{"id":56462,"date":"2015-04-13T12:00:20","date_gmt":"2015-04-13T11:00:20","guid":{"rendered":"https:\/\/www.transcend.org\/tms\/?p=56462"},"modified":"2015-05-05T21:25:52","modified_gmt":"2015-05-05T20:25:52","slug":"passphrases-that-you-can-memorize-but-that-even-the-nsa-cant-guess","status":"publish","type":"post","link":"https:\/\/www.transcend.org\/tms\/2015\/04\/passphrases-that-you-can-memorize-but-that-even-the-nsa-cant-guess\/","title":{"rendered":"Passphrases That You Can Memorize \u2014 But That Even the NSA Can\u2019t Guess"},"content":{"rendered":"

\"dice-getty-article-display-b<\/a><\/p>\n

It\u2019s getting easier to secure your digital privacy. iPhones now encrypt a great deal<\/a> of personal information; hard drives on Mac<\/a>\u00a0and Windows 8.1<\/a> computers are now automatically locked down; even Facebook, which made a fortune on open sharing, is providing end-to-end encryption<\/a> in the chat tool WhatsApp. But none of this technology offers as much protection as you may think\u00a0if you don\u2019t know how to come up with a good passphrase.<\/p>\n

A passphrase is like a password, but longer and more secure. In essence, it\u2019s an encryption key that you memorize. Once you start caring more deeply about your privacy and improving your computer security habits, one of the first roadblocks you\u2019ll run into is having to create a passphrase. You can\u2019t secure much without one.<\/p>\n

For example, when you encrypt your hard drive, a USB stick, or a document on your computer, the disk encryption is often only as strong as your passphrase.\u00a0If you use a password database, or the password-saving feature in\u00a0your web browser, you\u2019ll want to set a strong master passphrase to protect them. If you want to encrypt your email with PGP<\/a>, you protect your private key with a passphrase. In his\u00a0first email<\/a> to Laura Poitras, Edward Snowden\u00a0wrote,\u00a0\u201cPlease confirm that no one has ever had a copy of your private key and that it uses a strong passphrase. Assume your adversary is capable of one trillion guesses per second.\u201d<\/p>\n

In this post, I outline a simple way to come up with easy-to-memorize but very secure passphrases. It\u2019s the latest entry in an ongoing<\/a> series of stories offering solutions \u2014 partial and imperfect but useful solutions \u2014 to the many surveillance-related problems we aggressively report about here at The Intercept<\/em>.<\/p>\n

It turns out, coming up with a good passphrase by just thinking of one is incredibly hard, and if your adversary really is capable of one trillion guesses per second, you\u2019ll probably do a bad job of it. If you use an entirely random sequence of characters it might be very secure, but it\u2019s also agonizing to memorize (and honestly, a waste of brain power).<\/p>\n

But luckily this usability\/security trade-off doesn\u2019t have to exist. There is a method for generating passphrases that are both impossible<\/em> for even the most powerful attackers to guess, yet very possible for humans to memorize. The method is called Diceware<\/a>, and it\u2019s based on some simple math.<\/p>\n

Your secret password trick probably isn\u2019t very clever<\/strong><\/p>\n

People often pick some phrase from pop culture \u2014 favorite lyrics from a song or a favorite line from a movie or book \u2014 and slightly mangle it by changing some capitalization or adding some punctuation, or use the\u00a0first letter of each word from this phrase. Some of these passphrases might seem good and entirely unguessable, but it\u2019s easy to underestimate the capabilities of those invested in guessing passphrases.<\/p>\n

Imagine your adversary has taken the lyrics from every song ever written, taken the scripts from every movie and TV show, taken the text from every book ever digitized and every page on Wikipedia, in every language, and used that as a basis for their guess list. Will your passphrase still survive?<\/p>\n

If you created your passphrase by just trying to think of a good one, there\u2019s a pretty high chance that it\u2019s not good enough to stand up against the might of a spy agency. For example, you might come up with \u201cTo be or not to be\/ THAT is the Question?\u201d If so, I can guarantee that you are not the first person to use this slightly-mangled classic Shakespeare quote as your passphrase, and attackers know this.<\/p>\n

The reason the Shakespeare quote sucks as a passphrase is that it lacks something called entropy<\/em>. You can think of entropy as randomness, and it\u2019s one of the most important concepts in cryptography. It turns out humans are a species of patterns, and they are incapable of doing anything in a truly random fashion.<\/p>\n

Even if you don\u2019t use a quote, but instead make up a phrase off the top of your head, your phrase will still be far from random because language is predictable. As one research paper<\/a> on the topic states, \u201cusers aren\u2019t able to choose phrases made of completely random words, but are influenced by the probability of a phrase occurring in natural language,\u201d meaning that user-chosen passphrases don\u2019t contain as much entropy as you think they might. Your brain tends to continue using common idioms and rules of grammar that reduce randomness. For example, it disproportionately decides to follow an adverb with a verb and vice versa, or, to cite one actual case from the aforementioned research paper, to put the word \u201cfest\u201d after the word \u201csausage.\u201d<\/p>\n

