Dice-Generated Memorable Passphrases ftw

Started by Darren Dirt, January 03, 2019, 09:47:13 AM


Darren Dirt

https://www.eff.org/dice

"Passphrases made of randomly-chosen words can be both easy to remember and hard for someone else to guess, which is what we want out of a passphrase."

Create strong passphrases with EFF's new random number generators! This page includes information about passwords, different wordlists, and EFF's suggested method for passphrase generation. Use the directions below with EFF's random number generator dice or your own set.

Why Use Passphrases?

The word "passphrase" is used to convey the idea that a password, which is a single word, is far too short to protect you and that using a longer phrase is much better.

The increased length can allow for a greater number of possibilities overall, even if you use a passphrase made of random words to help you remember it.

Passphrases made of randomly-chosen words can be both easy to remember and hard for someone else to guess, which is what we want out of a passphrase.

Computers are now fast enough to quickly guess passwords shorter than ten or so characters - and sometimes quite a few more.

That means short passwords of any kind, even totally random ones like nQ\m=8*x or !s7e&nUY or gaG5^bG, may be too weak, especially for settings where an attacker is able to quickly try an unlimited number of guesses. This is not necessarily true for an online account, where the speed and quantity of guesses will be limited, but it could be true in other cases (for instance, if someone gets ahold of your device and is trying to crack its encryption password).

_____________________

Strive for progress. Not perfection.
_____________________

Darren Dirt

Dice Passphrases - URLs

I found the EFF main article via https://ofaolain.com/blog/2019/01/03/better-answers-to-security-questions/ -- aka "why not use random passphrases for your TFA Security Questions"?

EFF's Long Wordlist [.txt], for use with five dice:
https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt

EFF's Short Wordlist #1 [.txt], featuring only short words, for use with four dice:
https://www.eff.org/files/2016/09/08/eff_short_wordlist_1.txt

EFF's Short Wordlist #2 [.txt], for use with four dice, featuring longer words that may be more memorable:
https://www.eff.org/files/2016/09/08/eff_short_wordlist_2_0.txt

The creator of our wordlists, Joseph Bonneau, has written a deep dive about passphrase security, and the methodology and criteria he used to create our EFF wordlists:
https://www.eff.org/deeplinks/2016/07/new-wordlists-random-passphrases

You can also use Arnold G. Reinhold's Diceware word list, the original and still very popular list for using dice to create passphrases:
http://world.std.com/~reinhold/diceware.html
_____________________
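An added example (not from the EFF page or the post above) of the lookup these lists are built for: each word is picked by a run of die rolls, so a five-dice list has 6^5 = 7776 entries and a four-dice list 6^4 = 1296. The two-dice `SAMPLE` list of placeholder words is constructed for the demo, the function names are hypothetical, and both the one-key-and-word-per-line layout and the 95-symbol alphabet used for the random-password comparison are assumptions.

```python
import math
import secrets

# Constructed two-dice list (36 placeholder words) so the example runs offline.
SAMPLE = "\n".join(f"{a}{b}\tword{a}{b}" for a in "123456" for b in "123456")

def parse_wordlist(text):
    """Parse 'KEY WORD' lines (assumed layout) and verify the list is usable."""
    table = {}
    for line in text.splitlines():
        if line.strip():
            key, word = line.split()
            if set(key) - set("123456"):
                raise ValueError(f"bad dice key: {key!r}")
            table[key] = word
    dice = len(next(iter(table), ""))
    # Every dice outcome must map to exactly one distinct word; a missing,
    # duplicated or repeated entry silently lowers the entropy per word.
    if (len(table) != 6 ** dice or any(len(k) != dice for k in table)
            or len(set(table.values())) != len(table)):
        raise ValueError("wordlist must cover each dice outcome exactly once")
    return table

def roll_key(dice):
    """Stand-in for physical dice: uniform rolls from the OS CSPRNG."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(dice))

def passphrase(table, words):
    """Look up one word per group of rolls, as done by hand with real dice."""
    dice = len(next(iter(table)))
    return " ".join(table[roll_key(dice)] for _ in range(words))

def bits(choices, length):
    """Entropy of `length` independent uniform picks from `choices` options."""
    return length * math.log2(choices)

def words_needed(dice, target_bits):
    """Smallest word count whose entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(6 ** dice))

if __name__ == "__main__":
    print(passphrase(parse_wordlist(SAMPLE), 6))
    print(f"six words, five-dice list: {bits(6 ** 5, 6):.1f} bits")
    print(f"six words, four-dice list: {bits(6 ** 4, 6):.1f} bits")
    # Assumption: an 8-character random password drawn from 95 printable symbols.
    print(f"8 random characters:       {bits(95, 8):.1f} bits")
```

The entropy figures hold only when every roll is uniform and independent; picking words by eye from the list does not qualify.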

Darren Dirt

Password cracking -- a surprisingly understandable "how to" (Ars Technica 2013 article)
(especially see the comments on page 3 by "epixoip / Password Expert")

https://arstechnica.com/information-technology/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/
https://arstechnica.com/information-technology/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/2/
https://arstechnica.com/information-technology/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/3/

comment: "Capital at the beginning, digits at the end, all lowercase in the middle. It's a poor password because it's using a common pattern. That was the point of the article."

Ev3n when y0u do stuff like th1s.

_____________________