
Diceware and password login mechanism


Often, down the line, whether we like it or not, we as developers (mostly referring to web-based applications, be it a web page or a web API) need to deal with passwords as a login mechanism.

The problem with passwords is that it's very easy to mess up on both the user side and the developer side.

Some developers don't know what they are doing and store them in plaintext, encrypt them, or hash them with a regular hash.

These three things I described here are common sense, but let's be honest, we do mess them up a lot, don't we 🤣.

There are proper ways of dealing with passwords, like using a proper password-based hashing algorithm (Argon2 or PBKDF2) and something called salting & hashing (sometimes a pepper [a server-side salt, per database] can be added). But in general, because we don't know how strong the user's password is in terms of strength, using it to encrypt user data (keep in mind the server won't have the password, so it can't decrypt the user data) is not a good idea if the database or server ever gets hacked and private/confidential data is put onto the dark web for auction. How long does it take for the user data to be decryptable again? Not very long.

Computerphile on YouTube has explained a lot of do's and don'ts for passwords. Feel free to check them out.

If strong security is required, each user must have a random, nonsensical, unique ASCII password assigned to them, but this does not have strong usability (ease of use), especially when typing it into the password textbox. What people have suggested is to use something called Diceware.

According to the official Diceware site, established in the 90s, they have around 7776 words publicly available on their site, which give strong password strength, but to use them properly, users are advised to buy a die and then roll it 6 times to get a random word from the word list. Nowadays, standards may have changed, but back in the day, 4 or 5 words chosen from the public word list were considered nation-state-level security, but as computer processing power becomes quicker and quicker, the number of words needed to provide nation-state-level security may have changed as well.

This Diceware approach, choosing words from the publicly available word list by rolling dice, is somewhat more usable and more friendly to users when picking a password. So I thought, why not implement an offline desktop Diceware program? It can be used by each user (developers included) to pick or generate more user-friendly English-character passwords that have strong password strength (all bets are off if the password is processed and stored in plaintext/encrypted/as a non-salted hash/with a deprecated cryptographic hashing algorithm).

I have written some code to do it. I will put a link in this post to where I got to know of the existence of Diceware.

Reference:

http://bit.ly/c_diceware

Diceware source code
https://github.com/Chewhern/Diceware

Go and have fun with Diceware, written in C#.
 

Diceware_Published.zip

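As an added example (not the author's C# program and not part of the original post), here is a Python sketch of the Diceware procedure the post describes: the word list has 6^5 = 7776 entries, so one word corresponds to one outcome of five dice; a CSPRNG (`secrets`) stands in for physical dice, since an offline generator must never use the default `random` module; and the entropy arithmetic shows how to decide how many words to use and how long an attacker at a given guess rate would need. The word list below is a constructed placeholder of the right size (the real Diceware or EFF list is a text file you would load instead), and the function names `roll_dice`, `key_to_index`, `passphrase`, `entropy_bits`, `words_for_bits` and `expected_search_seconds` are my own, not the project's.

```python
import math
import secrets

# Constructed stand-in for a Diceware word list: exactly 6**5 = 7776 entries,
# indexed by the five-dice outcome "11111" .. "66666". Replace with the real
# list (one word per line) for actual use; the size check below enforces it.
LIST_SIZE = 6 ** 5
WORDLIST = [f"word{i:04d}" for i in range(LIST_SIZE)]


def roll_dice(n_dice: int = 5) -> str:
    """Roll n_dice fair dice using the OS CSPRNG; returns a digit string like '35261'."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(n_dice))


def key_to_index(key: str) -> int:
    """Map a five-digit dice string to a 0-based list index: '11111' -> 0, '66666' -> 7775.

    Each die contributes one base-6 digit (1..6 shifted to 0..5)."""
    if len(key) != 5 or any(ch not in "123456" for ch in key):
        raise ValueError(f"bad dice key: {key!r}")
    index = 0
    for ch in key:
        index = index * 6 + (int(ch) - 1)
    return index


def lookup(wordlist: list, key: str) -> str:
    """Return the word selected by one set of five rolls."""
    if len(wordlist) != LIST_SIZE:
        raise ValueError(f"word list must have {LIST_SIZE} entries, got {len(wordlist)}")
    return wordlist[key_to_index(key)]


def passphrase(wordlist: list, n_words: int, sep: str = " ") -> str:
    """Generate an n_words Diceware passphrase; every word is an independent five-dice roll."""
    if n_words < 1:
        raise ValueError("need at least one word")
    return sep.join(lookup(wordlist, roll_dice()) for _ in range(n_words))


def entropy_bits(list_size: int, n_words: int) -> float:
    """Entropy of n_words drawn uniformly (with replacement) from list_size words."""
    return n_words * math.log2(list_size)


def words_for_bits(list_size: int, target_bits: float) -> int:
    """Smallest word count whose entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(list_size))


def expected_search_seconds(bits: float, guesses_per_second: float) -> float:
    """Average time to find the passphrase by exhaustive search at the given guess rate.

    Only valid if the attacker knows the list and word count but nothing else;
    the average guess lands halfway through the space, hence the /2."""
    return (2.0 ** bits / 2.0) / guesses_per_second


if __name__ == "__main__":
    # Sample run: a six-word passphrase and the numbers behind the word-count choice.
    print(passphrase(WORDLIST, 6))
    for n in (4, 5, 6, 8):
        bits = entropy_bits(LIST_SIZE, n)
        years = expected_search_seconds(bits, 1e12) / (365 * 24 * 3600)
        print(f"{n} words: {bits:.1f} bits, ~{years:.3g} years at 10^12 guesses/s")
    print("words needed for 128 bits:", words_for_bits(LIST_SIZE, 128))
```

Note that the 7776-word list fixes the per-word entropy at log2(7776), roughly 12.9 bits, so the only knob is the word count: five words give about 64.6 bits, and ten are needed to reach 128. The guess-rate figure in the sample run is an assumed attacker budget, not a claim about any particular hardware.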
Quote

This Diceware approach, choosing words from the publicly available word list by rolling dice, is somewhat more usable and more friendly to users when picking a password.

Yes, I think we can call them passphrases as well.

I remember one user said Maybank staff use passwords that take 15 seconds to type.

Quote

The average person types between 38 and 40 words per minute (WPM), which translates into between 190 and 200 characters per minute (CPM). However, professional typists type a lot faster, on average between 65 and 75 WPM.

So a password that needs 15 seconds to type is possibly (15x3) 45 characters long.... Wow.

The following chart is for everyone's reference (the estimated time taken to succeed in a password search attack, depending on password length):

