Diceware strong master password generation method

Discussion in 'privacy technology' started by MrBrian, Dec 22, 2013.

Thread Status:
Not open for further replies.
  1. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Yes, many sites use MD5 or two MD5 hashes. MD5 is implemented incredibly fast and therefor is not safe for password storage.
     
  2. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Here's a simpler alternative to the methods of posts #21 and #39:

    We'll once again use https://ssl-account.com/meine-passwortkarte.de//form_type1.php. I'll demonstrate by encoding whsswiomjfreab.

    First, list some personal questions that you know the answers to but few others know the answers to. See http://goodsecurityquestions.com/examples.htm for some ideas. As an example, I'll use these questions:
    1. What are the first 4 letters of my mother's maiden name?
    2. What are the first 4 letters of the last name of the teacher of my 10th grade World History class?
    3. What are the first 4 letters of the last name of the star of my favorite childhood comedy?
    4. What are the first 4 letters of my first wife's nickname for me?
    5. What are the first 4 letters of my childhood nickname?
    6. What are the first 4 letters of my oldest sibling's middle name?
    7. What are the first 4 letters of the city I was born in?

    Suppose the answers to the above questions are:
    1. zimm
    2. ande
    3. whit
    4. tudd
    5. bozo
    6. wils
    7. tusc

    Concatenate the answers above in order:
    zimmandewhittuddbozowilstusc

    The masterpassword field at https://ssl-account.com/meine-passwortkarte.de//form_type1.php cannot have any repeating letters, so eliminate repeated letters from left to right:
    zimandewhtubolsc

    The masterpassword field needs to be only as long as the password that you're encoding. whsswiomjfreab is 14 characters long. So I can drop the last two characters. The masterpassword field is now zimandewhtubol.

    Now alter your questions in light of the masterpassword field:
    1. What are the first 3 letters of my mother's maiden name?
    2. What are the first 4 letters of the last name of the teacher of my 10th grade World History class?
    3. What are the 1st, 2nd, and 4th letters of the last name of the star of my favorite childhood comedy?
    4. What is the 2nd letter of my first wife's nickname for me?
    5. What are the 1st and 2nd letters of my childhood nickname?
    6. What is the 3rd letter of my oldest sibling's middle name?

    Now go to https://ssl-account.com/meine-passwortkarte.de//form_type1.php and use Masterpassword=zimandewhtubol. On tab #1, enter Password=WHSSWIOMJFREAB. I used uppercase letters because some lowercase letters look a lot alike.

    Here's my generated password card:
    card.png

    Notice that you can fit 7 more passwords on the same password card.

    If you're leery of sending your passwords over the internet, you instead could have generated the same card as follows:
    Masterpassword=abcdefghijklmnopqrstuvwxyz
    Tab #1 Password=SETIOXXJHPMBSWADQJOFRZMJRW (i.e. just read the letters off from left to right on the grid)

    -----------

    Maximum number of possibilities for a cracker to try when bruteforcing this card = 26*25*24*23*22*21*20*19*18*17*16*15*14*13 = ~ 840,000,000,000,000,000, which is about 1/40 as many possibilities compared to the 14 character password in the method in post #39.

    Maximum number of possibilities for a cracker to try when bruteforcing a 16 character card = 26*25*24*23*22*21*20*19*18*17*16*15*14*13*12*11 = ~ 110,000,000,000,000,000,000, which is about 1/208 as many possibilities compared to the 16 character password in the method in post #39.

    These calculations don't take into consideration that some letters occur more frequently than others. An attacker could try more frequently occuring letters first. To overcome this, you could use a random letter sequence generator (such as http://www.random.org/strings/) to generate a Masterpassword field first, then write the questions that form the Masterpassword field afterwards.
     
    Last edited: Dec 31, 2013
  3. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I changed the movement method function in post #39. If you already printed the older version of the movement method function, your existing password card will still work fine with it.
     
    Last edited: Dec 31, 2013
  4. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I added to the last paragraph of post #52.

    ---------

    I deleted a few posts that had some bad advice about how to encode Diceware words in a grid. Here is what I recommend now:

    Use the method from post #39. Split your Diceware passphrase amongst the 8 grid positions as equally as possible. For example, suppose your Diceware passphrase is correct horse battery staple. This passphrase has 25 characters, excluding spaces. 25/8=3.125. So make sure that each grid position has at least 3 characters. You could split the passphrase amongst the 8 grid positions as follows:
    1: corr
    2: ect
    3: hor
    4: seb
    5: att
    6: ery
    7: sta
    8: ple
     
  5. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  6. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    From Myphrase: Passwords from your Own Words:
    Myphrase software/services
     
  7. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    From Spelling-Error Tolerant, Order-Independent Pass-Phrases via the Damerau-Levenshtein String-Edit Distance Metric:
     
  8. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  9. chiraldude

    chiraldude Registered Member

    Joined:
    Jul 3, 2010
    Posts:
    157
    Expanded password dictionary?

    I understand the Diceware concept but I think it would be too cumbersome for daily use. The Myphrase concept seems better but I would be concerned about the limited scope of the dictionary. My thinking is that you should force an attacker to expand their dictionary as much as possible.
    Everyone has some non-mainstream experience. College classes, friends from other cultures, work experience, etc... If you take some time to think about those experiences, you can start adding very unusual words that are never the less familiar to you. If you studied chemistry for example, open a chemistry textbook and pick out oddball words. (chirality and zwitterion for example)

    If your password can only be guessed by including dictionaries from multiple languages, plus academic words from physics, mathematics, chemistry, psychology, medicine, and so on, yours will not be one of the 90% that are found when someone steals a bunch of hashes.
     
  10. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I just checked over my LastPass settings. I had been using only 1 iteration for PBKDF2 o_O.
     
  11. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    2,440
    Location:
    Canada
    -https://helpdesk.lastpass.com/security-options/password-iterations-pbkdf2/

    ...still, one is ridiculously low especially when 5000 is default o_O
     
  12. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I'll hope, for LastPass' sake, that this was my own fault.
     
  13. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    2,440
    Location:
    Canada
    I checked mine and it's at the default 5000.
     
  14. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  15. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
Loading...
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.