Which is stronger password to protect me

Hi, I think I dangerously have been reading too much on making a stronger password since the reports of countries trying to crack passwords :)

To make a long story short, are the random word sentences generated (I think it is the 1P dicewords) stronger for super-computer cracking efforts against me, or long random character and number passwords?

Both arguments have made their point, and they are both believable, so I would eagerly like to hear from someone who works with this stuff rather than internet arm-chair quarterbacking people.

Thanks,
Peter

Comments

  • RichardPayne
    RichardPayne
    Community Member

    http://blog.agilebits.com/2011/06/21/toward-better-master-passwords/
    http://blog.agilebits.com/2012/07/31/1password-is-ready-for-john-the-ripper/

    Also take a look at the calculations at the end of this thread:
    https://discussions.agilebits.com/discussion/comment/140144#Comment_140144

    Those calculations are based on cracking a system that uses a key strengthening algorithm (as 1Password does). I'm not sure of the current numbers but a couple of years ago crackers were doing 350 billion guess per second against non-strengthened keys. Using that rate in my calculations works out at 10,000 years to, on average, to crack a 6 word diceware password.

  • DBrown
    DBrown
    1Password Alumni

    According to my family medical history, 30 to 40 years should be enough for me. :)

  • bkh
    bkh
    Community Member

    "According to my family medical history, 30 to 40 years should be enough for me."

    If you are not already pretty old, I'm sorry to hear that.

  • DBrown
    DBrown
    1Password Alumni

    Oh, I'm both!

  • Peter_Pappas
    Peter_Pappas
    Community Member

    Thank you for your answers.

    For online banks, Scottrade and so on, would I be using dicewords for my account passwords or the 24 character generated phrases?

    I know I can find out for myself, but would the spaces give a problem with the bank's password fields?

    Peter

  • RichardPayne
    RichardPayne
    Community Member
    edited September 2014

    @Peter_Pappas‌
    The way I look at it is that I use non-Diceware passwords for most of my logins. They are undoubted stronger for the same length. The only ones I use Diceware for are the ones I must actually remember without relying on 1Password. They are:

    1) 1Password Master Password
    2) Dropbox password (which I need to access my keychain in the event of a catastrophic local hardware failure).
    3) My primary email account (in case I can't recovery from Dropbox either, this allows me to do manual password resets on my accounts).

  • Peter_Pappas
    Peter_Pappas
    Community Member

    Thanks everyone for all your help. I have a situation and have to find a solution for myself.

    Here is what I did. Please tell me if I did a good thing, or if I shot myself in the foot :)

    I cannot remember the Diceware words, and I cannot type accurately when under pressure so I need to find a solution for copy and paste. I have thought of every which way but loose on where and how to hide my Diceware password in the computer so I can copy and paste. This is saved in my Dropbox so I can access this on 3 computers.

    I am in a stressful situation and when in a high pressure fast paced situation arises it becomes hard to remember even easy passwords. You will have to trust me on this without explanation. Think a hospice at home situation.

    Here is my solution, I am not into this like you guys are, so I took pieces of the puzzle and created my own new solution. My goal is to copy/paste the masterpassword into 1P and still stay secure.

    1. I Googled and found the Diceware word list (http://world.std.com/~reinhold/diceware.wordlist.asc).
    2. I sorted all the Diceware words from that list randomizing the order. The list now looks like this for 8 pages long in my file:

    "jude sykes cilia fray chili blimp leave wb urn de minos slam juju span bosom cure tater birth exist mu track match winch irene morse plant carla mario shook snore pickup tl pont debby owing lump dodge oath rl list suny bong rabbi sss z's ovate nasty about efface macro ta loy blythe abel axes foss klux rich long freak boston gwen dubhe poesy sear final finch foggy rape oak align noun the cahill lift none rift abram aaa mutt lois faro lather divorcee hangnail eclectic relic mode cos plump haven odin ad nelsen antic field kenya plaza rhea hunk fx spay june curb fate dowel bm stamp sash dolan whip junk nikko give lr nor glib vivian booky xt mold sm sure clive laity raj some verne crop torch epoxy baton typic kite fest wary ne cherub swing skiff west lp fad loss shrug rude berlin larkin pelt sybil bush swirl took cady wyatt slap dope fowl z clarke wore ax radon genus lk enrico np maple coup month bud gift whisk pupal axis churn toxic pat vitae ro strip villa clan penh neff still crock return austin lava slot ph name eject beget pb barley poi rank rs opec briggs peril tacoma awash whit topic erode weber hat scary fig biota vast negro radio plat boo hilum ante gluey rabid debug squint ej iambic rocket ee caine hayes brim pact rrr saint tonal brad idyll luger shrew dart shy prefix waist plato mayer lars vote dreg allis mire fable bunk ella ravel went milk p's capo pyrite vail equip rise snowy piety bourn butte fin legion vague wily oo cacm swum herr pomona world alsop lumpy rilly repent setup amid ire she'd egan cetus july rump son dunce trot foamy vamp stile sibyl scorn append staff heavy otis must genoa overt entrap butt log wrath illume lure haze tort rabbit"

    1. I copied and pasted this into my Rolodex file software in the computer (on Dropbox so I can access this on multiple computers). I named in American Words to know what to look for. There are 7464 words.
    2. I went to 1Password > Password Generator and generated a 4 word Diceware password.
    3. I deleted those words from the list of words.
    4. I pasted the generated Diceware password somewhere in that list of words and can search for the first word and copy the passphrase out.
    5. I added a 5th I made up according to the article on making strong passwords in the string of 4 words making it now 5 words.

