Passwords are painful to remember and use, which is why IT people invented password managers. But the password manager itself must be protected by a particularly strong master password, which creates a double problem: how to create such a password, and how not to lose it?

There are already plenty of tips and tricks for generating strong passwords. The current trend is to string together randomly chosen words separated by punctuation, for example by picking them from a word list with a few throws of dice. This method, called “Diceware”, evidently appealed to the cryptographer Stuart Schechter, who refined it to create “DiceKeys”.

This is a set of 25 dice, each with a letter and a number on its faces. Placing them at random in a box made for this purpose yields an arrangement with 196 bits of entropy: once the orientation of each die is taken into account, there are 2^196 possible arrangements. Such a secret is about as strong as a random string of about 30 characters drawn from lowercase and uppercase letters, digits and special characters. So that’s very good.

A single-use object

Once closed, the box cannot be opened again, so the arrangement is permanent. The idea is then to use it to generate master passwords. Stuart Schechter has developed an application that scans the dice arrangement, much as one scans a QR code, and from it proposes random sequences of words: one for Google, one for Facebook, one for LastPass, and so on. This is a one-way operation, like a hash function: the initial dice arrangement cannot be recovered from the word sequence. A demonstration of this operation is available online at
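To make the two technical points above concrete (the entropy count of a 25-die box, and the one-way derivation of a distinct word sequence per service), here is an added example in Python. It is not DiceKeys' own code or derivation specification: the dice encoding (letter, face digit 1 to 6, one of four orientations), the HKDF-based derivation, the salt string and the 32-word toy list are all assumptions chosen for the demonstration, and the sample arrangement is constructed, not scanned from a real box.

```python
"""Added example: per-service passphrases derived from a dice arrangement
with a one-way function. Not DiceKeys' own code or derivation spec."""
import hashlib
import hmac
import math

ORIENTATIONS = "trbl"   # top, right, bottom, left (assumed encoding)
NUM_DICE = 25
FACES = 6

# Constructed toy word list (32 entries = 5 bits per word). A real
# deployment would use a large published list such as Diceware's.
WORDS = [
    "apple", "brick", "cloud", "delta", "ember", "flint", "grape", "hazel",
    "ivory", "jolly", "kiosk", "lemon", "mango", "noble", "olive", "pearl",
    "quilt", "river", "solar", "tiger", "ultra", "vivid", "wheat", "xenon",
    "yacht", "zebra", "amber", "basil", "cedar", "dusty", "eagle", "frost",
]


def canonical_string(arrangement):
    """Serialise 25 (letter, digit, orientation) tuples into one fixed-format
    string such as 'A1t B2r ...'. Malformed input is rejected so that a
    mis-scan cannot silently derive a different set of secrets."""
    if len(arrangement) != NUM_DICE:
        raise ValueError("expected %d dice, got %d" % (NUM_DICE, len(arrangement)))
    if len({d[0] for d in arrangement}) != NUM_DICE:
        raise ValueError("each die letter must appear exactly once")
    parts = []
    for letter, digit, orient in arrangement:
        if not (len(letter) == 1 and letter.isalpha() and letter.isupper()):
            raise ValueError("bad die letter %r" % letter)
        if digit not in range(1, FACES + 1):
            raise ValueError("bad face value %r" % digit)
        if orient not in ORIENTATIONS:
            raise ValueError("bad orientation %r" % orient)
        parts.append("%s%d%s" % (letter, digit, orient))
    return " ".join(parts)


def hkdf_sha256(ikm, salt, info, length):
    """RFC 5869 HKDF (extract then expand) over HMAC-SHA256. The output is
    one-way: recovering ikm from okm would require inverting HMAC."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def passphrase(arrangement, service, n_words=6):
    """Derive a word sequence for one service. The service name is the HKDF
    'info' field, so each service gets an unrelated sequence from one box."""
    seed = canonical_string(arrangement).encode()
    okm = hkdf_sha256(seed, b"dicekeys-demo-salt", service.encode(), 32)  # assumed salt
    value = int.from_bytes(okm, "big")
    words = []
    for _ in range(n_words):
        words.append(WORDS[value % len(WORDS)])
        value //= len(WORDS)
    return " ".join(words)


def arrangement_entropy_bits():
    """Entropy of a randomly filled box: 25! placements of 25 distinct dice,
    times 6 faces x 4 orientations = 24 states per die, minus 2 bits because
    rotating the whole box by a quarter turn gives an equivalent key. The
    quarter-turn discount is an assumption here; it yields the ~196 bits
    the article quotes."""
    return math.log2(math.factorial(NUM_DICE)) + NUM_DICE * math.log2(FACES * 4) - 2


# Constructed sample arrangement: letters A..Y with deterministic faces/orientations.
SAMPLE = [(chr(ord("A") + i), (i % FACES) + 1, ORIENTATIONS[i % 4]) for i in range(NUM_DICE)]

if __name__ == "__main__":
    print("entropy bits: %.1f" % arrangement_entropy_bits())
    for svc in ("google", "facebook", "lastpass"):
        print("%-9s %s" % (svc, passphrase(SAMPLE, svc)))
```

Two properties are worth checking when running it: the same box and service name always reproduce the same words (so the box is a backup of every derived password), and flipping a single die's orientation changes every derived sequence, which is why the scan must be validated before anything is derived from it.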

Another use case is to derive from the dice arrangement the primary cryptographic key of a SoloKeys security key. If the security key is lost, this technique makes it possible to recreate an identical one. This is not possible with YubiKey-type keys, because they do not allow the primary key to be recreated.

According to Stuart Schechter, DiceKeys has several advantages. The object makes it possible to create a particularly strong secret whose backup is far more reliable: it is less risky than flash memory, which can deteriorate over time, and it is sturdier than paper.

In discussion forums, the product, currently on presale for 25 dollars, has met with mixed reactions. Some find it great, others not at all. Some criticize in particular that an application is needed to translate the dice pattern into a password: an intermediary that one cannot necessarily trust, even if the researcher assures me that the code runs only locally and does not collect any data.

Still others feel that using it with a password manager would not be very practical: every time you want to open your encrypted database, you would need the dice box and the dedicated application at hand. Others fear having the dice box stolen, but that risk exists with any other storage medium too, with the exception of the brain, of course, though you would then have to remember a password with 196 bits of entropy. In short, there is no such thing as a perfect system.

Sources:, Bruce Schneier’s blog
