No, you do not. The instructions on the Diceware page are usually enough to enable you to make and use your passphrase. But you may find some of the information here interesting and useful. Some topics covered include login passwords, Hushmail, legal issues, CipherSaber and tables for creating random strings. There is also a very important note of caution for users of Unix, Linux and Mac OS-X as well as one for Windows users.
Diceware is a technique that uses dice to produce random text for passphrases and other uses. The Diceware method provides an easy way to create strong passphrase that are easy to remember, for example: alger klm curry blond puck
To build your passphrase, you pick short words from a list that is indexed in a special way that makes it easy to select the words randomly using ordinary dice. See the main Diceware page for all the details.
I recommend five words for most users.
In their February 1996 report, "Minimal Key Lengths for Symmetric Ciphers to Provide Adequate Commercial Security" a group of cryptography and computer security experts -- Matt Blaze, Whitfield Diffie, Ronald Rivest, Bruce Schneier, Tsutomo Shimomura, Eric Thompson, and Michael Weiner -- stated:
"To provide adequate protection against the most serious threats... keys used to protect data today should be at least 75 bits long. To protect information adequately for the next 20 years ... keys in newly-deployed systems should be at least 90 bits long."
A five-word Diceware passphrase has an entropy of at least 64.6 bits; six words have 77.5 bits, seven words 90.4 bits, eight words 103 bits, four words 51.6 bits. Inserting an extra letter at random adds about 10 bits of entropy. Here is a rough idea of how much protection various lengths provide, based on updated estimates by A.K. Lenstra (See www.kelength.com). Needless to say, projections for the far future have the most uncertainty.
Pick your passphrase size based on the level of security you want.
Another way to think about passphrase length is to consider what security precautions you take to physically protect your computer and data. Here is a list of possible passphrase lengths and commensurate security precautions. The list of precautions is not intended to be complete. I am not trying to discourage anyone from using longer passphrases if they feel up to it, but the added strength without comparable physical security for your computer is of limited value.
Note: However I do encourage using six or more words on systems that use the passphrase directly to form a transmission key. Such systems include Hushmail, disk encryption (e.g. Apple's FileVault), Ciphersaber, and WiFi's WPA.
For people seeking long term data protection (greater than 10 years) I would recommend adding one word to the above suggestions.
Use a ten-word Diceware passphrase. For memory purposes, think of it as two 5-word passphrases.
Of course, if you are worried about an organization that can break a seven word passphrase in order to read your e-mail, there are a number of other issues you should be concerned with -- such as how well you pay the team of armed guards that are protecting your computer 24 hours a day.
This is a very important question. Most experts say never write down your passphrase under any circumstances. This approach comes from military doctrine, but military crypto systems are designed in such a way that one person forgetting a passphrase is not a calamity.
I believe most people are more afraid of forgetting their own passphrase than they are of having it stolen. As a result they tend to pick passphrases that are far too weak. I actually did a small survey on this question and the results support my view. See http://world.std.com/~reinhold/passphrase.survey.asc
Also many people need multiple passphrases for different programs and needs. Remembering them all can be difficult, particularly those that are used infrequently. For most people it is better to pick strong passphrases, write them down and keep them in a very safe place. There may be legal advantages to memorizing your key, however.
HushMail.com is a new free e-mail service that lets you exchange encrypted messages with other HushMail users. The HushMail folks seem to have done their homework and produced a system that is quite strong. (Cryptographers need a lot of time to analyze a new system, so the jury is still out.)
The security of Hushmail is totally dependent on the quality of the passphrases both you and your recipient select. The latest version of Hushmail is based on the OpenPGP standard and fixes some important problems in Hushmail 1.0. I strongly recommend you use Hushmail 2.0 or later versions rather than Hushmail 1. I also recommend you only use a 128-bit browser with Hushmail and that you install the Hushmail client program after checking its signature.
Pick the longest Diceware passphrase you feel comfortable remembering (preferably at least six words). Your HushMail passphrase might look like this:
hera steam slop aim join del
Note: When you tell your friends about HushMail, tell them about Diceware.com as well. Remember, the security of a message you send depends on the recipient's passphrase, not your own.
Change the password on that account and upgrade to Hushmail 2.0 if you have not already done so. Your new passphrase should be created with Diceware and be at least 5 words long, preferably 6.
