In a guest post for National Cyber Security Awareness Month, Bil Hays, Computer Science IT Manager, introduces us to Diceware, a system that generates passphrases as an alternative to passwords.
As password cracking tools have become more efficient, what counts as a good password has changed. At the time of this writing, 14-16 characters is pretty much the minimum length for a good password. And many of the old schemes we’ve used in the past, such as su6stitut1ng ch@ract3rs or using the first letters of words in a phrase, are so well known that they are no longer secure. Millions of cracked passwords, all of the words in the Bible and all of the words in all of the works in Project Gutenburg are now used to make guessing passwords easier for password crackers.
So we need an approach to passwords based on a system that produces good passwords that are easy to remember. The way to do that is to use a passphrase instead of a password, and the system to generate them is called Diceware.
You may have seen the XKCD cartoon about Diceware. The logic is pretty simple–if I can generate a random series of five or six words, I have something that is relatively easy to visualize and remember, easy to type, but hard to crack and more secure than nine to 10 random characters. The key is the words must be random–-phrases that you come up with are not random and are easier to crack. For example, “@w8Cj3s}Dv+s” as a password would be very hard to remember and no more secure than “booky wish aviate soda”. It’s not very intuitive, but this system treats the words as characters in the older approach–but instead of 96 characters we have on a standard keyboard, we have 7,777 words in the Diceware dictionary.
And if you are required to use special characters, just add them somewhere in the Diceware passphrase, like “booky wish aviate soda 2$.”
October is National Cyber Security Awareness Month. Visit ITS News throughout October for posts offering cyber security advice from experts and other tech tips. For additional cyber security tips and to check out the activities and resources associated with National Cyber Security Awareness Month, visit the national campaign’s website.