparison and odd benefits. You can't compare them like that.

  1. 38 characters vs 11 characters - work out entropy for a random 38 char string ...
  2. random passwords are not supposed to be easy to type - "easy to type" means lowered entropy
  3. why would the benefit of "telling it to others" be mentioned at all?
  4. "in the absence of password manager software ... passphrase is better" - false, passphrase is easier. Your definition of "better" is not security-based.
  5. In IT systems, without password or connection managers, should we use long phrases instead of short random strings? Yes. Length is key along with randomly generated output (even if it is words). But we should be using long random strings.

Your focus is on convenience, not security, though. You can't make a false comparison like that. It seems like you have a restriction in your IT environment that makes managing random strings difficult. Don't roll that condition into some kind of generic opinion of entropy and password strength.

schroeder
  • 125,553
  • 55
  • 289
  • 326
  • 2
    A longer (in character count) passphrase made up of real words *with the equivalent entropy of a random-character password with fewer characters* can be much easier to type - both *during the password practice phase*, and in practiced use - because the fewer chunks mean that more can be typed from memory. I can type - and can *learn to type*, and can *reliably type with fewer errors* (both mechanical-movement errors and memory-activity errors) - "correct horse battery staple" **much** faster than I can "K^ – Royce Williams Jan 24 '20 at 15:56
  • 1
    Also, the OP is correctly calculating the *actual* entropy of a randomly-generated passphrase *when taking Kerckhoffs' Principle into account*. We *must* assume - and Diceware takes as a deep assumption - that the attacker knows the method used to generate the passphrase, including the length of the source dictionary. Five EFF words = 7776^5 = 2.8*10^19, **not** 95^38 (1.4x10^75). The example passwords given are within a couple of orders of magnitude of complexity. – Royce Williams Jan 24 '20 at 16:07
  • I agree with everything you've said in your comments. – schroeder Jan 24 '20 at 17:50
  • The context is: why not use long passphrases instead of short random strings? I'm saying: use long random strings and manage them properly. The OP makes a false comparison between a long password and a short one, the difference being perceived ease. – schroeder Jan 24 '20 at 17:53
  • 3
    The ease of use, or UX, actually **is** an important security property. If you use a password manager, doesn’t matter. If you don’t, it is **impossible** to use a string of random characters. Which means that people will fall back to something much less secure. Even if you have a password manager, you will have to type the pw every once in a while, often on a phone. For random passwords this is so annoying these folks will often be tempted to reset it to something „easier“. – averell Jan 25 '20 at 14:54
  • @averell the context is not end users but an IT department. As I have said, the question is asked and reasoned backwards – schroeder Jan 25 '20 at 14:55
  • @averell The agency I work for has instituted a password manager for certain types of accounts. Despite it being "impossible" to use a string of random characters, that is what we're doing on a daily basis. The string is 16+ characters long consisting of all four character classes. Using a password manager is forbidden. – doneal24 Jan 25 '20 at 17:01
  • 1
    @doneal24, yes it is possible to memorize a 16+ character string with the right techniques. It can also be "used". I would be very surprised if the majority of a group of people would do so without cheating. And memorizing a 9-word diceware phrase would still be easier for the same entropy. – averell Jan 25 '20 at 17:20
-2

A password easy to remember is a password easy to guess.

Instead of your methods (1) and (2), I would suggest you to use one of the following methods:

  • (3) spb)"'EI"]2SE+4l;p4-6Wooe (randomly generated among the 96 printable ASCII characters)
  • (4) H3dkot-3QW9Ff-szjhwm-BX3Xqn (without look-alike characters, into blocks)

Which are both over 128 bits of entropy. You should never have to remember nor type them because they should be stored into a password manager, but if in some rare cases you really have to, then (4) is easier to type or to copy by hand on paper.

By the way, 64 bits of entropy is very weak to protect a password manager, you would need to remember and type 10 dicewords without mistakes to achieved the recommended 128 bits. Just use whatever passphrase that is easy for you to remember to unlock your password manager, as long as it's long enough and it's not a citation.

A. Hersean
  • 10,173
  • 3
  • 29
  • 42
  • Your entropy comparison calculation is incorrect; see my reply to schroeder. Shannon entropy is an upper bound for password entropy, but true *password attack entropy* is usually far less. To demonstrate this, presume the attacker knows which dictionary was used, and calculate the passphrase "keyspace" - the number all possible passphrase combinations. A passphrase of sufficient entropy can be constructed using ordinary words, as long as the dictionary length and number of words are sufficient to put the number of combinations beyond the reach of the attacker's computational power. – Royce Williams Jan 24 '20 at 16:28
  • @RoyceWilliams The Shannon entropy of (3) is log2(96^25)=164.6 and the entropy of (4) is log2(51^24)=136.1. Because they were randomly generated, the fastest attack against those passwords is brute-force (randomly or sequentially), there are no clever ways around it. Thus, the average number of tries to guess them, is 2^163.6 for (3) and 2^135.1 for (4). Your *password attack entropy* is thus 163.6 for (3) and 135.1 for (4). – A. Hersean Jan 24 '20 at 17:03
  • Oh, I don't dispute your calculations for (3) and (4) at all! What I dispute is the implied comparison with the passphrase calculations - and more broadly, the implied need for this amount of entropy. Even if you assume a terribly fast hash (like MD5), that the attacker has private computational ability exceeding that of the global Bitcoin hashing network that improves with Moore's Law, a 50-year attack time, and a hash quantum-grade weakness that improves attack speed 1M times, a 24-character randomly-generated password is overkill. – Royce Williams Jan 24 '20 at 17:19
  • @RoyceWilliams The passphrase locking a database (password manager) is a symmetric key: it's indeed a secret used to symmetrically encrypt a message (the database). Most standardization bodies (https://www.keylength.com/) recommend a length of 128 bits for symmetric keys. I guess your definition of a security margin does not align to the definition given by cryptographers. – A. Hersean Jan 24 '20 at 17:25
  • 2
    If the password was used directly as a raw key, I'd agree with you. :D As I understand it, in the password-manager case, the effective strength (resistance to attack) of the key is derived not just from the raw entropy of the human-entered password, but also the native strength of the hash itself and the high number of rounds/iterations - such that the effective resistance to cracking is amplified far beyond that raw entropy of the human-entered password. If these systems made the human responsible for all 128 bits, they'd be unusable. But I'm a bit out of my expertise here. :) – Royce Williams Jan 24 '20 at 23:00
  • @RoyceWilliams The strongest password-based key derivation algorithms, like argon2, increase the computation effort by around 30 bits. Using such an algorithm, one still need a password of at least 98 bits. If one is taking the trouble to have a passphrase of 98 bits, one could also take just one step further to go to 128 bits and be assured that the strength of the key is not dependent of an algorithm and its settings. – A. Hersean Jan 27 '20 at 09:25
  • Given that modern algorithms like argon2 have customizable numbers of rounds/complexity, I don't think that an absolute bit value can be assigned to a given modern algorithm. But for the general topic, for passwords that must be memorized (password manager, core interactive login (AD domain, etc.)), I do not think that ordinary users should be expected to memorize 98 bits, let alone 128, from a UX perspective - nor do I think that it is necessary, neither from a mathematical nor a threat-model perspective. We'll have to agree to disagree here. – Royce Williams Jan 27 '20 at 21:48