The Diceware method is secure even if an attacker knows that you used Diceware to pick your passphrase, knows how many words are in your passphrase and knows the word list you used. The security of Diceware comes from the huge number of combinations that an attacker must search through even with that knowledge . The Diceware word list contains 7776 words, so if you pick a five-word passphrase, there are 7776 x 7776 x 7776 x 7776 x 7776 combinations. That is over 2**64 (2 to the 64 power or 2.6 X 10**19) possibilities. A six word Diceware passphrase confronts an attacker with 2**77 (2 X 10**23) combinations; seven words 2**90 (1.5 X 10**27). (Click here for a longer explaination.)
Try making a mnemonic. First, make sure you know what each word means. Look it up if you have to. Then try to make up a story that uses those words. For example, here is a five word Diceware passphrase selected at random:
strop 17 aw tete karp
My dictionary defines strop as a strip of leather used to sharpen a razor. Tete, as in tete-a-tete comes from the French word for "head." So I imagine myself sharpening my razor knife seventeen times before cutting off the all wet head of a fish. It may sound hokey, but it works!
An important goal of Diceware is to keep passphrases short. Based on the limited survey I did, I concluded that most people simply will not accept a 50 character passphrase that they have to type in several times a day to read, send or sign e-mail. Peter Kwangjun Suk had the clever idea that short non-words like "abc" "456" or "dn" are about as easy to remember as regular words and reduce the average length of a randomly selected password.
The original Diceware word list is slanted somewhat to American English. Alan Beale has compiled an alternative list that replaces most Americanisms and many obscure words with more recognizable alternatives. You can find it at http://world.std.com/~reinhold/beale.wordlist.asc
There are some obscure words in both lists. If you passphrase includes a word you don't know, look it up in a good dictionary. Knowing the word's meaning will aid you memory and your vocabulary.
Tastes vary. Use your passphrase several times a day for a week. If you find you still cannot remember it, and aren't comfortable writing it down, try a different method. Follow the links on the Diceware page.
Powerful forces are trying to prevent you from using strong encryption. One way to stop them it to teach as many people as possible how to write strong encryption programs of their own. CipherSaber is a strong encryption method so simple that you can write the program yourself if you have elementary programming skills -- even if it is only a knowledge of Basic. CipherSaber is intended to demonstrate that banning strong cryptography is futile, but the program is also useful and a lot of fun to make. CipherSaber can use Diceware passphrases directly as a key. Find out more at http://ciphersaber.gurus.com
The first rule is not to panic. Don't erase that encrypted file. The human mind is unpredictable. You may remember the passphrase tomorrow in the shower or next week while watching a movie. If the passphrase you have written down does not work after repeated tries, copy it letter for lettter starting at the right. Or ask someone else to type it in. If you have it in your head that the third word is "cot" you will type it that way even if it planely says "cut."
Back in 1996 National Public Radio's All Things Considered program ran a great story about a woman who works for a data recovery firm as a "Data Crisis Counselor." (Click here for the Real Audio version) When her employer cannot recover data from a customer's damaged hard disk, it is her job to break the news and help the customer cope with the loss. She draws on her training in psychology and her experience counseling for a suicide hot line.
The Diceware page does not have a data crisis counselor, so I must give you the bad news straight. If you used a strong encryption program and then really lost your passphrase, you are out of luck. You data probably cannot be recovered. Sorry.
The moral is do not forget your passphrase! That's why I advise you to write it down.
All the words in the Diceware list are in lower case. The entropy values shown above are based on the passwords as generated, with no capitalization. You can increase entropy further by capitalizing some characters, but is it worth the effort?
Randomly capitalizing the characters in your passphrase adds one bit of entropy per character, raising the entropy from (roughly) 3 bits to 4 bits per character. However each capitalization requires pressing the shift key. Since, on the average, half the characters are capitalized, the number of key strokes will be increased by a factor of 1.5 so the entropy per key stroke will be 4/1.5 = 2.67 bits. This is less than the entropy per keystroke of the original lowercase password!
You could argue that the number of added keystrokes is less than half since you can hold down the shift key during runs of capitals, but the mental effort is still there. And, of course it is much harder to remember a passphrase like "rATIO Acts PR AsTOr" than "ratio acts pr astor."
