
  • We've done a few videos on passwords, cracking passwords, choosing good passwords,

  • and I've had a few requests, both by email and, you know, Twitter and in the comments, about a

  • password choosing mechanism called

  • Diceware, so I thought we'd look at this and think what the pros and cons of this quite interesting system for choosing

  • passwords are. So here's my nice unbiased casino dice that I got just for this occasion.

  • I was quite excited. Apparently this dice is not biased towards rolling a six,

  • which actually would just mean my performance in games goes down.

  • When we spoke about passwords last time, my hypothetical password mechanism was something like four random words with a bit of

  • symbols added in, maybe randomly in the middle of a word. Now

  • I chose that because I felt it was a nice compromise between having to type something in that's really, really long

  • and having something that's not too hard to remember

  • but also quite hard to break. Now Diceware is in some sense quite similar to this scheme,

  • but it's perhaps more mathematically defined exactly how hard it is to break, which is why people like it.

  • Because I think the question comes down to: in my scheme, if I pick four random words,

  • how random are those words truly? If an attacker wanted to brute force my password,

  • and they know, for example, that I'm using four words appended together,

  • then what they're going to want to do is try and work out the list of all the words

  • I might have used. Now, I try and throw them off a bit by using slightly odd words, but I'm a bit weird, but

  • for the majority of people, let's imagine that everyone in the country

  • or everyone in the world is using this password scheme; lots of people are going to pick really easy words, you know, back to the

  • correct horse battery staple thing.

  • xkcd alluded to this and we'll talk about that in a minute, but didn't necessarily answer every question,

  • but it did get a good message across: the entropy or the

  • number of possible words that you've chosen is gonna differ from person to person, right? If one of my words

  • I pick is database, is that because I've picked that right out at random,

  • or is it because it says "databases" on this book up here, and I accidentally saw it in the corner of my eye?

  • Don't pan to the bit with no books on it.

  • Yeah, I'm just looking at your collection of cubes. -All solved!

  • That's how I roll. So, what Diceware is: the website was established in 1995 by a guy called Reinhold from the United States.

  • What it is is a way of using dice to ensure that

  • the words you're picking are actually random rather than just what you think is random, and that way we have a very nicely defined,

  • should we say mathematical, difficulty for brute forcing that password.

  • So this is the Diceware list, but I guess it's a kind of compromise between the number of dice

  • you just have to roll incessantly to come up with passwords and being fairly quick,

  • but there are

  • 7776

  • words on this, which is all the different combinations of five dice rolls, right? Now

  • So that's why I've got my nice unbiased dice.

  • We don't wanna be accidentally biasing me towards the end of this document, for example. So as an example we roll the dice.

  • It's a five. Each of these has five numbers from one to six in front of the word,

  • which tells you which word you're going to pick. So these are the fours, I'm on to the five. It says

  • there's the start of the fives there, then roll the dice again.

  • It's a six, so I'm now on to the five-sixes, which is here, and then again

  • five six four

  • five

  • one. Five six four five one is the word

  • tapir,

  • which is the animal with the snout. So that's the first word of my password, so let me write that down.

  • This could take a little while. This is where you need to use all of your video editing skills. Tapir, right. Let's do this again.

  • Okay

  • 1 3 2 1 3

  • If you've done this a lot of times, maybe it'd be faster. 1 3 2 1 3, there we are, back up. Nice.

  • 5 1 3 3

  • What is it? 1 5 1 3 3 1

  • How many times have you got to do this? Good question. "Rand", interesting. "R-A-N-D"

  • Ah, South African currency? Yeah, and also short for random, which is what we're doing now.

  • 5 2 4 6 2, RW. Interesting, read/write, yeah. So not all of these are full words.

  • That's one of the things that's quite nice about this.

  • 3 6 4 2 2

  • three six four two two

  • They're guaranteed to be unbiased, I think, but then I got them cheaply off the internet, so I don't actually know.

  • Okay, so let's stop. Let's stop there. I've done, I've got five words right now. Is this password really good?

  • Well, the first thing to notice,

  • well, what you don't want to do when you're picking a password is record it on video and show it on the internet.

  • So I probably won't put this as my actual password,

  • but there will be a few people that try nonetheless.

  • We've rolled the dice five times per word, we find the word, and then we put spaces in between, and that's our passphrase, right?

  • So that is literally our password then for whatever purpose we want.

  • Why is this better than what I was doing? Well, it's different, mostly. There's a few questions

  • we've got, right? The first is "But is this a reasonable password in terms of strength?"

  • Also, "How practical is it to type in?" right? It took a little while to generate,

  • but if you're doing it a couple of times for the front end of a password manager, maybe that's not such a big deal.

  • One thing that's worth noting is that this isn't all the words in the English language. This is a carefully chosen

  • 7776 words that are nice and short, so most of the words are fewer than five characters.

  • There's a few really short ones, the idea being that even if you've got a five word or six word passphrase,

  • it's never going to get that long; you should get quite quick at typing it in.

  • But the real benefit of this system is that these are actually random, as opposed to what I've perceived to be random because

  • I thought of a word in my head,

  • which might have been a word that I happened to see on the side of a bus this morning. In the previous videos we talked

  • about brute forcing, about not knowing what any of the characters were, and how we make it easier for the attacker by using a

  • dictionary of known words. Yeah, so this is literally providing the dictionary, right? Yeah.

  • That's the drawback in some sense, and the strength: so we know exactly what words could appear in my passphrase,

  • but even so we still can't break it because I've used too many of them. So in some password schemes, like

  • ones where I pick words at random from a dictionary in my own brain,

  • I'm working under the assumption that that's secure because no one else knows how it works.

  • No one can reverse-engineer that process. That might be true, it might not be true. It depends how well you know me.

  • This, the process is extremely open. Everyone knows what the password list was,

  • everyone knows what my password is going to be like,

  • but they still can't break it because it's 2 to the 64 operations,

  • which is too much. What we don't want is security through obscurity, right? If I only use a 500 word dictionary,

  • right, that's fine as long as I keep that dictionary secret, which doesn't seem like a very good idea, because then that dictionary might

  • accidentally come out, and then it would be incredibly easy to break my password.

  • So what is the strength of this password? Well, each of these words has come from

  • 7776, right? So we can assume that the attacker knows that I'm using this password scheme, so they know my password is five words

  • separated by spaces, which adds nothing because they know what the spaces are,

  • out of a possible

  • 7776. So the strength of this password is actually 7776

  • to the 5. So another way of looking at it is how many bits of entropy

  • does this password have, because a lot of the time

  • that's how we view passwords. Each of these words is 12.9 bits, so 12.9

  • times 5 words is

  • 64.5 bits, which is pretty good actually. That means that on average an attacker is going to have to do

  • about 2 to the 63, just under 64, operations to guess your password in brute force.

  • That's quite a lot of operations, particularly given

  • they're going to have to perform some hash to do this. The nice thing about this password scheme is

  • we know exactly how secure it is, right? As opposed to, we're guessing that

  • the words aren't just words I know and someone can social engineer those words.

  • And also, if we want it to be more secure, we can just add another word,

  • or another word as computational power goes up.

  • We just add more words, and we can probably remember a few words,

  • or if they get really long, write them down and put it in our wallet. Don't lose it. I'm guessing as well

  • you could potentially vary the whole spaces thing, right?

  • Yeah, so the space, the spaces thing, is not hugely important. The reason

  • it's there is because sometimes you might accidentally join two words together and them

  • actually be a different word on here, in which case your search has gone down to four words, right? So if you're being careful

  • that these are all actually different words, and they don't concatenate to make another word,

  • you don't need the spaces, or you could use a different character.

  • You could also do what I did and use fewer words and

  • put a random character in, right? Now on the website

  • he has plenty of ways of using dice and also choosing random characters, because again

  • when I pick a symbol

  • it's often,

  • you know, a star or an ampersand or an underscore.

  • Those aren't all the characters that exist, so it's a really interesting twist on picking passwords.

  • This came about, you know, a few years ago now,

  • where maybe a four word password was reasonable. Now, in some sense you can't imagine that

  • seven or eight or nine word passwords are that feasible for the majority of users; there has to be some usability

  • considerations, but on the other hand five's not too bad,

  • or, as I say, four,

  • but then make an unexpected alteration, like the adding of a random symbol at a random position, not between the words, and that will

  • significantly increase the amount of time it would take to break. You can get too carried away, like with password security

  • I have, and so half the time I can't log in because I get my password wrong. And so I've been, but

  • the thing you also have to remember is that

  • this is way beyond a normal

  • brute-force attack by someone who just happens to have found your password hash on Pastebin, right?

  • This is, when we're talking about five or six word passwords, we're talking about nation state level,

  • and you've got to really wonder whether they really care about your individual password.

  • You might still want to secure it against them anyway. That's for you to decide, but

  • they may just visit you instead.

  • We'll put a link to the website in the description as well,

  • so you can have a look through. He's considered almost every possible angle for this, so when do you add symbols,

  • how many words is enough for the level of security you want? It's a really good, interesting

  • look into password security,

  • so I recommend you have a look.
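The mechanics the video walks through (five dice rolls index a 7776-entry list, every word is worth log2(7776) bits, and two adjacent words must not concatenate into another list word or the attacker's search shrinks by a word) as an added worked example. This is not code from the video or from diceware.com. The word list here is a tiny constructed excerpt: only the 56451 -> tapir entry comes from the video, the rest are made up so the concatenation check has something to find, and a real passphrase needs the full list. The `secrets` module stands in for the physical dice as an assumption.

```python
"""Diceware helpers: dice key <-> list index, entropy, and a concatenation check."""
import math
import secrets

LIST_SIZE = 6 ** 5  # 7776: every outcome of five six-sided dice

# Constructed excerpt keyed by the five dice faces read in order.
# Only "56451": "tapir" is from the video; the other entries are made up
# (note that "rain" + "bow" is deliberately also a list word).
SAMPLE_LIST = {
    "56451": "tapir",
    "11111": "a",
    "11112": "rain",
    "11113": "bow",
    "11114": "rainbow",
    "11115": "cheap",
}


def roll_die() -> int:
    """One unbiased die roll from the OS CSPRNG (stands in for the casino dice)."""
    return secrets.randbelow(6) + 1


def scripted_dice(faces: str):
    """Replay fixed rolls, e.g. the ones shown in the video; for demos and tests only."""
    it = iter(faces)
    return lambda: int(next(it))


def roll_key(roll=roll_die) -> str:
    """Five rolls concatenated into a list key such as '56451'."""
    return "".join(str(roll()) for _ in range(5))


def key_to_index(key: str) -> int:
    """'11111' -> 0 ... '66666' -> 7775: the key is a base-6 number with digits 1..6."""
    if len(key) != 5 or any(c not in "123456" for c in key):
        raise ValueError(f"not a five-dice key: {key!r}")
    index = 0
    for c in key:
        index = index * 6 + (int(c) - 1)
    return index


def index_to_key(index: int) -> str:
    """Inverse of key_to_index."""
    if not 0 <= index < LIST_SIZE:
        raise ValueError("index out of range")
    digits = []
    for _ in range(5):
        index, d = divmod(index, 6)
        digits.append(str(d + 1))
    return "".join(reversed(digits))


def passphrase_bits(n_words: int, list_size: int = LIST_SIZE) -> float:
    """Entropy in bits when the attacker knows the list and the word count."""
    return n_words * math.log2(list_size)


def expected_guesses(n_words: int, list_size: int = LIST_SIZE) -> int:
    """Average brute-force work: half the keyspace."""
    return list_size ** n_words // 2


def concatenation_collisions(words, wordset):
    """Adjacent pairs whose concatenation is itself a list word.

    If any exist and the spaces are dropped, the attacker can read the
    passphrase as one word fewer than was rolled, so keep the separators
    or re-roll.
    """
    return [(a, b) for a, b in zip(words, words[1:]) if a + b in wordset]


def generate_passphrase(wordlist, n_words: int, roll=roll_die):
    """Roll five dice per word and look each key up; raises if the list is incomplete."""
    words = []
    for _ in range(n_words):
        key = roll_key(roll)
        if key not in wordlist:
            raise KeyError(f"{key} is not in the supplied list; use the full 7776-entry list")
        words.append(wordlist[key])
    return words


if __name__ == "__main__":
    # Replays the video's first roll, then one constructed roll.
    words = generate_passphrase(SAMPLE_LIST, 2, scripted_dice("5645111112"))
    print(" ".join(words), f"~{passphrase_bits(len(words)):.1f} bits")
    print("5 words:", f"{passphrase_bits(5):.1f} bits,",
          f"about 2^{math.log2(expected_guesses(5)):.1f} guesses on average")
    print("collisions:", concatenation_collisions(["rain", "bow", "tapir"],
                                                   set(SAMPLE_LIST.values())))
```

With the full list, `generate_passphrase(full_list, 5)` never raises; the `KeyError` only fires here because the excerpt is sparse. The five-word figure comes out at about 64.6 bits (2^63.6 guesses on average), which is the "just under 2 to the 64" in the video with the rounding done per passphrase rather than per word.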
