Talk:Diceware

Dialdice

• Dialdice: Attemt at an easy-to-dial-on-a-phone version. Maybe it should be peer-reviewed for some statistical weakness beyond my (very superficial) understanding, but anyway - here it is

When I looked at that web page today, I saw a standard Diceware word list -- it has 7,776 unique words, so it's just as statistically secure as any other Diceware word list. It doesn't say anything about telephones, so I'm mystified as to why it's called "Dialdice" and why the original poster thought it had somthing to do with telephones. --DavidCary 04:40, 19 May 2005 (UTC)

This is zzzen (the original poster of the dialdice reference):

Dialdice does not use words from original diceware list. The words were chosen to satisfy various criteria (e.g. they were recognized by many non-english speakers), but the most important one is this:

No word contains 2 successive letters residing on the same key on a phone key-pad (avoiding long and annoying timeouts to wait for). There's still a chance of "keypad collision" between last letter of a word and first letter of next one, but chances are 1/9 for that so you usually have <=1 "keypad collision" on a 7 or 8 word long passphrase. Try dialing some words from the list into your sms text editor and you'll feel the smoothness (as opposed to "aaaa" which is a standard diceware word ;)

Dialdice was designed for the d.o.p.e project that does ciphersaber on the client side in javascript (for browsers) or wmlscript (if client is a wap phone)

Although next release of dope (whenever) won't support wap (inherent security hole: phone providers can easily install trapdoors during wmlscript compilation), there are machines with a phone keypad that support javascript, so dialdice is still handy as long as you disable wap ;)

Variable length word lists leak entropy?

A section was added that begins:

"Diceware passphrases yield less entropy than the ideal 64.62 bits when used with dictionaries containing variable-length words. This is because the length of the resulting passphrases "leak" information about their composition."

Unless I am missing something, I don't believe this is correct unless the attacker has some way to learn the length of the passphrase. While it may be true that a five-word, 27 character passphrase from the Beale wordlist has 57.13 bits of entropy, 7.49 bits less than the theoretical strength of a five-word Diceware passphrase, that is exactly matched by the 0.553 % probability of such a passphrase occurring (log2(.00553)=-7.4985). The claim is analogous to saying all passphrases beginning with the word "ball" are weak since there are only 7776^4 possible five-word passphrases that begin with "ball".

There is a risk that someone who observes you entering your passphrase can count the number of characters entered. One could press and release a few keys that have no effect, such as "shift" or "control" when being observed to prevent this, but there is a greater danger that someone could record the clicking sounds of your keyboard and simply recover you passphrase. See acoustic cryptanalysis.

There is a separate problem with very short Diceware passphrases. An attacker who was simply trying all character combinations might recover these in a reasonable amount of time, so a 14 character minimum is recommended. --agr 00:10, 8 September 2005 (UTC)

I think they might infer that entropy is being leaked by way of attackers trying all the shorter-word combinations first. But I agree this is dubious, since whatever combinations the attacker tries first will render some passwords weaker than others. For example, even a fixed-length word list can be cracked in alphabetical order, rendering any words that start with "a" ~26 times weaker. But should the attacker come in reverse alphabetical order, any word-symbols starting with "y" will appear to leak entropy.

It's like being a sheep hiding in a herd of password-guess-permutations, the larger the herd the greater the potential safety because it will take longer for a wolf to attack every sheep before she finds you. But if you're "on the side of the herd" facing where the wolf enters the pen, (near the beginning of the attacker's trial-space), then you are at greater risk.

But you're not in control over where the wolf enters the pen, you can only guess where possibly ingress points might be. While attackers might focus on depth-first traversal of shorter words first, they'd only gain a few bits of advantage and then only against whoever picked a shorter password, sacrificing those bits to the end of the trial-space.

It's all very fairies-dancing-on-the-head-of-a-pin to me. :3 JesseT77 (talk) 23:39, 18 February 2012 (UTC)

But Why?

This whole method seems flawed and cumbersome. Why bother? It's not very easy to use, it's not all that secure (compared to other options).

Is anyone even using this invention? Why have this in wikipedia if no one is using the technique.

I've changed "major advantage" to just "advantage". Coverage of diceware was specifically requested some time ago. See Talk:Password. As for its popularity, type "passsphrase" into Google and see where it comes up. What is your basis for "it's not all that secure (compared to other options)"? --agr 12:23, 3 February 2006 (UTC)

I've used it. Hrm, should the "alternate" (UK variant) wordlists be mentioned? Alphax ^τεχ 09:03, 9 February 2006 (UTC)

I use it though I generate the phrases with a program rather than physical dice. There is a client side Javascript implementation here. Phr 22:47, 18 February 2006 (UTC)

With an incorrect MIME type, no less. If it wasn't for that, I would've added it to the external links. 24.61.106.84 20:45, 10 January 2007 (UTC)

Not to mention I wasn't logged in. My bad. :P — SheeEttin {T/C} 20:46, 10 January 2007 (UTC)

Shouldn't it be mentioned that the famous correct horse battery staple comic is based on the Diceware's method, event though using a 2048 (unknown?) word dictionary, not prescribing how to choose the words at random and not mentioning that the strength of 11 bits is only achievable by random choice of the words. I use it, that is Diceware! Dick99999 (talk) 06:01, 17 July 2014 (UTC)

it's not all that secure (compared to other options). Is that so? This is one of the few ways I know of to generate a password with any desired number of bits of entropy that is completely invulnerable to keylogging. Please tell me about any other option that is more secure. --68.0.120.35 17:14, 15 August 2007 (UTC)

It's not clear to me how this system is "invulnerable to keylogging". Do you mean it's less obvious what is a password, just from inspecting the log file? I guess it's *less* vulnerable, since all the words in the password are in the dictionary, but the username for the login is not likely to be a dictionary word, so it would stand out, and other clues could be used to figure out what phrase is the password.

