Diceware

Ask questions and give answers about computers, mobile devices, game boxes, PC security and all manner of geeky stuff.
Post Reply
User avatar
yogi
Posts: 4407
Joined: 14 Feb 2015, 15:49

Diceware

Post by yogi » 18 Aug 2016, 15:38

Given the number of database breakins on large corporate computer systems, there seems to be a big push to create and use more robust passwords. While that is not bad advice, I've always thought the better approach would be to make the databases more secure instead of burdening the users with ridiculous requirements for password credentials. There is no standard and it seems that every serious minded website has it's own ideas about what is weak and what is robust.

The best passphrases and passwords have a lot of built in entropy, i.e., randomness. Surprisingly, all those crazy combinations of upper and lower case letters mixed in with numbers and special characters are not necessarily robust. The length of the phrase is the key to success, and now there is a way to generate nearly fool proof pass phrases that can easily be remembered. Enter Diceware.

Diceware is simply a list of 3700 simple words that are indexed by five digit numbers. The range of the numbers is exactly what you would have on cubes of dice, 1-6. Thus all those five digit numbers refer to unique words on the Diceware list. The generation technique is simple, if not slightly time consuming. Roll a die and write down the number. Repeat five times. You now have a five digit number to look up in the Diceware list. That would be the first word of your passphrase. Repeat the process six times and you end up with a combination of words that would take the average super computer a few billion years to guess. The reason for that is the true randomness of the dice rolls. Plus, six easy to recognize words would just be a matter of a few days to memorize. The article suggests using this technique when trying to come up with an encryption key as opposed to logging into BFC. It's more than you need for most web sites, but of course you can do it there too.

I'm liking the idea and will test it out on some of my encrypted hard drives to see how cumbersome the technique really is. All I have to do is get my hands on a set of dice. :grin:

https://theintercept.com/2015/03/26/pas ... ant-guess/

User avatar
Kellemora
Posts: 1994
Joined: 16 Feb 2015, 11:54

Re: Diceware

Post by Kellemora » 19 Aug 2016, 14:54

Sounds like just another gimmick to me Yogi!
It's still only a list of six words, which any hacker could figure out if they had a large enough sampling, such as by obtaining the log-in data sheet from a website.

User avatar
yogi
Posts: 4407
Joined: 14 Feb 2015, 15:49

Re: Diceware

Post by yogi » 19 Aug 2016, 18:40

And a five-word passphrase, which would have 7,7765 possible passphrases, could be guessed after an average of 14 quintillion tries (a 14 with 18 zeroes) ... At one trillion guesses per second — per Edward Snowden’s January 2013 warning — it would take an average of 27 million years to guess this passphrase.

The odds of brute force cracking a six-word passphrase are exponentially higher than that. Those are the same odds you can apply to the likelihood of anybody in the universe having the same passphrase as yours. Thus, there would never be a list of previously decrypted Diceware generated passphrases available to hackers. Without that list hackers would need to use at least half of those 27 million years to guess yours.

It might be a gimmick, but it's a damned good one.

User avatar
Kellemora
Posts: 1994
Joined: 16 Feb 2015, 11:54

Re: Diceware

Post by Kellemora » 20 Aug 2016, 13:25

Maybe I misunderstood a previous post you made?
If a hacker gets the log-in list from an encrypted server.
Once they have a few of the shorter passwords figured out they know they broke the encryption.
The next logical step would be to figure out the passwords themselves.
I know it's not like breaking a combination lock, since you must have ALL the characters correct.
But even so, it seems once you get to a certain point, the rest might become obvious if not totally random.

LeweyHeweyDeweyMickeyMinneyGoofySacramento

There, six characters and one capital, hi hi...

Seems to me it would be easier to hack into the persons personal computer, and let the unknown memorized password inject itself into the log-in request, hi hi...
By the way, this is one reason I don't SAVE my passwords on a portable computer which could get lost or stolen.
I could get hit by a hacker on my desktops though. Except, I must physically add one more character to all of my passwords to log in.

