Name: Diceware & Passwords - Computerphile
Uploaded: 2020-03-27T17:01:51.000Z
Duration: 10 min 56 s
Description: Thousands of YouTube videos with English-Chinese subtitles! Now you can learn to understand native speakers, expand your vocabulary, and improve your pronunciation...

We've done a few videos on passwords cracking passwords choosing good passwords

and I've had had a few requests both by email, and you know Twitter and on in the comments about a

Dice where so I thought we'd look at this and think what's the pros and cons of this of this quite interesting system for choosing

Passwords so here's my nice unbiased casino dice that I got just for this occasion

I was quite excited apparently this-  this dice is not biased towards rolling a six

Which actually would just mean my performance in games goes down.

When we spoke about passwords last time my hypothetical password mechanism was something like four random words with a bit of

Symbolic symbols added in maybe randomly in the middle of a word now

I chose that because I felt it was a a nice compromise between having to type something in that's really, really long or

And having something that's not too hard to remember

But also quite hard to break. Now diceware is in some sense quite similar to this scheme

But it's perhaps more mathematically defined exactly how hard it is to break. Which is why people like it?

Because I think the question comes down to in my scheme if I pick four random words

How random are Bo's worse truly if an attacker wanted to brute forth my password?

Then and they know for example that I'm using four words appended together

Then what they're going to want to do is try and work out the list of all the words

I might have used. Now, I try and throw them off a bit by using slightly odd words, but I'm a bit weird but

For the majority people let's imagine that everyone in the country

where everyone in the world is using this password scheme lots of people are going to pick really easy words you know back to the

Xkcd alluded to this and we'll talk about that in a minute, but didn't necessarily answer every question

but it did get a good message across the entropy or the

Number of possible words that you've chosen is gonna differ from person to person right if one of my words

I pick is database is that because I've picked that right out at random

Or is it because it says "databases" on this book up here, and I accidentally saw it in the corner of my eye

Yeah, I'm just looking at your collection of cubes  -All solved!

That's how I roll, so what dice where does the website was established in 1995 by a guy called Weinhold from the United States

What it is is a way of using dice to ensure that

The words you're picking are actually random rather than just what you think is random and that way we have a very nicely defined

Should we say mathematical difficulty for group forcing that password?

So this is the diceware list, but I guess it's a kind of compromise between the number of dice

You just have to roll incessantly to come up with passwords and being fairly quick

Words on this which is all the different combinations of five dice rolls, right? Now

So that's why I've got my nice unbiased dice

We don't wanna be accidentally biasing me towards the end of this document for example so as an example we roll the dice

It's a five. Each of these has five numbers from one to six in front of the word

Which tells you which words are going to pick. So these are the fours, I'm on to the five, says

There's the start of the fives there, then roll the dice again

It's a six, so I'm now on to the five-sixes which is here and then again

Whereas in the animal with the snout so that's the first word of my password so let me write that down

This could take a little while this is where you need to use all of your video editing skills tapir right. Let's do this again

If you've done this a lot of times, maybe it'd be faster 1 3 2 1 3 there. We are back up nice

How many times have you got to do this? Good question. "Rand", interesting. "R-A-N-D"

Ah, South African currency? Yeah, and also short for random, which is what we're doing now

5 2 4 6 2 RW interesting read/write, yeah, so not all of these are full words

That's one of the thing that's quite about this 3

6 having been in 2 3 exciting three six four

They're guaranteed to be unbiased I think but then I got them cheaply off the internet, so I don't actually know

Okay, so let's let's stop. Let's stop there. I've done. I've got five words right now. Is this pasta really good

But what you don't want to do when you're picking a password is record it on video and show it on the internet

So I probably won't put this as my actual password

But there will be a few people that try nonetheless.

We've rolled the dice five times per word, we find the word and then we put spaces in between it and that's our passphrase, right?

So that is literally our password then for whatever purpose we want.

Why is this better than what I was doing? W ell, it's different, mostly. There's a few questions

we've got, right? The first is "But is this a reasonable password in terms of strength?"

Also, "How practical is it to type in?" right" It took a little while to generate

But if you're doing it a couple of times for the front end of a password manager, maybe that's not such a big deal

One thing that's worth noting is that this isn't all the words in the English language. This is this is a carefully chosen

7700 words, but a knife is short so most of the words are fewer than five characters

There's a few really short ones the idea being that even if you've got a five word or six word passphrase

It's never going to get that long you should get quite quickly typing it in

but the real benefit of this system is that these are actually random as opposed to what I've perceived to be random because

Which might have been a word that I happen to see on the side of a bus this morning in the previous videos we talked

about brute forcing about not you knowing what any of the characters were and how we make it easier for the attacker by using a

Dictionary of known words yeah, so this is literally providing dictionary right yeah

That's the drawback in some sense and the strength so we know exactly what words could appear in my passphrase

But even so we still can't break it because I've used too many of them so in some password schemes like

Ones where I pick words at random from a dictionary in my own brain

I'm working under the assumption, but that's secure because no else knows how it works

No one can reverse-engineer that process. That might be true, it might not be true. It depends how well you know me.

This, the process is extremely open everyone knows what the password list was

Everyone knows what my password is going to be like

But they still can't break it because it's 2 to the 64 operations

Which is too much what we don't want is security through obscurity right if I use it if I only use a 500 word dictionary

Right, that's fine as long as I keep that dictionary secret if I doesn't seem like a very good idea because then that dictionary might

Accidentally come out, and then it would be incredibly easy to break my password

So what is the strength of his password well each of these words has come from?

7776 right so we can assume that the attacker knows, but I'm using this password scheme, so they know my password is five words

separated by spaces which adds nothing because they know what the spaces are

7776 so the strength of this password is actually 7 7 7 6