When online security is literally a roll of the dice, which dice do you use?

[Read the post]

1 Like

I was wondering if they author would offer any statistics about the relative randomness of cheap gaming dice and hard-to-find casino dice. I’d guess the difference is insignificant.

Also, I’m a bit amused that he shows an example of writing down the results on a pad of paper, since the Diceware instructions recommend against doing that.

For maximum security make sure you are alone and close the curtains. Write on a hard surface – not on a pad of paper. After you memorize your passphrase, burn your notes, pulverize the ashes and flush them down the toilet.

So I’d take it the real point here was to geek out about dice.

1 Like

I do love the geeking out about dice, and the appreciation of a special, precision-engineered artefact of numerology and math, juxtaposing superstition and science. That’s a lovely article.

But when it comes to the point of saying that rolling the dice on a hard surface will “ruin their randomness” in a way that makes them less suitable for generating a random password, the unreal assumptions being made here are bogglingly annoying.

Who thinks that the likelihood of having an external entity :

  • Knowing and caring that you used a diceware algorithm to choose a pass
  • Acquiring your actual physical dice
  • Determining that one of them has a 3% skew towards rolling 1s and another has a 10% skew towards rolling even numbers
  • Knowing if and what personal ‘salt’ you added to the rolls
  • Using that statistic to narrow down your actual password probabilities in any meaningful way

… is even imaginable?

Given the assumed physical invasion needed to get ahold of those particular ‘compromised’ dice, I think the Obligatory XKCD link that goes with this strategy should be easy to find …


That is a really nice shoebox. It’s actually fancier than most all of my shoes.


Not all “gaming dice” are created equal. I love my Gamescience dice–sharp edges, not tumbled.

1 Like

I wrote a spreadsheet to make diceware phrases – but then, I’m wondering how random Excel’s randbetween() is.

1 Like

Changing passwords regularly is actually not recommended – because it means you will have to write them down because the frequent changes mean you will never be able to memorize the password.

The recommended best practice is, rather, to generate a long random secure-but-memorizable password and then not to change it.


If it can be fetishized it will be. Oh the smooth dice and the cool random passwords.


I wonder if there is a way to collect a lot of numbers and run some tests on a random number generator in Excel. Some program or spreadsheet in which to collect the data… You might go to http://www.cacert.at/cgi-bin/rngresults and search for Excel, passes the tests they think are important.

I remember a slashdot post from about 2000 where they had DIY stuck an Americium sample from a smoke detector against a USB webcam sensor and then sealed it against light. I believe there was source code included to convert the scintillation into a best possible /dev/random


This article is a great example of how incredibly dumb the whole password method of “security” is. If this is a good method for creating a secure password, what’s the likelihood that the ones most people create are secure in the slightest degree? And what’s the likelihood that this six word password he created will not work for many sites who now require funky non-numeric symbols, uppercase, and such like? And so now he’s into creating a diceware password for the bank, for his retirement account, for his work HR system, and on and on, and so does he forget one? and then need to use the password reset? and are those “security questions” about the name of your first cat and the make of your first car really all that secure (how difficult would it be to come up with a program that ran through the most likely cat names and makes of cars going back a few years?).



I’ve seen a lot of articles that rant about how passwords are obsolete, but don’t even try to suggest an alternative. The rare efforts at suggesting an alternative usually suggest something that’s even more of a pain in the ass then passwords. And most often, it’s in addition to a password, anyway.

The real problem with passwords is that security people obsess about them, because choosing a password is nominally under your control. Most things to do with security aren’t.

The Diceware method is pretty simple, really. It’s just rolling dice and checking a table. The author chose to overcomplicate things.

Just to point out that another reason that casino dice are transparent and have flat rather than drilled pips is to make them “tamper evident” People have been known fill the bottom of drilled pip holes in dice with lead or gold to intentionally vary the probability of certain numbers…

1 Like

OK, what if online security is NOT literally a roll of the dice?

(I realize that this article is about dice, not so much about passwords.)

There have been enough breaches of plaintext password databases (plus of poorly secured password databases) that the bad guys have been able to perform statistical analysis of the most frequently used passwords, passphrases, and password-generating systems that real people use. People cannot generate truly random, only-brute-force-able passwords. You have to use other good sources of randomness to do this.

Using the Diceware list, with six choices, you will generate 2.2 x 10^23 different passwords; this is the search space this method generates. Remember, the bad guys have access to this list too.

If you eliminate the two-characters ‘words’ from the list (on the reasonable assumption that these reduce randomness), you’re left with 1.2 x 10^22 passwords. Roughly twice as many as an eleven-character randomly-generated password with lowercase/uppercase/number/symbol characters.

You’d be better off referring to Bruce Schneier’s advice, posted here for password generating recommendations. Password security is not a roll of the dice, it’s mildly difficult and you have to make an effort to understand it.


in the real world people have too many accounts to remember all their passwords anyway, unless they reuse the same password on multiple sites - which is one of the worse things you could do since a breach of one site means your account at every site that used that password is effectively compromised.

remembering passwords is obsolete. that’s why mankind invented password managers.


I like to point at my keyboard and move my hand in a cyclical rounded zig zag while a third party periodically announces ‘stop’. I then flip a coin to see if I hold shift while using the character. I do that about ten times and it gives me pretty good entropy (garbage for mnemonics, though).

As a backgammon fanatic I find few things to be more enjoyable than shaking wooden dice in a wooden cup and splatting them down on a wooden board.


This article feels like I was Rickrolled into watching an unboxing video. Clearly it needs an ASMR soundtrack to accompany it.


Some passwords need to be memorized, such as the password to gain entry to your password manager, or the passwords for accounts that you need to access from computers that you do not own.

The article did specifically mention that the author wanted to generate memorizable passwords.

1 Like

this article was, unfortunately, terrible as far as password advice goes.

if you are in a position where you only have one account anywhere that needs a password then maybe generating that password with dice is feasible, but that doesn’t scale well to the number of passwords most people need.

there’s numerous examples of old advice about passwords that just don’t apply to the modern age, and the “easy to remember but hard to guess” one is the best example of this.

with the number of sites having their password databases stolen, it’s clear that some of your passwords are going to get discovered through no fault of your own. in order to limit the potential for damage that this scenario one of the more important pieces of advice nowadays is to never use the same password twice, but with so many sites on the internet requiring a logon (boing boing forums included) that means that many people require more passwords than they could ever hope to remember.

the only way to get around that without reusing passwords is to use some sort of password management (whether it’s writing them down in a safe place or using password management software). modern (and even not so modern) password management programs are entirely capable of generating an arbitrarily large number of arbitrarily large passwords that are for all intents and purposes unguessable.

for online accounts, you get the most security bang for your effort by using a password manager.


no password needs to be memorized. even the one to unlock a password manager can be recorded elsewhere and kept in a secure location.

recording a password on (for example) a slip of paper effectively changes the password into a static security token (like your house keys). the only real problem with writing them down is that people frequently don’t recognize that once written down they need to be protected (like your house keys).