The entropy added by having just one random capital in a typical five-word passphrase is 4.4 bits (log2 of number of characters in the average 5-word passphrase). By contrast, inserting one random character somewhere in the middle of your passphrase increases its entropy by about 9.5 bits (4.4 + log2 (36)). See the instructions on the Diceware page.
If all this seems like lily-gilding, just stick with the original passphrase you got from the Diceware word list.
Exceptions: This analysis does not apply to situations like Unix login passwords, where the length of the password is limited to 8 characters. There random capitalization is an important way to increase security. Also some systems insist that you use a mix of uppercase and lower case letters for passwords. For such systems we suggest you select one of your Diceware words at random using a dice throw and capitalize its initial letter.
It is probably better not to include the spaces. The space bar on most keyboards has a distinctive sound. Someone overhearing you could determine the length of each word you typed, which would aid significantly in an attack. Entropy is slightly reduced if you do not include the spaces. For example, the following two passphrase "airway ne" and "air wayne" both turn into "airwayne" if you take out the space. But the actual security impact is small. One solution is to select a key on the lower row of the keyboard that you will type instead of a space.
Whichever way you choose -- spaces or no spaces -- you must always enter your passphrase the same way.
You should change your passphrase whenever you change your PGP or Hushmail key. There is little advantage in changing it more often.
Change your PGP or Hushmail key and your passphrase.
Note: I am not a lawyer and cannot give legal advice. See a lawyer if you need legal advice. The following is the best information I have obtained on the subject.
As far as United States law is concerned, a key that is written down can be subpoenaed. As for a key that is memorized, no one seems to know for sure. There is an interesting paper on this question "Self Incrimination and Cryptographic Keys" by Greg S. Sergienko, 2 RICH. J.L. & TECH. 1 (1996), http://www.urich.edu/~jolt/v2i1/sergienko.html. At one point Sergienko says:
"In Doe v. United States (Doe II), the Court recognized that "be[ing] compelled to reveal the combination to his wall safe" would be testimonial compulsion, but suggested that the key to a strongbox containing incriminating documents would not be." -- "Doe v. United States, 487 U.S. 201, 210 n.9 (1988) (Doe II). The Court had earlier suggested that the privilege could exist with respect to a combination to a safe. Couch v. United States, 409 U.S. 322, 333 & n.16 (1973) (citing United States v. Guterma, 272 F.2d 344 (2d Cir. 1959))."
Sergienko points out that the Government might grant "use immunity" to force you to produce your cryptographic key. He concludes:
"Cryptography may provide a technical fix for Supreme Court decisions allowing the invasion of one's private papers. However, the effectiveness of that fix will depend on whether the Court holds that use immunity from the compulsory production of a cryptographic key extends to the incriminating documents decrypted with the key. Logic suggests that the Court should so hold.
However, the Court's inconsistencies in this area suggest the limits of logic. The Court has consistently reconstructed Fourth and Fifth Amendment precedents to move away from historical practice. This reconstruction is in part responsible for the Court's inconsistencies. ..."
Another good paper on the subject is http://www.law.miami.edu/~froomkin/articles/clipper1.htm#ToC78
These papers appear to be dealing with U.S. criminal law. In a civil case, as I understand it, failure to provide your key could result in a judgment against you. The laws of other countries vary greatly. Under the new Regulation of Investigatory Powers Bill in England, you could face a two-year jail term for failing to provide keys. The burden of proof may be on you to prove you don't remember the passphrase. For this reason, a passphrase consisting entirely of random characters may be a better bet for UK residents. Bert-Jaap Koops maintains a valuable Crypto Law Survey page with information on cryptography laws throughout the world.
Salt is a block of non-secret data that is appended to the passphrase before it is hashed. The salt data is transmitted in the clear along with the message. Salt prevents certain attack strategies, such as a dictionary attack.
A dictionary attack involves building a list of possible passphrases along with precomputed cryptographic information that lets the attacker check that passphrase faster. Salt prevents this by requiring a separate entry for each salt value. If you use 30 bits of random salt an attacker will need a billion dictionary entries for each passphrase.
Also, without salt, an exhaustive search attack could attack a large number of target keys at once. An attacker hashes each trial passphrase and sees if it works for any of the keys she is attacking. Salt prevents this because it is unlikely that two users will have the same salt.
