Before the severity of the Heartbleed exploit was revealed, weak passwords and passphrases were (and still are) one of the most common computer security flaws. A question that you may wish to ask yourself is whether your organization has a policy to help users generate secure, easy-to-remember passwords or passphrases. This, of course, leads to another question: what is the most effective way to manage passwords in an increasingly complex online world? Consider Diceware™, a simple method for generating cryptographic variables such as passphrases and passwords using an ordinary pair of dice as a hardware random number generator.
Diceware was invented in 1995 by Arnold Reinhold and is one of the best ways to generate strong, random, yet easy-to-remember passphrases. The beauty of this method is its simplicity. Anyone can use it and it doesn’t require an advanced knowledge of mathematics or cryptography. This is how it works:
Dice are rolled a number of times to generate a series of random numbers. These numbers are written down in groups of five to form a series of five-digit numbers that are subsequently matched to unique words found in the Diceware word list which consists of 7,776 English words. Once enough words are generated to create a passphrase of sufficient length, the paper on which the numbers and words were written must be securely destroyed. The Diceware passphrase generation method is explained here and the Diceware word list is also provided.
In the past, a five-word passphrase was considered sufficiently secure for typical applications, but a passphrase with six Diceware words is currently recommended. Alternately, five words that each have an extra character, randomly placed, can also be used. The increased complexity of the passphrase is related to the degree of computing power now available to organized crime for password cracking. To complicate things further, the algorithms and tools used by hackers to crack passwords are becoming more sophisticated and powerful. Adding the random character makes the passphrase around 1000 times harder to crack, but adding the sixth word makes it 7776 times harder.
So how long should a passphrase be? According to Arnold Reinhold’s Diceware FAQ, this depends on your security needs. Here are some examples:
- Five words are currently breakable using one thousand malware-infected botnet PCs equipped with high-end graphics processors.
Six words may be breakable by an organization with a very large budget, such as a large country's security agency.
Seven words and longer are currently unbreakable with any known technology, but may be within the range of large organizations by around 2030.
Eight words should be completely secure through 2050.
The bottom line is that passphrase length should be chosen based on the desired level of security. As mentioned above, a five-word passphrase was previously recommended for typical applications, but computer power keeps increasing, especially graphics processors. Graphics processors are easily adapted for use in password cracking, so six words is now the recommended minimum. Five words would still be sufficient for most uses if software designers used good key stretching techniques to augment security, but many do not so a longer passphrase is now recommended. If there are too many passwords or phrases to remember which is usually the case, security experts recommend the use of password managers so there is only single master passphrase or password to remember.
Despite best efforts to secure systems and applications with strong passphrases, it is also important for organizations to educate their user base (and sometimes their IT departments) to prevent security breaches through social engineering. Ideally, user passwords should remain private, but is this unrealistic in the real world? With that said, does your organization have controls and policies in place to teach users to never provide credentials to anyone, even members of the IT department? What about educating IT staff members to never request credentials from users? Users often believe that if an IT member requests their credentials, they must comply. When troubleshooting technical issues, does your IT department ensure that user passwords remain private by employing other troubleshooting tools and techniques, or is 'password sharing' acceptable in your organization?