    Now I can easily find and copy/paste my Diceware word phrase I embedded in the word list, add the 5th word into the phrase and am good to go.
    I use a word I made up like the 2 dogs example in the article on the 1Password website. This way when an emergency happens and things are going bad, I don't have to remember anything but that one word while under pressure. I can copy/paste and add the additional word in the right place in the passphrase. My thinking is even if the passphrase sequence can be found in that huge list of words, it still needs the 5th word inserted in the right position to work. This is something I can work with as long as it is not something really dumb lol.

    So, does this sound reasonable, did I miss something obvious? Also, can I see the password as i type into the vault as an option?

    Peter

  • RichardPayne
    RichardPayne
    Community Member

    First, no, the vault password is always obscured when you enter it.

    Your scheme seems ok to me. The only area for potential concern I can see is the reliability and randomness of your sorting process.
    Any comments @jpgoldberg‌?

  • Peter_Pappas
    Peter_Pappas
    Community Member

    Why would the randomness of the sorting matter? My passphrase was generated by the 1Password password generator, not the sorting process of the spreadsheet. I randomized the sort order of all the Diceware words, and then buried my passphrase that 1P generated somewhere in that list so I can copy and paste it in. I "hid" my passphrase in that list of randomized word. I didn't alter my passphrase from 1Password but I did add my own word to that passphrase.

    If my passphrase is "she sells sea shells" I needed a place to hide that in the computer to copy and paste it. That is what my problem is as it seems in all the writings - that if I can think it - then so can the bad guys.

    My solution is to hid my passphrase in the entire Diceware word list. I have a method to find it (search for the first word and then copy the whole passphrase - yes, I can recognize it by sight). Then to make it more difficult, I insert my additional word I made up in the proper position. For me, it is easy and I think I am still following protocol. So the complete passphrase cannot be identified and copied because it is not all in one place. The one that 1Password generated is hidden in that randomised word list, plus I modify it before pasting it into the vault by adding my own word. That is why the random sorting I did should not matter, at least I don't think it should matter?

    I can tell you how I randomized the words if it helps to know that. Oh, one more thing, I deleted my passphrase words from that list - or it would be easy to tell what they are as they would be the only words in the list twice lol :)

    So, to get my passphrase, the bad guys would have to extract the exact passphrase from the big Diceware randomized word list, and then add my additional word in the right sequence or position. I am hoping this gives me copy/paste ease and still keeps my security high. I paste the passphrase into the 1Password program using the new desktop feature.

    Peter

  • RichardPayne
    RichardPayne
    Community Member

    The reason it matters is because if the randomised word order is predictably random then your inserted diceware passphrase will break the predictability and would therefore be detectable.
    I doubt that this is a serious problem for you, but it was the only problem I could see so thought I'd mention it.

  • bkh
    bkh
    Community Member

    The other small problem is that it appears you published a portion of your actual "randomized" list on line, so now the bad guys have that to work with. If they try to randomize their list using some automated technique and some portion (the first portion?) matches what you posted, then they have accomplished the attack that @RichardPayne described.

  • Peter_Pappas
    Peter_Pappas
    Community Member
    edited September 2014

    Oh, Okay, I understand - thanks.

    I used 2 columns in the spread sheet. In one column is all the words. In the other column I filled it with =rand(). This generates a random number. You can try that in your spread sheet program. Then I sorted based on the random numbers and basically the words all got shuffled. You can shuffle them over and over by re-invoking the =rand() to generate a new number again and then sort again.

    The random numbers generated look like this:

    0.0008459557 a

    0.1596180594 a&p

    0.7031317207 a's

    0.6409454602 aa

    0.7514410922 aaa

    0.3428823606 aaaa

    0.1601678987 aaron

    0.1846904964 ab

    0.5569116324 aba

    0.2459086033 ababa

    0.3672429463 aback

    0.5409865987 abase

    0.3706057654 abash

    0.4859465281 abate

    0.3711592967 abbas

    Pretend the above 2 columns is in a spread sheet in the proper columns (A and B). Then just sort on the number column.

  • RichardPayne
    RichardPayne
    Community Member

    You've just been Markdowned! Welcome to formatting hell.

    I get the idea though. rand() is not random in the cryptographic sense, but it might be secure enough for this. I'm sorry to say I simply don't know.

  • bkh
    bkh
    Community Member

    rand() is not random in the cryptographic sense

    +1

    The method of @Peter_Pappas may well resist a casual attack, but not a serious attack. Also, malware (such as a simple key logger) on the local PC can observe the search for the master password diceware phrase, since it is not carried out in the secure desktop.

  • Peter_Pappas
    Peter_Pappas
    Community Member

    Actually the keylogger argument is best. I will just try and write down a 5 word passphrase and see if it can just become a part of me.

    Thanks everyone very much :)

    Peter

  • bkh
    bkh
    Community Member

    Actually the keylogger argument is best. I will just try and write down a 5 word passphrase and see if it can just become a part of me.

    That's best. Repetition is your friend. And the piece of paper in your safe deposit box will save you if some disaster impairs your memory.

  • RichardPayne
    RichardPayne
    Community Member

    That's best. Repetition is your friend. And the piece of paper in your safe deposit box will save you if some disaster impairs your memory.

    Make sure it's a fire proof safe. ;)

  • DBrown
    DBrown
    1Password Alumni

    I'd do both: a safe (preferably fireproof) for access at home and a safe deposit box for off-site backup.

This discussion has been closed.