Diceware strong master password generation method

If it gets to be a pain, you could assign perhaps 3 of those Diceware words to a hotkey to make entry quicker and less error-prone.

 

Well that's interesting. I'm not going to worry too much about it, to say the least, even if the entropy levels off at ~60 if the circumstances you mention above come into play. It's still going to take trillions of seconds (centuries) to crack with present technology. Even a 50 level takes centuries. I doubt I'll still be around by then The Diceware page does mention that a 6 word passphrase is usually overkill, which it would be in my case.

What is rather amazing is that the technology for cracking passwords has advanced at a seemingly exponential rate over the last 5 yrs or so. The crackers are starting to make it look like veritable child's play against the typical 6-8 character passwords so many people have used and still use these days.

no not at all.

 

It depends on how the password is hashed. The 25 GPU system from post #19 can calculate ~180 billion hashes per second for "fast hash" algorithms. Here is the calculation for average number of days for it to crack a 5 Diceware word password, assuming the worst-case that the cracker has perfect knowledge of your Diceware scheme:
0.5 * (7776^5) / 180000000000 / 3600 / 24 = 914 days.

If a "slow hash" function such as PBKDF2 is used, then multiply that estimate by maybe 10,000. Since TrueCrypt and LastPass both use PBKDF2, I feel comfortable with 5 Diceware words (or 14 random lowercase letters) for use as a password in TrueCrypt or a master password in LastPass for protection against a small organization for the next few decades.

 

It can be shown in computer science that it's impossible to write a computer program that guarantees that a given password is strong (i.e. highly random). The best that can be done is show that certain passwords aren't strong. See How much entropy in that password? for more information.

 

I'm using it for truecrypt and bitlocker volumes, as well as my Lastpass master pw. I'm not sure if Bitlocker's cryptographic hashing algorithm, SHA-256 I believe, offers comparable hashing to PBKDF2? I guess not. From what I gather from the below link, PBKDF2 makes the cracker's job harder:

-https://helpdesk.lastpass.com/security-options/password-iterations-pbkdf2/

 

REgarding LastPass, that's right.

Here are some links related to your BitLocker question:
http://community.spiceworks.com/topic/378549-how-secure-it-bitlocker
http://superuser.com/questions/2397...brute-force-attacks-on-the-48-character-recov
http://blogs.msdn.com/b/si_team/archive/2006/08/10/694692.aspx

Cracking speed of oclHashcat-plus against TrueCrypt using 2 AMD Radeon HD 6990 graphics cards: (from hxxp://hashcat.net/forum/thread-2301.html):

From Diceware FAQ:

That's assuming a "fast hash" function is being used. 5 Diceware words against a "slow hash" function is probably in the realm of crackability by large organizations now or very soon.

 

If using a physical source of entropy such as dice or coins is infeasible, the next best thing you could try is perhaps http://www.random.org/integers/.

 

I went with the 5 word passphrase because form the Diceware FAQ:

-http://world.std.com/~reinhold/dicewarefaq.html#howlong

I'll probably have to re-do the passphrases on both of our wifi wpa2 access points, although I believe they're pretty strong already. I get flack from my family for this type of behavior; they think I'm going overkill

 

That text hasn't been updated in awhile though, I think. It was probably true when it was written. You're probably ok with 5 Diceware words for WPA though, because it uses a "slow hash" function (see list at http://en.wikipedia.org/wiki/PBKDF2), unless you're trying to protect against a large organization.

 

The wording used in the FAQ hasn't changed in some areas since at least March 2001 - see http://web.archive.org/web/20010329234857/http://world.std.com/~reinhold/dicewarefaq.html.

My recommendations are at the bottom of post #17.

 

Okay I see what you're saying. I should still be ok going with your advice at bottom of post 17 I've even modified the phrase somewhat to give it apparently more entropy, whilst not making things more confusing for myself. I have to be careful, I'm getting old plus my sensitive data isn't going to interest serious organizations like the CSIS

 

It's a good idea to make one of your passphrase words a memorable non-dictionary word (such as jim52ben), just in case your passphrase is a combination of phrases that could be found in a cracking dictionary. There are cracking dictionaries out there with over 1 billion entries.