As for the question about whether the technique should be here, I don't think the number of worldwide users is important. I think the article is worth being here for completeness and reference. (I searched for it after seeing the term on the a CAcert (certificate authority) page - http://wiki.cacert.org/wiki/FAQ/GeneratingMyPassword - so people are at least *referring* to it, regardless of how many use it. —Preceding unsigned comment added by 99.160.9.186 (talk) 15:10, 2 June 2009 (UTC)

I never touch a keyboard while using the Diceware method to generate a passphrase.

Nor do I touch a keyboard while I write that passphrase down on paper and put it in my wallet, as recommended by Bruce Schneier ([1]) and David Shaw (Trusted paper key).

Therefore "generating a passphrase" using the Diceware method is invulnerable to keylogging and other malware.

At a later time, actually using a Diceware-generated passphrase is no more vulnerable to keylogging than using a passphrase generated by any other method, right?

Or is there some "other option" (as rumored above) that is less "flawed" and more "secure"?

--68.0.124.33 (talk) 21:45, 20 July 2009 (UTC)

Our point is, there aren't any methods to *generate* a password which are any more vulnerable to keylogging, either. Alternate methods involve either a user dreaming up a password in their head, or having one generated by the computer and printed on the screen for them. Perhaps what you meant is that diceware is invulnerable to weakened-entropy attacks? It's also possible, using an offline, printed wordlist to generate an easily remembered password of fixed, high quality entropy without interacting with a computer at all. JesseT77 (talk) 23:46, 18 February 2012 (UTC)

external link

I have written a small Perl script to bring Diceware some new features. I call it the Dice Road Dictionary. It offers three words for each dice roll: A dictionary word, an apg word and a 6 byte word from /dev/urandom. The main thing it brings to the table is the ability to create dicware lists in other languages and to mix words, FIPS-180 words and a random string to form a password.

As to why bother ? It offers a low tech way to generate passwords that is intrinsically trustworthy. It is still useful for off-line activities where a strong password is needed.

As to writing it on paper and keeping it in your wallet-- if your junk is getting checked, what about your wallet ? — Preceding unsigned comment added by Chiefoperator (talk • contribs) 00:38, 17 January 2011 (UTC)

And I have removed it, per WP:EL, WP:SPAM, and WP:COI. Please refrain from adding links to websites you are affiliated with. - MrOllie (talk) 13:29, 17 January 2011 (UTC)

Is the link to an Android app appropriate? Aside from the fact that the link is promotional in nature, any pseudorandom generated output would also be inherently less secure--which flies in the face of the very point of diceware itself. — Preceding unsigned comment added by 107.4.22.36 (talk) 23:19, 20 February 2014 (UTC)

Word list collisions

On the other hand, the construction of passphrases from thusly selected words needs consideration. Simply concatenating randomly chosen words may form words that are already in the word list, e.g., "in" and "put" form "input"; all three words can be found in the above mentioned word list. This decreases the entropy. A simple remedy could be to put spaces or other characters between the words, with the added benefit of increasing the entropy.

I wonder how serious the impact of wordlist collisions is on the entropy of pass phrases. I have analyzed 5 word lists. The original Diceware list has > 2700 collisions, such as:

agee	ag	ee	age	e
abode	ab	ode	abo	de
acetic	ac	etic	ace	tic
acton	ac	ton	act	on
ampere	amp	ere

Most of them occur because Diceware includes all single characters and most combination of 2 characters as 'words'. But there are other collisions as well. It may imply that my 4 word phrase is as strong as a 3 word if the attacker uses the word list in the 'right' sequence. I have not included single character and most 2 character combinations words in my Netherlands Diceware word list. Dick99999 (talk) 18:14, 16 July 2014 (UTC)

There are 7776 x 7776 = 60,466,176 possible word pairings in the Diceware list, so 2700 does not suggest a high collision likelihood, even with 5 or 6 opportunities per pass phrase. Still, I now suggest that users of Diceware put a space character between words, which eliminates the problem. That was the original intent, but when reports surfaced about password capture via acoustic cryptanalysis, I suggested eliminating the spaces. It has since become clear that doing this will not defeat acoustic cryptanalysis and there are other methods available to someone who can access your keyboard or get close to where you are typing your pass phrase, e.g. key capture software, a bugged cable, and video surveillance. So I am back to recommending spaces, which is more natural when typing a string of words. It also reduces the susceptibility of short Diceware pass phrases to brute force letter-by-letter attack, which is likely the most common threat in the wild. (WP:COI note: I am owner of web site in question.)--agr (talk) 15:38, 24 July 2014 (UTC)

Suppose I use the following scenario to attack the space insertion. I know which words collide with other words. Words like 'acton' formed by 2 words in sequence 'act' and 'on'. I put a space character between act and on. Then brute force that with and without the space. That will catch both: users inserting a space between the words and users that do not insert a space. This will just double the attack time, in stead of a factor 7776 if considered 2 non-colliding words. So it is almost like the strength of a pass phrase existing of one word less.

Dick99999 (talk) 14:01, 30 July 2014 (UTC)

The formal weakness that the lack of spaces causes is a De Bruijn sequence. This Stack overflow post talking about "password knocking" explains why its weaker in a way that might be more understandable than the more complex examples produced by Diceware, but fundamentally, it is the same. http://security.stackexchange.com/a/82102 Gaijin42 (talk) 21:55, 26 March 2015 (UTC)