Criticism of Diceware for Secure Passphrases |
See the official Diceware homepage and the Diceware FAQ page for background information and downloads. The overall method proposed by Arnold G. Reinhold is useful and secure. The throwing of dice is sufficiently random, and a word list of 7776 entries provides enough combinations to make a passphrase secure with a modest number of words in the phrase. The number 7776 is the result of using a base-6 number system. Dice have only six digits (1-6) and no zero, so 5 dice provide combinations from 11111 to 66666. In the base-10 number system, that would be 6^5 (six to the 5th power), which is 7776. Choosing a passphrase can be done entirely offline, making the method pretty darn secure against a wide range of software and hardware attacks. You print out a word list, which includes a 5-digit number beside each entry. Throw 5 dice, and read the number. Look up the corresponding word and write it on a piece of paper. Another throw of the dice provides the next word in the phrase. 5 words (out of 7776) is ~ 2.8E+19 combinations (2.8 times 10 to the 19th power) 6 words is ~ 2.2E+23 combinations 7 words is ~ 1.7E+27 combinations 8 words is ~ 1.3E+31 combinations 9 words is ~ 1.0E+35 combinations 10 words is ~ 8.0E+38 combinations (~128-bit security) How many words should your passphrase include? Reinhold says: "A five word passphrase provides a level of security much higher than the simple passwords most people use. We recommend a minimum of six words for use with GPG, wireless security and file encryption programs. A seven, eight or nine word pass phrase is recommended for high value uses such as whole disk encryption, BitCoin, and the like." Criticisms The reason for using a passphrase instead of a set of random characters is the former is easier to remember. But many of the entries in the Diceware word list are more or less like random characters. They are not actual words, and so they are difficult to remember. For ease of retention, each word in the list should be: * familiar * easy to spell * easy to pronounce (since pronunciation aids memorization) * an actual word Some of the words in the Diceware list are obscure; others are difficult to spell or pronounce. Many entries are not actual words. These types of entries reduce the advantage of a passphrase. A passphrase word list should include as many familiar, simple, easy-to-spell words as possible. Non-letter characters should be excluded or kept to a minimum. An alternate version of the Diceware word list, by Alan Beale, is really not an improvement. It adds entries that could easily cause problems with any software program, spreadsheet, or database that attempts to use the list. Some of the entries are "reserved words", which are sets of characters that function as code in programs, rather than as text. For example, the Beale list includes four double-quote marks as one of its entries (""""); quotes are used in many programs to specify text input. The list also includes the symbols for addition (+), subtraction (-), and percent (%), as well as a double percent entry (%%); these might be interpreted by some programs as mathematical operations, rather than "words". The Beale list includes a symbol which means "nine to five" (9-5), but which the spreadsheet program Excel interpreted as "5-Sept". The list includes fractions (e.g. 1/2, 1/3, 1/4, 1/8) which might be treated as numerical values in decimal notation by some programs. It includes times (e.g. 11:00, 11:30), which Excel automatically changed to "11:00:00 AM". The Beale list also includes individual punctuation marks as entries (e.g. ; : ! ?) as well as parentheses: a pair as one entry, and each individual parenthesis, open and close, as individual entries. Then there are three entries, a letter or two in parentheses -- (TM) (C) (R) -- which MS-Word automatically changes to the symbols for trademark, copyright, and registered copyright. Use of reserved words, punctuation, and various mathematical and chronological terms as entries for a passphrase is royally stupid. Do not use the Beale version of the Diceware word list!! Here's a humorous explanation of this problem: xkcd: Exploits of a Mom There is also a (mostly theoretical) security weakness in the official Diceware word list. Single character and double character entries weaken the security of the passphrase because it is easier to brute force the entry by trying every character than by trying every entry in the word list. I'm not sure if this theoretical weakness is of much practical value to an opponent. But let's suppose that a passphrase is comprised mainly or entirely of the one and two character entries from the word list. The passphrase could be brute forced by trying every character more easily than by trying every word in the list. And that is not what you want. Now if a passphrase contains a minority of these 1- or 2-character entries, perhaps this weakness is of no advantage to an opponent. But then again, we cannot claim that a system is secure, merely because we cannot see how an opponent could take advantage of a known weakness. Therefore, the minimum number of characters for a secure word list is 3. At 26 characters raised to the 3rd power (17,576), this length is secure because there are more possible character combinations than entries in the word list. One and two character entries are not secure. Assuming a simple character set with lower case letters only, 26 characters to the 2nd power is only 676 possibilities, plus 26 more for single letter entries. Adding numbers and a few common symbols brings the character set up to about 40 for only 1640 possibilities for a one or two character entry. Whenever the number of possible combination for an entry is less than 7776, the entry is possibly not secure, and so should be excluded. Another issue is the decision to limit entries to no more than 6 characters. There is a trade-off here. Shorter words make the passphrase faster to type. The average word length is 4.25 characters. But when you have a word list of 7776 entries, and you limit the length to 6 characters or less, you run out of familiar, easy to spell, and easy to pronounce words. My take is that a long passphrase should not be frequently used. It lowers the security of the passphrase, regardless of its length and complexity, if you are repeatedly typing it out several times a day. For online passwords, use a password manager. For infrequently used passwords that require high security, take the extra time to type longer words. This will enable a word list with entries that are easier to remember. It is worth the trade-off. I've put together a couple of new word lists for Diceware. The Combined list is the official Diceware list, plus the Alan Beale list, minus: * one or two character entries * non-letter characters * anything that is not a word * obscure or difficult to remember words The result is a 7776 word list that may be a little more secure and a little easier to remember. The Improved word list is a new list, which accepts the trade-off of using longer words, which are more familiar and easier to remember. * Diceware official word list (7776 entries) * Alan Beale alternate Diceware list (7776 entries) * Combined Diceware list (7776 entries) - Official list plus Beale list minus: entries with non-letter characters, abbreviations, obscure words, entries too similar to other entries, and anything shorter than 3 letters. * Improved Diceware list (7776 entries) - New list - longer words (3 to 10 letters) that are more familiar and easier to remember. Diceware: All Four Versions (7776 x 4) - a tab-delimited database file, numbered in base 6 from 11111 to 66666, with the Official list, Beale list, Combined list, and the Improved list. Return to: Secure Password and Passphrase Resources |