150 lines
8.4 KiB
Plaintext
150 lines
8.4 KiB
Plaintext
|
Episode: 1888
|
||
|
|
Title: HPR1888: Diceware Passphrase
|
||
|
|
Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr1888/hpr1888.mp3
|
||
|
|
Transcribed: 2025-10-18 10:49:21
|
||
|
|
|
||
|
|
---
|
||
|
|
|
||
|
|
This is HPR Episode 1888 entitled,
|
||
|
|
Niceware Pastrain, and in part of the series,
|
||
|
|
Privacy and Security.
|
||
|
|
It is hosted by John Newhart,
|
||
|
|
and in about 13 minutes long.
|
||
|
|
The summary is,
|
||
|
|
Demonstration of using the Niceware method
|
||
|
|
of Pastrain Generation.
|
||
|
|
This episode of HPR is brought to you by
|
||
|
|
an honesthost.com.
|
||
|
|
Get 15% discount on all shared hosting
|
||
|
|
with the offer code,
|
||
|
|
HPR15, that's HPR15.
|
||
|
|
Better web hosting that's honest and fair,
|
||
|
|
at An Honesthost.com.
|
||
|
|
Hello, and welcome to another edition of Hacker Public Radio.
|
||
|
|
My name is John Newhart,
|
||
|
|
and today I wanted to talk to you a little bit about past phrases.
|
||
|
|
So we are all told that we should be very diligent
|
||
|
|
about creating past phrases that are non-deterministic,
|
||
|
|
or that we can remember easily.
|
||
|
|
The classic example is the XKCD cartoon
|
||
|
|
of correct horse battery staple,
|
||
|
|
just choosing five words or four words at random.
|
||
|
|
And that is a pretty good way to remember a past phrase,
|
||
|
|
and have it not be a known sentence or phrase,
|
||
|
|
which has shown to be less than ideally chosen for the fact
|
||
|
|
that algorithms can now put together predictable sets of words.
|
||
|
|
They know how English clauses go together,
|
||
|
|
so if it can detect that this noun and this verb go together,
|
||
|
|
it can pretty much predict what other,
|
||
|
|
or shorten the list of available words
|
||
|
|
that it could put together to finish that past phrase.
|
||
|
|
So I came across this technique a little while ago
|
||
|
|
that I hadn't heard about before, called diceware.
|
||
|
|
So this is a method of choosing a past phrase that was developed
|
||
|
|
by Arnold Reinhold,
|
||
|
|
and the process is choosing
|
||
|
|
X number of words at random,
|
||
|
|
but in order to make sure they are truly random,
|
||
|
|
you use dice to choose a number out of a list of words
|
||
|
|
that are pre-generated,
|
||
|
|
but Mr. Reinhold has a list of these words on his website,
|
||
|
|
and world.std.com tilde Reinhold slash diceware.html.
|
||
|
|
And the process is pretty straightforward,
|
||
|
|
so you take five dice,
|
||
|
|
and you roll them,
|
||
|
|
or you can take one die and roll it five times,
|
||
|
|
and that will give you a five-digit integer,
|
||
|
|
which you can then use to look up in this list of words
|
||
|
|
to find the appropriate word that that maps to.
|
||
|
|
So you can choose the number of words that you wish to have in your past phrase
|
||
|
|
in accordance with the amount of entropy that you would like.
|
||
|
|
So people smarter than me have determined that the math associated with this,
|
||
|
|
that each word generated by a diceware gives you 12.9 bits of entropy.
|
||
|
|
The current recommendation is six words,
|
||
|
|
which gives you approximately 76 bits of entropy.
|
||
|
|
And according to distributed.net as of about 2011,
|
||
|
|
given the computational power available at that time,
|
||
|
|
it would take roughly 124 years to crack a past phrase of 76 bits of entropy.
|
||
|
|
So I'm going to walk through the process of generating a diceware past phrase,
|
||
|
|
and then illustrate the commands needed to take your current GPG key,
|
||
|
|
and update that past phrase to the one determined by the diceware process.
|
||
|
|
So I have with me, I have five dies, and a cup.
|
||
|
|
So I'll put those in there, I'll shake them around.
|
||
|
|
I'm going to dump them out.
|
||
|
|
And that gives me five numbers that I'll put together here.
|
||
|
|
So that is five, six, four, six, one.
|
||
|
|
And if I go to Mr. Reinhold's word list,
|
||
|
|
and find that word, five, six, four, six, one,
|
||
|
|
that gives me the word tariff, T-A-R-I-F-F.
|
||
|
|
And then I simply repeat the process.
|
||
|
|
That gives me five more numbers.
|
||
|
|
Which are one, three, three, four, one.
|
||
|
|
And again, if I go to the list,
|
||
|
|
four, one, three, three, four, one,
|
||
|
|
that gives me the word barns, B-A-R-N-E-S.
|
||
|
|
So I do that again, and this time I get the number
|
||
|
|
two, five, four, three, one.
|
||
|
|
And again, if I search for that number, two, five,
|
||
|
|
four, three, one, in the word list,
|
||
|
|
that gives me the word field, F-I-E-L-D.
|
||
|
|
So let's get this process again.
