Entropy: the randomness and unpredictability of data
The consensus among security experts today is that strong passwords rely on high entropy and length: the more random and longer a password is, the harder it will be to crack. I’ve just been reading about a lass who has set up her own website (dicewarepasswords.com) selling strong passwords for $2.00 a pop. Mira Modi, an 11-year-old sixth grader from New York, creates her passwords using the ‘Diceware’ method and then sends them to customers on a piece of paper in a sealed envelope via snail mail. Ms. Modi is obviously a very bright young lady as well as a budding entrepreneur.
Diceware is a well-known, established system for creating strong passwords using common 6-sided dice and a special Diceware word list. To create a password you simply roll the dice until you have a five-number sequence, then match that sequence to the corresponding word in the Diceware word list. Repeat this process according to the number of words required – 6 words is the recommended minimum.
The rolling of the dice ensures both randomness and unpredictability resulting in a high degree of entropy, while an adjustable word count takes care of length requirements. According to Micah Lee, technologist for The Intercept, who has written extensively about the Diceware method, a 6-word passphrase created this way would take 3,505 years to crack at a trillion guesses per second.
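To make the procedure above and the arithmetic behind Mr. Lee’s figure concrete, here is a small Python script I have added for illustration; it is not code from the original post, from Mr. Lee, or from the Diceware project. It rolls the dice with Python’s `secrets` module (a cryptographically secure source, which is what you want if you replace physical dice with software), turns each group of five rolls into a lookup key, and reports the entropy and average cracking time for a given word count. The real Diceware list is not reproduced here, so `build_placeholder_wordlist()` builds a constructed stand-in with the right shape (7,776 entries keyed "11111" through "66666"); substitute the genuine list for real use. The 3,505-year figure comes out when you assume the attacker has to try half the keyspace on average at a trillion guesses per second and use a 365-day year, which is an assumption on my part about how the figure was derived.

```python
import itertools
import math
import secrets

DICE_SIDES = 6
ROLLS_PER_WORD = 5
LIST_SIZE = DICE_SIDES ** ROLLS_PER_WORD  # 7776 words in a Diceware list


def build_placeholder_wordlist():
    """Constructed stand-in for the real Diceware list.

    Keys are the 7,776 possible five-roll sequences in order ("11111" ... "66666");
    values are placeholder tokens. Replace with the genuine list before real use.
    """
    keys = ("".join(k) for k in itertools.product("123456", repeat=ROLLS_PER_WORD))
    return {key: f"word{i:04d}" for i, key in enumerate(keys)}


def roll_die():
    # secrets.randbelow is unbiased and unpredictable; random.randint is not
    # suitable for generating passphrases.
    return secrets.randbelow(DICE_SIDES) + 1


def roll_key(rng=roll_die):
    # Five rolls, concatenated, form the lookup key, e.g. "35216".
    return "".join(str(rng()) for _ in range(ROLLS_PER_WORD))


def diceware_passphrase(wordlist, n_words=6, rng=roll_die):
    """Return a list of n_words words chosen by dice rolls."""
    # A short or duplicated list silently lowers the entropy, so refuse it.
    if len(wordlist) != LIST_SIZE:
        raise ValueError(f"word list must have exactly {LIST_SIZE} entries")
    return [wordlist[roll_key(rng)] for _ in range(n_words)]


def entropy_bits(n_words, list_size=LIST_SIZE):
    # Each word contributes log2(list_size) bits (about 12.9 for Diceware).
    return n_words * math.log2(list_size)


def average_crack_years(n_words, guesses_per_second=1e12, list_size=LIST_SIZE):
    """Expected time to find the passphrase by brute force.

    Assumes (my assumption) the attacker searches half the keyspace on average
    and a 365-day year; with a trillion guesses/sec this gives 3,505 years for
    six words.
    """
    keyspace = list_size ** n_words
    seconds = keyspace / 2 / guesses_per_second
    return seconds / (365 * 24 * 3600)


if __name__ == "__main__":
    words = build_placeholder_wordlist()
    phrase = diceware_passphrase(words, n_words=6)
    print(" ".join(phrase))
    print(f"entropy: {entropy_bits(6):.1f} bits")
    print(f"average time to crack at 1e12 guesses/s: {average_crack_years(6):,.0f} years")
```

The `rng` parameter exists so the roll source can be swapped for a scripted sequence when testing; in normal use leave it at the default so every roll comes from `secrets`.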
While I concede that 6-word passphrases created via the Diceware method are certainly very strong, I remain unconvinced they would be all that easy to remember, especially for an old geezer like me, for whom anything past 18 seconds ago is a fading memory. Here are several examples: cap liz donna demon self bang, vivo thread duct knob train orb, and brig alert rope welsh foss rang, none of which appear to be all that memorable to me. Although, I guess they would certainly be easier to remember than something like As#$thJ&*9(lM?Oq.
In fairness, Mr. Lee does not actually say the passphrases are easy to remember, rather that they are “very possible to memorize”:
Diceware is a method for generating passphrases that are both impossible for even the most powerful attackers to guess, yet very possible for humans to memorize.
- Check out Micah Lee’s in-depth and very interesting article here: Passphrases That You Can Memorize — But That Even the NSA Can’t Guess
Considering strong passwords play a critical role in today’s online security, the Diceware method is certainly worthy of consideration.
I’ll close by asking you to participate in a sort of poll – the question is this: Given that you follow Micah Lee’s advice on how to memorize passphrases, which is as follows:
I recommend that you write your new passphrase down on a piece of paper and carry it with you for as long as you need. Each time you need to type it, try typing it from memory first, but look at the paper if you need to. Assuming you type it a couple times a day, it shouldn’t take more than two or three days before you no longer need the paper, at which point you should destroy it.
Do you believe you would eventually be able to easily remember a Diceware created 6-word passphrase… yes or no?