 

Okay done. This time no more changes

The entropy level on the drop box test is a ridiculous 123! The one word I used as a replacement in the passphrase is a few characters longer than what was there but very easy to remember and not in the dictionary. It's probably overkill but I trust your advice implicitly

 

I've changed the generation/revealer method from post #21:

Here is the new generator/revealer method that you should write down (you'll need a new password card too):

Question 1: (fill yours in)
Question 2: (fill yours in)
Question 3: (fill yours in)
Question 4: (fill yours in)
Question 5: (fill yours in)
Question 6: (fill yours in)
Question 7: (fill yours in)
Question 8: (fill yours in)

Grid position:
1 2 3
4 Center 5
6 7 8

Function that maps letters in your questions to start center letter in grid:
aa-ah: Z
ai-ap: Y
aq-az: X
ba-bz: W
ca-cz: V
da-dz: U
ea-fl: T
fm-gz: S
ha-hl: R
hm-hz: Q
ia-in: P
io-kz: O
la-lz: N
ma-mz: M
na-og: L
oh-oz: K
pa-pz: J
qa-sj: I
sk-sz: H
ta-tf: G
tg-tl: F
tm-tr: E
ts-tz: D
ua-we: C
wf-wq: B
wr-zz: A

Function that maps letters in your questions to grid movement method:
aa-al: move up, jump 1 center letter with every move; if already at topmost row, then go to bottommost row of adjacent column to the left; if at center letter A, then go to center letter U
am-az: move right, jump 1 center letter with every move; if already at rightmost column, then go to leftmost column of adjacent row to the bottom; if at central letter Z, then go to central letter A
ba-cz: move down, jump 1 center letter with every move; if already at bottommost row, then go to topmost row of adjacent column to the right; if at central letter U, then go to central letter A
da-dz: move left, jump 1 center letter with every move; if already at leftmost column, then go to rightmost column of adjacent row to the top; if at central letter A, then go to central letter Z
ea-eh: move up, jump 2 center letters with every move; if already at topmost row, then go to bottommost row of adjacent column to the left; if at center letter A, then go to center letter U
ei-ep: move right, jump 2 center letters with every move; if already at rightmost column, then go to leftmost column of adjacent row to the bottom; if at central letter Z, then go to central letter A
eq-ez: move down, jump 2 center letters with every move; if already at bottommost row, then go to topmost row of adjacent column to the right; if at central letter U, then go to central letter A
fa-gz: move left, jump 2 center letters with every move; if already at leftmost column, then go to rightmost column of adjacent row to the top; if at central letter A, then go to central letter Z
ha-hs: move up, jump 3 center letters with every move; if already at topmost row, then go to bottommost row of adjacent column to the left; if at center letter A, then go to center letter U
ht-ik: move right, jump 3 center letters with every move; if already at rightmost column, then go to leftmost column of adjacent row to the bottom; if at central letter Z, then go to central letter A
il-kz: move down, jump 3 center letters with every move; if already at bottommost row, then go to topmost row of adjacent column to the right; if at central letter U, then go to central letter A
la-lz: move left, jump 3 center letters with every move; if already at leftmost column, then go to rightmost column of adjacent row to the top; if at central letter A, then go to central letter Z
ma-nh: move up, jump 5 center letters with every move; if already at topmost row, then go to bottommost row of adjacent column to the left; if at center letter A, then go to center letter U
ni-nz: move right, jump 4 center letters with every move; if already at rightmost column, then go to leftmost column of adjacent row to the bottom; if at central letter Z, then go to central letter A
oa-ol: move down, jump 5 center letters with every move; if already at bottommost row, then go to topmost row of adjacent column to the right; if at central letter U, then go to central letter A
om-oz: move left, jump 4 center letters with every move; if already at leftmost column, then go to rightmost column of adjacent row to the top; if at central letter A, then go to central letter Z
pa-rh: move up, jump 6 center letters with every move; if already at topmost row, then go to bottommost row of adjacent column to the left; if at center letter A, then go to center letter U
ri-rz: move right, jump 5 center letters with every move; if already at rightmost column, then go to leftmost column of adjacent row to the bottom; if at central letter Z, then go to central letter A
sa-so: move down, jump 6 center letters with every move; if already at bottommost row, then go to topmost row of adjacent column to the right; if at central letter U, then go to central letter A
sp-td: move left, jump 5 center letters with every move; if already at leftmost column, then go to rightmost column of adjacent row to the top; if at central letter A, then go to central letter Z
te-tn: move up, jump 7 center letters with every move; if already at topmost row, then go to bottommost row of adjacent column to the left; if at center letter A, then go to center letter U
to-tz: move right, jump 6 center letters with every move; if already at rightmost column, then go to leftmost column of adjacent row to the bottom; if at central letter Z, then go to central letter A
ua-wd: move down, jump 7 center letters with every move; if already at bottommost row, then go to topmost row of adjacent column to the right; if at central letter U, then go to central letter A
we-zz: move left, jump 6 center letters with every move; if already at leftmost column, then go to rightmost column of adjacent row to the top; if at central letter A, then go to central letter Z

