Diceware

Last updated November 21, 2023

Diceware is a method for creating passphrases, passwords, and other cryptographic variables using ordinary dice as a hardware random number generator. For each word in the passphrase, five rolls of a six-sided die are required. The numbers from 1 to 6 that come up in the rolls are assembled as a five-digit number, e.g. 43146. That number is then used to look up a word in a cryptographic word list. In the original Diceware list 43146 corresponds to munch. By generating several words in sequence, a lengthy passphrase can thus be constructed randomly.

A Diceware word list is any list of $65 = 7776 unique words, preferably ones the user will find easy to spell and to remember. The contents of the word list do not have to be protected or concealed in any way, as the security of a Diceware passphrase is in the number of words selected, and the number of words each selected word could be taken from. Lists have been compiled for several languages, including Basque, Bulgarian, Catalan, Chinese, Czech, Danish, Dutch, English, Esperanto, Estonian, Finnish, French, German, Greek, Hebrew, Hungarian, Italian, Japanese, Latin, Māori, Norwegian, Polish, Portuguese, Romanian, Russian, Slovak, Slovenian, Spanish, Swedish and Turkish .$

The level of unpredictability of a Diceware passphrase can be easily calculated: each word adds 12.9 bit s of entropy to the passphrase (that is, $\log _{2}(6^{5})$ bits). Originally, in 1995, Diceware creator Arnold Reinhold considered five words (64.6 bits) the minimal length needed by average users. However, in 2014 Reinhold started recommending that at least six words (77.5 bits) be used.^[1]

This level of unpredictability assumes that potential attackers know three things: that Diceware has been used to generate the passphrase, the particular word list used, and exactly how many words make up the passphrase. If the attacker has less information, the entropy can be greater than 12.9 bits/word.^[2]

The above calculations of the Diceware algorithm's entropy assume that, as recommended by Diceware's author, each word is separated by a space. If, instead, words are simply concatenated, the calculated entropy is slightly reduced due to redundancy; for example, the three-word Diceware phrases "in put clammy" and "input clam my" become identical if the spaces are removed.

EFF wordlists

The Electronic Frontier Foundation published three alternative English diceware word lists in 2016, further emphasizing ease-of-memorization with a bias against obscure, abstract or otherwise problematic words; one tradeoff is that typical EFF-style passphrases require typing a larger number of characters.^[3]^[4]

Snippet

The original diceware word list consists of a line for each of the 7,776 possible five-die combinations. One excerpt:^[5]

... 43136 mulct 43141 mule 43142 mull 43143 multi 43144 mum 43145 mummy 43146 munch 43151 mung ...

Examples

Diceware wordlist passphrase examples:^[3]

dobbs bella bump flash begin ansi
easel venom aver flung jon call

EFF wordlist passphrase examples:^[3]

conjoined sterling securely chitchat spinout pelvis
rice immorally worrisome shopping traverse recharger

The XKCD #936 strip shows a password similar to a Diceware generated one, even if the used wordlist is shorter than the regular 7,776-words list used for Diceware.^[6]

Notes

↑ Brodkin, Jon (27 March 2014). "Diceware passwords now need six random words to thwart hackers". Ars Technica. Archived from the original on 30 September 2017. Retrieved 14 June 2017.
↑ Antonov, Petar; Georgieva, Nikoleta (2020). "Security Analysis of Diceware Passphrases". Information & Security. 47 (2): 276–282. doi: 10.11610/isij.4719 . ISSN 0861-5160. S2CID 222234719. Archived from the original on 2023-09-20. Retrieved 2023-08-28.
1 2 3 "Change Your Password: This New Word List Makes the Diceware Method User Friendly". Observer. 22 September 2016. Archived from the original on 6 October 2022. Retrieved 4 December 2016.
↑ "EFF's New Wordlists for Random Passphrases". Electronic Frontier Foundation. 19 July 2016. Archived from the original on 28 June 2023. Retrieved 4 December 2016.
↑ "Diceware wordlist". world.std.com. Archived from the original on 5 December 2016. Retrieved 4 December 2016.
↑ "explanation of the webcomic and the differences with regular diceware". explainxkcd.com. Archived from the original on 2014-01-25. Retrieved 2021-12-19.

