Password with real words (like Diceware) really safe?

Werner85
Werner85
Community Member
Warning No formatter is installed for the format ipb
«13

Comments

  • jpgoldberg
    jpgoldberg
    1Password Alumni
    Warning No formatter is installed for the format ipb
  • jpgoldberg
    jpgoldberg
    1Password Alumni
    Warning No formatter is installed for the format ipb
  • Fooligan
    Fooligan
    Community Member
    Warning No formatter is installed for the format ipb
  • jpgoldberg
    jpgoldberg
    1Password Alumni
    Warning No formatter is installed for the format ipb
  • Fooligan
    Fooligan
    Community Member
    Warning No formatter is installed for the format ipb
  • khad
    khad
    1Password Alumni
    edited August 2012
    Warning No formatter is installed for the format ipb
  • Fooligan
    Fooligan
    Community Member
    Warning No formatter is installed for the format ipb
  • khad
    khad
    1Password Alumni
    edited August 2012
    Warning No formatter is installed for the format ipb
  • Michael Tennes
    Michael Tennes
    Community Member
    Warning No formatter is installed for the format ipb
  • Werner85
    Werner85
    Community Member
    Warning No formatter is installed for the format ipb
  • khad
    khad
    1Password Alumni
    Warning No formatter is installed for the format ipb
  • sddawson
    sddawson
    Community Member
    edited August 2012
    Warning No formatter is installed for the format ipb
  • Paul M
    Paul M
    Community Member
    Warning No formatter is installed for the format ipb
  • jpgoldberg
    jpgoldberg
    1Password Alumni
    Warning No formatter is installed for the format ipb
  • sddawson
    sddawson
    Community Member
    Warning No formatter is installed for the format ipb
  • jpgoldberg
    jpgoldberg
    1Password Alumni
    Warning No formatter is installed for the format ipb
  • sddawson
    sddawson
    Community Member
    Warning No formatter is installed for the format ipb
  • danco
    danco
    Volunteer Moderator
    Warning No formatter is installed for the format ipb
  • jpgoldberg
    jpgoldberg
    1Password Alumni
    Warning No formatter is installed for the format ipb
  • MikeMcFarlane
    MikeMcFarlane
    Community Member
    Warning No formatter is installed for the format ipb
  • khad
    khad
    1Password Alumni
    edited September 2012
    Warning No formatter is installed for the format ipb
  • MikeMcFarlane
    MikeMcFarlane
    Community Member
    Warning No formatter is installed for the format ipb
  • Fooligan
    Fooligan
    Community Member
    Warning No formatter is installed for the format ipb
  • khad
    khad
    1Password Alumni
    Warning No formatter is installed for the format ipb
  • benfdc
    benfdc
    Community Member

    You stopped quoting Reinhold too soon, Khad! He goes on to write:

    If all this seems like lily-gilding, just stick with the original passphrase you got from the Diceware word list.

    >

    … For [systems that insist upon a mix of uppercase and lower case letters] we suggest you select one of your Diceware words at random using a dice throw and capitalize its initial letter.

  • khad
    khad
    1Password Alumni

    I would have ended up quoting the whole thing. I think it is great reading for anyone interested in passwords. :D

  • benfdc
    benfdc
    Community Member

    Right, but @Fooligan was asking about a method for using Diceware to add caps, and Reinhold does suggest one.

    The method Reinhold suggests is clearly motivated by his view that, except in special situations, using mixed caps is a silly way to increase entropy. I say "clearly" because, per Kerchoff’s Principle, it adds only 2-3 additional bits of entropy.

  • Nunuv Yurbiz
    Nunuv Yurbiz
    Community Member
    edited August 2013

    The problem I have with diceware is that passwords made up of a series of short words (where each word is a "letter" in a much larger "alphabet") is that they're long, and it's a pain to type all that on an iPhone. Six short words may be easier to remember than, say, 9 random characters/symbols (96 charset) but what a pain to type! Especially while driving.