If you can use passphrases of arbitrary length, you can compensate for any lack of salt by adding your own. If you are using a security program that you aren't sure uses salt, pick the longest Diceware passphrase you feel comfortable remembering (preferably six words) and then add on something that is not secret but is unique to you, such as your user name or your telephone number. So your final passphrase might look like this:
hera steam slop aim join del 5552368
The Diceware instructions themselves are available in Japanese and Chinese. There is a Finnish and a German word list. If someone knows of any others please let me know and I will be glad to add link to it in the Diceware page. If you would like to create a word list in some other language, check out the Diceware Kit, which contains instruction on how to build one. Let us know if you do and we will add a link to your list.
The English lists are PGP signed by Arnold Reinhold, but all you really have to do is inspect the list. All words should be in alphabetical order and there should be no duplicates. As long as all the words are different, the list will provide full security. A substantial number of duplicates would have to be introduced to materially weaken the Diceware list's security, so a quick scan of the list is all that is needed.
One way someone might use to find your passphrase is to write a computer program that tries all combinations of characters up to some length. If your Diceware passphrase is very short, such a program would come up with you passphrase eventually. Using a passphrase that is at least 14 characters in length, including the spaces between the words, makes such an attack as difficult as searching all five word Diceware passphrases. By the way, it is very unlikely that the dice will give you a passphrase that short.
If you use a four-word passphrase, it should be at least 11 characters in length, including the spaces between the words; for six words, at least 17 characters; for seven words, at least 20 characters.
If your passphrase is too short, you could just select another word to make the short passphrase longer, but since the passphrase will consist almost entirely of two letter combinations, and therefore will be very hard to remember, I recommend selecting a new passphrase from scratch. Since such short passphrases are very rare, rejecting them does not materially reduce the entropy of the Diceware approach.
Entropy is a measure of the uncertainty or randomness of a system. The concept is a difficult one to grasp fully and is confusing, even to experts. Strictly speaking, any given passphrase has an entropy of zero because it is already chosen. It is the method you use to randomly select your passphrase that has entropy. Entropy tells how hard it will be to guess the passphrase itself even if an attacker knows the method you used to select your passphrase. A passphrase is more secure if it is selected using a method that has more entropy.
Entropy is measured in bits. The outcome of a single coin toss -- "heads or tails" -- has one bit of entropy.
This is an important question that unfortunately does not have an easy answer.
If a passphrase is selected from a universe of N possibilities, where each possibility is equally likely to be chosen, the entropy is log2(N). The symbol "log2" stands for the base-two logarithm. Most calculators don't have a button for base-2 logarithms, but you can use the formula:
log2(N)=log(N)/log(2).
If the passphrase is made out of M symbols, each chosen at random from a universe of N possibilities, each equally likely, the entropy is M*log2(N). For example, if you make a passphrase by choosing 10 letters at random, the entropy is 10*log2(26) = 47.0 bits.
If the passphrase is a phrase in a natural language, the problem is much more difficult. There is a famous estimate due to Shannon that the average entropy of written English is about 1.3 bits per letter. See Schneier's Applied Cryptography, 2nd Ed. p.234. However, applying this estimate to a passphrase is questionable. People are much more predictable than they think they are. In general, it is very hard to give a good estimate of entropy for a passphrase when any human judgment is involved.
If you really want security, select your passphrase in a way that is truly random. One good way to do this is to use Diceware. The entropy offered by Diceware is 12.9 bits per word (log2(7776)), so a five-word passphrase has an entropy of 64.5 bits.
The figures I give regarding the quality of Diceware passwords are not affected by English language redundancy.This issue confuses many people, so a longer explanation is called for.
To understand what is going on here, it would help to think first about a different way to construct a passphrase that is also valid: selecting letters at random from the ordinary English alphabet:
abcdefghijklmnopqurtuvwxyz
There are, of course, 26 letters in this alphabet. There are many ways to select random letters. I describe a few in the Diceware FAQ. Let's not worry about how for now, but assume we have selected a passphrase consisting entirely of random letters, say ten of them. How strong is this passphrase? Well, first we should count how many possible 10-letter passphrases there can be. There are 26 possibilities for the first letter, another 26 for the second letter and so on ten times. So the number of possibilities is:
26 X 26 X 26 X 26 X 26 X 26 X 26 X 26 X 26 X 26 = 141167095653376
Mathematicians refer to that as "twenty six to the tenth power." and usually write is as the number 26 with a superscript of 10. Since we don't have superscripts in e-mail, we write it here as 26**10, which is the way it is written in many computer programming languages.
