The Diceware method of password generation is simple, secure and easy to use

When registering an account on a website:

  • Why do websites not suggest to their users to use the diceware method?
  • Why do websites not include a diceware based password generator?
  • What other reasons make this a bad idea?
schroeder
  • "It's good so everyone should use it. Why don't they?" This is not so much a security question. Telling people how to secure themselves goes beyond typical responsibility. Also, there are liability issues for recommending something that is not also recommended by authorities. – schroeder Mar 22 '20 at 16:08
  • Websites generating passwords for users has inherent security issues. – schroeder Mar 22 '20 at 16:09
  • "Websites generating passwords for users has inherent security issues." Could you expand on that? – user922367 Mar 22 '20 at 18:24
  • "Telling people how to secure themselves goes beyond typical responsibility." People are not educated on password strength. Providing an easy to use tool and/or educating them seems like an obvious way to improve security. – user922367 Mar 22 '20 at 18:36
  • Websites are not supposed to know your password. If they ***generate*** it for users, you defeat the purpose. – schroeder Mar 22 '20 at 19:59
  • "People are not educated. This is a way to help!" does not address my point at all. The ***target website*** doing this goes beyond. Educate? Sure. But as a generic awareness campaign, not at point of registration. – schroeder Mar 22 '20 at 20:00
  • "Websites are not supposed to know your password. If they generate it for users, you defeat the purpose." You can generate them in the users browser using the WebCrypto API or another crypto library like sodium. This way the website never knows about the generated password. – user922367 Mar 22 '20 at 20:43
  • "The target website doing this goes beyond. Educate? Sure. But as a generic awareness campaign, not at point of registration." Where else would users get the relevant information? If they were interested in security they would have educated themselves about it and the problem would not exist. – user922367 Mar 22 '20 at 20:50
  • Yes, you could generate them client-side in the browser, but that's far too close for comfort. Those processes need more than just a Chinese Wall. Just because it is technically possible does not make it a good idea or something that people would be ok with. – schroeder Mar 22 '20 at 21:16
  • Again, not at the point of registration. It would be like the ATM offering financial advice when you withdrew cash. It's not the appropriate place and it creates liabilities for the company if people follow it (or follow it poorly) and things go badly. – schroeder Mar 22 '20 at 21:18
  • Could you expand on the liability issue? – user922367 Mar 23 '20 at 10:45
  • "Do this and you will be more secure" The person does it and the password is still exposed. "I did what you said and I still got hacked! You said I would be more secure!" Now the specific advice becomes a problem. That's why companies only offer advice that is industry standard or provided by an authority. – schroeder Mar 23 '20 at 10:47
  • Am I correct in assuming that the problem is phrasing and that it can be done in a way that avoids liability issues? Also: Could you point me to other resources that elaborate on this kind of liability issue or give me a name/phrase that describes them so I can read more on that? – user922367 Mar 23 '20 at 10:54
  • The details on liability will depend on jurisdiction and is more of a legal question if you want to get into it. – schroeder Mar 23 '20 at 10:56
  • @schroeder, those liability issues are still a mystery to me. How does every security professional deal with that then? And don't antiviruses or any security software actually tell you or imply that you will be more secure? I once checked the terms of service of a security service, and it said the service was provided "AS IS" without any warranty. And that was a very popular security service. So I'm still puzzled. – reed Mar 23 '20 at 10:56
  • @reed how each professional deals with it depends on context (and the contract). No security software will tell you that you will be "more secure". Software says that it will do specific, measurable things. In marketing, they will say things like "help secure" or use "secure" as a verb and not an end state. – schroeder Mar 23 '20 at 10:59

2 Answers

It might not be a bad idea, but it's not worth it anyway. Here's a few reasons I can think of:

  • Implementing a secure password generator is not trivial, so that would be one more problem for the site developers to think about.
  • Recommending strong random passwords on every website means that the user will end up having a different strong random password for every website. But to manage them they will need a password manager, because they can't remember all those passwords. And password managers usually already include a strong random password generator, so what's the purpose of implementing another one on the websites?
  • Very strong passwords are not even needed for online services, because brute-forcing is relatively slow and it's pretty easy to detect. So detecting attacks, throttling and banning are a better investment.
  • Using online password generators that you can't trust is considered bad practice by many security professionals. Even if the risks are mitigated by only using the password on the same website that generated it, it would still feel wrong. And I don't think it's a good idea to implement something that to many experts is going to "feel wrong". So it's yet another reason to stick to the common best practices and generate your own passwords offline.
reed
  • "Implementing a secure password generator is not trivial" Implementing a [Cryptographically secure pseudorandom number generator](https://en.wikipedia.org/wiki/Cryptographically_secure_pseudorandom_number_generator) is not trivial. But as a developer you do not have to implement one yourself. From within the browser you can use the [WebCrypto API](https://developer.mozilla.org/en-US/docs/Web/API/Crypto/getRandomValues) and elsewhere a library like [Libsodium](https://download.libsodium.org/doc/generating_random_data). – user922367 Mar 23 '20 at 11:06
  • @user922367, yeah, probably. But let me tell you, if you had a website with a password generator, I would not use your generator. I would just feel like it's against the best security practices I've learned, and I'd stick to my offline method of generating new passwords. I'll just add a related point to my answer. – reed Mar 23 '20 at 11:12
  • "Even if the risks are mitigated by only using the password on the same website that generated it, it would still feel wrong." I have not thought about that. Would you distrust a website that suggests a generated password or just not use the suggestion? And since it is subjective do you know if there is material that elaborates on that? Like studies or people writing/speaking from experience about it. I would like to know if that feeling is a common reaction, that could scare people off or if it is limited to few. – user922367 Mar 23 '20 at 11:34
  • @user922367, I don't know. All I know is that your methods are not common, so people might be confused. I don't think people in general would be scared though. But security professionals might be like "hmm WTF". I personally would not stop trusting your website only because of this, but I'd use MY generator anyway. So it's not a mortal sin IMO, but at the same time it still "smells" a bit. This is just my opinion anyway. – reed Mar 23 '20 at 11:48
Because it doesn't solve the issue of password re-use, which is one of the biggest issues with less savvy internet users. People can still only remember so many passwords unassisted.

However, most password management solutions (other than a paper notebook) offer both the ability to store passwords by site, and thus avoid re-use, and the ability to generate suitably long and random passwords that meet various site password requirements, rendering the need for Diceware somewhat obsolete.

Also, given the number of websites that still keep getting caught out with bad basic password hygiene (not salting, not hashing, or inappropriate hashes), would you really trust everywhere that much to do this securely? If this becomes common practice we'll have a whole new vector of math.random() fun to enjoy.

Jack
  • "it doesn't solve the issue of password re-use" It can significantly reduce the negative impact of password re-use, because if the password itself is strong and properly [stretched](https://en.wikipedia.org/wiki/Key_stretching), even when the website's database is compromised, for the foreseeable future the hashed password will most likely not be recovered. – user922367 Mar 23 '20 at 10:42