Concatenate the following in order without any additional characters (convert resulting password to lowercase letters):
Grid position 1: letters to use for start letter function=first two letters of answer to question 1; letters to use for movement method function=4th and 5th letters of answer to question 1; length=(fill in number of password characters that grid position 1 generates)
Grid position 2: letters to use for start letter function=first two letters of answer to question 2; letters to use for movement method function=4th and 5th letters of answer to question 2; length=(fill in number of password characters that grid position 2 generates)
Grid position 3: letters to use for start letter function=first two letters of answer to question 3; letters to use for movement method function=4th and 5th letters of answer to question 3; length=(fill in number of password characters that grid position 3 generates)
Grid position 4: letters to use for start letter function=first two letters of answer to question 4; letters to use for movement method function=4th and 5th letters of answer to question 4; length=(fill in number of password characters that grid position 4 generates)
Grid position 5: letters to use for start letter function=first two letters of answer to question 5; letters to use for movement method function=4th and 5th letters of answer to question 5; length=(fill in number of password characters that grid position 5 generates)
Grid position 6: letters to use for start letter function=first two letters of answer to question 6; letters to use for movement method function=4th and 5th letters of answer to question 6; length=(fill in number of password characters that grid position 6 generates)
Grid position 7: letters to use for start letter function=first two letters of answer to question 7; letters to use for movement method function=4th and 5th letters of answer to question 7; length=(fill in number of password characters that grid position 7 generates)
Grid position 8: letters to use for start letter function=first two letters of answer to question 8; letters to use for movement method function=4th and 5th letters of answer to question 8; length=(fill in number of password characters that grid position 8 generates)

------------

Note #1: I tried to divide the 26 possible inputs into the start center letter mapping function into 26 roughly equal size "buckets" using "Relative frequencies of the first letters of a word in the English language" at http://en.wikipedia.org/wiki/Letter_frequency.

Note #2: I tried to divide the 24 possible inputs into the movement method mapping function into 24 roughly equal size "buckets" using "Relative frequencies of letters in the English language" at http://en.wikipedia.org/wiki/Letter_frequency.

Note #3: this advice from post #21 no longer applies to the method in this post: "Since the letters j, q, x and z occur infrequently, try to make sure that you choose one question that results in a start central letter of j, q, x, or z if there isn't one already."

------------

How to calculate the number of possibilities for a person bruteforcing this method itself (or yourself if you forget some of the answers to your questions):
Start with 1; for each forgotten/unknown answer to a question, multiply by either 26 if the given question generates 1 password character (because there are 26 possible starting center letters)
or (26*24) if the given question generates 2 or more password characters (because there are 26 possible starting center letters and 24 possible movement methods).

Examples:
Let's suppose that I am using a 16 character password, with each grid position generating/revealing 2 characters. Let's suppose the attacker knows none of the answers to my 8 questions. Number of possibilities to try = (26*24)*(26*24)*(26*24)*(26*24)*(26*24)*(26*24)*(26*24)*(26*24)= ~22,900,000,000,000,000,000,000. Assuming a "fast hash" function and a guess rate of 180,000,000,000 guesses a second (that's the rate from the 25 GPU system mentioned in a previous post), the attacker would take on average 0.5*((26*24)^8 ) / 180000000000/3600/24 = ~739,000 days. Multiply that estimate by around 10,000 if a "slow hash" function is being used.

Let's suppose that I am using a 16 character password, with each grid position generating/revealing 2 characters. Let's suppose I forget the answer to 1 of my 8 questions. Number of possibilities to try = (26*24) = 624.

Let's suppose that I am using a 14 character password, with each grid position generating/revealing 2 characters, except two grid positions that generate 1 character apiece. Let's suppose the attacker knows none of the answers to my 8 questions. Number of possibilities to try = (26)*(26)*(26*24)*(26*24)*(26*24)*(26*24)*(26*24)*(26*24)=34,000,000,000,000,000,000. Assuming a "fast hash" function and a guess rate of 180,000,000,000 guesses a second (that's the rate from the 25 GPU system mentioned in a previous post), the attacker would take on average 0.5*(((26*24) ^ 6)*26*26) / 180000000000/3600/24 = ~1090 days. Multiply that estimate by around 10,000 if a "slow hash" function is being used.

Note: the above calculations don't take into consideration the frequency correlations of the 1st and 2nd letters of a word with the 4th and 5th characters of the same word. If this bothers you, you could use an additional 8 questions for your movement letters questions.

Note: there are some movement methods that can produce identical results for a given start center letter. So in some cases there are less than 24 unique movement method results for a given start center letter. My calculations above don't take this into account.

 

Here's why:
There are cracking dictionaries with over 1 billion entries. Let's suppose that your passphrase unfortunately consists of two concatenated entries in a cracking dictionary. Let's assume a cracker tries a combination attack, using every entry in a 1,000,000,000 item cracking dictionary concatenated with every entry in the cracking dictionary. Let's do the average cracking time math, assuming we're using the 25 GPU system from a prior post: 0.5 * 1,000,000,000 * 1,000,000,000 / 180,000,000,000 / 3600 / 24 = 32 days (for a "fast hash" function). Multiply that estimate by maybe 10,000 for a "slow hash" function. If you're using a word that's not in a standard dictionary, then you really throw a monkey wrench into such a crack attack.