Related Research Articles

A password, sometimes called a passcode, is secret data, typically a string of characters, usually used to confirm a user's identity. Traditionally, passwords were expected to be memorized, but the large number of password-protected services that a typical individual accesses can make memorization of unique passwords for each service impractical. Using the terminology of the NIST Digital Identity Guidelines, the secret is held by a party called the claimant while the party verifying the identity of the claimant is called the verifier. When the claimant successfully demonstrates knowledge of the password to the verifier through an established authentication protocol, the verifier is able to infer the claimant's identity.

A key in cryptography is a piece of information, usually a string of numbers or letters that are stored in a file, which, when processed through a cryptographic algorithm, can encode or decode cryptographic data. Based on the used method, the key can be different sizes and varieties, but in all cases, the strength of the encryption relies on the security of the key being maintained. A key's security strength is dependent on its algorithm, the size of the key, the generation of the key, and the process of key exchange.

<span class="mw-page-title-main">Brute-force attack</span> Cryptanalytic method for unauthorized users to access data

In cryptography, a brute-force attack consists of an attacker submitting many passwords or passphrases with the hope of eventually guessing correctly. The attacker systematically checks all possible passwords and passphrases until the correct one is found. Alternatively, the attacker can attempt to guess the key which is typically created from the password using a key derivation function. This is known as an exhaustive key search.

A passphrase is a sequence of words or other text used to control access to a computer system, program or data. It is similar to a password in usage, but a passphrase is generally longer for added security. Passphrases are often used to control both access to, and the operation of, cryptographic programs and systems, especially those that derive an encryption key from a passphrase. The origin of the term is by analogy with password. The modern concept of passphrases is believed to have been invented by Sigmund N. Porter in 1982.

In computing, a hardware random number generator (HRNG), true random number generator (TRNG), non-deterministic random bit generator (NRBG), or physical random number generator is a device that generates random numbers from a physical process capable of producing entropy, unlike the pseudorandom number generator that utilizes a deterministic algorithm and non-physical nondeterministic random bit generators that do not include hardware dedicated to generation of entropy.

In cryptography, a key derivation function (KDF) is a cryptographic algorithm that derives one or more secret keys from a secret value such as a master key, a password, or a passphrase using a pseudorandom function. KDFs can be used to stretch keys into longer keys or to obtain keys of a required format, such as converting a group element that is the result of a Diffie–Hellman key exchange into a symmetric key for use with AES. Keyed cryptographic hash functions are popular examples of pseudorandom functions used for key derivation.

In cryptanalysis and computer security, password cracking is the process of recovering passwords from data that has been stored in or transmitted by a computer system in scrambled form. A common approach is to repeatedly try guesses for the password and to check them against an available cryptographic hash of the password. Another type of approach is password spraying, which is often automated and occurs slowly over time in order to remain undetected, using a list of common passwords.

S/KEY is a one-time password system developed for authentication to Unix-like operating systems, especially from dumb terminals or untrusted public computers on which one does not want to type a long-term password. A user's real password is combined in an offline device with a short set of characters and a decrementing counter to form a single-use password. Because each password is only used once, they are useless to password sniffers.

In computing, the term munge means to attempt to create a strong, secure password through character substitution. "Munge" is sometimes backronymmed as Modify Until Not Guessed Easily. The usage differs significantly from Mung, because munging implies destruction of data, while mungeing implies creation of strong protection for data.

In Unix-like operating systems, /dev/random and /dev/urandom are special files that serve as cryptographically secure pseudorandom number generators. They allow access to environmental noise collected from device drivers and other sources. /dev/random typically blocks if there was less entropy available than requested; more recently it usually blocks at startup until sufficient entropy has been gathered, then unblocks permanently. The /dev/urandom device typically was never a blocking device, even if the pseudorandom number generator seed was not fully initialized with entropy since boot. Not all operating systems implement the same methods for /dev/random and /dev/urandom.

CipherSaber is a simple symmetric encryption protocol based on the RC4 stream cipher. Its goals are both technical and political: it gives reasonably strong protection of message confidentiality, yet it's designed to be simple enough that even novice programmers can memorize the algorithm and implement it from scratch. According to the designer, a CipherSaber version in the QBASIC programming language takes just sixteen lines of code. Its political aspect is that because it's so simple, it can be reimplemented anywhere at any time, and so it provides a way for users to communicate privately even if government or other controls make distribution of normal cryptographic software completely impossible.

Key generation is the process of generating keys in cryptography. A key is used to encrypt and decrypt whatever data is being encrypted/decrypted.