User avatar
yogi
Posts: 4407
Joined: 14 Feb 2015, 15:49

Re: Diceware

Post by yogi » 20 Aug 2016, 20:01

Your six character (sic) passphrase would be among the easiest to crack because it is not random at all. In fact it would be easy to predict. Virtually zero entropy exists in your list. Let's say that the hacker knows for some reason that you used the Diceware list of words to compose your passphrase. That means it consists of a combination of 6 out of the 7,776 possible words. It's a lot of words, but overall it's a very limited list. The hacker does not know which six (or even if you used six) words you chose, nor does he know the order in which you arranged them. He only knows you picked from that list. How long do you think it would take to figure out which six and in what order? Correct, if you guessed 27 million years - assuming he was a terrible guesser. A good guesser would get it in half that time. :rolleyes:

Encrypted password lists are highly sought after by hackers. Let's say a list was stolen from a server at a major corporation with 10,000 employees. They are all using Windows and the passwords are encrypted by the NT algorithm. That's a well known and easily busted scheme but my point is that this list of 10,000 encrypted passwords along side their decrypted equivalent can be sold to somebody who likes to break into Windows NT machines. He will not have to figure out anything. All that hacker will do is compare the list he has against the one he bought and well over half the time he will find the word/decryption he is interested in.

It's not only the encryption that is valuable. Just knowing what people use for passwords in a large corporate environment is enormously helpful. If you have a list of one trillion passwords used by people, then according to Snowden it takes all of one second to scan your target password and come up with the answer. That is where Diceware techniques come in handy. The passphrases generated there are unique and do not appear on any previously decrypted list of passwords stolen from any company or government organization.

I don't know of an encryption scheme where you can only get a partial decryption. But, even if that is possible and the hacker gets one of the words from your Diceware list, he still has to guess the rest of the words and the order in which they are arranged. We are talking millions of years even then. Of course if you use simple characters, as you did in your example, the guessing time is reduced significantly. That's the reason why you want to introduce entropy into your passphrases.

User avatar
Kellemora
Posts: 1994
Joined: 16 Feb 2015, 11:54

Re: Diceware

Post by Kellemora » 21 Aug 2016, 12:00

Seems like it would be easier for a hacker to go completely around the password or passphrase and use a back door to get to the data they are after.

I have some public info on a website owned and operated by others.
When I first set up my page, I had to use a password I shared with them, so they could do their work on my page.
Now, although I have to use a password to get to my page, they changed things in such a way they no longer need a password to get to the public area of my pages, which is basically all of them.

What this tells me is there is a way around needing to know the passwords of the users, at least to the public pages anyhow.

User avatar
yogi
Posts: 4407
Joined: 14 Feb 2015, 15:49

Re: Diceware

Post by yogi » 21 Aug 2016, 17:19

I've been using the terms passphrase and password interchangeably in this discussion, but they are basically intended for different purposes. You may recall from posts about encryption that there are two purposes behind the idea. One is the obvious to obfuscate the data while the other is to verify the integrity. Passwords are primarily attempts to verify the integrity of the person using it for whatever purposes. If the data being sought is not encrypted, then you are correct. Why bother with the front door when it's a lot easier going through the cracks in the back door. Thus the use of passwords is akin to using a door to enter a space. The gatekeeper will let you in if you know the secret password.

The article emphasizes Diceware as a tool for generating encryption keys. The only way to open the door to the data is to have the key. The techniques for guessing passwords is nearly the same as those for guessing pass phrases which is why the article's author suggests that long passphrases are better and need not be a complex of obscure characters. There simply has to be a lot of characters to make it effective. Of course, the more characters there are, the more difficult it is to remember them, which is one more advantage of Diceware. They are common English words for the most part and only a slight amount of reiteration will make them stick in your mind. The author further suggest it's pointless to use Diceware on passwords to things like websites. It's simply too time consuming to generate them and you need unique ones for each secure website. He implies using regular password techniques and not be too concerned about the back doors. Well I don't know about that, but I suppose it makes sense. Anything REALLY sensitive would not be put on a website in the first place.

User avatar
Kellemora
Posts: 1994
Joined: 16 Feb 2015, 11:54

Re: Diceware

Post by Kellemora » 22 Aug 2016, 11:27

I use a really long password to get into my Cloud Storage on DropBox.
I'm still leery of placing anything in the Cloud, because it is placed on a server owned by someone, or a company, who more than likely has full access to everything on their server.
Come to think of it, they must have full access in order to run back-ups I would think.

I suppose a user could encrypt their data before uploading it to the cloud servers to add a greater margin of safety.

I've had hard drive failures eons ago, and was able to get most of my data back off the failed drive. But if that data was encrypted, it would have been impossible.
Just like the NAS the lightning took out. Although I still had the drives, they could only be read by that NAS. So my fears of using a NAS was reinforced, and I'm glad I backed up all the data before I placed it on the NAS.
Glad I didn't put my trust in it and figure it could rebuild itself. I always had this fear of the controller cards going south making my data unrecoverable. So what if it was hot swap drives, it was still a single box in a single location.

