Is Diceware a good password method?

Recently, I was wanting to make better passwords, and I happened upon the Diceware method. For those unfamiliar with the method, what you do is roll some dice, and the dice rolls correspond to different words, numbers, and symbols from a list. An example might be: “super low chard oy boom hast.” They look similar to bitcoin seed phrases, oddly enough.

What I’d like to know is if the community thinks this is a good password method. I also use BitWarden and KeePassXC to store them, but I find this method helpful in general because it takes the human equation out of it (plus it’s done offline). Even if an attacker knows that you use Diceware, it would still take a lot of tries for them to find your exact passphrase (or so I would think).

EDIT: The only difficulty I’ve had with this method (at times) is remembering the passphrases, especially if they’re long! I theoretically tested some of these on a “strength checker” (I know they aren’t always accurate, yes) and most said “Very strong” or “overkill.”

Bitwarden also offers the same method in its password generator.

1 Like

When it says overkill, but you’re just sitting there like:

3 Likes

Oh cool! I hadn’t tried their generator, actually.

I was thinking that KeePass did something similar as well, although maybe that was just random strings of characters.

:rofl:

My password manager has this built-in, seems secure enough. I usually use a randomly generated password, but I’ll use a diceware/word password for things I’ll need to type in manually a lot. And I store them both in my password manager regardless of course.

2 Likes

OK, here’s my password (kidding).

As far as I know, it is a very good method as long as you have a minimum number of words. Let’s say you have a 7 word passphrase generated with the Diceware method.

Each word is codified with 5 digits that go from 1 to 6, that is 6^5 = 7776 different words. A brute-force algorithm would have to find the 7 correct words, so that is 7776^7 = 1.7 * 10^27 different combinations (approximately). With logarithms you can check that this is approximately the same as 2^90, so your password would have an entropy of 90 (which is the same as saying you need 2^90 operations at most to crack the passphrase with brute force).

If you want a different amount of words, just keep in mind each word adds 12.9 entropy to the passphrase, so if you want a 5 word passphrase, it would have 12.9*5 = 64.5 entropy (approximately).

All of this, assuming the attacker knows the list of words used and the amount of words. You can find more information on Wikipedia.

PS: ^ refers to exponentiation and * to multiplication, I couldn’t find any math mode.

1 Like
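A worked version of the calculation in the post above, added here as an example and not part of the original thread: it computes the entropy and search space of an n-word Diceware passphrase, maps a five-die roll to a list index, and draws words from a caller-supplied list (the word list, the guess rate and the CSPRNG stand-in for physical dice are assumptions, not values from the post).

```python
import math
import secrets

DICE_PER_WORD = 5
DICEWARE_LIST_SIZE = 6 ** DICE_PER_WORD  # 7776 words, one per 5-die roll


def bits_per_word(list_size=DICEWARE_LIST_SIZE):
    """Entropy of one uniformly chosen word: log2(list size), ~12.9 for 7776."""
    return math.log2(list_size)

def passphrase_entropy_bits(num_words, list_size=DICEWARE_LIST_SIZE):
    """Total entropy when the attacker knows the list and the word count."""
    return num_words * bits_per_word(list_size)

def search_space(num_words, list_size=DICEWARE_LIST_SIZE):
    """Exact number of distinct passphrases (7776**7 for the 7-word case)."""
    return list_size ** num_words

def words_needed(target_bits, list_size=DICEWARE_LIST_SIZE):
    """Smallest word count that reaches a target entropy, e.g. 100 bits."""
    return math.ceil(target_bits / bits_per_word(list_size))

def seconds_to_exhaust(bits, guesses_per_second):
    """Worst-case brute-force time at an assumed guess rate (2**bits guesses)."""
    return 2.0 ** bits / guesses_per_second

def rolls_to_index(rolls):
    """Map five die faces (1..6) to a 0-based list index, reading the roll
    as a base-6 number: (1,1,1,1,1) -> 0, (6,6,6,6,6) -> 7775."""
    index = 0
    for face in rolls:
        if not 1 <= face <= 6:
            raise ValueError(f"invalid die face: {face}")
        index = index * 6 + (face - 1)
    return index

def roll_word_index(rng=secrets.randbelow):
    """Simulate five rolls with a CSPRNG; real Diceware uses physical dice."""
    return rolls_to_index(tuple(rng(6) + 1 for _ in range(DICE_PER_WORD)))

def generate_passphrase(wordlist, num_words):
    """Pick num_words entries; the list must have exactly 6**5 entries so
    every roll maps to a word and every word is equally likely."""
    if len(wordlist) != DICEWARE_LIST_SIZE:
        raise ValueError("wordlist must contain 7776 entries")
    return " ".join(wordlist[roll_word_index()] for _ in range(num_words))
```

Calling `passphrase_entropy_bits(6, 26)` shows that six uniformly random lowercase letters carry only about 28 bits, and a deterministic rewrite such as spelling them out in a phonetic alphabet adds no entropy at all.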

Thanks - I knew what the symbol meant (math is one of my many interests)! And OK, considering if you have a large amount of words (and/or symbols), this sounds like a good method to use - that is, until someone makes a program capable of cracking even these passphrases!

Unless they can check what your die roll was, cracking it would mean a brute-force algorithm, so it’s not about a program, it’s about if the attacker has enough computational power to try 2^90 different combinations (in a 7 word passphrase).

2 Likes

I knew I should’ve installed MathJax

3 Likes

I’m a little confused by this since you said you use KeePassXC and Bitwarden to store your passwords. It doesn’t matter if you can’t remember a password to a site or not because the password managers do that for you. The nice thing about KeePassXC is that the desktop version also has TOTP built into it, so you don’t even need another app to do 2FA.

Diceware… https://xkcd.com/936/
and: https://www.explainxkcd.com/wiki/index.php/936:_Password_Strength (see “People who don’t understand information theory and security”, since the links below do come from Schneier)
and: https://www.eff.org/dice (at least use the long list, and 6 words minimum; better would be 10 words, which is over 100 bits of entropy iirc)
then this: https://www.schneier.com/blog/archives/2014/03/choosing_secure_1.html
(a lot of comments worth reading through too)
also: https://www.schneier.com/blog/archives/2012/03/the_security_of_5.html

Edit to add: each Diceware word adds ~13 bits of entropy, not 10 as I mentioned.

Diceware is the recommended way to generate passphrases that you need to recall from memory. Good examples are your password manager’s master password or your QubesOS login.
As you mentioned it is more secure than making up a passphrase by yourself because it is truly random. People tend to use words which could be easily guessed by an attacker who knows that person well.

1 Like

That doesn’t sound very practical! I’m thinking that they would move on to an easier target. :wink:

I don’t have a problem remembering them on this computer, but sometimes if I need to sign in on a different device, that’s when it’s an issue. I guess you need to install the same password manager on all your devices, eh?

Which password manager do you use? KeePass?

I read somewhere that ‘password’ is a virtually unbreakable password :blush:

If you want easy-to-remember passwords, you might consider something like this…

easy to remember: catbox
convert using a phonetic alphabet…
charlie alpha tango bravo oscar xray
or
charliealphatangobravooscarxray

I’m really not sure how secure that method is; you’d have to research it.

I currently use KeePassXC and I am loving it.
It even has its own built-in password generator!

1 Like