Now 141167095653376 is a pretty big number, but we run into a lot of big numbers in cryptography, so to compare them we ask how many binary digits (bits, for short) it would take to represent this number. It turns out that 26**10 = 141167095653376 almost fits in 47 bits (just misses by a hair), so we would say 141167095653376 is a 47 bit number and your ten random character passphrase has a strength of 47 bits.
If you have been following discussions about PGP, you probably are aware that 47 bits is not considered very strong. You might want to have a stronger passphrase. One way to do this would be to pick more random letters. You might get an idea that since 10 letters gave us 47 bits of randomness, each letter is worth 4.7 bits. Turns out that is almost exactly correct. So, for example, a 20 random letter passphrase would give you 94 bits of security, which is pretty strong.
Suppose you don't want a passphrase that long, for some reason. One way to allow a shorter passphrase to be strong is to use more symbols in the alphabet. You might choose at random from uppercase letters, lowercase letters, the digits, and a couple of special characters:
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqurtuvwxyz0123456789=+
That is a total of 64 symbols and it turns out that gives you exactly 6 bits of randomness per symbol. So a 15 letter passphrase chosen from this list of symbols would have 90 bits of randomness.
Now suppose Susan is fluent in Chinese and wants an even shorter passphrase. She might pick at random from a list of 1000 common Chinese characters. In such a situation each character would have 10 bits of randomness, so a password with 90 bit strength would take only 9 Chinese characters. Susan might worry, however, that not all computers allow easy entry of Chinese characters. So she may use some method that represents each Chinese character as 3 English letters. Her passphrase would now be 9 X 3 = 27 letters long, but she still might find it easier to remember just 9 Chinese characters.
Note that in the three situations described above, the strength of the passphrase did not depend on keeping the alphabet or list of symbols secret. It only depended on the number of possibilities that someone who wanted to guess the passphrase had to contend with.
The same is true of Diceware. The Diceware word list contain 7776 words. You can think of the Diceware word list as a giant alphabet of 7776 symbols. If you pick seven words from the list, there are
7776 X 7776 X 7776 X 7776 X 7776 X 7776 X 7776 =
1719070799748422591028658176
possibilities. That works out to a little more than 90 bits of strength, or about 12.9 bits per word. Note, by the way, that each of the passphrase selection methods we just talked about above, -- random single case alphabet letters, random upper and lower lower case letters and digits, random Chinese characters and Diceware -- are equally secure, as long as the number of symbols selected give the same number of bits of strength. The only advantage of Diceware is that it is more user friendly: the passphrase is easier to remember and perhaps easier to type accurately.
So where does redundancy in English figure into all this? Let's go back to the first example, picking random letters from the alphabet. Remember we needed 20 random letters to get 94 bits of strength. Picking 20 letters at random is a tad tedious. Lets say Bob is lazy and not too up on all this crypto stuff. So instead of picking 20 letters at random, he closes his eyes, picks out a book at random from his book case, opens to a random page and stabs his finger onto some place on the page. Bob then opens his eyes and writes down the first 20 letters starting to the right of his finger. He figures that will be random enough, right? Absolutely not! There are predictable patterns in English (and all other human languages). Certain letters occur more frequently than others, for example. People who have studied this estimate that random English text has about 1.5 bits of randomness per letter. That is a lot less than the 4.7 bits for each letter selected one at a time using a random method like dice. Bob's passphrase, by this estimate, would only have 30 bits of strength.
But, you might ask, Diceware is made up mostly of English words. Doesn't that redundancy affect it at all? Well, it does. The seven word Diceware passphrase we talked about above would average about 30 letters in length (36 if you count the spaces between the words). If those letters were selected randomly, you would get 4.7 bits of strength per letter. That would work out to a lot more than the 90 bits Diceware claims for a seven word passphrase. The difference is the redundancy of English at work. However English redundancy does not affect the calculation that each Diceware word has 12.9 bits of randomness, which is based entirely how many different words there are in the Diceware list. You can rely on that number.
