We’ve done a few videos
on passwords, cracking passwords, choosing good passwords.
And I’ve had a few requests both by email,
and, you know, Twitter and in the comments about a
password-choosing mechanism called Diceware.
So I thought we’d look at
this and think about the pros and cons
of this quite interesting system for choosing passwords.
So here’s my nice unbiased casino dice
that I got just for this occasion.
I was quite excited; apparently this
dice is not biased towards rolling a six,
which actually would just mean my performance in games goes down.
When we spoke about passwords last time,
my hypothetical password mechanism was something
like four random words with a bit of
symbols added in, maybe randomly,
in the middle of a word.
Now I chose that because I felt it was
a nice compromise between having to type something in
that’s really, really long,
and having something that’s not too hard to remember,
but also quite hard to break.
Now Diceware is in some sense quite similar to this scheme.
But it’s perhaps more mathematically defined exactly how hard it is to break.
Which is why people like it.
Because I think the question comes down to in my scheme,
if I pick four random words,
how random are those words truly?
If an attacker wanted to brute force my password,
and they know, for example,
that I’m using four words appended together.
Then what they’re going to want to do
is try and work out the list of all the words
I might have used.
Now I try and throw them off a bit
by using slightly odd words, but I’m a bit weird.
But for the majority of people, let’s imagine that everyone in the country,
or everyone in the world, is using this password scheme,
lots of people are going to pick really easy words.
You know back to the correct horse battery staple thing,
xkcd alluded to this and we’ll talk about that in a minute.
But it didn’t necessarily answer every question
but it did get a good message across.
The entropy or the number of possible words that you’ve chosen
is gonna differ from person to person. Right?
If one of my words I pick is ‘database’,
is that because I’ve picked that right out at random?
Or is it because it says “databases” on this book up here,
and I accidentally saw it in the corner of my eye.
Don’t pan to the bit with no books on it.
Yeah, I’m just looking at
your collection of cubes. All solved!
That’s how I roll.
So what does Diceware do? The website was established in 1995 by
a guy called Reinhold from the United States.
What it is, is a way
of using dice to ensure that
the words you’re picking are actually random rather than
just what you think is random.
And that way we have a very nicely defined,
should we say, mathematical difficulty for brute-forcing that password.
So this is the Diceware list,
but I guess it’s a kind of compromise between the number of dice
you have to roll incessantly
to come up with passwords, and being fairly quick.
But there are 7776 words on this,
which is all the different combinations
of five dice rolls, right?
Now, so that’s why I’ve got my nice unbiased dice.
We don’t wanna be accidentally biasing me
towards the end of this document for example.
So as an example we roll the dice.
It’s a 5.
Each of these has 5 numbers
from 1 to 6 in front of the word,
which tells you which word you’re going to pick.
So these are the fours; I’m on to the fives.
There’s the start of the fives there.
Then roll the dice again.
It’s a 6.
So I’m now on to the five-sixes which is here.
And then again,
5 6 4, 5, 1.
5 6 4 5 1 is the word ‘tapir’.
As in the animal with the snout.
So that’s the first word of my password.
So let me write that down.
This could take a little while.
This is where you need to use
all of your video editing skills. ‘tapir’. Right.
Let’s do this again
Okay, 1 3 2 1 3.
If you’ve done this a lot of times,
maybe it’d be faster. 1 3 2 1 3.
There we are, ‘backup’, nice.
5 1 3 3.
What is it? 1 5 1 3 3 1.
How many times have you got to do this?
Good question. ‘rand’, interesting. ‘r-a-n-d’.
Ah, South African currency? Yeah?
And also short for ‘random’,
which is what we’re doing now.
5 2 4 6 2 ‘rw’ interesting, read/write. Yeah?
So not all of these are full words.
That’s one of the things that’s quite interesting about this.
3 6, now for the third roll. It’s quite exciting. 3 6 4
2 2, 3 6 4 2 2.
They’re guaranteed to be unbiased I think.
But then I got them cheaply off the internet.
So I don’t actually know.
Okay, so let’s stop there.
I’m done. I’ve got five words.
Right, now, is this password really good?
Well, the first thing to notice
is that what you don’t want to do when
you’re picking a password is record it on
video and show it on the internet.
So I probably won’t put this as my actual password.
But there will be a few people that try nonetheless.
We’ve rolled the dice five times per word,
we find the word and then we put spaces in
between it and that’s our passphrase, right?
So that is literally our password then for whatever purpose we want.
Why is this better than what I was doing?
Well, it’s different, mostly.
There’s a few questions we’ve got, right?
The first is that “Is this a reasonable password in terms of strength?”
Also, “How practical is it to type in?” Right?
It took a little while to generate.
But if you’re doing it a couple of times
for the front end of a password manager,
maybe that’s not such a big deal.
One thing that’s worth noting is that
this isn’t all the words in the English language.
This is a carefully chosen 7700 words,
but they’re quite short.
So most of the words are fewer than 5 characters.
There’s a few really short ones, the idea being
that even if you’ve got a 5 word or 6 word passphrase,
it’s never going to get that long.
You should get quite quick at typing it in.
But the real benefit of this system is that
these are actually random as opposed to
what I’ve perceived to be random.
Because I thought of a word in my head,
which might have been a word that I happen
to see on the side of a bus this morning.
In the previous videos we talked about brute forcing,
about not knowing what any
of the characters were and how we make it
easier for the attacker by using a
dictionary of known words. Yeah.
So this is literally providing the dictionary. Right. Yeah.
That’s the drawback in some sense and the strength.
So we know exactly what words could appear in my passphrase.
But even so we still can’t break it
because I’ve used too many of them.
So in some password schemes
like ones where I pick words at random
from a dictionary in my own brain,
I’m working under the assumption
that that’s secure because no one else knows how it works.
No one can reverse-engineer that process.
That might be true, it might not be true.
It depends how well you know me.
This process is extremely open:
everyone knows what the password list was.
Everyone knows what my password is going to be like.
But they still can’t break it,
because it’s 2 to the 64 operations,
which is too much. What we don’t want
is security through obscurity, right.
If I only use a 500 word dictionary, right,
that’s fine as long as I keep
that dictionary secret. But it doesn’t seem like a
very good idea. Because then that dictionary might
accidentally come out,
and then it would be incredibly easy to break my password.
So what is the strength of this password?
Well, each of these words has come from 7776, right.
So we can assume that the attacker knows
that I’m using this password scheme.
So they know my password is 5 words
separated by spaces, which adds nothing
because they know what the spaces are,
out of a possible 7776.
So the strength of this password
is actually 7776 to the 5.
So another way of looking
at it is how many bits of entropy does this password have.
A lot of the time, that’s how we view passwords.
Each of these words is 12.9 bits.
So 12.9 times by 5 words is
64.5 bits which is pretty good actually.
That means that on average an attacker is going to have to do
about 2 to the 63, 2 to the just under 64 operations
to guess your password by brute force.
That’s quite a lot of operations.
Particularly given they’re going to have to perform some hash to do this.
The nice thing about this password scheme is
we know exactly how secure it is, right?
As opposed to we’re guessing that
the words aren’t just words I know.
And someone can social engineer those words.
And also if we want it to be more secure,
we can just add another word or another word.
As computational power goes up,
we just add more words.
And we can probably remember a few words,
or if they get really long
write them down and put it in our wallet.
Don’t lose it.
I’m guessing as well
you could potentially vary the whole spaces thing right?
Yeah. So the spaces thing is not hugely important.
The reason it’s there is
because sometimes you might accidentally join two words together.
And they might actually be a different word on here,
in which case your search has gone down to four words, right?
So if you’re being careful
that these are all actually different words,
and they don’t concatenate to make another word,
you don’t need the spaces.
Or you could use a different character.
You could also do what I did,
and use fewer words,
and put a random character in, right?
Now on the website, he has plenty of ways of
loading dice and also choosing random characters.
Because again, when I pick a symbol, it’s often
you know a star or an ampersand or an underscore.
Those aren’t all the characters that exist.
So it’s a really interesting twist on picking passwords.
This came about, you know, a few years ago now,
where maybe a four word password was reasonable.
Now in some sense you can’t imagine that
seven or eight or nine word passwords are that feasible
for the majority of users.
There have to be some usability considerations.
But on the other hand five’s not too bad,
or as I say 4.
But if they make an unexpected alteration, like
adding a random symbol at a random position,
not between the words, that will
significantly increase the amount of time it would take to break.
You can get too carried away, like with password security.
I have, and so half the time I can’t log in
because I get my password wrong.
And so I’ve been... but
the thing you also have to remember is
that this is way beyond a normal
brute-force attack by someone who just happens
to have found your password hash on Pastebin. Right?
This is, when we’re talking
about five or six word passwords, we’re talking about nation-state level.
And you’ve got to really wonder
whether they really care about your individual password.
You might still want to secure it against them anyway.
That’s for you to decide.
But, they may just visit you instead.
We’ll put a link to the website
in the description as well.
So you can have a look through.
He’s considered almost every possible angle
for this, so when do you add symbols,
how many words is enough for the level of security you want?
It’s a really good, interesting look into password security.
So I recommend you have a look.
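As an added example that is not part of the video, the mechanics discussed above in Python: five unbiased dice rolls map to a list key, the entropy is log2(7776) per word (about 12.9 bits, 64.5 for five words), and the "two words join into another list word" problem that is the reason for the spaces. The word list here is a constructed miniature, not the real 7776-entry Diceware list; the keys mirror the rolls in the video.

```python
"""Diceware mechanics: dice-key lookup, entropy, and the concatenation check."""
import math
import secrets

# Constructed miniature word list (NOT the real list). Keys are five dice
# values in 1-6; the first four entries follow the rolls made in the video,
# the rest are made up to demonstrate the concatenation problem.
SAMPLE_LIST = {
    "56451": "tapir",
    "13213": "backup",
    "15133": "rand",
    "52462": "rw",
    "36422": "ok",     # constructed; the video never reads this word out
    "11111": "back",   # constructed
    "11112": "up",     # constructed
}
FULL_LIST_SIZE = 6 ** 5  # 7776 entries in the real list


def roll_key(rolls=5):
    """Return a key such as '56451' from `rolls` unbiased dice throws.

    secrets.randbelow is a CSPRNG, the software equivalent of a fair die;
    random.randint would not be acceptable for passphrase generation.
    """
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(rolls))


def lookup(key, wordlist):
    """Map a dice key to its word; reject malformed keys rather than guess."""
    if len(key) != 5 or any(c not in "123456" for c in key):
        raise ValueError(f"bad dice key: {key!r}")
    return wordlist[key]


def bits_of_entropy(n_words, list_size=FULL_LIST_SIZE):
    """Entropy when the attacker knows the list and the number of words."""
    return n_words * math.log2(list_size)


def concatenation_collisions(words, wordlist):
    """Adjacent pairs that join into another list word.

    If any pair is returned, dropping the separators would let the passphrase
    be read as fewer words, so keep the spaces or use another separator.
    """
    vocab = set(wordlist.values())
    return [(a, b) for a, b in zip(words, words[1:]) if a + b in vocab]


def generate(n_words, wordlist):
    """Roll until `n_words` keys hit the list (re-rolling is only needed for this toy list)."""
    words = []
    while len(words) < n_words:
        key = roll_key()
        if key in wordlist:
            words.append(wordlist[key])
    return words
```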