Talk:Diceware
From Wikipedia, the free encyclopedia
[edit] Dialdice
- Dialdice: Attemt at an easy-to-dial-on-a-phone version. Maybe it should be peer-reviewed for some statistical weakness beyond my (very superficial) understanding, but anyway - here it is
When I looked at that web page today, I saw a standard Diceware word list -- it has 7,776 unique words, so it's just as statistically secure as any other Diceware word list. It doesn't say anything about telephones, so I'm mystified as to why it's called "Dialdice" and why the original poster thought it had somthing to do with telephones. --DavidCary 04:40, 19 May 2005 (UTC)
This is zzzen (the original poster of the dialdice reference):
Dialdice does not use words from original diceware list. The words were chosen to satisfy various criteria (e.g. they were recognized by many non-english speakers), but the most important one is this:
No word contains 2 successive letters residing on the same key on a phone key-pad (avoiding long and annoying timeouts to wait for). There's still a chance of "keypad collision" between last letter of a word and first letter of next one, but chances are 1/9 for that so you usually have <=1 "keypad collision" on a 7 or 8 word long passphrase. Try dialing some words from the list into your sms text editor and you'll feel the smoothness (as opposed to "aaaa" which is a standard diceware word ;)
Dialdice was designed for the d.o.p.e project that does ciphersaber on the client side in javascript (for browsers) or wmlscript (if client is a wap phone)
Although next release of dope (whenever) won't support wap (inherent security hole: phone providers can easily install trapdoors during wmlscript compilation), there are machines with a phone keypad that support javascript, so dialdice is still handy as long as you disable wap ;)
[edit] Variable length word lists leak entropy?
A section was added that begins:
- "Diceware passphrases yield less entropy than the ideal 64.62 bits when used with dictionaries containing variable-length words. This is because the length of the resulting passphrases "leak" information about their composition."
Unless I am missing something, I don't believe this is correct unless the attacker has some way to learn the length of the passphrase. While it may be true that a five-word, 27 character passphrase from the Beale wordlist has 57.13 bits of entropy, 7.49 bits less than the theoretical strength of a five-word Diceware passphrase, that is exactly matched by the 0.553 % probability of such a passphrase occurring (log2(.00553)=-7.4985). The claim is analogous to saying all passphrases beginning with the word "ball" are weak since there are only 7776^4 possible five-word passphrases that begin with "ball".
There is a risk that someone who observes you entering your passphrase can count the number of characters entered. One could press and release a few keys that have no effect, such as "shift" or "control" when being observed to prevent this, but there is a greater danger that someone could record the clicking sounds of your keyboard and simply recover you passphrase. See acoustic cryptanalysis.
There is a separate problem with very short Diceware passphrases. An attacker who was simply trying all character combinations might recover these in a reasonable amount of time, so a 14 character minimum is recommended. --agr 00:10, 8 September 2005 (UTC)
[edit] But Why?
This whole method seems flawed and cumbersome. Why bother? It's not very easy to use, it's not all that secure (compared to other options).
Is anyone even using this invention? Why have this in wikipedia if no one is using the technique.
- I've changed "major advantage" to just "advantage". Coverage of diceware was specifically requested some time ago. See Talk:Password. As for its popularity, type "passsphrase" into Google and see where it comes up. What is your basis for "it's not all that secure (compared to other options)"? --agr 12:23, 3 February 2006 (UTC)
- I've used it. Hrm, should the "alternate" (UK variant) wordlists be mentioned? Alphax τεχ 09:03, 9 February 2006 (UTC)
- I use it though I generate the phrases with a program rather than physical dice. There is a client side Javascript implementation here. Phr 22:47, 18 February 2006 (UTC)
it's not all that secure (compared to other options). Is that so? This is one of the few ways I know of to generate a password with any desired number of bits of entropy that is completely invulnerable to keylogging. Please tell me about any other option that is more secure. --68.0.120.35 17:14, 15 August 2007 (UTC)