Casino dice are precision made, translucent dice for use in gambling establishments. The added uniformity over toy dice is probably not significant for creating passphrases, but might be important if you want to use dice to directly generate random numbers for statistical purposes. Guy Macon writes:
"This is a bit of overkill for what your web page is about, but I did manage to get some interesting (and useless!) information on dice.
[One gambling site on the 'net once claimed that] to beat the house with crooked dice, you need at least a 0.3167% edge, so I must assume that crooked dice must have at least that much bias. Probably a lot more if the cheater wants to make money before the dice at the table are changed."
http://www.diceman.net is the web page of a serious Casino dice collector. Lots of interesting info here, including a claim that "Dice used in board games are crudely manufactured and always favor the higher numbers (4, 5, and 6) because more material is drilled out of those sides."
http://www.gamingip.com is a web page full of patents concerning gambling.
http://www.gamingip.com/patcats/random.htm is a very interesting list of gambling/lottery related RNG patents.
Sources that carry Casino dice:
Crooked dice are made by adding weights, making the sides non- parallel, making one dimension smaller, making the edges asymmetrically rounded, or varying the smoothness of the sides. Here is one web site on the topic. You can buy "trick" dice at http://www.casinosupply.com/.
No! Unless you know how the electronics generate the randomness and can evaluate its strength, stick to old-fashioned real dice.
Generating truly random numbers using a computer is very tricky. The so-called random number generators that come with most programming libraries are nowhere near good enough. For most users dice is by far a better way to select passphrase words.
However if you do know what you are doing, have access to a strong method for generating random numbers (e.g. Java's secureRandom class) and really need to generate passphrases using a computer, then, to insure a uniform distribution of words, it is best to using a list of words that is a whole power of two in length. I have created such a list and it is available at: http://world.std.com/~reinhold/diceware8k.txt. There is also a version designed for the C programming language. http://world.std.com/~reinhold/diceware8k.c The C version can easily be adapted for Java and many other programming languages.
To increase the size of the Diceware list to a power of two, I added pairs consisting of a digit and a letter. (e.g. 5t, u3, 8q, etc.) No such pairs are in the original list. If we do not include the digits 1 and 0, which are easily confused with letters, then there are 2*8*26 = 416 such pairs. The present Diceware list has 6**5 = 7776 words. Adding these letter-digit pairs creates a list of 7776 + 416 = 8,192 = 2**13 words.
One way is to select two words using Diceware. Then select a special character using the special character table below. Stick the special character between the two words instead of a space. Drop characters off the end of the second word if the resulting password is too long for your computer system.
Example:
base<threw which truncates to the 8-character password base<thr
Such passwords are suitable for systems that limit the number of bad login attempts an attacker can make and protect the file containing the encrypted passwords (this is called password shadowing on Unix-based systems). Unless you are sure this is the case pick a stronger password following the advice below.
We are not experts on Windows, but at least one source we found says password hashes are not fully protected in Windows systems. If an attacker obtains the password hash, they can test millions of trial passwords in a matter of minutes. As a result, you should use a strong passphrase or string random characters.
Windows 2000 and XP allow up to 127 character passwords. On such systems we recommend a four-word Diceware passphrase with a random special character inserted. In high security applications, add a fifth Diceware word.
If you are limited to 14 characters, a regrettable practice in earlier Microsoft systems including NT, truncate a four word Diceware passphrase by eliminating the spaces between the words and dropping the last letter in each word if necessary. Or you can use a random string of at least 8 characters, preferably more.
Many Windows installations use a filter to require you to pick a password that is strong by Microsoft's standards. This means your password must contain characters from at least three of the following sets:
To meet these criteria and strengthen your passphrase, add a random special character selected using the special character table below, and capitalize the initial letter of one Diceware word. Use dice throws to select where to insert the special character and to select which word to capitalize.
International users should be aware of the following issue, pointed out by a reader:
"One thing that has caught me out with login passwords on Windows (don't know about other systems, I suspect there are similar problems) is that some special characters are different on the US keyboard from my usual UK keyboard. When you log in, the system assumes a US keyboard, and so you will never get your password right unless you know where the hash key (for example) is on the US keyboard. This limits the number of special characters that a non-US user can use."
Mac OS-X 10.1 and 10.2 have an effective 8 character password limit and allow access to the file containing the encrypted passwords. On these systems follow the advice in Caution for users of Unix and Linux, below.
