When online security is literally a roll of the dice, which dice do you use?

2fa plus a pin.

Yep, part of my master password is in one place, the other part… somewhere else. Which unlocks some two hundred odd 16-20 digit passwords. Some with misleading labels. And it is a breeze to manage.

I get that the author is having fun with it, but I still think that passwords are a giant fail. I like the systems that will text you a backup password and wonder why we don’t just use phone-generated, on-the-fly passwords each time, which seems more secure in every way.

a couple of reasons

  1. not everyone has a phone
  2. it’s questionable whether text messaging is actually a secure communication channel or not

My job has just ‘upgraded’ our password requirements so that they now have to change every 30 days, and there are ‘security’ questions to reset it. Oy vey…

1 Like

I like my workplace solution, at least for Windows login: my ID badge has a smart chip, and that plus a long PIN logs me in. Though I have to have 3 badges now, one for day-to-day stuff, one for my sysadmin server access, and now a new one for the old w2k3 stuff that has to stick around because the required software won’t migrate, be it vendors going poof or vendors being lazy.

So you would have to steal the badge and know what random string of stuff I have memorized.
Though that still falls apart, as there is still some software and things like domain joins that are not smart-card aware, and Linux isn’t there yet either. For Windows I can generate a temp random password for the few things that still require userid and password, or get an exception that is regularly checked.

Also, good two-factor gets ugly when you have a card/USB stick/RSA key fob for every bank, online site, email account, etc.

Bleah, it’s complicated.

Maybe they’re using this advice, which appears to be from the '60s:

Also, any system that can mail you your password is de facto insecure.


By the way, the pen impressions from the previous password you made are clearly visible on the notebook paper in the last gif.

You should probably not use the corresponding password for anything.

Most of my passwords now are weird twists on words or phrases which are not random, but at least not in dictionaries either.

What throws me off most is knowing how big my character set is, remembering how the different OSes I use handle extended characters, and what characters different systems or services accept. Internet passwords such as web forums and email often seem to have fundamentally insecure requirements, like short max lengths.

I should probably use a password manager, but I still rage about my inability to remember arbitrary strings. I’d rather just be able to do it.

It seems to me that true randomness is less important than others not knowing what the correlation might be. I doubt any crackers out there actually do physical modelling of the characteristics of cheap dice! I can make (and have done) a Zener noise generator for less than the cost of dice which spits out constant random voltages. A few volts measured to thousandths offers more than enough possible random values.

Don’t speak your password parts as you are devising it! Somebody who really wants to know what you are doing could have remotely activated one of your microphones already.

I think you’re describing one-time passwords (OTP). I use those occasionally, at work, and as a second factor of authentication for Google, and in the past I’ve used them for other accounts as well.

They’re more secure than regular passwords. But I don’t see how they’re any easier; at best I’d say they’re almost as easy as regular passwords. Your OTP is generated by a little gadget, or by an app on your smartphone, but you have to initialize it by syncing it with the system to which you’ll be authenticating. So, each OTP generator is unique to the system with which you use it. So ideally this would be the equivalent amount of effort to randomly generating a password for each account, and storing it on a password vault on your smartphone, and looking it up whenever you need to authenticate. In practice, initial set up can be more tricky, and it’s more work from the point of view of the service provider.

1 Like

I think the author would agree you should keep your online passwords in a manager app, and lock that with a Diceware-generated passphrase. Two approaches for two purposes.

BTW, things were going fine until the suggestion that you might want to fool around with the output from Diceware if you “didn’t like” what you got. NO! That blows away a whole bunch of the entropy you wanted. Humans, bad at math.

I personally like the idea of lava lamp or a fish tank for my randomness, but apparently that’s not the way crypto geeks have gone. So… how does someone pick a good source of randomness?

If you do a search for “Zener noise circuit schematic”, you can find hundreds of examples. They are easy to make, and by their unquantized nature more truly random than most (maybe all) digital methods.

1 Like

The one time I chi-square tested Gamescience dice, all but one checked out as reasonably random.

1 Like
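The chi-square check mentioned above is easy to reproduce, and it also answers the later point that cheap dice are "not uniformly random" rather than "not random": a biased die still yields entropy, just less of it per roll. This is an added example for the thread, not the poster's own test or data; the tallies are constructed, and the critical values are the standard chi-square table entries for 5 degrees of freedom.

```python
import math

# Constructed tallies of 600 rolls each (illustrative, not measured data).
FAIR_DIE = [98, 104, 101, 97, 103, 97]
BIASED_DIE = [150, 90, 90, 90, 90, 90]

# Upper-tail critical values, chi-square with 5 degrees of freedom (six faces).
CHI2_CRIT_DF5 = {0.10: 9.236, 0.05: 11.070, 0.01: 15.086}


def chi_square_uniform(counts):
    """Pearson chi-square statistic against the hypothesis 'every face equally likely'."""
    total = sum(counts)
    expected = total / len(counts)
    return sum((c - expected) ** 2 / expected for c in counts)


def looks_fair(counts, alpha=0.05):
    """True when the tallies do not let us reject uniformity at level alpha."""
    if len(counts) != 6:
        raise ValueError("the critical values here are for a six-sided die")
    return chi_square_uniform(counts) <= CHI2_CRIT_DF5[alpha]


def shannon_entropy_bits(counts):
    """Average information per roll, estimated from the observed frequencies."""
    total = sum(counts)
    return -sum((c / total) * math.log2(c / total) for c in counts if c)


def min_entropy_bits(counts):
    """Guessing entropy: set entirely by the most likely face, which is what
    an attacker who knows the bias would exploit."""
    return -math.log2(max(counts) / sum(counts))


def passphrase_budget_bits(counts, dice_rolls):
    """Conservative entropy of a passphrase built from `dice_rolls` rolls of this die."""
    return dice_rolls * min_entropy_bits(counts)


if __name__ == "__main__":
    ideal = math.log2(6)
    for name, die in (("fair-looking", FAIR_DIE), ("biased", BIASED_DIE)):
        print(f"{name}: chi2={chi_square_uniform(die):.2f} fair={looks_fair(die)} "
              f"H={shannon_entropy_bits(die):.3f} Hmin={min_entropy_bits(die):.3f} "
              f"(ideal {ideal:.3f}); 30 rolls -> {passphrase_budget_bits(die, 30):.1f} bits")
```

With 30 rolls (a six-word Diceware phrase) the constructed biased die delivers 60 bits of guessing entropy instead of the ideal 77.5, which is the practical meaning of "not uniformly random".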

I came to say exactly that. Soon Boing Boing will be nothing but artisanal shoehorns and perfect, curated thimbles. So instead I’ll say this:

Gaming dice are cheaply made and importantly, they are not random.

This statement is false. They are not uniformly random. Not the same thing at all.


Not only that, try and roll 20+ of those Vegas things at a time for a 40K game.

1 Like

I’m giving you a like because it’s not very often that I have no idea whether someone is kidding or not.


Rewrote the spreadsheet this morning, so it sucks numbers from random.org and then looks up the words in the list. Much better.
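Two things in this thread are worth seeing in code: the dice-key lookup that the spreadsheet above performs (five rolls form a key like `45213`, which selects one of 6^5 = 7776 words), and the earlier warning that re-rolling words you "don't like" throws away entropy. This is an added example, not the poster's spreadsheet or the Diceware project's code. It assumes a word list whose length is a power of six, uses a constructed 36-word (two-dice) list because the real 7776-word list is not shipped here, and replaces physical dice with the OS CSPRNG via `secrets`.

```python
import math
import secrets

# Constructed 36-word demo list, one word per two-dice key "11".."66".
# It stands in for the real 7776-word, five-dice Diceware list.
DEMO_WORDS = [
    "ant", "arch", "bake", "bark", "clay", "cold", "dog", "dune", "echo",
    "elk", "fern", "fish", "gate", "gold", "hawk", "hill", "ink", "iron",
    "jade", "jump", "kelp", "king", "lamp", "leaf", "moon", "moss", "nest",
    "noon", "oak", "owl", "pine", "pond", "quay", "rain", "rope", "sand",
]


def dice_per_word(wordlist):
    """How many dice index this list; the list length must be a power of 6."""
    n = round(math.log(len(wordlist), 6))
    if 6 ** n != len(wordlist):
        raise ValueError("word list length must be a power of 6")
    return n


def key_to_index(key: str) -> int:
    """Map a dice key such as '26' (or '45213' for the full list) to a 0-based
    list index by reading the faces as a base-6 number."""
    idx = 0
    for ch in key:
        face = int(ch)
        if not 1 <= face <= 6:
            raise ValueError(f"not a die face: {ch!r}")
        idx = idx * 6 + (face - 1)
    return idx


def roll_key(n_dice: int) -> str:
    """Roll n dice with the OS CSPRNG, the software stand-in for real dice."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(n_dice))


def passphrase(wordlist, n_words: int):
    n = dice_per_word(wordlist)
    return [wordlist[key_to_index(roll_key(n))] for _ in range(n_words)]


def entropy_bits(wordlist, n_words: int) -> float:
    """Entropy of n words chosen uniformly from this list."""
    return n_words * math.log2(len(wordlist))


def diceware_bits(n_words: int) -> float:
    """Entropy of n words from the standard 7776-word (six-to-the-fifth) list."""
    return n_words * math.log2(6 ** 5)


def entropy_after_filter(wordlist, n_words: int, keep) -> float:
    """Entropy left if you re-roll every word that fails `keep`: an attacker
    who guesses your taste only has to search the words you would accept."""
    kept = sum(1 for w in wordlist if keep(w))
    return n_words * math.log2(kept) if kept else 0.0


if __name__ == "__main__":
    words = passphrase(DEMO_WORDS, 6)
    print(" ".join(words))
    print(f"demo list, 6 words: {entropy_bits(DEMO_WORDS, 6):.1f} bits")
    print(f"real list, 6 words: {diceware_bits(6):.1f} bits")
    print("after rejecting 3-letter words:",
          f"{entropy_after_filter(DEMO_WORDS, 6, lambda w: len(w) >= 4):.1f} bits")
```

A network source such as random.org also means a third party (and anyone on the path) sees the numbers that become your passphrase; `secrets` draws from the local OS pool, which keeps the roll on your own machine.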

In the US it isn’t questionable at all. Different adversaries use different techniques, but I consider my phone way less secure than my wallet.

You know, it doesn’t give good entropy, right?


I had a friend doing QA for an app in 1999 that attempted to derive entropy in a similar manner (random mouse movements). It turns out movement biases decreased the entropy by at least a factor of a hundred, and he could generally brute force the key in 10-20k tries.

So, the best chance you have in your case, is to not tell anyone how you derived your passwords! BWAHAHAHAHA!!

1 Like