Passphrases that come from pop culture, facts about your life, or anything<\/em> that comes directly from your mind are much weaker than passphrases that are imbued with actual entropy, collected from nature.<\/p>\n

This short but enlightening video from Khan Academy\u2019<\/a>s free online cryptography class illustrates the point well.<\/p>\n

httpv:\/\/www.youtube.com\/watch?v=vVXbgbMp0oY<\/p>\n

Make a secure passphrase with Diceware<\/strong><\/p>\n

Once you\u2019ve admitted that your old passphrases\u00a0aren\u2019t as secure as you imagined them to be, you\u2019re ready for the \u201cDiceware\u201d technique.<\/p>\n

First, grab a copy of the Diceware word list<\/a>, which contains 7,776 English words\u00a0\u2014 37 pages for those of you printing at home. You\u2019ll notice that next to each word is a five-digit number, with each digit\u00a0being between 1 and 6. Here\u2019s a small excerpt from the word list:<\/p>\n

24456 eo<\/p>\n

24461 ep<\/p>\n

24462 epa<\/p>\n

24463 epic<\/p>\n

24464 epoch<\/p>\n

Now grab some six-sided dice (yes, actual real physical dice), and roll them several times, writing down the numbers that you get. You\u2019ll need\u00a0a total of five dice rolls to come up with the first word in your passphrase. What you\u2019re doing here is generating entropy<\/em>, extracting true randomness from nature and turning it into numbers.<\/p>\n

If you roll the number two, then four, then four again, then six, then three, and then look up in the Diceware word list 24463, you\u2019ll see the word \u201cepic\u201d. That will be the first word in your passphrase. Now repeat. You want to come up with a seven-word passphrase if you\u2019re worried about the NSA or Chinese spies\u00a0someday trying to guess it\u00a0(more on the logic behind this number below).<\/p>\n

Using Diceware, you end up with passphrases that look like \u201ccap liz donna demon self,\u201d \u201cbang vivo thread duct knob train,\u201d and \u201cbrig alert rope welsh foss rang orb.\u201d If you want a stronger passphrase you can use more words; if a weaker passphrase is OK\u00a0for your purpose you can use less words.<\/p>\n

How strong are Diceware passphrases?<\/strong><\/p>\n

The strength of a Diceword passphrase depends on how many words it contains. If you choose one word (out of a list of 7,776 words), an attacker has a one in 7,776 chance of guessing your word on the first try. To guess your word it will take an attacker at least one try, at most 7,776 tries, and on average 3,888 tries (because there\u2019s a 50 percent chance that an attacker will guess your word by the time they are halfway through the word list).<\/p>\n

But if you choose two words for your passphrase, the size of the list of possible passphrases increases exponentially. There\u2019s still a one in 7,776 chance of guessing your first word correctly, but for each first word<\/em> there\u2019s also a one in 7,776 chance of guessing the second word correctly, and the attacker won\u2019t know if the first word is correct without guessing the entire passphrase.<\/p>\n

This means that with two words, there are 7,7762<\/sup>, or 60,466,176 different potential passphrases. On average, a two-word Diceware passphrase could be guessed after the first 30 million tries. And a five-word passphrase, which would have have 7,7765<\/sup> possible passphrases, could be guessed after an average of 14 quintillion tries (a 14 with 18 zeroes).<\/p>\n

The amount of uncertainty in a passphrase (or in an encryption key, or in any other type of information) is measured in bits of entropy<\/em>. You can measure how secure your random passphrase is by how many bits of entropy it contains. Each word from the Diceware list is worth about 12.92 bits of entropy (because 212.92<\/sup>\u00a0is about 7,776). So if you choose seven words you\u2019ll end up with a passphrase with about 90.5\u00a0bits of entropy (because 12.92 times seven is about 90.5).<\/p>\n

In other words, if an attacker knows that you are using a seven-word Diceware passphrase, and they pick seven random words from the Diceware word list to guess, there is a one in 1,719,070,799,748,422,591,028,658,176 chance that they\u2019ll pick your passphrase each try.<\/p>\n

At one trillion guesses per second \u2014 per Edward Snowden\u2019s January 2013 warning \u2014 it would take an average of 27 million years to guess this passphrase.<\/p>\n

Not too bad for a passphrase like \u201cbolt vat frisky fob land hazy rigid,\u201d which is entirely possible for most people to memorize. Compare that to \u201cd07;oj7MgLz\u2019%v,\u201d a random password that contains slightly less entropy than the seven-word Diceware passphrase but is significantly more difficult to memorize.<\/p>\n

