Can I make up my own Diceware word sequence? or does one *have* to use the generator?

Options
Sensel
Sensel
Community Member

Let’s say I am a farmer or rancher. I could make a passphrase that is easier for me to remember on some of my accounts.

Like: hell-freeze-over-prior-pigs-fly

or: buffalo-earth-horse-roam-dog-quail

Equally, I could totally fake it all out BUT known only to me the meaning of each word

peace-fearless-rabbit-salamander-rod-vomit

or do Diceware phrases have to be generated?


1Password Version: 6.0.2
Extension Version: Not Provided
OS Version: 10.10.4
Sync Type: Not Provided
Referrer: forum-search:Can I make up my own Diceware word sequence? or does one have to use the generator?

Comments

  • hawkmoth
    hawkmoth
    Community Member
    edited March 2016
    Options

    @Sensel -

    do Diceware phrases have to be generated?

    Part of the key to making Diceware pass phrases secure is that they must be generated completely randomly. Humans seldom chose truly random words. For example, people tend to pick only nouns. That doesn't apply to your examples, I see, but the word combinations you've used do have a relationship to each other. I've taken the advice from AgileBits to really make my choices random for my 1Password master password. It's almost the only password I need to remember after that, so it isn't so hard to memorize. Amd I make sure I have to enter it frequently to be sure it doesn't fade from memory.

    This AgileBits blog post is a few years old by now, but still informative: Toward Better Master Passwords I've been a user since well before the time when 1Password itself could generate these pass phrases, and I used dice for mine to be sure it was a random selection from the word list.

  • Drew_AG
    Drew_AG
    1Password Alumni
    Options

    Hi @Sensel,

    I hope hawkmoth's answer was helpful for you! The blog post he included is a great one, and you might also be interested in a more recent one which discusses the randomness and strength of wordlist passwords: How 1Password calculates password strength

    Thanks for taking the time to ask us about that! Please let us know if you have more questions about that or need anything else. Have a great weekend! :)

  • Sensel
    Sensel
    Community Member
    edited March 2016
    Options

    Actually, my question remains unanswered! Super security paranoia aside, can I make up my own Diceware word sequence? or does one *have* to use the generator?
    The implication in the (not really the) answers is, yes, we can. Just don’t over noun it. But, it won’t be super-duper secure. Just super secure. (Remember, paranoia and security are both relative.)

  • danco
    danco
    Volunteer Moderator
    Options

    I think part of it is not to use your own sequence, but to use a random method of creating a sequence (such as the original dice tossing in Diceware) Otherwise there is likely to be too much pattern in the words. Beyond that, all that is needed is that the sequence is taken from a sufficiently long word list.

    In your example fly-over-hell-pigs-prior-freeze and over-pigs-prio-fly-freeze-hell have to be possible sequences that are as likely as your original.

  • jpgoldberg
    jpgoldberg
    1Password Alumni
    edited March 2016
    Options

    @Sensel, you have to use a sufficiently random process for selecting the individual words and order. Human brains are not sufficiently random.

    XKDC

    Source: http://xkcd.com/1210/

  • julie-tx
    julie-tx
    1Password Alumni
    Options

    One of the problems with self-generating pass phrases is internal bias, which I cover in the blog post @Drew_AG referenced above.

    We can think "Hey, I'm super clever -- I'll make up my own passphrase!" but there have been instances where passwords needed to be cracked and personal information and behavior was used to do precisely that. I know from my own experience that I have biases when I create hand-rolled passphrases.

    Food and sports cars.

    If you compiled a list of words related to food items, sports cars, engine components and component types ("automatic", "manual", "limited slip differential", "normally aspirated", "forced induction" -- get the picture?) you'd have all the words Naive Julie would have used many years ago. The problem there is you can find my rants about sports cars and food on my Facebook page. You don't have to go through speed shop catalogs and restaurant menus to find my "favorite" words. That's where attackers are going to get their ideas.

    When I wrote that blog post and was looking for examples, I used the fact that I say "cool" all the time, but I never say "groovy" or "hip". That's the reason self-generated passphrases are so weak. My car has rack and pinion steering, 4-speed automatic with overdrive, dual high-flow cat exhaust, and a limited-slip differential and I just don't think about other kinds of car stuff. Or food that involves sprouts, tofu or whatever the heck arugula is.

  • hawkmoth
    hawkmoth
    Community Member
    Options

    @Sensel said,

    The implication in the (not really the) answers is, yes, we can [roll our own pass phrases. Just don’t over noun it.

    Nope, that wasn't what I meant at all. I meant that humans have a bias towards using nouns, among other biases. I did not mean to imply that it's OK to generate your own pass phrases, so long as you don't over noun them. That is why I didn't say that it's OK to roll your own, just don't over noun it. As the others have since explained, it's only secure to roll your own if your mind is able to pick truly random words in truly random order.

    Everyone has to decide how secure and how paranoid one wants to be, but you asked if it was OK to make your own pass phrases, then used examples where all the words are related to one another. It's certainly better to use a string of words than to use the dictionary words most people pick. You are, of course, free to use whatever method you'd like to use, so long as you are comfortable with the security. The pros on the matter (of which I am not one) weighed in on this thread afterward to explain why you get the advice you do from AgileBits.

  • Sensel
    Sensel
    Community Member
    Options

    Boy, everyone who has replied totally did not get my question EXCEPT danco. Thanks
    Read this Washington Post article about one annoying password measure implemented by IT areas all over, is a total disaster and was the first day some idiot engineer thought of it.
    All this typing of this and that and why do that and not that, totally turns off 99% of your users and they still just use monkey taco and glaze over.
    Simple, even if slightly more risky, is better because it is actually more secure in the long run.
    A sequence of words, which is way easier then kesWvVDrIrM$6"f7lWnp, made by a brain, but warned to mix verbs and nouns, and avoid hobbies or any element of your life, is way better then monkey taco.