The security of cryptographic systems depends on some secret data that is known to authorized persons but unknown and unpredictable to others. To achieve this unpredictability, some randomization is typically employed. Modern cryptographic protocols often require frequent generation of random quantities. Cryptographic attacks that subvert or exploit weaknesses in this process are known as random number generator attacks.

A random password generator is a software program or hardware device that takes input from a random or pseudo-random number generator and automatically generates a password. Random passwords can be generated manually, using simple sources of randomness such as dice or coins, or they can be generated using a computer.

Random number generation is a process by which, often by means of a random number generator (RNG), a sequence of numbers or symbols that cannot be reasonably predicted better than by random chance is generated. This means that the particular outcome sequence will contain some patterns detectable in hindsight but impossible to foresee. True random number generators can be hardware random-number generators (HRNGs), wherein each generation is a function of the current value of a physical environment's attribute that is constantly changing in a manner that is practically impossible to model. This would be in contrast to so-called "random number generations" done by pseudorandom number generators (PRNGs), which generate numbers that only look random but are in fact pre-determined—these generations can be reproduced simply by knowing the state of the PRNG.

In cryptography, key stretching techniques are used to make a possibly weak key, typically a password or passphrase, more secure against a brute-force attack by increasing the resources it takes to test each possible key. Passwords or passphrases created by humans are often short or predictable enough to allow password cracking, and key stretching is intended to make such attacks more difficult by complicating a basic step of trying a single password candidate. Key stretching also improves security in some real-world applications where the key length has been constrained, by mimicking a longer key length from the perspective of a brute-force attacker.

Password strength is a measure of the effectiveness of a password against guessing or brute-force attacks. In its usual form, it estimates how many trials an attacker who does not have direct access to the password would need, on average, to guess it correctly. The strength of a password is a function of length, complexity, and unpredictability.

OTPW is a one-time password system developed for authentication in Unix-like operating systems by Markus Kuhn. A user's real password is not directly transmitted across the network. Rather, a series of one-time passwords is created from a short set of characters and a set of one-time tokens. As each single-use password can only be used once, passwords intercepted by a password sniffer or key logger are not useful to an attacker.

The PGP Word List is a list of words for conveying data bytes in a clear unambiguous way via a voice channel. They are analogous in purpose to the NATO phonetic alphabet used by pilots, except a longer list of words is used, each word corresponding to one of the 256 distinct numeric byte values.

OpenPuff Steganography and Watermarking, sometimes abbreviated OpenPuff or Puff, is a free steganography tool for Microsoft Windows created by Cosimo Oliboni and still maintained as independent software. The program is notable for being the first steganography tool that:

References

Internet Secrets, 2nd Edition, John R. Levine, Editor, Chapter 37, IDG Books, 2000, ISBN 0-7645-3239-1

External links

English diceware page has the complete description and word lists in several languages.
A client-side diceware multi-wordlist password generator with complete source code
Web-based diceware app that uses the cryptographically secure getRandomValues() function
English Diceware wordlist from the Electronic Frontier Foundation
diceware on GitHub

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[ars6words-1] Brodkin, Jon (27 March 2014). "Diceware passwords now need six random words to thwart hackers". Ars Technica. Archived from the original on 30 September 2017. Retrieved 14 June 2017.

[2] Antonov, Petar; Georgieva, Nikoleta (2020). "Security Analysis of Diceware Passphrases". Information & Security. 47 (2): 276–282. doi: 10.11610/isij.4719 . ISSN 0861-5160. S2CID 222234719. Archived from the original on 2023-09-20. Retrieved 2023-08-28.

[observer-3] 1 2 3 "Change Your Password: This New Word List Makes the Diceware Method User Friendly". Observer. 22 September 2016. Archived from the original on 6 October 2022. Retrieved 4 December 2016.

[4] "EFF's New Wordlists for Random Passphrases". Electronic Frontier Foundation. 19 July 2016. Archived from the original on 28 June 2023. Retrieved 4 December 2016.

[5] "Diceware wordlist". world.std.com. Archived from the original on 5 December 2016. Retrieved 4 December 2016.

[6] "explanation of the webcomic and the differences with regular diceware". explainxkcd.com. Archived from the original on 2014-01-25. Retrieved 2021-12-19.

[1]

[2]

[3]

[4]

[5]

[6]