Show password length in characters when generating Diceware passwords

pbryanw
Community Member
edited May 2015 in 1Password 4 for Windows

Hi,

I've been on a few web-sites where there's been a limit to the password length. This isn't too bad using the standard generator, as it shows how many characters are in the password. I'm just wondering if this could be brought across to the diceware generator. As it stands, it only shows you how many words from the diceware list are in the password. As each word can be a different length, this doesn't let me know how many characters the full password is going to be. Anyway, hope you can add this feature to the various 1Password browser extensions.

Comments

  • RichardPayne
    Community Member

    If you start restricting the word choices that Diceware can select from then you fundamentally reduce its security. For fields with a restrictive length limit I'd recommend using a standard randomised password.

  • MikeT
    edited May 2015

    Hi guys,

    @pbryanw, Richard is correct. The more restrictions you place on Diceware, the quicker it gets weaker than the random-character generator. One of the basic premises of Diceware is to generate a long passphrase that you can easily type, read, speak, and/or memorize. If you restrict the length, you can basically figure out the pattern quickly because there aren't a lot of words that can fit within that range, and password crackers will use that against you.

    For length-restricted passwords, you'd be better off using the random character settings, as Richard has mentioned.

  • pbryanw
    Community Member
    edited May 2015

    @RichardPayne, @MikeT - Hi, thanks for the help. It's just that recently I had to generate a password that had a 30-character limit. I wanted a diceware password because it would be easier to type in and remember. If I could see the character length of the diceware password, I could re-roll until I got one under, or around, 30 characters in length. If I understand you both, in this scenario it would still be better to generate a standard randomised password? Yet how do I generate a standard randomised password of 30 characters that is not a chore to type in manually when I need to?

  • RichardPayne
    Community Member
    edited May 2015

    "If I could see the character length of the diceware password, I could re-roll until I got one under, or around, 30 characters in length"

    And that is the fundamental weakness in what you're proposing. By re-rolling until you get one that fits you reduce the set of possible results which makes it easier to guess.

    "Yet how do I generate a standard randomised password of 30 characters that is not a chore to type in manually when I need to?"

    You can't, other than excluding symbols and numbers (at 30 chars long, 1Password still considers it "Fantastic"), and even that's not easy to remember. The question is, what is this for? Why would you need to type it manually?

  • MikeT
    edited May 2015

    Hi @pbryanw,

    "If I understand you both, in this scenario it would still be better to generate a standard randomised password"

    Absolutely, because every character, digit, and symbol would be used to fill up to 30 characters. In Diceware, it is restricted to the words that exist in the two diceware lists, which are either 7776 short words or 17679 4-8 char words, which would be known to anyone.

    Add another restriction of 30 characters to the Diceware generator and it would be easier to guess than a random string of 30 characters. A password cracker can be fed the following information: "up to 30 characters", "limit searches to words included on these two standard lists", and it would generate a much shorter list of every single combination that can be checked, compared to "up to 30 characters" and "limit to every single letter, character, symbol, and so on".

    On the other hand, you can edit the generated password to add or remove characters to manually truncate the length. So, if you get: stead fear algal aliens dowels (31 char), you can just edit the last set and say something like $g9z!; stead fear algal aliens $g9z!. Even just changing the delimiters would make it stronger, like stead fear,algal aliens,$g9z! (space, comma, space, comma).

    Anything that makes it easy for you to remember == easier for the password cracker to figure out as well.

    I'll see if we can add something to the UI to mention how many characters there are in the field, it might at least make it easier to edit.
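
The two points made in this thread (Richard's "re-rolling until it fits shrinks the set of possible results" and MikeT's "a cracker can be told 'up to 30 characters, only words from these lists'") can be put in numbers. The following is an added example, not code from the thread or from 1Password: it counts exactly how many n-word passphrases survive a character cap, converts that to bits, and compares it with a random-character password of the same length. The word-length histogram WORD_LENGTH_COUNTS is a constructed approximation of a 7776-word list and is an assumption, not the real Diceware or EFF list's distribution; replace it with the real counts for exact figures. The function names are the example's own.

```python
from math import log2

# Constructed word-length histogram for a 7776-word list (length -> count).
# This is an assumption for illustration only, not the histogram of the real
# Diceware or EFF lists; swap in the real counts to get exact figures.
WORD_LENGTH_COUNTS = {3: 200, 4: 800, 5: 1800, 6: 2200, 7: 1600, 8: 900, 9: 276}


def total_length_distribution(n_words, length_counts):
    """Map total letter count -> number of n-word sequences with that total.

    Each word position convolves the running distribution with the
    per-length word counts, so the result covers all list_size**n_words
    sequences exactly (big ints, no floating point).
    """
    dist = {0: 1}
    for _ in range(n_words):
        nxt = {}
        for total, ways in dist.items():
            for wlen, wcount in length_counts.items():
                nxt[total + wlen] = nxt.get(total + wlen, 0) + ways * wcount
        dist = nxt
    return dist


def count_passphrases(n_words, max_chars, length_counts, sep_len=1):
    """Number of n-word passphrases, separators included, with <= max_chars."""
    budget = max_chars - (n_words - 1) * sep_len  # characters left for words
    dist = total_length_distribution(n_words, length_counts)
    return sum(ways for total, ways in dist.items() if total <= budget)


def passphrase_bits(n_words, max_chars, length_counts, sep_len=1):
    """Entropy of a passphrase accepted by "re-roll until it fits".

    Re-rolling is rejection sampling: the result is uniform over the smaller
    set of fitting passphrases, so its entropy is log2 of that set's size,
    which is exactly the reduced search space a cracker can enumerate.
    """
    count = count_passphrases(n_words, max_chars, length_counts, sep_len)
    return log2(count) if count else 0.0


def random_password_bits(length, alphabet_size):
    """Entropy of `length` independent uniform picks from an alphabet."""
    return length * log2(alphabet_size)


def compare(n_words, max_chars, length_counts, alphabet_size=62, sep_len=1):
    """Bits for: unrestricted Diceware, length-capped Diceware, random chars."""
    list_size = sum(length_counts.values())
    total = list_size ** n_words
    fitting = count_passphrases(n_words, max_chars, length_counts, sep_len)
    return {
        "diceware_unrestricted_bits": n_words * log2(list_size),
        "diceware_capped_bits": log2(fitting) if fitting else 0.0,
        "fraction_of_rolls_that_fit": fitting / total,
        "random_chars_bits": random_password_bits(max_chars, alphabet_size),
    }


if __name__ == "__main__":
    for n in (4, 5, 6):
        r = compare(n, 30, WORD_LENGTH_COUNTS)
        print(f"{n} words, <=30 chars: "
              f"{r['diceware_unrestricted_bits']:.1f} bits uncapped, "
              f"{r['diceware_capped_bits']:.1f} bits capped "
              f"({r['fraction_of_rolls_that_fit']:.1%} of rolls fit), "
              f"vs {r['random_chars_bits']:.1f} bits for 30 random [A-Za-z0-9]")
```

The useful reading is the gap between the capped Diceware figure and the random-character figure: a 30-character alphanumeric password sits near 178 bits, while five words from a 7776-word list start at about 64.6 bits and lose a few more once only the rolls that fit under 30 characters are kept. Adding more words does not help, because the cap makes longer phrases fit less often, which is the "there aren't a lot of words that can fit within that range" effect MikeT describes.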

  • pbryanw
    Community Member

    @RichardPayne, @MikeT - I suppose the only times I need to enter a password manually are for ones like Dropbox when I'm first setting up a PC, and I need to copy the password from 1Password on my Smartphone (however Dropbox doesn't have a character limit).

    However, I now understand why, in cases when I don't need to manually enter the password and there's a character limit in place, a standard randomised password would be better. Thanks to both of you for your help and easy-to-understand explanations on this matter.

  • RichardPayne
    Community Member

    There really is no excuse for websites having password maximum lengths these days. The only reason for them is to keep the password within a database field size. Since they should be hashing passwords and hashes always come out at the same size no matter how long the password, the only reason for length restrictions is if they are storing the password itself. If you're cautious then length restrictions are a bit of a red flag.

  • pbryanw, you're welcome. If you have any additional questions, please do let us know.

    I've filed an improvement request to see if we can add a tooltip or something like that to tell us the number of characters including the delimiters in the Diceware generator.

This discussion has been closed.