Password Vs. Passphrase
An Introduction to Diceware & EFF Lists
Written by Grant Hunter, 3 October 2017
Passwords/Passphrases

Encryption is now a standard piece of technology used to protect stored data and communications. Whether you are using Mac OS, Windows, iOS, Android or Linux, encryption will be used to protect your data.

Some companies provide encryption with their hardware as well. For example, Samsung has Knox for its devices, which, much like Mac and Windows, locks down the hard drive so that without the passkey the device is useless.

Password managers, like LastPass and KeePassX, store all your passwords in one place and require a single passkey for access. Even some applications, like WhatsApp, offer end-to-end encryption for chat services. This technology is only as good, however, as the passkey you choose to secure the login with.
By now you will have had experience setting up a password, whether it's for a shared computer, your online banking or even your Facebook account. It will likely be a string of between 6 and 16 characters containing a combination of letters, numbers and symbols. It could be a word (yourdogsname), a string of random characters (Di8#%[email protected]) or maybe a mix of the two ([email protected]).
 
A passphrase is like a password, only it will be longer and contain spaces. For example: ‘Behind every great man is a woman rolling her eyes’. A passphrase can also contain symbols, and can be a random set of words with grammatical accuracy. The main difference between the two is that passwords do not have spaces while passphrases have spaces and are longer. (If you have used PGP software to encrypt emails, you will already have had to use a passphrase to secure your private key.)

What makes a passkey strong against attack is its degree of randomness or uncertainty. This is called entropy[1]. Entropy is measured in bits. The outcome of a single coin toss (heads or tails) has one bit of entropy. A 128-bit key that is uniformly, randomly generated has 128 bits of entropy.
So why choose a passphrase over a password?
    1) A passphrase is easier to remember than a string of random characters[2].

    2) A passphrase is harder to guess or crack using brute force attacks due to having a higher entropy.

    3) Passphrases are supported by major OS and applications (Mac and Windows allow up to 127 characters).

The thing is, humans aren’t very good at creating totally random sets of words. We are a species of patterns and have great difficulty in doing anything in a truly random way. You are likely to either pick a quote, or some phrase, or some part of one. Even if you try to come up with a random set of words, you will still tend to apply rules of spelling and/or grammar. 

Research suggests that users aren’t able to choose phrases made of completely random words, but are influenced by the probability of a phrase occurring in natural language[3]. This reduces the entropy: any passphrase that comes directly from your mind will be influenced in some way by what you have read, watched or listened to, or by facts about your life. Just imagine if the attacker of your system had taken all the scripts from every movie and TV show, every song lyric, every poem or book, every page of Wikipedia and any other source of digital information as the basis for their brute force attack. How well do you think any passphrase which comes from your mind will do?
Enter the solution - Diceware
Diceware was developed in 1995 by Arnold Reinhold. It is a method of creating passwords and passphrases using a six-sided die and a corresponding word list. You roll the die five times; the numbers (1 to 6) from each roll are combined to produce a five-digit number, which corresponds to a word on the Diceware list. The list has 7,776 words, one for every possible combination of the five rolls. Each word adds approximately 12.92 bits of entropy to the passphrase. For those who enjoy the maths, this is log₂(6⁵) bits, which can also be written as 2^12.92 ≈ 7,776. Remember that 1 bit of entropy is equivalent to the result of a single coin toss.

This level of unpredictability assumes that a potential attacker knows that Diceware has been used to generate the passphrase, knows the particular word list used, and knows exactly how many words make up the passphrase. If the attacker has less information, the entropy can be greater than 12.92 bits per word[4].

In 1995, Arnold Reinhold considered that the average user required a minimum of 64 bits (five words). In 2014 he raised this to 77 bits (six words), in response to the higher computational power available[5].

If you choose a single word from the 7,776 words on the Diceware list, an attacker has a 1 in 7,776 chance of guessing your passphrase. It would take them at most 7,776 tries and on average 3,888 tries (they are 50% likely to guess the word after trying half the list).

If you choose three words there are 7,776³ or 470,184,984,576 different combinations. This is the maximum number of tries it could take them, and on average roughly 235,000,000,000 tries.

If you choose seven words there are 7,776⁷ or 1,719,070,799,748,422,591,028,658,176 combinations. Now if your attacker had the capability of performing 1 trillion guesses per second, it would take them an average of 27 million years to guess this passphrase. Not bad for 7 randomly picked words, and a lot easier to remember than a string of 12 randomly picked characters.

What is the actual difference between the two though? Let’s look at an example:
As you can see, the passphrase has 90 bits of entropy, which is higher than the password at 78 bits. So it offers a higher level of security and is easier to remember[1].
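As an added worked example (not code from the original article), here is a Python version of the arithmetic above: mapping a five-die roll to a list index, the bits of entropy per word and per random character, and the average brute-force time at one trillion guesses per second. The word list is a constructed stand-in of 7,776 placeholder words, and the 95-character printable ASCII alphabet for the 12-character password is an assumption; the same entropy function also covers the 1,296-word EFF short lists.

```python
import math
import secrets

DICEWARE_LIST_SIZE = 6 ** 5   # 7,776 words: one per five-die roll
EFF_SHORT_LIST_SIZE = 6 ** 4  # 1,296 words: the EFF four-die lists
PRINTABLE_ASCII = 95          # assumed alphabet size of a random-character password
SECONDS_PER_YEAR = 365.25 * 24 * 3600

def roll_to_index(roll: str) -> int:
    """Map a five-digit roll ('11111' .. '66666') to a list index 0 .. 7775 (base-6 number)."""
    if len(roll) != 5 or any(c not in "123456" for c in roll):
        raise ValueError(f"expected five digits in the range 1-6, got {roll!r}")
    index = 0
    for digit in roll:
        index = index * 6 + (int(digit) - 1)
    return index

def diceware_passphrase(word_list: list, n_words: int = 6) -> str:
    """Pick n_words uniformly from a 7,776-entry list, one five-die roll per word,
    simulating the dice with the OS CSPRNG (physical dice are the original method)."""
    if len(word_list) != DICEWARE_LIST_SIZE:
        raise ValueError("a Diceware list must have exactly 7,776 words")
    rolls = ("".join(str(secrets.randbelow(6) + 1) for _ in range(5)) for _ in range(n_words))
    return " ".join(word_list[roll_to_index(roll)] for roll in rolls)

def entropy_bits(n_words: int, list_size: int = DICEWARE_LIST_SIZE) -> float:
    """Entropy of n words drawn uniformly from list_size words: n * log2(list_size)."""
    return n_words * math.log2(list_size)

def password_entropy_bits(length: int, alphabet_size: int = PRINTABLE_ASCII) -> float:
    """Entropy of a password of uniformly random characters: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)

def average_guesses(n_words: int, list_size: int = DICEWARE_LIST_SIZE) -> int:
    """Expected guesses for an attacker who knows the list and word count: half the space."""
    return list_size ** n_words // 2

def average_crack_years(n_words: int, rate: float = 1e12, list_size: int = DICEWARE_LIST_SIZE) -> float:
    """Average brute-force time in years at `rate` guesses per second."""
    return average_guesses(n_words, list_size) / rate / SECONDS_PER_YEAR

if __name__ == "__main__":
    # Constructed stand-in list (w0000 .. w7775); use the real Diceware or EFF list in practice.
    stand_in = [f"w{i:04d}" for i in range(DICEWARE_LIST_SIZE)]
    print(diceware_passphrase(stand_in, 7))
    print(f"7 Diceware words: {entropy_bits(7):.1f} bits, "
          f"12 random characters: {password_entropy_bits(12):.1f} bits")
    print(f"8 EFF short-list words: {entropy_bits(8, EFF_SHORT_LIST_SIZE):.1f} bits")
    print(f"7 words at 1e12 guesses/s: {average_crack_years(7) / 1e6:.1f} million years")
```

Swap the stand-in list for the real Diceware or EFF long list (7,776 lines, one word per line) to generate usable passphrases.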
Optional Additional Security:
If you want to add a further level of security without adding any extra words, you can replace a randomly selected letter, out of a randomly selected word with another randomly selected character. The process goes as follows:
     1) Roll one die to choose a word in your passphrase (if you have between 6 and 12 words you can use two dice and keep rolling until the combined number corresponds to one of the words).

     2) Roll again to choose a letter in that word.

     3) Roll a third and fourth time to pick the added character from the following table.

The EFF Lists
In 2016, the Electronic Frontier Foundation suggested several avenues to improve the usability of the Diceware word list and introduced three new lists for use with a set of five dice. They cited the following deficiencies:
     It contains many rare words such as buret, novo, vacuo
     It contains unusual proper names such as della, ervin, eaton, moran
     It contains a few strange letter sequences such as aaaa, ll, nbis
     It contains some words with punctuation such as ain't, don't, he'll
     It contains individual letters and non-word bigrams like tl, wq, zf
     It contains numbers and variants such as 46, 99 and 99th
     It contains many vulgar words
     Diceware passwords need spaces to be correctly decoded, e.g. 'in' and 'put' are in the list as well as 'input'.
The first list they produced matched the Diceware list in size (7,776, or 6⁵, words) and addressed each of the above points. They also increased the average word length from 4.3 to 7.0 characters by removing all three-letter words and prioritising familiar words over short and unusual ones.

The other two lists were smaller than the first, each containing 1,296 (6⁴) words, for use with a set of four dice instead of five. The aim was to improve typing efficiency while offering a selection of more memorable words to make passphrases easier to memorize.

Passphrases generated using the shorter lists will be weaker than those from the long list on a per-word basis (10.3 bits/word). Put another way, you would need to choose more words from the short list to get security comparable to the long list: for example, eight words from the short list give a strength of about 82 bits, slightly stronger than six words from the long list[8].
Practical Use of Passphrases
Diceware passphrases are great for when you’re typing them into your computer to decrypt something locally, like your hard drive, your PGP secret key, or your password database.

However, you don’t need them as much for logging into a website or something else on the internet. In those situations you get less benefit from using a high-entropy passphrase. Attackers will never be able to guess a trillion times per second if each guess requires communicating with a server on the internet. In some cases, attackers will own or take over the remote server. In those cases they can grab the passphrase as soon as you log in and send it, regardless of how strong or weak it is cryptographically.

For logging into websites and applications you can use a password manager. Then lock up all your passwords behind a master passphrase that you generate with Diceware. Use your password manager to generate and store a different random password for each website you log in to[9].
Here at Cypherpunks2.0 we aim to provide you with interesting and informative articles. If you enjoy reading and see the value, please share this post with your friends!
About Author: Grant Hunter

Blogger, privacy advocate and cryptomasterycourse.com content contributor. Grant is a deep philosophical thinker, an arm-chair economist, a cryptocurrency expert and a Cypherpunk! 