by Peter Murton
Password Generation
At the conceptual heart of DicePassword is the method of creating long and complex passwords that are difficult for hackers to discover.
​
In cryptography, we use the word 'Entropy' as a measure of unpredictability: of a system's random numbers, for example, or of a password. Therefore a password having high (or enough) entropy may be deemed better than one having little or insufficient entropy. You may expect this kind of language throughout this text. [When looking for information about this on the web, use the search term 'entropy information theory'.]
​
There are different ways of calculating the Entropy of a password, so not all methods return the same value. When I talk of Entropy's value, think of it as a relative rather than an absolute thing (for instance, 50 is not much, so 150 might be really good).
​
Although this text will explain some detail about how passwords get hacked and ways to defeat our enemies, I will start with the conclusions:
- A good password will be difficult to remember
- Passwords need to be different for each web site you visit
- Passwords should be changed regularly
​
DicePassword is an adaptation of a scheme developed and promoted by 'Diceware', an organisation that developed and now maintains the methods I will describe. It centres around the premise that 'you can't get more random than by rolling a dice'. Diceware have produced a list of words, each numbered to correspond to the numbers produced by rolling a dice five times. For instance, if five consecutive rolls of a single dice result in '14322', this corresponds to the word 'blew' in the word list. Altogether there are 7776 words in the Diceware word list (one for every possible sequence of five rolls). By repeating this process for four more words (i.e. 25 dice rolls in total), you might produce a result like this:
'blew jacob boat wove drum', and if that was the password that you used for your Amazon account (don't do that please) this would have pretty good entropy, certainly good enough to protect an account like Amazon.
​
The password that we have just created has an entropy of 148 and the length of the password is 25 characters. Compare this with a password like 'Samantha', which has a length of 8 characters and an entropy of 45. Now play that old trick of doing character substitution: 'S@m@nth@' and you get an entropy of 51. Better entropy, but every hacker knows that 'Samantha' is a commonly used password and has come to expect that you will change every 'a' to '@', 'e' to '3' and so on, so that adds no complexity to the hacker's task of cracking your password.
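The dice lookup and the entropy arithmetic above, as an added example (not DicePassword's or Diceware's own code): the word list is a constructed stand-in holding only the page's '14322' entry, and the 100,000-word dictionary and 64 substitution rules in pattern_bits are assumed figures. The naive character-pool estimate gives about 46 and 51 bits for the two 'Samantha' passwords, close to the values quoted above, while a Diceware passphrase is scored per word, which is what counts when the words themselves are public.

```python
# Added example (not DicePassword's or Diceware's code): how five dice rolls
# select a word, how a software roll should be drawn, and why passphrase
# entropy is counted per word rather than per character.
import math
import secrets

WORDLIST_SIZE = 6 ** 5  # 7776 entries in the Diceware list
# Constructed stand-in for the real word list; only the page's example is filled in.
SAMPLE_WORDS = {"14322": "blew"}

def dice_to_index(rolls: str) -> int:
    """Map a five-digit dice string such as '14322' to a 0-based list index."""
    if len(rolls) != 5 or any(d not in "123456" for d in rolls):
        raise ValueError("need exactly five digits in the range 1-6")
    index = 0
    for d in rolls:            # read the rolls as a base-6 number, digits 0..5
        index = index * 6 + (int(d) - 1)
    return index               # 0 .. 7775; '14322' -> 727

def roll_five() -> str:
    """Software dice: draw from the OS CSPRNG, never from random.random()."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(5))

def lookup(rolls: str, words=SAMPLE_WORDS) -> str:
    """Word for a roll; the real list has an entry for every index 0..7775."""
    dice_to_index(rolls)       # validates the roll before the lookup
    return words[rolls]

def passphrase_bits(n_words: int, list_size: int = WORDLIST_SIZE) -> float:
    """Diceware entropy: each word adds log2(list_size) bits (about 12.9)."""
    return n_words * math.log2(list_size)

def charset_bits(password: str) -> float:
    """Naive estimate used by many strength meters: length * log2(pool size).
    Pools assumed: 26 lower, 26 upper, 10 digits, 33 punctuation/space."""
    pool = 0
    if any(c.islower() for c in password): pool += 26
    if any(c.isupper() for c in password): pool += 26
    if any(c.isdigit() for c in password): pool += 10
    if any(not c.isalnum() for c in password): pool += 33
    return len(password) * math.log2(pool)

def pattern_bits(dictionary_size: int, n_substitution_rules: int) -> float:
    """What an attacker who knows the 'a' -> '@' trick really faces: one
    common word times a handful of rules, i.e. log2(words * rules) bits."""
    return math.log2(dictionary_size * n_substitution_rules)
```

The 148 quoted above is a per-character score; counted per word, five Diceware words give about 64.6 bits, which is the figure Diceware itself uses, and a 'Samantha'-style word with a known substitution rule is worth only about 23 bits under the assumed dictionary size.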
​
What Diceware does is surprise the heck out of you: you have no choice over the password you generate by that method. This 'unpredictability' is the essence of Diceware's success at creating good passwords (passphrases).
​
Here is another password: 'MyCleverTescoPasword.1975'. This is 25 characters long and has an entropy of 165. Really good entropy! But useless if a hacker figures it out somehow, because it reveals what all your other passwords might be: 'MyCleverAmazonPassword.1975' possibly. Once the pattern is known, passwords like this have effectively zero entropy.
​
This leads to a short piece on how passwords get hacked. This is a technical subject and I will try to avoid technojargonisms. The following list is of techniques used by hackers:
- Brute Force attacks - try every combination of characters until you get a result
- Rainbow Table attacks - use precomputed tables (often built from lists of stolen passwords) to reverse the hashed form in which a password is stored in a database back into its plain text
- Dictionary attacks - use lists of commonly used passwords
- Man-in-the-Middle attacks - where a real person or some malicious software watches network traffic (at the web server, in your Wi-Fi) and can 'see' the data coming from your computer
- Social Engineering - phishing attacks, for example, that ask you to log in to a fake web site so that the hackers can harvest your login details as you type them in.
- Others that are maybe variants or combinations of the above in some way.
​
You may assume that there are, at the lowest level, different ways to defend against these threats, but they are all defeated by truly random, high entropy passwords that are frequently changed, and by avoiding the temptation to assist people from exotic shores to steal your money. For reasons of good balance, we should, perhaps, include the Jurassic Coast amongst those shores.
​
Dice vs. Computer
​
There can be little doubt that the seasoned thrower of dice will produce a good degree of randomness, and I will not influence those thoughts if you share them. It is, however, quite feasible that a computer can do as well in generating random numbers under the right conditions and, in fact, get better at it over time. DicePassword lets you roll the dice, enter the numbers and generate your passwords exactly as Diceware intended, but it also has automatic dice rolling using software and a human way of influencing the outcome of conventional software random number generators.
​
The image below shows how DicePassword can create large random numbers using mouse moves. You get to this dialog by clicking 'Generate random', and this should be the first thing that a new user does after registration.
​
[Image: the 'Generate random' dialog]
​
By moving the mouse around in this window, you are creating a random number that is used as the 'Seed' for all future random numbers that DicePassword creates.
​
This could be thought of as 'like' shaking a dice in a cup and rolling it many hundreds of times. When generating passwords the user can choose the manual dice rolling method or the automatic methods described later.
​
Whenever DicePassword loads, it will retrieve the last Seed value that it used so that it is not necessary to use the 'Generate random' feature every time.
​
Generate Passwords (the Diceware way)
​
I am not going to teach you how to roll a dice, so the image below shows the effect after five rolls and entering the results in the Dice throws boxes. On entering the fifth digit, DicePassword will look up the word in the Diceware word list and display it. Notice also that it begins to assemble the final password in the text box next to the 'Random' button.
​
[Image: the Dice throws boxes after five rolls, with the first word looked up]
​
When you have rolled the dice enough times to create all five words, you get something like the image below.
​
Note that below the 'Random' button you will see (progressively) the length of your new password and its Entropy value. An Entropy of 154 is very good, but we are not done yet. Most web sites have rules that, for instance, require upper case characters, digits and perhaps other special characters, so the password shown may not be a valid one yet.
​
[Image: all five words generated, with the password length and Entropy shown below the 'Random' button]
​
Next, therefore, we will decorate the password so that it might conform to the site's rules. The next image shows how the 'Change spaces to' and 'Convert to Title Case' options have been selected. We have also clicked on the 'Digits' button to add a random four digit number to the end of the password.
​
[Image: the 'Change spaces to', 'Convert to Title Case' and 'Digits' options applied]
​
The entropy in this password has now shot up to 205 which is pretty much uncrackable by brute force attack (see table below).
​
[Table: time for a brute force attack to try every permutation, by password entropy]
​
Whilst the table above is very encouraging, remember that Brute Force attacks are just one of several methods that hackers can use. Fortunately, Rainbow Table and Dictionary attacks may have better performance but are still very difficult methods for cracking long passwords such as the one shown above. I think that the table shows the time to reveal every possible permutation, so for a more realistic estimate divide the times by two (3.5 qd years is still quite a long time, but I'd start to panic after 2).
BUT, complacency is not advised. My favourite aphorism is "overkill is too much until it's not enough", and the problem is that we do not know when that moment will arrive. This is why I advise that passwords are changed frequently and are different for every site you visit.
​
DicePassword Automatic mode
​
Click the big square 'Auto' button at the top left. This will generate all five words for you and the Digits will also be created. You can change the 'Change spaces to' and Title case settings if you wish. Some of the automatically generated passphrases are memorable (with effort), so if there is a word you want to change, use the 'Auto' button next to it to generate a new one.
​
Scary Whacky mode
​
If you click on 'Random', DicePassword will use its random number generator to create a password using all of the usable characters designated.
​
Here is a password using Scary Whacky mode with the password length set to 80:
​
Lz8V_^G0xP-%2wV75ZrlbTu%Jt$q4yglanZ2j3Ywz2jpO25z%.COH^I!f@nRcq&.J0%PS$Yca%8uLfC1
​
This password has an entropy of 529 and you should not be surprised if men in dark suits turn up in the early hours to ask about certain things, should you ever try Scary Whacky mode.
​
Other Password buttons
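A 'Scary Whacky'-style generator together with the brute force arithmetic behind the table in the previous section, as an added example (not DicePassword's own code): the character set USABLE (letters, digits and ASCII punctuation, 94 symbols) and the attacker rate of 10^12 guesses per second are assumptions, and seeded_password is a deliberate contrast showing why a seed that is stored and reused must be protected as carefully as the passwords derived from it.

```python
# Added example (not DicePassword's own code): a 'Scary Whacky'-style random
# password from a designated character set, its entropy, the brute-force time
# arithmetic behind a cracking-time table, and a seeded-PRNG contrast.
import math
import random
import secrets
import string

# Assumption: the usable set is every printable ASCII character except space.
USABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols

def random_password(length: int, alphabet: str = USABLE) -> str:
    """Each character drawn uniformly from the OS CSPRNG (secrets); this
    avoids both modulo bias and the predictability of a seeded generator."""
    return "".join(secrets.choice(alphabet) for _ in range(length))

def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size).
    80 characters from 94 symbols give about 524 bits."""
    return length * math.log2(alphabet_size)

def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try every combination; on average the right one is found
    halfway through, which is the 'divide by two' mentioned above."""
    return 2.0 ** bits / guesses_per_second

def human_years(seconds: float) -> float:
    return seconds / (365.25 * 24 * 3600)

def strength_report(length: int, alphabet: str = USABLE,
                    guesses_per_second: float = 1e12) -> dict:
    """Assumed attacker: 10^12 guesses/s against a fast unsalted hash. A slow
    password hash (bcrypt, Argon2) reduces the rate by orders of magnitude."""
    bits = entropy_bits(length, len(alphabet))
    years = human_years(seconds_to_exhaust(bits, guesses_per_second))
    return {"length": length, "bits": round(bits, 1),
            "years_to_exhaust": years, "years_expected": years / 2}

def seeded_password(seed: int, length: int, alphabet: str = USABLE) -> str:
    """Contrast, not a recommendation: a seeded PRNG is deterministic, so the
    same seed reproduces the same password. A seed that is stored and reused
    therefore needs the same protection as the passwords made from it."""
    rng = random.Random(seed)
    return "".join(rng.choice(alphabet) for _ in range(length))
```

With these assumptions an 80-character password scores about 524 bits, a few bits below the 529 quoted above because DicePassword counts its usable characters differently.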
​
Assign this password - whenever a password field is present on any of the tab pages, the current password will be transferred to it. Normally, such password fields have a history stack, saving the old passwords for later reference if required. The help for this feature has more detail.
​
Show Passwords - when checked all password fields everywhere in the DicePassword UI will be shown, else, they will be disguised using the hidden password symbol.
​
Show Word List - presents a dialog containing all of the Diceware words. You can edit this if you wish.
Gaga doohoo ayah - my 3 month old granddaughter getting conversational with her parents.