With Mac OS-X 10.3 (Panther), Apple introduced password shadowing, which stores the encrypted password in a separate file with restricted access. Panther also allows passwords to be meaningfully longer than 8 characters, so you can use a Diceware passphrase as you login password.
If you upgraded to Panther, you should enable shadowing and longer passwords. To do this you just have to change your password. If there is more than one user, everyone should change their password. If your computer came with 10.3 or later installed, you are all set.
We recommend that Mac OS-X users upgrade to 10.3 or later and keep their operating system up-to-date.
Many Unix-based systems allow access to the file containing the encrypted passwords (/etc/passwd) and limit you to 8 character passwords.
This is a serious security flaw, since it allows an attacker to test millions of trial passwords in a matter of minutes. Unfortunately, many Unix programs assume this approach and it is therefore widespread. (See The Ambitious Amateur vs. crypt(3) by Kurt Hockenbury. Since this paper was written, in 1997, computers have become much more powerful, increasing the threat.)
If you have to use such systems, your sole defense is to pick a good password. Only a completely random string of 8 characters, preferably chosen from all possible printable characters, provides strong protection against attacks, and even that may be vulnerable to an attacker with a very large budget. In particular, Unix "root" passwords should always be constructed in this way! You can use dice to select a string of 8 random characters using the tables below. If you install Unix systems frequently, we suggest you learn our method for creating a strong password using only coins and a computer keyboard. You might also consider our password generating applet, PassGen2. Select the "MMMMMMMM" template from the pull down list.
If security is important, ask your systems administrator to switch to more modem login password system that allows longer passwords and shadows the password file. Even better is a safer authentication method like Stanford University's Secure Remote Password Protocol SRP. If you are accessing a Unix or Linux system remotely, always use SSH.
Remembering passwords containing special characters can be easier if you use nicknames for the special characters. Here are some suggestions (let me know if you have others):
`
Ding
{
Sneer
~
Twiddle
}
Smirk
!
Bang
[
Uh
@
At
]
Duh
#
Hash
|
Pole
$
Bucks
\
Back
%
Ears
:
Eyes
^
Hat
;
Wink
&
And
"
Quote
*
Star
'
My
(
Frown
<
Mouth
)
Smile
>
Nose
_
Under
,
Tear
-
Dash
.
Dot
+
Plus
?
Huh?
=
Equals
/
Slash
So for example, remembering &{^WEz_t is easier as "and sneer hat W E z under t" than "ampersand left-brace caret W E z underscore t."
The following are a series of table to aid you in producing random strings of characters or digits using dice. While the effort is a tad tedious, the result is random quantities of the highest quality.
To create passwords of maximum strength for a given number of characters, you must use all available symbols. This is especially important for most Unix systems where passwords are limited to eight characters from the 7-bit ASCII printable character set. The following set of three tables allows you to create such a password.
Roll a die three times (or roll three dice) for each character and then select one of the following three tables, based on what the first roll says:
If first roll=1 or 2 3 or 4 5 or 6
Second Roll Second Roll Second Roll
1 2 3 4 5 6 1 2 3 4 5 6 1 2 3 4 5 6
T 1 A B C D E F a b c d e f ! @ # $ % ^
h 2 G H I J K L g h i j k l & * ( ) - =
i 3 M N O P Q R m n o p q r + [ ] { } \
r 4 S T U V W X s t u v w x | ` ; : ' "
d 5 Y Z 0 1 2 3 y z ~ _ sp < > / ? . ,
6 4 5 6 7 8 9
Note: Roll all three dice again whenever you get a blank. The table entry "sp" means a space character. If you do not want spaces in your password, roll all three dice again whenever you get "sp."
Repeat this procedure eight times to get a maximal strength Unix password. Each random character adds 6.55 bits of entropy. Eight characters provides 52.4 bits of entropy.
224 T
131 C
553 }
215 Y
465 ,
334 u
326 roll again
535 /
364 x
The password is then:
TC}Y,u/x
Easy to remember? Hardly, but it is the only type of password that provides adequate security on many Unix-based systems. Only such full strength passwords should be used for root and administrative accounts or high security user accounts.
Our table of nicknames for special characters can make these paswords a little easier to remember. And if you do not have dice or these tables available, you can also create full strength passwords using a keyboard and coins, so there is no excuse for weak passwords.
