36

Everyone knows the words used in Diceware passwords (all 6^5 = 7776 words are published) -- they're all common words. Everyone seems to know that we're not supposed to use dictionary words for passwords because the "dictionary attack" can rapidly guess a single dictionary word. So it seems reasonable to leap to the conclusion that a dictionary attack can also guess a Diceware passphrase pretty quickly.

Can a dictionary attack mounted now (2012) crack a Diceware passphrase before 2033?

In particular, is the claim on the Diceware page "A seven word pass phrase is thought to make attacks on your passphrase infeasible through 2033." accurate?

Is that still true even if the attacker knows that I always use Diceware passphrases, and knows which language I use?

How does a five-word Diceware passphrase compare to the common recommendation of 9 "completely random-looking gibberish" characters?

(I'm asking a very specific question about the recommendations on the Diceware page, since related questions passphrases - lowercase and dictionary words and XKCD #936: Short complex password, or long dictionary passphrase? seem to get sidetracked onto things that are not really Diceware passphrases).

Community
  • 1
David Cary
  • 2,720
  • 4
  • 19
  • 20
  • 2
    Looking at the xkcd question - the answers there appear to cover off this question completely, especially danbeale and dr jimbob's answers. – Rory Alsop Jan 03 '12 at 08:59
  • 3
    Diceware *assumes* that everyone is doing a known dictionary attack when they calculate how long it takes to crack. If you aren't doing a dictionary attack, it's far *more* secure. – endolith Feb 06 '16 at 15:30
  • When you're evaluating the strength of a password generation scheme, what you are really evaluating is how much entropy is involved in generating the password, and how much of that entropy is preserved in the final output. Good generation method like Diceware preserves 100% of the entropy generated by the random number generator and, given some assumptions, the amount of entropy involved in diceware is quite trivial to calculate and fyi compare with other password generation methods. – Lie Ryan Aug 10 '16 at 02:27
  • What about a classic deciphering technique, using letter frequency gleaned from the Diceware list or from English? You can even do it positionally: the first letter is most likely to be this, and the second is most likely to be that. If you know there are five words, you can add the space in as a possible character. Of course, this suggests you know its a Diceware phrase - and the number of words. – Mei Sep 08 '16 at 18:23
  • That would be *even harder* than just combining the actual words. – Ben Jul 06 '17 at 14:40

4 Answers4

40

5 Diceware words = 77765 = 28430288029929701376 possible equiprobable passphrases.

9 random characters = 949 = 572994802228616704 possible equiprobable passwords.

The 5 Diceware words are 49.617 times better than the 9 random characters. On the other hand, 10 random characters would be almost twice as good as the 5 Diceware words (but the Diceware words are probably much easier to remember). (I assume that your "gibberish characters" are ASCII printable characters, excluding space.)

With seven words, the number of possible and equiprobable passphrases is a bit higher than 290, which is indeed quite high; even if the employed password hashing scheme has been horribly botched (no salt, simple hashing), this still exceeds by a comfortable margin what can be done with today's technology.

The important word is equiprobable. This is what makes the analysis above possible and accurate. This assumes that both your Diceware words, and the 9 "random-looking gibberish characters", are chosen with a truly random uniform process, such as, for instance, dice. And not at all by a human being in the privacy of his brain, imagining that he can make random choices out of pure thought (or, even worse, witty non-random choices). Humans are just terrible at randomness.

Thomas Pornin
  • 320,799
  • 57
  • 780
  • 949
10

I think the easiest way to convince yourself of the security of Diceware is not to get hung up on the dictionary and instead focus on the dice rolls. The idea of Diceware, seen from this angle, is the following:

  • If you have an algorithm that can crack an n-word Diceware passphrase, then the same algorithm can be trivially adapted to guess the results of the user's n × 5 consecutive dice rolls in the same amount of time. Why? Because a Diceware passphrase is really just a mnemonic for the outcome of those dice rolls. If you guess their passphrase successfully, the public dictionary allows you to infer what they rolled.
  • The converse is true as well: a dice roll guessing algorithm works equally well for cracking Diceware passphrases. If you can guess the user's dice rolls, the public dictionary means that you can infer their passphrase as well.

So we don't need to bother thinking about dictionary attacks or anything of the sort, because we can tell that cracking a n-word Diceware passphrase is exactly as difficult as guessing the outcome of n × 5 consecutive dice rolls. And this is assuming an attacker who already knows quite a lot:

  1. That the passphrase was generated with Diceware;
  2. The exact dictionary that was used;
  3. The exact number of words in the passphrase.

So how hard is it to guess dice rolls? Well, there is just no clever way of predicting sequences of dice rolls, because they're uniformly random—all possible outcomes are equally likely. So all you can do is try all combinations. And playing around with the order of the guesses—which is effective when guessing human-selected passwords—will not increase your chances of early success against dice rolls.

Or in other words, a dictionary attack works against human-selected passwords because it puts more likely passwords ahead of less likely ones, which decreases the average time until you hit the correct guess. But if all passwords are equally likely—as Diceware guarantees—the dictionary attack doesn't help at all.

Luis Casillas
  • 10,181
  • 2
  • 27
  • 42
2

Think of the Diceware list as a list of 7776 characters. Would you rather choose from a list of 7776 characters or 94 characters? (94 is about the numbers of characters on typical keyboards.)

When you think about the Diceware list at a long list of characters and the length Diceware words provide is a tough system to beat. As computers become stronger and faster, just add a word or two.

SilverlightFox
  • 33,408
  • 6
  • 67
  • 178
Mark Brandyberry
  • 29
  • 1
1

According to this article, even if we have a password cracking mechanism optimized only for random passphrases, a.k.a. "passphrase token attack", it's still way more secure than the alternatives.

ZenVentzi
  • 111
  • 3
  • 1
    +1. Thank you for the article. Alas, that article describes something that is not really a Diceware passphrase -- it never mentions the 7776 words in a Diceware word list, and never mentions any of the details of how the words are selected. As Luis Casillas points out, it's the dice rolls that give Diceware its provable security. – David Cary Jul 07 '21 at 03:39