Over Easy: Snowden Explains Passphrases
Most of us are now aware of the need to create secure passwords/passphrases to protect our online lives, as much as that is possible. There has been a lot of discussion in the past couple of years about password security, and the warning that we should use longer, complex passphrases, rather than short passwords. Unfortunately, most people still use a password or phrase that may seem complicated, but is easily guessable — and then use the same password for email, bank accounts, and other personal information.
Many websites still limit us to 8 character passwords, because their underlying databases can’t handle longer ones, but they aren’t keeping our information safe. We should no longer create or use a password, but should attempt to create a passphrase we can remember that would be difficult for hacking algorithms to crack. Once we’ve created strong passphrases, we can use password manager software to keep track of them so we don’t resort to writing them on sticky notes affixed to our computers. I use LastPass, and it is excellent.
No less an expert than Edward Snowden, in the interview above with John Oliver on Last Week Tonight, discussed the importance of passphrases. If you can’t watch the ~3 minute video, Snowden explains to John Oliver that even a complex password with letters and numbers, mixed case, and special characters, can be cracked in seconds. He guides Oliver to the realization that a clever phrase is both memorable and more secure. But if you use a common or familiar phrase, it is useless. Many people who try to create a passphrase use well known phrases from books, popular movies, memorable quotes, sports teams, or other proper nouns, and those are easily guessed.
If you don’t think you can come up with a memorable passphrase like Snowden’s margaretthatcheris110%SEXY, there’s a way to create a passphrase using the Diceware passphrase method.
Diceware™ is a method for picking passphrases that uses dice to select words at random from a special list called the Diceware Word List. Each word in the list is preceded by a five digit number. All the digits are between one and six, allowing you to use the outcomes of five dice rolls to select a word from the list.
Here is a quick summary of the directions at the Diceware website. You need one or more ordinary dice. Download the complete Diceware word list which has 7776 short words, abbreviations and easy-to-remember character strings, each preceded by a 5 digit number. Decide how many words you want in your passphrase. Now roll the dice and write down the numbers resulting from each roll in groups of five. Make as many of these five-digit groups as you want words in your passphrase. Finally, look up each group of five rolls (numbers) in the Diceware word list by finding the number in the list and writing down the word next to the number. It takes a bit of effort to memorize the phrase, but there are suggestions to help. You also can use a password manager as mentioned above.
The Intercept recently had an article featuring Diceware: Passphrases That You Can Memorize — But That Even the NSA Can’t Guess (my bold)
The strength of a Diceword passphrase depends on how many words it contains. If you choose one word (out of a list of 7,776 words), an attacker has a one in 7,776 chance of guessing your word on the first try. To guess your word it will take an attacker at least one try, at most 7,776 tries, and on average 3,888 tries (because there’s a 50 percent chance that an attacker will guess your word by the time they are halfway through the word list).
But if you choose two words for your passphrase, the size of the list of possible passphrases increases exponentially. There’s still a one in 7,776 chance of guessing your first word correctly, but for each first word there’s also a one in 7,776 chance of guessing the second word correctly, and the attacker won’t know if the first word is correct without guessing the entire passphrase.
This means that with two words, there are 7,7762, or 60,466,176 different potential passphrases. On average, a two-word Diceware passphrase could be guessed after the first 30 million tries. And a five-word passphrase, which would have 7,7765 possible passphrases, could be guessed after an average of 14 quintillion tries (a 14 with 18 zeroes).
I think I like those odds! It seems worth a bit of extra effort, doesn’t it?
Note: Effective today, I am stepping down from my regular Friday Over Easy duty. I am not leaving FDL; I will be around in the comments and available to help fill in, or bail someone out who has run into posting difficulty, as I have been doing. But I’ve just added a new personal obligation to an already full plate, and available hours and brain cells are seriously stretched. I do hope someone will step up to take my place and add a new voice and perspective to the lively mix here at Over Easy!