If security is less of a concern for user accounts, then eight characters from the following table can be used, preferably with a random special character thrown in. Never use passwords of seven characters or less.
Just roll dice twice for each character and then use this table:
First Roll 1 2 3 4 5 6 S 1 A B C D E F e 2 G H I J K L c 3 M N O P Q R o 4 S T U V W X n 5 Y Z 0 1 2 3 d 6 4 5 6 7 8 9
Each random character adds 5.17 bits of entopy. Eight characters give 41.3 bits of entropy.
If you only want letters, roll the dice again when ever you get a digit. Each random letter adds 4.7 bits of entropy.
Roll a die twice for each digit and then use the following table:
First Roll 1 2 3 4 5 6 S 1 1 2 3 4 5 * e 2 6 7 8 9 0 * c 3 1 2 3 4 5 * o 4 6 7 8 9 0 * n 5 1 2 3 4 5 * d 6 6 7 8 9 0 *
Roll the first die again when ever you get a *. Each random digit adds 3.3 bits of entropy. Note: You really don't need the table to use this method: Just roll a die until you get a number that isn't 6. Then roll the die again. If the second result is even, add 5 to the first number you got. Treat a ten as a zero. That's it.
Roll dice twice for each hex digit and then use the following table:
First Roll 1 2 3 4 5 6 S 1 0 1 2 3 4 5 e 2 6 7 8 9 A B c 3 C D E F 0 1 o 4 2 3 4 5 6 7 n 5 8 9 A B C D d 6 E F * * * *
Roll the dice again when ever you get a *. Each hex digit adds 4 bits of entropy.
One novelty store sells16-sided (d16) dice with markings in Hexadecimal:
There are also d16 dice marked 1 to 16, but you have to remember that 10 is A, 11 is B, 12 is C, 13 is D, 14 is E, 15 is F and 16 is 0. One source is:
You can make a paper d16 die using this template:
You still If you are stuck without dice, you can also use four coins.
Some computer systems insist that a special character be included in your password. Here is how to make them happy. Roll the dice twice and then use the following table:
First Roll 1 2 3 4 5 6 S 1 ! @ # $ % ^ e 2 & * ( ) - = c 3 + [ ] { } \ o 4 | ` ; : ' " n 5 < > / ? . , d 6 ~ _ 3 5 7 9
If you only want special character, roll the dice again when ever you get a digit.
You need to do this if you want to insert one random character in your passphrase for added security, as mentioned in the main Diceware page. Here is how this is done. Pick the column in the table below that corresponds to the number of characters in the chosen word. Then roll one die and look up the number you get on the left hand side of the table. Insert the random character after the selected letter. Zero means put the random character at the beginning of the word.
Number of characters in the word D 2 3 4 5 6 i e 1 1 1 1 1 1 2 2 2 2 2 2 R 3 0 3 3 3 3 o 4 1 0 4 4 4 l 5 2 * 0 5 5 l 6 0 * * 0 6
Roll the dice again whenever you get a *.
Take three different coins (e.g. a U.S. penny, nickel and dime). Shake them up in a cup and dump them on a surface and then look in the following table to get an equivalent die roll (H = Heads, T = Tails).
Results of Coin Toss Penny Nickel Dime D 1 T T T i 2 T T H e 3 T H T 4 T H H R 5 H T T o 6 H T H l * H H T l * H H H
Flip all the coins again when ever you get a *.
One could make a Diceware table indexed by coin tosses. That was my original idea, but 5 dice tosses are a lot more practical for selecting a word than 13 coin tosses. Get some dice!
You can use coins and a standard computer keyboard in lieu of the tables. Take four identical coins. We will use the coin values to form binary numbers, with the coin on the right or bottom being the low order bit and Heads = 1, Tails = 0.
So if the right-most coin is heads, write down a 1, if it's tails write down a zero. If the next coin is heads, write down a 2, heads zero. If the next is heads write down a 4, if heads 0. If the fourth coin is heads write down an 8, otherwise zero. Now add up the numbers you wrote down.
Follow these steps for each character:
Example:
First flips: Coin on the left = H , coin on the right = T: Select row 2 (QWERTYUIOP...)
Second flips: Coins from left to right: HTTH: Select key number 9 which is "P" (remember to count "Q" as zero)
Third flip, T, Use the lowercase version: Final character is "p".
|