Example:
Your password is: blue squirrel engine red tin. Seems pretty good, right? However, Google finds results for "blue squirrel" as well as "engine red tin", so I wouldn't want to use this password.

 

@Wat,

Just to be clear,

PBKDF2 takes SHA and iterates it multiple times, adding a random salt on each iteration. Essentially, if your SHA2 hash takes 2 seconds to compute and you add one round of PBKDF2 it will instead take ~4 seconds to computer. If you add 10,000 rounds, it will take 2,000 seconds.

LastPass goes up to 256,000 rounds, which makes bruteforcing very difficult, even on cracking arrays.

edit: And in the case of LastPass and other services that offer 2Factor Authentication, your best bet is to pick what feels like a strong password and to implement 2FA. It's not good to rely purely on it, but it will be more effective in many scenarios than a strong password.

 

Reminder: see post #29 .

Any password entropy calculation has to assume that certain password templates are being used. If the cracker is using other password templates, then the entropy could be (much) lower, or higher.

 

Follow up to post #40:

The entropy of any password that's the result of the concatenation of two items in a 1,000,000,000 item cracking dictionary with respect to this template (the dictionary concatenation method) is ~59.8, because 2^59.8 = ~ 1,000,000,000*1,000,000,000.

 

Thanks! I've read in the Ars Technica article quoted earlier that some websites are, or at least were, using very weak hashing algorithms, such as Linkeden and eHarmony, to name a few. I suppose this would make it incumbent upon the end user to come up with quite strong pass phrases to counter-act that weak hashing.

I know. One test site ( http://rumkin.com/tools/password/passchk.php ) gave it a 158. Even if a template's used to reduce the 123 I quoted earlier by 60% I'm still @ > 50. I'm quite confident that if my pass phrase puts me in trouble then the majority of mankind using website passwords is in equal or probably far worse trouble. Let's just say the total number of characters it uses is >25 but <40 and it follows the Diceware method with a couple minor twists.

That Ars Technica article summarizes with advice to make, in particular, every website password unique (no duplicates) and to use at least 9 characters. EDIT 12/31/13 also to avoid words that might be found in a dictionary attack list. It seems now mostly hybrid attacks and brute forcing are primary attack types, especially because many people are using 6-8 character passwords? Maybe dictionary attacks? Rainbow tables look to be effective mostly against 7-8 character passwords. My goodness if I'm over 25 characters where I know for sure one of the words is not a dictionary listing, then I can't be too concerned about getting breached

I guess our biggest concern is with sites like those I alluded to earlier that utilize weak salting. I don't deal with either of those, but I suppose there are probably a few that I deal with that do use weak salting. I know I don't have anything of overly sensitive or valuable nature on them, so that at least minimizes my concern. As long as my bank uses strong hashing (it's one of the "big banks" so I'm confident it does) then that eases my mind.

All I can say is I'm far better off than I was a few days ago, and even then the majority of my passwords across the web were 9 or more. We'll see but I'm not going to sweat things for now

I've done a thorough overhaul of all the sites in my LastPass vault. Things are far better than they were.

 

Note: made a correction to generator in post #39. (Brain said one thing and fingers typed something else.)

I skipped a "move 4 center squares" method on purpose because moving up or down 4 squares is often the same as moving left or right one square.

 

The other thing is to make sure each of your passwords is different, so that a breach in one place doesn't affect you in other places. That's why it's nice to use a password manager to generate strong pseudo-random non-memorable passwords for you .

Update: I see you wrote that already.

 

Due to laziness I had duplicate passwords all over the place. That's all since been fixed up as part of my overhaul

 

Does anybody know a different system for writing down master passwords other than encrypting the master password file (or master password hint file) using an "answers to personal questions" password, or the method in posts #21 and #39? Also not including using steganography or NTFS Alternate Data Streams. And not including "write it on paper and put it in your wallet."

 

One of these was generated by http://www.random.org/integers/, while the other was generated by a math function. Can anyone tell which one is provably non-random?

175240713510594624943316481956934187683
387151428082408927585787729519437765561

If you're wondering what the point is, please see post #29 .

 

Follow-up from post #40:

I tested these 4 phrases to see if they're in the 1 billion+ item list mentioned in https://www.wilderssecurity.com/showpost.php?p=2320938&postcount=1:
blue squirrel: no
bluesquirrel: yes
engine red tin: no
engineredtin: no

You can compute hashes by using sites such as http://www.miraclesalad.com/webtools/md5.php.

I tried these also:
in the game: yes
little red corvette: yes
has a penchant for: no
went up the mountain: no