  • hawkmoth
    hawkmoth
    Community Member
    edited March 2016
    Options

    Regarding that Washington Post article, this is another reason why AgileBits recommends constructing a strong master password an then never changing it. (I'll leave this alone now. Adopt whatever makes you most comfortable.

  • vplewis
    vplewis
    Community Member
    Options

    @Sensel Everybody got you question the first time. They were trying to explain to you why diceware works securely and non-random choices may not work as securely.
    As to "Simple, even if slightly more risky, is better. . ." ultimately leads to [12345678] as a simple password—which is not more secure in the long run.

  • Vee_AG
    Vee_AG
    1Password Alumni
    edited March 2016
    Options

    Indeed you can make up your own passphrases, but if you make them up, they won't be random, so they won't be as strong. And they certainly won't be Diceware because Diceware is, by definition, randomly generated. The true randomness is a big part of what makes it strong.

    But an important point to keep in mind here is one that hawkmoth mentioned: 1Password stores all your passwords so you don't need to make them memorable. Create a strong (long and random) and memorable Master Password, and perhaps Apple ID and/or Dropbox password (depending on your setup), and let 1Password do the rest of the heavy lifting as far as generating and remembering. That's what it's there for. :)

    P.S. I've moved this discussion to the Lounge forum as it is not specific to 1Password for Mac or any of the client apps.

  • jpgoldberg
    jpgoldberg
    1Password Alumni
    Options

    @Sensel,

    I'm sorry that you feel that I was answering the wrong question. And I apologize for not digging into the details of your proposed scheme, but I felt that the details didn't matter because it is indeed the case that Diceware passwords have to be generated. Do not make up your own scheme.

    I also treat the choice of words the same way that I treat the choice of sequence. Neither should be human generated and the reasons are the same for both cases.

    The Internet is littered with some terrible password advice, and you are absolutely correct that IT departments have bought into what I consider a cargo cult of "what makes for a good password" (But that is another story) and what makes for a good password policy (yet another story).

    There actually are some situations in which regular password changes are useful. But those situations are far fewer than many imagine, and they emphatically do not include 1Password Master Passwords.

  • danco
    danco
    Volunteer Moderator
    Options

    Aren't some of the answers missing something?

    Diceware is intended to be secure even though the list of words is freely available. So the OP is free to create any list of words he likes, it just needs to be long enough.

    What is important is to make a random choice of words from the list, by throwing dice or whatever method is convenient. But making one's own choice is not a good idea.

  • AGAlumB
    AGAlumB
    1Password Alumni
    Options

    Diceware is intended to be secure even though the list of words is freely available. So the OP is free to create any list of words he likes, it just needs to be long enough.

    @danco: It's important to assume that an attacker knows how the key (password) was generated, so having the standard Diceware lists public doesn't hurt their usefulness. And honestly using a list that someone else set up (provided it is long enough and doesn't contain duplicates) is best anyway, since a list I make myself may be biased, both in its order and composition of words I'm familiar with. Always fascinating to think about. :)

  • Sensel
    Sensel
    Community Member
    Options

    You can put a massive 5 ton steel door on your house or, a normal one. Risk and protection are all relative.
    If one randomly picks words, sure, bias. Whatever.
    But, I am not the bank of Panama. I can live with that small supposed “risk”.
    BTW: we are all at greater risk of dying in a car crash. But we accept those risks and limits on cost to safety. But maybe some commenters here have added more safety features to their car like — wearing a helmet. I choose not to wear a helmet in my car. But WOULD (and do) on my bike (any, kind, of bike) because, the line is much thiner between life and death without a steel cage and airbags around me.
    It is all relative people.

  • Ben
    Options

    :)

  • jpgoldberg
    jpgoldberg
    1Password Alumni
    Options

    You are absolutely correct @Sensel that your choices should depend on what kinds of threats you anticipate.

    The cool thing about generated Diceware passwords is that we know exactly how strong they are. We don't know that about a human generated one. So with Diceware we can calculate what risk you face. You might find that a three word password is enough for your needs, while someone else may feel that they need a five word one.

    But when we go to human created ones, we can't tell. A six word phrase like "to be or not to be" is going to be weaker than a three word one generated by our generator.

    Answering the question

    So let me answer your original question a bit differently.

    To have the security properties of a Diceware-like password it does need to be generated.

    Whether you need all of those security properties is a choice that only you can make. So if you decide to modify and reorder the generated things to make more sense, then go ahead. But you will be making it weaker by some unknown amount.

  • Sensel
    Sensel
    Community Member
    Options

    I’d call that, nitpicking.

  • Megan
    Megan
    1Password Alumni
    Options

    Hi @Sensel,

    I think we are getting a bit tied up in the details here. The title of the thread says “Can I make up my own Diceware word sequence.” The answer to that is “yes, if you use dice and choose the words completely at random from the Diceware list.”

    Otherwise we’re just talking about a passphrase.

    Now, can you create your own passphrase? Most definitely. As has been mentioned above, it won’t have the same security properties as a randomly generated Diceware password, but if you are ok with the less-defined security, then, go right ahead and use a passphrase.

    It’s up to each of us to determine what level of security we feel comfortable with, and what we feel is necessary.

  • jpgoldberg
    jpgoldberg
    1Password Alumni
    Options

    Sorry about that @Sensel, but security questions often require a certain amount of nit-pickiness to answer.

    So let me try a different answer to what I believe your original question was:

    You can create a passphrase that makes some sense to you. In general it will be weaker than a passphrase of the same length created by our generator. It may, however, be strong enough for your needs.

This discussion has been closed.