    We really need a better solution for mobile devices. If I want to do something quickly on my iPhone, I have to first enter my iPhone's password, then launch 1Password, then enter my 1Password password. And forget using any characters near the backspace key! [scream] It's not so bad when you have a full size, two-handed keyboard; awful when you're driving and fumbling around your iPhone.

    I gave up on the iPhone itself and just set a six-number password. But my 1Password password is long. (I thought there was an ability in 1Password to have normal entries and high-security entires? DId that go away?)

    And here's another thing [rant] why can't the 1Browser save SSL certificates? I have a self-signed certificate to access my web server over SSL and every time I have to confirm that the certificate is OK [/rant]

    Is voice recognition security feasible? That, at least, would be hands free. (Voice recognition could be either recognizing the letters/numbers/words I'm speaking and/or recognizing my voice as my own.)

  • khad
    khad
    1Password Alumni

    Especially while driving.

    Yikes! As a motorcyclist, I do hope that you never actually do that. Please keep your eyes on the road.

    (I thought there was an ability in 1Password to have normal entries and high-security entires? DId that go away?)

    Yes, one of our goals with 1Password 4 was to make strong security the default. The old PIN code had the downside of being used to encrypt some items and with only 10,000 possibilities, this just wasn't good enough for us to continue with. We did away with that approach in the first iPad version as well. The PIN code was originally conceived as a convenience feature for frequently accessed items in the time before iPhone OS supported fast app switching and background tasks. It was a compromise we were never happy with, but it provided the best balance of security and user experience at the time. We do still have the unlock code available in settings, but it is only used to control access to the 1Password application, never for encryption of any of your data. This means that you need to authenticate with your master password at least once per session in order to be able to use the QUC.

    From the User Guide:

    You can configure 1Password to never prompt the password/code, but this only works after you:

    1. Initially unlock 1Password app already,
    2. Set both Request After and Request Code After to Never, and
    3. Also keep re-opening 1Password once in a while.

    Why the last one? When you stop using 1Password, the iOS app will keep track of how long it’s been in the background in order to ensure there’s enough memory for your current and most recently used apps. 1Password can remain unlocked in memory only until iOS is forced to fully close the app in the background to reclaim its memory block, so that your current apps can use it.

    If the termination has occurred, you’ll have to enter the master password to unlock it.

    Note that the more memory you have in your iOS devices, the longer 1Password can remain unlocked. Keep this in mind when switching to older iOS devices that might see 1Password locked more often.

    I hope that clarifies the situation and our decision a bit. If you have other thoughts or ideas, please let us know.

    And here's another thing [rant] why can't the 1Browser save SSL certificates? I have a self-signed certificate to access my web server over SSL and every time I have to confirm that the certificate is OK [/rant]

    I'll pass your request along. Thanks for mentioning this.

    Is voice recognition security feasible? That, at least, would be hands free. (Voice recognition could be either recognizing the letters/numbers/words I'm speaking and/or recognizing my voice as my own.)

    Even just recognizing a voice can be tricky. I'm sure you've used Siri. ;) Accurately recognizing and securely verifying a specific voice is not really a suitable option at this time. But who knows what the future holds?

    As for the main point of your post, by all means, please use a Master Password that you are comfortable with. If you prefer not to use a Diceware password, that can be perfectly acceptable. Diceware is just the method we recommend. :)

  • benfdc
    benfdc
    Community Member

    Interesting. @jpgoldberg is working on a diceword-ish generator based on the notion that all-lowercase pass phrases are, as a rule, easier to type on mobile devices than mixed case + numeric + symbol passwords, but noneofyourbusiness dislikes typing six short words.

    I prefer short words, and that's what I use for my iPhone's unlock code.

    One thing that noneofyourbusiness and I have in common is that I too often find myself inadvertently hitting the backspace key on my iPhone keyboard when trying to type an L or M.

    Having an "avoid L and M" checkbox in a diceware-ish generator sure sounds odd, but if it were there I might well use it!!

This discussion has been closed.