Diceware lets you generate random passphrases by rolling dice
Diceware is another tool by Iain Lamb, the maker of Typograph. It answers a simple need by letting users create passphrases with a roll of the dice.
You are supposed to roll five physical dice on your desk and enter the result into the text box on the page as one string of digits (say, 14352). The JavaScript tool then searches a word list in which each word is paired with a unique number. It locates word number 14352 (which happens to be "blitz") and adds it to your passphrase.
You are now expected to roll the five dice again and enter the new result. Repeat this process for as many random words as you wish to have in your passphrase. If you wish to have no spaces, click "collapse," and the tool will remove all of the spaces between the words.
While I find this interesting as an experiment, I would advise against using it for anything serious since the passwords it generates are cryptographically weak. They contain no uppercase letters, no digits, no symbols, and they are entirely composed of dictionary words from a limited, publicly available list (that is right on the tool page).
If Iain Lamb added random capitalization, a digit separating each word, and a couple of special symbols surrounding the password, that would go a long way to providing a truly secure passphrase. Until that time, Diceware remains an interesting experiment in generating random passwords/phrases.
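The lookup the tool performs on each five-dice roll, written out as an added example (not the Diceware page's own code): it validates the roll, maps it to a word, and counts how many phrases a given number of words can produce. The function names and every word except "blitz" are constructed for illustration.

```javascript
// Added example (not the tool's code). WORDS is a constructed excerpt: only
// 14352 -> "blitz" comes from the article; a full list has 6^5 = 7776 entries.
const WORDS = new Map([
  ["11111", "alpha"], // constructed
  ["14352", "blitz"], // from the article
  ["26316", "cedar"], // constructed
  ["53164", "mango"], // constructed
  ["66666", "zebra"], // constructed
]);
const DICE_PER_WORD = 5;
const LIST_SIZE = 6 ** DICE_PER_WORD; // 7776 keys, 11111 through 66666

// Accept one roll of five dice; reject anything a six-sided die cannot show.
function parseRoll(input) {
  const roll = String(input).trim();
  if (!/^[1-6]{5}$/.test(roll)) {
    throw new RangeError(`"${roll}" is not five digits in the range 1-6`);
  }
  return roll;
}

// Zero-based position of a roll in a sorted full list (11111 -> 0, 66666 -> 7775).
function rollToIndex(input) {
  return [...parseRoll(input)].reduce((n, d) => n * 6 + (Number(d) - 1), 0);
}

function lookupWord(input, words = WORDS) {
  const key = parseRoll(input);
  if (!words.has(key)) throw new Error(`no word listed for roll ${key}`);
  return words.get(key);
}

// One roll per word; collapse=true mirrors the tool's "collapse" button.
function buildPassphrase(rolls, { collapse = false } = {}) {
  return rolls.map((r) => lookupWord(r)).join(collapse ? "" : " ");
}

// Count of equally likely phrases and the equivalent bits, assuming fair dice.
function phraseSpace(wordCount) {
  return {
    combinations: BigInt(LIST_SIZE) ** BigInt(wordCount),
    bits: wordCount * Math.log2(LIST_SIZE),
  };
}

console.log(buildPassphrase(["14352", "53164"]), phraseSpace(6));
```

The bit count holds only when every roll comes from fair dice and the full 7776-entry list is used.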













Comments (2)
some guy, Aug 5th 2010 4:03PM
Dude, please don't write crap about stuff you don't understand.
It doesn't matter that the word list is public, the point is that there are 7776 (6^5) possibilities for each word, generating a certain amount of randomness. You could replace the words with the corresponding numbers, but then they wouldn't be as easy to remember.
To add strength to the passphrase, you add words, as many as you like. 6 words equals 6^30 (a 24-digit number) possible combinations, which is plenty, and the "sentence" is a lot easier to remember than a corresponding sequence of random characters.
What you SHOULD have mentioned, instead, is that the JavaScript thingy is the weakest part of the system. To be secure, you're supposed to download the word list, roll the dice, and look up the words from the list. NOT generate your passwords with a random tool from the net.
Rich Dudley, Aug 6th 2010 11:36AM
A few years ago I put together a .NET app that creates two-word phrases and a two-digit number at the end, based on Diceware. The article and code are at http://aspalliance.com/703_A_Simple_Passphrase_Generator.