I honestly think most of us do not have the type of information which would be beneficial to a hacker. Unless we keep banking info and credit card data where they can get to it. This is something I've never done, except for using a limited amount credit card for some on-line purchases, and purchases are guaranteed, or used to be, don't know about today anymore.

One simple question. Would you trust placing your companies accounting records on a service like DropBox?

User avatar
yogi
Posts: 4407
Joined: 14 Feb 2015, 15:49

Re: Diceware

Post by yogi » 01 Sep 2016, 15:42

The shortest answer I can give you to your question is an absolute no. I would not trust a place like DropBox with my corporate financial data. I have no stories about companies losing data or having company secrets stolen off DropBox, but that does not mean they are not vulnerable. You are correct to assume DropBox employees, including any outsourced database administrators, have full access to all the records on their servers. I'm willing to bet that a close reading of their TOS would reveal that they own whatever you put on their servers and they are only selling you a storage space. Their ownership merely gives them rights to backups and possible seizure of records demanded by the NAS or FBI or Homeland Security folks. DropBox nor anyone else would be in business very long if they take your files and use them for their own purposes in a fashion similar to Facebook. DropBox is who they are, and I know there are better services out there for business purposes.

Amazon (AWS), Google (Nearline), and Microsoft (Azure) offer some very high class services. You will pay a bit more on any of those cloud servers, but their investment in infrastructure, security, and business software is far superior to anything DropBox has to offer. Each of those services offer virtual computing as well and I'm guessing you can get rid of all but one or two of your computers if you switched to cloud computing instead of what you are doing now. You might think it's expensive, but what are you paying for that computer farm you run now? lol Anyway, I would trust any one of the three big time players with my corporate financial bloodline.

Having said all that, it's a shame you have had some bad NAS experiences because that would be the ideal "cloud" in your case. The odds of a controller failing are close to nil, but the hard drive (with ball bearings) are guaranteed to fail at some point. If you are crazy paranoid about losing data then perhaps you should read up on something like a RAID 7 configuration. Again it's going to be expensive, but you can get rid of most of what you currently have if you ran your own cloud. In the long run it will be cheaper and you personally would be in control of your cloud. Of course learning about and becoming proficient in cloud management is quite an investment in time. Is it worth the effort when you consider the risks of losing your business data? You will have to decide that.

User avatar
Kellemora
Posts: 1994
Joined: 16 Feb 2015, 11:54

Re: Diceware

Post by Kellemora » 02 Sep 2016, 12:45

Thanks for all the info Yogi.

Only as an experiment, I messed around with a software driven RAID array, but don't remember if it was 5 or 7 anymore.
I had several IDE drives and selected six of them to use for RAID storage. I had two computers with four HDs in each, one of course was used for the OS, and the other three as part of the RAID system. They were not hot swap of course, but I could remove any one of the six drives and the file system would build itself back again. This was back when I was messing with forming a cluster, something which never panned out very well for me. Too complex and way over my head.

With so many folks using laptops these days, namely my son and brother, I have no way of doing outstate storage anymore. So I keep two hard drives in my office and two down at the house. Since we got Windows 10 I was making the backups by physically carrying the drives back and forth between the house and the office. But added an old Linux box with only 512 memory down at the house, only for the LAN connection to my daily external backup. But now the frau is starting to use Linux more and more, she likes the speed and features, especially for her on-line games. She uses the Win10 machine for her packaged and/or downloaded games.

As always, I'm always creating more work for myself. I bought a 4 terrabyte drive to copy whatever was left on my IDE drives to go through them. All of them are basically duplicates of each other, but sometimes a bit of data was left in a file and never got moved to the file server or sorted. So, little by little I go through files and put them where I think I would like to keep them, and this is how I find the duplicates, hi hi... Can't trust the programs that search for duplicates, as they thank anything with the same file name is the same file. OK, I know there are some that check file size, etc. but not the content close enough. For me, finding the time to get anything done is almost impossible. I'm behind on everything! hi hi...

When I want to move things from my computer or files to the frau's computer, since it does not have named LAN capabilities, DropBox works well for that. But I've heard that even though I delete the file from my DropBox folder, they still keep it somewhere anyhow. I know I can roll back to previous versions of documents, even though I changed their names. They must have a lot of storage space to do that. And another reason not to trust putting things in the cloud. It seems to remain forever.

Have a great day Yogi!

Post Reply