A five-word passphrase, in contrast, would be cracked in just under six\u00a0months and a six-word passphrase would take 3,505 years, on average, at a trillion guesses a second. Keeping Moore\u2019s Law<\/a> in mind, computers are constantly getting more powerful, and before long one trillion guesses a\u00a0second might start looking slow, so it\u2019s good to give your passphrases some security breathing room.<\/p>\n

With a system like this, it doesn\u2019t matter at all that the word list you\u2019re choosing from is public. It doesn\u2019t even matter what the words in the list are (two-letter words are just as secure as six-letter words). All that matters is how long the list of words is and that each word on the list is unique. The probability of guessing a passphrase made of these randomly-chosen words gets exponentially smaller with each word you add, and using this fact it\u2019s possible to make passphrases that can never be guessed.<\/p>\n

Do I really have to use dice?<\/strong><\/p>\n

This is a longer discussion, but the short answer is: Using physical dice will give you a much stronger guarantee that nothing went wrong. But it\u2019s time consuming and tedious, and using a computer to generate these random numbers is almost always good enough.<\/p>\n

Unfortunately there doesn\u2019t appear to be user-friendly software available to help people generate Diceware passphrases, only various command-line-only Diceware projects on GitHub<\/a>, which power users can check out. Stay tuned for a future post about this.<\/p>\n

How to memorize your crazy passphrase (without going crazy)<\/strong><\/p>\n

After you\u2019ve generated your passphrase, the next step is to commit it to memory.<\/p>\n

I recommend that you write your new passphrase down on a piece of paper and carry it with you for as long as you need. Each time you need to type it, try typing it from memory first, but look at the paper if you need to. Assuming you type it a couple times a day, it shouldn\u2019t take more than two or three days before you no longer need the paper, at which point you should destroy it.<\/p>\n

Typing your passphrase on a regular basis allows you to memorize it through a process known as spaced repetition, according to promising research<\/a> into high-entropy passphrases.<\/p>\n

Now that you know passphrases, here\u2019s when to avoid them<\/strong><\/p>\n

Diceware passphrases are great for when you\u2019re typing them into your computer to decrypt something locally, like your hard drive, your PGP secret key or your password database.<\/p>\n

You don\u2019t so much need them for logging into a website or something else on the Internet. In those situations, you get less benefit from\u00a0using a high-entropy passphrase. Attackers will never be able to guess a trillion times per second if each guess requires communicating with a server on the Internet. In some cases, attackers will own or take over the remote server \u2014 in which case they can grab the passphrase as soon you log in and send it, regardless of how strong or weak it is cryptographically.<\/p>\n

For logging in to websites and other servers, use a password database. I like KeePassX<\/a> because it\u2019s free, open source, cross-platform, and it never stores anything in the cloud. Then\u00a0lock up all your passwords behind a master passphrase that you generate with Diceware. Use your password manager to generate and store a different random password for each website you login to.<\/p>\n

How we use Diceware to protect our sources<\/strong><\/p>\n

At The Intercept<\/em> we run a SecureDrop<\/a> server, an open source whistleblower submission system, to make it simpler and more secure for anonymous sources to get in touch with us<\/a>.<\/p>\n

When a new source visits our SecureDrop website, they get assigned a code name made up of seven random words. After submitting messages or documents, they can use this code name to log back in and check for responses from our journalists.<\/p>\n

Under the hood, this code name not only acts as the source\u2019s encryption passphrase, but it\u2019s also really just a passphrase generated using the\u00a0Diceware method, but with a digital cryptographically secure random number generator, rather than rolling dice. SecureDrop\u2019s dictionary is only 6,800 words long (the developers removed some words from the original word list that could be considered offensive), making each word worth about 12.73 bits of entropy. But this is still plenty enough to make it impossible for anyone to ever simply guess a source\u2019s code name, unless they happen to have massive computational resources and several million years.<\/p>\n

Simple, random passphrases, in other words, are just as good at protecting the next whistleblowing spy as they are at securing your laptop. It\u2019s a shame that we live in a world where ordinary citizens need that level of protection, but as long as we do, the Diceware system makes it possible to get CIA-level protection without going through black ops training.<\/p>\n

_______________________________<\/p>\n

Thanks to Garrett Robinson<\/a> for double-checking my math and preventing me from making stupid mistakes.<\/em><\/p>\n

Email the author: micah.lee@theintercept.com<\/a><\/em><\/p>\n

Go to Original \u2013 firstlook.org<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

It\u2019s getting easier to secure your digital privacy. iPhones now encrypt a great deal of personal information; hard drives on Mac and Windows 8.1 computers are now automatically locked down. But none of this technology offers as much protection as you may think if you don\u2019t know how to come up with a good passphrase.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[60],"tags":[],"class_list":["post-56462","post","type-post","status-publish","format-standard","hentry","category-whistleblowing-surveillance"],"_links":{"self":[{"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/posts\/56462","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/comments?post=56462"}],"version-history":[{"count":0,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/posts\/56462\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/media?parent=56462"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/categories?post=56462"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/tags?post=56462"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}