Strong passwords with Diceware (dkolf.de)

Abstract

With this article I would like to advocate for generating strong passwords using a method called Diceware.

Author: David Heiko Kolf, 2025-01-26.

Introduction

Passwords are often required for computer security. For many purposes such as website logins you can use a password manager such as KeePass to generate and store your passwords. But there are some situations where you need to remember and enter a password by hand: for example when logging in to your computer or for encrypting your password manager file.

The classic method for generating passwords, which unfortunately is still often mandated by (outdated) security policies, is to choose a word and mangle it: insert special characters, digits and capital letters. Unfortunately this leads to passwords that are easy for a computer to crack but hard for a human to remember (relevant XKCD comic).

In 1995 Arnold Reinhold recommended creating passwords by using dice. Unfortunately at the time of writing this article his website appears to be down, so I will link to the Wikipedia article on Diceware instead. In short: the randomness comes entirely from the dice rolls, and the word list exists only so that you can memorise those rolls as words.

In 2016 the Electronic Frontier Foundation published their own article on dice-generated passphrases with improved word lists.

Example

I recommend the EFF's second short list, in which every word is uniquely identified by its first three letters, so you only need to type those three letters when entering the passphrase (even without a hypothetical auto-complete feature as described in Joseph Bonneau's article on dice-generated passphrases).

For this example I rolled the following numbers: 2415, 1124, 6625, 4524, 5266, 3354, 5453, 1411.

Looking up those numbers in the word list gives the following results:

Since I used the list where the first three letters are always unique, I only need to input those letters. The final password would be "eagabuwronuprargyrsanaty". Relatively short to type but still possible to remember if you know the original words. If you have to keep some archaic password policies happy (capital letter, special character, numbers), just extend it: "Eagabuwronup-25-rargyrsanaty".

The strength of the generated password can be measured as 82.7 bits: each die roll adds log2(6) ≈ 2.585 bits of entropy and there were 32 die rolls (8 words × 4 dice). Note that the "-25-" added to satisfy a policy contributes nothing to this figure if it is chosen predictably; the strength comes from the dice, not from the decoration.
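The procedure above as runnable code, an example added to this article and not the author's own: it parses a word list in the layout the EFF files use (one four-digit roll and one word per line), converts a roll such as 2415 to its position in the list, checks the unique-three-letter-prefix property before abbreviating, and computes the entropy figure. The embedded word list is a constructed six-entry placeholder, not the real EFF list, so the CSPRNG-based generator (a stand-in for physical dice) deliberately refuses to run on it; feed parse_wordlist the real file to use that part.

```python
"""Diceware helpers: word-list parsing, roll-to-index, prefix check, entropy."""
import math
import secrets

DIE_SIDES = 6
DICE_PER_WORD = 4                        # EFF short lists: 6**4 = 1296 words
FULL_LIST_SIZE = DIE_SIDES ** DICE_PER_WORD

# Constructed sample in the EFF file layout ("<roll><tab><word>" per line).
# The words are placeholders chosen for this example, not entries of the
# real EFF list; they only let the parser and lookups run offline.
SAMPLE_WORDLIST = """\
1111\tacorn
1112\tadrift
1113\taflame
1114\tagenda
3456\tmango
6666\tzipper
"""


def parse_wordlist(text):
    """Parse '<roll> <word>' lines into {roll: word}; reject malformed rolls."""
    table = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        roll, word = line.split()
        if len(roll) != DICE_PER_WORD or any(c not in "123456" for c in roll):
            raise ValueError(f"bad dice roll {roll!r}")
        if roll in table:
            raise ValueError(f"duplicate roll {roll!r}")
        table[roll] = word
    return table


def roll_to_index(roll):
    """Map a roll like '2415' to its 0-based position: base 6 with digits 1..6."""
    index = 0
    for digit in roll:
        index = index * DIE_SIDES + (int(digit) - 1)
    return index


def roll_dice(count, randbelow=secrets.randbelow):
    """Stand-in for physical dice: `count` CSPRNG rolls, each '1'..'6'.
    Never substitute random.random() here; it is not a cryptographic generator."""
    return "".join(str(randbelow(DIE_SIDES) + 1) for _ in range(count))


def shared_prefixes(words, length=3):
    """Prefixes used by more than one word. Empty means abbreviating every
    word to its first `length` letters loses nothing (the property the
    EFF short list #2 guarantees for length 3)."""
    by_prefix = {}
    for word in words:
        by_prefix.setdefault(word[:length], []).append(word)
    return {p: ws for p, ws in by_prefix.items() if len(ws) > 1}


def abbreviate(words, length=3):
    """Concatenate the first `length` letters of each word."""
    return "".join(w[:length] for w in words)


def entropy_bits(num_dice, sides=DIE_SIDES):
    """Each fair die contributes log2(sides) bits; decorations like '-25-' add none."""
    return num_dice * math.log2(sides)


def is_complete(table):
    """True only for a full 1296-entry list; lookups on a partial list can miss."""
    return len(table) == FULL_LIST_SIZE


def passphrase_from_rolls(rolls, table):
    """Look up recorded rolls (e.g. from physical dice) and return the words,
    their three-letter abbreviation and the entropy of the dice behind them."""
    words = [table[r] for r in rolls]
    return words, abbreviate(words), entropy_bits(len(rolls) * DICE_PER_WORD)


def generate_passphrase(table, num_words):
    """Roll with the CSPRNG instead of dice; requires a complete, prefix-unique list."""
    if not is_complete(table):
        raise ValueError("need a complete %d-word list" % FULL_LIST_SIZE)
    if shared_prefixes(table.values()):
        raise ValueError("list lacks unique 3-letter prefixes; do not abbreviate")
    rolls = [roll_dice(DICE_PER_WORD) for _ in range(num_words)]
    return passphrase_from_rolls(rolls, table)


if __name__ == "__main__":
    table = parse_wordlist(SAMPLE_WORDLIST)
    words, short, bits = passphrase_from_rolls(["1111", "3456", "6666"], table)
    print(words, short, round(bits, 1))
    print("32 dice ->", round(entropy_bits(32), 1), "bits")
```

The prefix check matters more than it looks: abbreviating a list that does not guarantee unique three-letter prefixes would silently merge words, reducing the keyspace below what the dice count suggests, so the generator refuses to abbreviate unless the check passes.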

Are improvements possible for touch?

For many people nowadays the primary interaction with computers is through smartphones and tablets, which only offer touch interfaces. I wonder whether it might be possible to design a user interface that makes entering those words easier than the usual touch keyboard.