Diceware for wifi passwords?
I'm going to be setting up wifi for someone and was initially going to set the password as a WPA2 random 64 character password. However, I'm wondering whether it would be easier to simply choose a diceware password from 1Password's "Words" as that would be easier to type, especially on mobile devices.
- Would a diceware password (seven words, each separated by a non-letter) be as strong as a 64 character password?
- Could I use fewer than seven words and retain the same security level?
- Are there any downsides to using Diceware for a wifi password?
- If Diceware's popularity increases, is it not risky to have all passwords generated from a set list of words? Doesn't this make its passwords more vulnerable?
Thanks
Comments
-
Hi @1pswdfan! (I like your name).
Math versus security
Quite frankly, both a 64 character password and a seven word Diceware password are overkill for a WiFi password. Unless there is something particularly unusual about your setup, there is no real threat of offline attacks against such a password, and so the strength requirements of them really huge. (Uniqueness, however, is very very important. Don't reuse these anywhere else.)
A seven word password using our wordlist generator gets you 99 bits. Quite frankly it would already take more than the age of the universe to crack that, and it would consume far more electricity than humanity produces to try to crack it. So although in a technical sense a random 64 character password is enormously stronger, it wouldn't be adding any meaningful security, as the 99 bit wordlist password is already overkill.
If you want to see more detailed discussion of this point, please take a look at https://blog.agilebits.com/2013/03/09/guess-why-were-moving-to-256-bit-aes-keys/
Anyway, for a typical WiFi password, a three word wordlist password from our list gets you 42 bits of strength, which is more than enough for defending against on-line attacks.
Stays strong even if everyone uses it
You asked a very important question here:
If Diceware's popularity increases, is it not risky to have all passwords generated from a set list of words? Doesn't this make its passwords more vulnerable?
When we talk about the strength of these passwords we are assuming that the attacker knows what system you used to generate the password. This is a fundamental part of security design.
A lot of other password advice that has floated around ("substitute @ for a", or "pick a phrase and use the first letters of it") doesn't really hold up to that principle. If an attacker knows what system you use, then much of its (claimed) strength disappears. But we very specifically wish to use password creation schemes that stand up even when the attacker knows exactly what scheme is used. I like calling this the Kantian Principle of Advice: The advice should remain good even if most people follow it.
0 -
There are some Knowledgebase entries and blog posts that help with this but I'm on my phone and I'm sure someone else can find them. However, if you use a sufficiently long Diceware password (say, 5 to 7 words), the strength comes from the number of words and the number of possibilities of each word. And the randomness. So while technically a 64-character password would be more secure if random, practically the Diceware password would still take trillions or more years to guess with current technology (and most tech we can predict). I would say you're fine to use one! Certainly it would make other wireless networks a more attractive target, or using another method like malware or social engineering to breach the network.
0 -
Apparently I took long enough to type my first reply that it wasn't even the first! (It was when I started it :-)
That's ok, the link is the one I was thinking of. And my master password is also in the over 25 character range.
I disagree slightly that a wifi password is not subject to an offline attack. There are ways (and if none exist for WPA2, which I'd have to look up, a way may be found as there have been for previous wireless encryption standards) to capture enough of a wifi conversation that the original key could be derived from an offline attack based upon the captured data. The attacker would need to be within range of the wireless network and not on the Internet only (but this could be anyone within several blocks of the network, though they'd likely need a large sample of data to work with).
The likelihood of this happening to a given wireless network is low compared to a web-enabled system being attacked due to geographic limits, but I wouldn't rule it out if you're looking for security to match a full-length password. Certainly a 3-word Diceware password will beat the ever so common phone number-or-address-as-key (don't laugh, I'm an IT consultant and those are frighteningly common!), but something in the 4-7 range would be stronger against an offline attack, however less likely.
0 -
For reference, see this article at HowToGeek regarding offline WPA2 cracking. And for a discussion about the math behind Diceware passwords (500 million years is the estimated cracking time for a 5-word Diceware password, with 64 bits of entropy), see this AgileBits blog post: Better Master Passwords: The Geek Edition
Both are plenty geeky though explained very well. Neither are required reading for the above conclusions, just references as I mentioned :-)
0 -
Hi @jpgoldberg, @dszp, and @julie-tx,
Thanks very much for your detailed replies.
It seems that choosing a passphrase composed of more than 3 or more words would be ideal for wifi.
Which site do you use to calculate how long it would theoretically take to crack a password? My primary concern is against possible attempts to access the network or its data. Though it's not very likely, I'd prefer not to create a network that could be breached by someone uninvited.
@jpgoldberg: Your "Kantian Principle of Advice" is very interesting. If I understand it correctly, are you saying that even if someone knew that I tended to choose passwords that were for example 4 diceware words separated by a symbol (word#word#word#word), the sheer number of possibilities this pattern allows would make it practically impossible to crack in a useful time frame? The important part, of course, is to allow the system (such as 1Password's Words option) to choose the password.
I find these word passwords really interesting and human-friendly. For example, I still remember a three-word password I entered last night, where I would never have remembered it had it been just random characters of the same length.
0 -
This has been posted in the forum before, but it seems worthwhile repeating here. The message is that we've been led to create insecure passwords that we cannot remember, when it would be more secure to generate pass phrases that we can remember. (Apologies for the inelegant interpretation of a brilliant cartoon.)
0 -
We've been led to create passwords which may be secure, because they are as complicated as can be, but which are nigh on impossible to remember. This leads people to only perform the predictable obfuscations, and that leads back to ... insecure passwords. That's the take-away of that cartoon.
I think that password managers are leading people in a different direction - passwords people don't have to remember, but which are so complex they cannot be broken by brute-force methods, ever. I think people are more likely to generate 32 characters chosen from a 95 character alphabet if they don't have to remember them. That's pretty close to as many possible passwords as elementary particles in the entire Universe. I have accounts on web servers that allow 50 character almost fully random passwords. At that point - 50 characters chosen from a 95 character alphabet - all attacks are futile, forever.
0 -
I love to be told I'm wrong about something, as it is always an opportunity to learn new things.
@dszp pointed out
I disagree slightly that a wifi password is not subject to an offline attack. There are ways[...] to capture enough of a wifi conversation that the original key could be derived from an offline attack based upon the captured data.
And helpfully provided a link to an article detailing this.
So I stand corrected. But as noted the attacker would need to capture and record a lot of transactions to have a better shot at off-line cracking. So while three word passwords from our wordlist are still going to be more than enough for almost everyone, there might be people who have a need for four words.
If your threat environment is such that you would need even more, you shouldn't be using PSK for your WiFi anyway.
0 -
@julie-tx - Duly noted, and I do exactly that when 1Password is managing my data. But for those I need to remember, the randomly chosen memorable words from a list is the way I generally go. I was thinking too narrowly when I posted that link. Or perhaps not thinking at all!
The bulk of the discussion in the thread, though, has been about the security of words chosen from a list. Perhaps some defense?
0 -
The words themselves don't actually matter, only that there are N of them and the probability of choosing any particular word is the same as choosing any other particular word. We could actually replace the words themselves with the index of the word in the table and there would be no loss of strength provided there are delimiters between the "words" so there's no risk that two words catenated without a delimiter is the same as any other substring or word in the dictionary.
If "apple", "zebra", "rocket" and "icepick" were words 137, 17542, 12640 and 7284 (respectively), the passwords "apple zebra rocket icepick" and "137 17542 12640 7284" have the same strength. This might appear counter-intuitive because the first has 26 characters and the second has 20, and the first is lowercase A-Z (26 possible letters) and the second is 0-9 (10 possible digits), but there really are the same number of possible combinations.
In both instances what the attacker is attempting to go after is a dictionary-based password, taken one entry at a time, with N entries in the dictionary, and M entries making up the overall password. So, the possible password space is N ^ M regardless of what the set of all N happens to be made up of -- words from the English / Spanish / French / Esperanto dictionary, unique names of cities / animals / plants / constellations, or even randomly generated blobs of gibberish. You start with the assumption that the attacker knows the dictionary contents and the number of "words" in the password, and you go from there.
0 -
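Added example (not part of any post in this thread, and not 1Password's code): the N ^ M arithmetic from the reply above, with a check of its delimiter point on a small constructed word list. The 7776-entry size is that of the standard Diceware list; the toy words and all function names are assumptions made for illustration.

```python
import itertools
import math
import secrets

DICEWARE_LIST_SIZE = 6 ** 5  # 7776 entries in the standard Diceware list

# Constructed toy list: "up"+"onset" and "upon"+"set" spell the same string.
TOY_WORDS = ["up", "upon", "set", "onset", "dice", "ware"]


def entropy_bits(choices: int, picks: int) -> float:
    """Bits of strength for `picks` uniform, independent draws from `choices`."""
    return picks * math.log2(choices)


def words_needed(target_bits: float, list_size: int) -> int:
    """Smallest word count whose N^M space reaches the target strength."""
    return math.ceil(target_bits / math.log2(list_size))


def distinct_passwords(entries, picks: int, delimiter: str) -> int:
    """Count the different strings produced by every ordered choice of entries."""
    combos = itertools.product(entries, repeat=picks)
    return len({delimiter.join(combo) for combo in combos})


def generate(entries, picks: int, delimiter: str = " ") -> str:
    """Draw each word with a CSPRNG so every entry is equally likely."""
    return delimiter.join(secrets.choice(entries) for _ in range(picks))


if __name__ == "__main__":
    print(f"5 Diceware words: {entropy_bits(DICEWARE_LIST_SIZE, 5):.1f} bits")
    print(f"64 chars from 95: {entropy_bits(95, 64):.1f} bits")
    indices = [str(i) for i in range(len(TOY_WORDS))]
    print("words, '#' delimiter:", distinct_passwords(TOY_WORDS, 2, "#"))
    print("indices, ' ' delimiter:", distinct_passwords(indices, 2, " "))
    print("words, no delimiter:", distinct_passwords(TOY_WORDS, 2, ""))
    print("sample:", generate(TOY_WORDS, 4, "#"))
```

With a delimiter, the word form and the index form both give all 36 two-entry passwords; without one, the toy list yields only 35 distinct strings because two different choices collapse into "uponset".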
This thread has a really good discussion of Diceware security. This is the third and last page and the final entry has some good time-to-crack comparisons: https://discussions.agilebits.com/discussion/10684/password-with-real-words-like-diceware-really-safe/p3
But I recommend going to the start of that thread's first page and reading all the way through. Quite a nice discussion! Thanks for the push to do the research, found lots of good reading, that's just the best/easiest to point to :-) Found it on Google, too!
(As a little Easter egg, @jpgoldberg links to a YouTube video of himself at Passwordscon giving a talk about defining password security in one of the posts in that thread. I haven't watched yet but I might find the time :-)
0 -
Thanks for the feedback and the link! Indeed, there have been quite a lot of excellent discussions about security in these forums over the years. I'm glad it's all been so helpful & interesting for you. We're always happy to help if you have more questions! :)
0