2

It's "time to add a word" says Arnold Reinhold, the creator of Diceware, in his blog (3/2014). He advices to use 6 word sentences (or 5 words with one extra character chosen and placed at random) from now on. Reasons given include that he predicted the likelihood of a change in 2014 back in 1995, and that "Today criminal gangs probably have access to more computing power then the NSA"

There is evidence and there are hints (Wikipedia (On the other hand ..) and stackexchange (my comment on Goldberg's answer) that there are (slight?) weaknesses in the Diceware word lists (not in the method). Understanding the he evidence in "Improving the Diceware memorable passphrase generation system" is beyond my math capabilities. I do understand though that the average recovery time of a 4 word sentence can indeed be reduced because ~22 character sentences are the most likely ones. And if the passphrase character count is somehow known, even the exhaustive recovery time may be reduced.

However, Arstechnica mentiones 3/2014 (update) an email received from Gosney in which he would have written "Since there are no tools that currently combine three or more words, we don't really know for sure how much slower it would be compared to his 25 GPU monster cracks."

Are there really no tools and performance measurements available for cracking 3 word or larger Diceware passphrases? I have tried to find measurements and can only find grammar based proof of principle recovery of phrases.

Added in 2 steps after the answers of Thomas Pornin and Arnold Reinhold

Arnold Reinhold acknowledges one word list weakness (Diceware words can run together, “act” and “ion” form "action"). Arnold Reinhold: "I now recommend that users of Diceware put a space character between each word, which completely eliminates this problem." Yet, what is a new formula for calculating entropy of a passphrase when spaces are not used?

Dick99999
  • 525
  • 5
  • 8

2 Answers2

7

You cannot know what tools exist. Actually, if the attack pattern can be enunciated ("just use three random words from a list of common words") then it can be translated to code in a matter of minutes. That the already-compiled, ready-to-run tool is not accessible from a single Google search and a couple of clicks does not mean that it does not exist, only that the level-zero, pre-schooler attackers may have some trouble trying to crack your password. But would you consider your security goal achieved when you have defeated bored kids ?


Any assertion comparing computing abilities with that of "the NSA" should be dismissed as meaningless. You cannot use as the basis of a measure scale a quantity which is already unknown; it would be like describing your new truck as "longer than Nessie". A sentence like:

Today criminal gangs probably have access to more computing power then the NSA

really reads like:

I don't know what "criminal gangs" and "the NSA" can do or not, but I want you to get afraid and be crushed by the weight of your own fantasies at that point.

What matters is entropy: a mathematical, precise notion of what the attacker does not know. You should use a password generating process which allows you to not only achieve high entropy, but also lets you compute that entropy with the least possible assumptions; in particular, you don't want to have to suppose that some tools "are not available to the attacker", because that cannot be readily quantified. As for multi-word passphrases, see this answer for entropy calculations.

Thomas Pornin
  • 322,884
  • 58
  • 787
  • 955
  • I have not claimed that a tool does not exists,I merely quoted someone who is quoted a lot for SOTA in guessing. My question is guessing related, so in stead of [Entropy is a measure of the generation process](http://security.stackexchange.com/a/33915), I prefer your view [Entropy is a measure of the average cost of hitting the right password in a brute force attack](http://security.stackexchange.com/a/6096/26204). And then the word lists weakness references come in. If for example entropy leakage is true then the referred calculation is not right. So I have edited my question regarding this. – Dick99999 Jul 16 '14 at 15:58
  • To be fair, it _is_ a fact that "criminal gangs" (if that includes anyone who breaks the law) have more raw computing power than the NSA, simply because botnets can get really, really big. Now, that doesn't mean they necessarily have the ingenuity to put that processing power to _use_ as efficiently, but they certainly have it, since they're re-using others' resources. Of course, that doesn't mean someone is going to fire up every bot in a massive botnet just to get your passwords... – forest Sep 22 '18 at 10:44
5

There is nothing complicated about building a tool to crack Diceware passphrases assuming you have an oracle, such as a hash of the passphrase, that will tell you when you have the correct answer. The cracking tool would simply loop through all possible combinations of up to n words from the Diceware list. It is also straightforward to estimate how long such an attack would take: 7776 to the nth power times the time needed to test one candidate passphrase. That amount of time guarantees you’ll find the pass phrase, you have a 50-50 chance of succeeding in half that time. If multiple compute engines are used, divide by the number of engines. The strength of Diceware comes from the fact that 7776 to the nth power gets to be a very big number for n = 5 or more.

I am not trying to scare anyone. There are enough stories in the press about security breaches to serve that purpose for anyone who cares. When I first proposed Diceware in 1995, n=5 seemed to provide enough protection for most users security needs, at least for the next couple of decades. The computing power available for a given amount of expenditure has increased steadily since then, as expected, and achieving the same level of security today that 5 Diceware words provided in 1995, in my judgement, requires a sixth word. If all systems used techniques like key stretching to protect stored passwords, five words would still suffice, but unfortunately key stretching is more the exception than the rule.

If the Diceware words are run together, there is the possibility of two smaller words combining to form another Diceware word, for example “act” and “ion” combine to form ”action.” When this happens, the strength of the passphrase is reduced by one word. I now recommend that users of Diceware put a space character between each word, which completely eliminates this problem. When reports surfaced about password capture via acoustic analysis, I proposed eliminating the spaces. It has since become clear that doing this will not defeat acoustic analysis and there are other methods available to someone who can access your keyboard or get close to where you are typing your pass phrase, e.g. key capture software, a bugged cable, or video surveillance. So I am back to recommending spaces, which is more natural when typing a string of words. It also reduces the susceptibility of short Diceware pass phrases to brute force letter-by-letter attack, which is the most common threat in the wild.

Arnold Reinhold diceware.com

user52619
  • 96
  • 1
  • Welcome to Stack Exchange, Arnold. I recommend you to Change your display name and put a link to your website. You are also encouraged to provide any answer you may have :D – Ángel Jul 24 '14 at 19:23
  • Indeed the principle is simple, however, Gosney mentions that there is no GPU tool, to make that principle feasible on real hardware. Thomas Pornin contradicts that and mentions another approach: just take 5 random words over and over again (in a 'random' pattern) and try those. Both approaches would take an infeasible time for example for a wifi key of 5 words. – Dick99999 Jul 24 '14 at 20:22