|
||
|
|
And now I have the number four, six, three, four, six.
|
||
|
|
And we go back to the list, four, six, three, four, six.
|
||
|
|
And that gives me the word press, P-R-E-S-S.
|
||
|
|
I'll do one last word here.
|
||
|
|
And the roll of the dice gives us one, three, one, five, four.
|
||
|
|
And on the list, number one, three, one, five, four,
|
||
|
|
is the word A-Z as.
|
||
|
|
So that gives us a five word pass phrase, which with 76 bits of entropy,
|
||
|
|
all lower case. So we could choose to upper case one of these words
|
||
|
|
to make that more, to give us a wider character space.
|
||
|
|
So let's choose to capitalize field.
|
||
|
|
And we can also add a little bit more entropy by randomly replacing one of the characters with a
|
||
|
|
special character or a numeral. So there are instructions on how to do this on the
|
||
|
|
the die square web page. And basically, we roll the dice again.
|
||
|
|
Only need four this time.
|
||
|
|
So we'll roll the dice and the way this works is the first number, which in my case is three.
|
||
|
|
We'll tell us what word to change. So that brings me down to field.
|
||
|
|
Five would tell me what character in that word to change.
|
||
|
|
So one, two, three, four, five would be the last word or the last letter in field, which
|
||
|
|
would be the D. And then there's a table on the website. So the third roll is the row.
|
||
|
|
And the fourth number is the column.
|
||
|
|
Or I'm sorry, backwards. The third number is the column and the fourth number is the row.
|
||
|
|
So on this table, I have three for my column and four for my row, which gives me the
|
||
|
|
character of a double quote. So I would replace the D in field with a double quote.
|
||
|
|
But so now my passphrase is tariff, barns, field with a capital F and a double quote replacing
|
||
|
|
the D press and AZ. So most charmingly, according to the website, the process here is
|
||
|
|
write this down on a piece of paper. Make sure you're doing it on a hard surface.
|
||
|
|
So the data that you're transcribing doesn't, isn't captured on the substrate or
|
||
|
|
that you're pressing against. And then you should memorize this information and then burn
|
||
|
|
the paper and destroy the ashes. Okay. So we're going to update our GPG passphrase with the command
|
||
|
|
GPG dash dash edit key, edit, edit dash key. And then the email identifier of our key. So in my
|
||
|
|
case, I'm using Elvis at example.com, a little test key here. And that will bring me to the GPG
|
||
|
|
prompt. So now I would enter the command password, P-A-S-S-W-D. And in order to make this change,
|
||
|
|
I need to enter the current passphrase for the key. And now that I have entered the correct
|
||
|
|
current passphrase, I can now enter the new passphrase for the secret key. So I'll go ahead
|
||
|
|
and enter my new passphrase, T-A-R-I-F-S-B-A-R-N-E-S, space capital F, I-E-L,
|
||
|
|
double quote, space P-R-E-S-S, space A-Z. And then I just repeat. T-A-R-I-F-S-S-B-A-R-N-E-S,
|
||
|
|
space capital F-I-E-L, quote, space P-R-E-S-S, space A-Z, and voila. I go ahead and type quit.
|
||
|
|
To quit the GPG session, it asks me if I want to save the changes, type yes. And presto, I have
|
||
|
|
an updated passphrase. So now I can test this out by decrypting a document. So GPG decrypt,
|
||
|
|
and then a file name. And it will ask me for the passphrase. I'll use my brand new
|
||
|
|
Dysquare Passphrase to unlock the key.
|
||
|
|
And presto, I have the key or have the contents of that file decrypted. So that's how you
|
||
|
|
generate a Dysquare Passphrase and update your GPG key. I encourage you, if you're interested
|
||
|
|
in this, to take a closer look at the Dysquare Passphrase homepage. Again, at W-O-R-L-D.STD.com.
|
||
|
|
Tilda Reinhold, that's R-E-I-N-H-O-L-D slash Dysquare.html. There's also a nice Wikipedia article on
|
||
|
|
Dysquare. It talks a little bit about the EnterSP statistics. And it's a nice way to get a randomly
|
||
|
|
generated passphrase that isn't predictable, but is yet easy enough that you could
|
||
|
|
memorize it and not have to have it stored anywhere else. So that's it for this edition of
|
||
|
|
Hacker Public Radio. I hope you found this useful and I encourage you to submit a show to
|
||
|
|
Hacker Public Radio about something you find interesting. Take care, bye-bye.
|
||
|
|
You've been listening to Hacker Public Radio at Hacker Public Radio. We are a community podcast
|
||
|
|
network that releases shows every weekday Monday through Friday. Today's show, like all our shows,
|
||
|
|
was contributed by an HBR listener like yourself. If you ever thought of recording a podcast
|
||
|
|
and click on our contributing to find out how easy it really is. Hacker Public Radio was found
|
||
|
|
by the digital dog pound and the infonomicon computer club and it's part of the binary revolution
|
||
|
|
at binrev.com. If you have comments on today's show, please email the host directly, leave a comment
|
||
|
|
on the website or record a follow-up episode yourself. Unless otherwise status, today's show is
|
||
|
|
released on the earth. Create a comments, attribution, share a light, 3.0 license.
|