I strongly advocate the use of password managers. In October I will be reviewing and providing tutorials for a number of password managers as part of my National Cyber Security Awareness Month posts. Even with password managers, however, you still need to remember – and be able to manually enter – at least a few passwords. Things like full-disk encryption and the password manager itself require passwords that you know and remember. Diceware passwords are cryptographically sound passphrases that are easily remembered and easily created. This technique is quickly becoming one of my favorites for creating good passphrases.
Creating diceware passwords requires two things, the first of which is a word list. The word list is easy to obtain: it is available HERE (it is available in languages other than English HERE). It consists of 7,776 words, each with a corresponding 5-digit number. Next, you will need one six-sided die. Using online dice generators greatly reduces the cryptographic integrity of the resulting password and is strongly discouraged. Finally, you will need a pen and paper to record your dice rolls.
Roll the dice. Record the result. Repeat six times. When you have five digits (31121, for instance), compare that number with the word list (31121 = giddy). Record the resulting word. You have now created the first word in your passphrase. Repeat this entire process to create the next word in the passphrase. The result should look something like this:
- 31121 = giddy
- 34216 = iris
- 12416 = arcana
- 62511 = utah
- 53642 = shrub
- 35443 = knew
The resulting final passphrase is giddyirisarcanautahshrubknew. This is a significantly stronger password than most people use. How many words from the word list should be in your diceware passwords? Leading experts recommend at least six. I recommend starting with six and working your way up to eight, nine, or even ten. Using gradual complexity, you can add a word per week, permitting you to memorize the password in manageable chunks. If you are protecting something incredibly sensitive, you may wish to add some further complexity by inserting numbers, special characters, and spaces.
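An added example, not from the post, that walks through the lookup step in Python: parsing a word list in the "NNNNN word" format, turning five die rolls into a list key, assembling the six words above, and computing the entropy per word (log2 of 7,776). The embedded word list is a constructed six-entry sample, not the real list, and `secrets` stands in for the physical die only to illustrate why a non-predictable source matters.

```python
import math
import secrets

DIE_FACES = 6
ROLLS_PER_WORD = 5
LIST_SIZE = DIE_FACES ** ROLLS_PER_WORD  # 6^5 = 7776 entries

# Constructed sample: just the six entries from the post. A real list has 7,776 lines.
SAMPLE_WORDLIST_TEXT = """\
12416 arcana
31121 giddy
34216 iris
35443 knew
53642 shrub
62511 utah
"""


def parse_wordlist(text):
    """Parse 'NNNNN word' lines into a dict, rejecting keys that are not five digits 1-6."""
    table = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, word = line.split()
        if len(key) != ROLLS_PER_WORD or any(c not in "123456" for c in key):
            raise ValueError(f"bad key in word list: {key!r}")
        table[key] = word
    return table


def rolls_to_key(rolls):
    """Five die rolls (1-6) become the lookup key, e.g. (3, 1, 1, 2, 1) -> '31121'."""
    if len(rolls) != ROLLS_PER_WORD or any(r not in range(1, DIE_FACES + 1) for r in rolls):
        raise ValueError("need exactly five rolls, each 1-6")
    return "".join(str(r) for r in rolls)


def passphrase_from_rolls(table, roll_groups, sep=""):
    """Look up each group of five rolls and join the words (no separator, as in the post)."""
    return sep.join(table[rolls_to_key(group)] for group in roll_groups)


def entropy_bits(num_words, list_size=LIST_SIZE):
    """Entropy of num_words words drawn uniformly from list_size entries: ~12.9 bits each."""
    return num_words * math.log2(list_size)


def roll_die():
    """Stand-in for the physical die: OS CSPRNG via secrets, never the random module."""
    return secrets.randbelow(DIE_FACES) + 1
```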
If you don’t have the time, energy, or equipment to make your own diceware passwords, you can purchase them. Mira Modi, a sixth-grader in New York, offers diceware passwords online. She creates each one (in pairs), records it, then mails it via USPS to the purchaser. She has been featured in Ars Technica and several other media outlets.