0

I finished reading the Code Book by Simon Singh, I'm interested in playing with some of the ideas in the book to help increase my own understanding. I don't intend to implement the following in any consequential settings; I'm only interested in exploring the security implications.

I want to generate alternate diceware lists that have quirks, like each word is typed with the left hand only, or keystrokes alternating hands when typing. Assuming I can generate 7776 different strings, and am able to follow all of the other guidelines of diceware, are all diceware lists equally secure?

In the German Enigma Machine no letter could be encoded to itself (ex, a cannot be encoded to a). This detail helped crack the code. However I don't think this applies here, the strength of the password doesn't rely on a cipher. I don't see why 6 or 7 strings randomly chosen from a list of 7776 wouldn't have the same entropy, no matter the list. Theoretically, it could just consist of 7776 different binary lines couldn't it?

I understand that additional rules to password generation sometimes decrease security. If an attacker knows my diceware list, does it matter if every entry consists of only 15 unique characters of the left hand? Is there less entropy?

bbenz
  • 15
  • 5

2 Answers2

1

Creating a length 10 string of characters randomly chosen from an alphabet of 7776 unique symbols will have a bit entropy of log(7776^10,2) or almost 129 and a quarter bits.

However as noted by Arnold G. Reinhold, 7776 is a lot of words and you tend to run out quickly when you start to talk about words that you can remember while presumably avoiding risque words when it's a password at work or possibly used to encrypt something you're going to send to someone else.

IMO: Both lists could use some work as typing out 10 randomly chosen words from either is quite the exercise in dexterity, and in practice copy/paste has issues with apostrophes, ellipsis and other annoying punctuations/emoji

Gregor y
  • 139
  • 4
1

Assuming I can generate 7776 different strings, and am able to follow all of the other guidelines of diceware, are all diceware lists equally secure?

The security of Diceware comes down to this:

  • Each distinct sequence of dice roll results is equally probable as all the others.
  • Each distinct sequence of dice roll results is mapped to a distinct passphrase.

This requires that all 7,776 items in the dictionary be distinct, but also that their concatenations be unambiguous; e.g., if dis, inter, national, disinter and international are all in the dictionary, then there would be dice roll results (although of different lengths) that produce passphrases that could collide. The degradation in security, though, is minimal for each individual such collision.

Note that there's a lot of concepts in information theory about this, e.g., prefix-freeness.

Luis Casillas
  • 10,181
  • 2
  • 27
  • 42